Mozilla Products Multiple Remote Vulnerabilities
BID:24242
Info
| Bugtraq ID: | 24242 |
| Class: | Unknown |
| CVE: | CVE-2007-1362, CVE-2007-2871, CVE-2007-2870, CVE-2007-2869, CVE-2007-2868, CVE-2007-2867 |
| Remote: | Yes |
| Local: | No |
| Published: | May 31 2007 12:00AM |
| Updated: | Sep 04 2008 03:14PM |
| Credit: | Boris Zbarsky, Eli Friedman, Georgi Guninski, Jesse Ruderman, Martijn Wargers and Olli Pettay, Marcel, Nicolas Derouet, Gaëtan Leurent, moz_bug_r_a4, and Chris Thomas discovered and reported these issues to Mozilla. |
| Vulnerable: |
Ubuntu Ubuntu Linux 7.04 sparc Ubuntu Ubuntu Linux 7.04 powerpc Ubuntu Ubuntu Linux 7.04 i386 Ubuntu Ubuntu Linux 7.04 amd64 Ubuntu Ubuntu Linux 6.10 sparc Ubuntu Ubuntu Linux 6.10 powerpc Ubuntu Ubuntu Linux 6.10 i386 Ubuntu Ubuntu Linux 6.10 amd64 Ubuntu Ubuntu Linux 6.06 LTS sparc Ubuntu Ubuntu Linux 6.06 LTS powerpc Ubuntu Ubuntu Linux 6.06 LTS i386 Ubuntu Ubuntu Linux 6.06 LTS amd64 SuSE SUSE Linux Enterprise Server 8 SuSE SUSE Linux Enterprise Server 10 SP1 SuSE SUSE Linux Enterprise Desktop 10 SP1 SuSE Linux Professional 10.2 x86_64 SuSE Linux Personal 10.2 x86_64 Sun Solaris 9_x86 Sun Solaris 9 Sun Solaris 8_x86 Sun Solaris 8_sparc Sun Solaris 10_x86 Sun Solaris 10.0_x86 Sun Solaris 10.0 Sun Solaris 10 Slackware Linux 10.2 Slackware Linux 11.0 Slackware Linux -current SGI ProPack 3.0 SP6 S.u.S.E. UnitedLinux 1.0 S.u.S.E. SuSE Linux Standard Server 8.0 S.u.S.E. SuSE Linux School Server for i386 S.u.S.E. SUSE LINUX Retail Solution 8.0 S.u.S.E. SuSE Linux Openexchange Server 4.0 S.u.S.E. openSUSE 10.2 S.u.S.E. Novell Linux POS 9 S.u.S.E. Novell Linux Desktop 9 S.u.S.E. Linux Professional 10.0 OSS S.u.S.E. Linux Professional 10.0 S.u.S.E. Linux Professional 10.2 S.u.S.E. Linux Professional 10.1 S.u.S.E. Linux Personal 10.0 OSS S.u.S.E. Linux Personal 10.2 S.u.S.E. Linux Personal 10.1 S.u.S.E. Linux 10.1 x86-64 S.u.S.E. Linux 10.1 x86 S.u.S.E. Linux 10.1 ppc S.u.S.E. Linux 10.0 x86-64 S.u.S.E. Linux 10.0 x86 S.u.S.E. 
Linux 10.0 ppc rPath rPath Linux 1 RedHat Enterprise Linux WS 4 RedHat Enterprise Linux WS 3 RedHat Enterprise Linux WS 2.1 IA64 RedHat Enterprise Linux WS 2.1 RedHat Enterprise Linux Optional Productivity Application 5 server RedHat Enterprise Linux ES 4 RedHat Enterprise Linux ES 3 RedHat Enterprise Linux ES 2.1 IA64 RedHat Enterprise Linux ES 2.1 RedHat Enterprise Linux Desktop Workstation 5 client RedHat Enterprise Linux Desktop version 4 RedHat Advanced Workstation for the Itanium Processor 2.1 Red Hat Fedora 7 Red Hat Enterprise Linux Desktop 5 client Red Hat Enterprise Linux AS 4 Red Hat Enterprise Linux AS 3 Red Hat Enterprise Linux AS 2.1 IA64 Red Hat Enterprise Linux AS 2.1 Red Hat Enterprise Linux 5 Server Mozilla Thunderbird 1.5 beta 2 Mozilla Thunderbird 1.5 .9 Mozilla Thunderbird 1.5 Mozilla Thunderbird 1.0.8 Mozilla Thunderbird 1.0.7 Mozilla Thunderbird 1.0.6 Mozilla Thunderbird 1.0.5 Mozilla Thunderbird 1.0.2 Mozilla Thunderbird 1.0.1 Mozilla Thunderbird 1.0 Mozilla Thunderbird 1.5.0.8 Mozilla Thunderbird 1.5.0.7 Mozilla Thunderbird 1.5.0.5 Mozilla Thunderbird 1.5.0.4 Mozilla Thunderbird 1.5.0.2 Mozilla Thunderbird 1.5.0.10 Mozilla Thunderbird 1.5.0.1 Mozilla SeaMonkey 1.1.1 Mozilla SeaMonkey 1.0.99 Mozilla SeaMonkey 1.0.8 Mozilla SeaMonkey 1.0.7 Mozilla SeaMonkey 1.0.6 Mozilla SeaMonkey 1.0.5 Mozilla SeaMonkey 1.0.3 Mozilla SeaMonkey 1.0.2 Mozilla SeaMonkey 1.0.1 Mozilla SeaMonkey 1.1 beta Mozilla SeaMonkey 1.0 dev Mozilla SeaMonkey 1.0 Mozilla Firefox 2.0 .3 Mozilla Firefox 2.0 .1 Mozilla Firefox 1.5 beta 2 Mozilla Firefox 1.5 beta 1 Mozilla Firefox 1.5 .8 Mozilla Firefox 1.5 .6 Mozilla Firefox 1.5 Mozilla Firefox 1.0.8 Mozilla Firefox 1.0.7 Mozilla Firefox 1.0.6 Mozilla Firefox 1.0.5 Mozilla Firefox 1.0.5 Mozilla Firefox 1.0.4 Mozilla Firefox 1.0.3 Mozilla Firefox 1.0.2 Mozilla Firefox 1.0.1 Mozilla Firefox 1.0 Mozilla Firefox 2.0.0.3 Mozilla Firefox 2.0.0.2 Mozilla Firefox 2.0 RC3 Mozilla Firefox 2.0 RC2 Mozilla Firefox 2.0 beta 1 Mozilla 
Firefox 2.0 Mozilla Firefox 1.5.0.9 Mozilla Firefox 1.5.0.8 Mozilla Firefox 1.5.0.7 Mozilla Firefox 1.5.0.6 Mozilla Firefox 1.5.0.5 Mozilla Firefox 1.5.0.4 Mozilla Firefox 1.5.0.3 Mozilla Firefox 1.5.0.2 Mozilla Firefox 1.5.0.2 Mozilla Firefox 1.5.0.11 Mozilla Firefox 1.5.0.10 Mozilla Firefox 1.5.0.1 Mozilla Camino 1.0.3 Mozilla Camino 1.0.2 Mozilla Camino 1.0.1 Mozilla Camino 0.8.4 Mozilla Camino 0.8.3 Mozilla Camino 0.8 Mozilla Camino 0.7 .0 Mozilla Camino 1.5 Mozilla Camino 1.0 Mandriva Linux Mandrake 2007.1 x86_64 Mandriva Linux Mandrake 2007.1 Mandriva Linux Mandrake 2007.0 x86_64 Mandriva Linux Mandrake 2007.0 MandrakeSoft Corporate Server 3.0 x86_64 MandrakeSoft Corporate Server 3.0 HP HP-UX B.11.31 HP HP-UX B.11.23 HP HP-UX B.11.11 Gentoo www-client/seamonkey-bin 1.0.7 Gentoo www-client/seamonkey 1.0.7 Gentoo www-client/mozilla-firefox-bin 2.0.0.3 Gentoo www-client/mozilla-firefox 2.0.0.3 Gentoo net-libs/xulrunner 1.8.1.3 Gentoo mail-client/mozilla-thunderbird-bin 2.0.0.3 Gentoo mail-client/mozilla-thunderbird 2.0.0.3 Foresight Linux Foresight Linux 1.1 Debian Xulrunner 0 Debian Linux 4.0 sparc Debian Linux 4.0 s/390 Debian Linux 4.0 powerpc Debian Linux 4.0 mipsel Debian Linux 4.0 mips Debian Linux 4.0 m68k Debian Linux 4.0 ia-64 Debian Linux 4.0 ia-32 Debian Linux 4.0 hppa Debian Linux 4.0 arm Debian Linux 4.0 amd64 Debian Linux 4.0 alpha Debian Linux 4.0 Debian Iceweasel 0 Debian Icedove 0 Debian Iceape 1.1.1 Avaya Messaging Storage Server MSS 3.0 Avaya Interactive Response 3.0 Avaya Interactive Response 2.0 |
| Not Vulnerable: | Mozilla Thunderbird 2.0 .4; Mozilla Thunderbird 1.5.0.12; Mozilla SeaMonkey 1.1.2; Mozilla SeaMonkey 1.0.9; Mozilla Firefox 2.0 .4; Mozilla Firefox 1.5 12; Mozilla Camino 1.5.1; Gentoo www-client/seamonkey-bin 1.1.2; Gentoo www-client/seamonkey 1.1.2; Gentoo www-client/mozilla-firefox-bin 2.0.0.4; Gentoo www-client/mozilla-firefox 2.0.0.4; Gentoo net-libs/xulrunner 1.8.1.4; Gentoo mail-client/mozilla-thunderbird-bin 2.0.0.4; Gentoo mail-client/mozilla-thunderbird-bin 1.5.0.12; Gentoo mail-client/mozilla-thunderbird 2.0.0.4; Gentoo mail-client/mozilla-thunderbird 1.5.0.12 |
Discussion
The Mozilla Foundation has released six security advisories specifying vulnerabilities in Firefox, SeaMonkey, and Thunderbird.
These vulnerabilities allow attackers to:
- Execute arbitrary code
- Cause denial-of-service conditions
- Perform cross-site scripting attacks
- Obtain potentially sensitive information
- Spoof legitimate content
Other attacks may also be possible.
Exploit / POC
Some of the vulnerabilities described in this BID do not require exploits.
Proof-of-concept exploits are available in the Mozilla Bugzilla database, but are not currently available to the general public.
Solution / Fix
Solution:
Mozilla has released Firefox 1.5.0.12 and 2.0.0.4, Thunderbird 1.5.0.12 and 2.0.0.4, and SeaMonkey 1.0. and 1.1.2 to address these issues.
Please see the referenced advisories for information on obtaining and applying fixes.
Mozilla Firefox 1.5.0.3
-
Mozilla Mozilla Firefox 1.5.0.12
http://www.mozilla.com/en-US/firefox/all.html
Mozilla Thunderbird 1.5.0.5
-
Mozilla Mozilla Thunderbird 1.5.0.12
http://www.mozilla.com/en-US/thunderbird/all.html
Mozilla Firefox 1.5.0.2
-
Mozilla Mozilla Firefox 1.5.0.12
http://www.mozilla.com/en-US/firefox/all.html
Sun Solaris 8_sparc
-
Sun Patch 119115-33
http://sunsolve.sun.com/search/document.do?assetkey=1-21-119115-33-1
-
Sun Patch 119116-33
http://sunsolve.sun.com/search/document.do?assetkey=1-21-119116-33-1
-
Sun Patch 120671-08
http://sunsolve.sun.com/search/document.do?assetkey=1-21-120671-08-1
-
Sun Patch 120672-08
http://sunsolve.sun.com/search/document.do?assetkey=1-21-120672-08-1
Mozilla Firefox 2.0 RC2
-
Mozilla Mozilla Firefox 2.0.0.4
http://www.mozilla.com/en-US/firefox/all.html
Sun Solaris 10
-
Sun Patch 119115-33
http://sunsolve.sun.com/search/document.do?assetkey=1-21-119115-33-1
-
Sun Patch 119116-33
http://sunsolve.sun.com/search/document.do?assetkey=1-21-119116-33-1
-
Sun Patch 120671-08
http://sunsolve.sun.com/search/document.do?assetkey=1-21-120671-08-1
-
Sun Patch 120672-08
http://sunsolve.sun.com/search/document.do?assetkey=1-21-120672-08-1
Mozilla Thunderbird 1.5.0.8
-
Mozilla Mozilla Thunderbird 1.5.0.12
http://www.mozilla.com/en-US/thunderbird/all.html
Mozilla Firefox 1.5.0.1
-
Mozilla Mozilla Firefox 1.5.0.12
http://www.mozilla.com/en-US/firefox/all.html
Mozilla Firefox 1.5.0.7
-
Mozilla Mozilla Firefox 1.5.0.12
http://www.mozilla.com/en-US/firefox/all.html
Mozilla Thunderbird 1.5.0.4
-
Mozilla Mozilla Thunderbird 1.5.0.12
http://www.mozilla.com/en-US/thunderbird/all.html
Mozilla Thunderbird 1.5.0.2
-
Mozilla Mozilla Thunderbird 1.5.0.12
http://www.mozilla.com/en-US/thunderbird/all.html
Mozilla SeaMonkey 1.1 beta
-
Mozilla Mozilla SeaMonkey 1.1.2
http://www.mozilla.org/projects/seamonkey/releases/
Mozilla Firefox 1.5.0.6
-
Mozilla Mozilla Firefox 1.5.0.12
http://www.mozilla.com/en-US/firefox/all.html
Mozilla Thunderbird 1.5.0.10
-
Mozilla Mozilla Thunderbird 1.5.0.12
http://www.mozilla.com/en-US/thunderbird/all.html
Mozilla Firefox 2.0.0.2
-
Mozilla Mozilla Firefox 2.0.0.4
http://www.mozilla.com/en-US/firefox/all.html
Mozilla SeaMonkey 1.0 dev
-
Mozilla Mozilla Seamonkey 1.0.9
http://www.mozilla.org/projects/seamonkey/releases/
Mozilla SeaMonkey 1.0
-
Mozilla Mozilla Seamonkey 1.0.9
http://www.mozilla.org/projects/seamonkey/releases/
Mozilla Camino 0.8
-
Mozilla camino-1.5.1
http://download.mozilla.org/?product=camino-1.5.1&os=osx&lang=en-US
Mozilla Camino 0.8.3
-
Mozilla camino-1.5.1
http://download.mozilla.org/?product=camino-1.5.1&os=osx&lang=en-US
Mozilla SeaMonkey 1.0.1
-
Mozilla Mozilla Seamonkey 1.0.9
http://www.mozilla.org/projects/seamonkey/releases/
Mozilla Camino 1.0.2
-
Mozilla camino-1.5.1
http://download.mozilla.org/?product=camino-1.5.1&os=osx&lang=en-US
Mozilla SeaMonkey 1.0.2
-
Mozilla Mozilla Seamonkey 1.0.9
http://www.mozilla.org/projects/seamonkey/releases/
Mozilla Firefox 1.0.2
-
Mozilla Mozilla Firefox 1.5.0.12
http://www.mozilla.com/en-US/firefox/all.html
Mozilla Firefox 1.0.4
-
Mozilla Mozilla Firefox 1.5.0.12
http://www.mozilla.com/en-US/firefox/all.html
Mozilla Firefox 1.0.5
-
Mozilla Mozilla Firefox 1.5.0.12
http://www.mozilla.com/en-US/firefox/all.html
Mozilla SeaMonkey 1.0.5
-
Mozilla Mozilla Seamonkey 1.0.9
http://www.mozilla.org/projects/seamonkey/releases/
Mozilla SeaMonkey 1.0.6
-
Mozilla Mozilla Seamonkey 1.0.9
http://www.mozilla.org/projects/seamonkey/releases/
Mozilla SeaMonkey 1.0.7
-
Mozilla Mozilla Seamonkey 1.0.9
http://www.mozilla.org/projects/seamonkey/releases/
Mozilla Firefox 1.0.7
-
Mozilla Mozilla Firefox 1.5.0.12
http://www.mozilla.com/en-US/firefox/all.html
Mozilla Firefox 1.5 .6
-
Mozilla Mozilla Firefox 1.5.0.12
http://www.mozilla.com/en-US/firefox/all.html
Mozilla Firefox 1.5 .8
-
Mozilla Mozilla Firefox 1.5.0.12
http://www.mozilla.com/en-US/firefox/all.html
Mozilla Firefox 1.5 beta 2
-
Mozilla Mozilla Firefox 1.5.0.12
http://www.mozilla.com/en-US/firefox/all.html
Mozilla Thunderbird 1.5 .9
-
Mozilla Mozilla Thunderbird 1.5.0.12
http://www.mozilla.com/en-US/thunderbird/all.html
Mozilla Thunderbird 1.5
-
Mozilla Mozilla Thunderbird 1.5.0.12
http://www.mozilla.com/en-US/thunderbird/all.html
Slackware Linux 10.2
-
Slackware mozilla-firefox-1.5.0.12-i686-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/mozilla-firefox-1.5.0.12-i686-1.tgz
-
Slackware mozilla-thunderbird-1.5.0.12-i686-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/mozilla-thunderbird-1.5.0.12-i686-1.tgz
Mozilla Firefox 2.0 .1
-
Mozilla Mozilla Firefox 2.0.0.4
http://www.mozilla.com/en-US/firefox/all.html
Mozilla Firefox 2.0 .3
-
Mozilla Mozilla Firefox 2.0.0.4
http://www.mozilla.com/en-US/firefox/all.html
References
References:
- 1.5.1 Release Notes (Camino)
- Cisco NX-OS Download Page (Cisco)
- RHSA-2007:0400-3 - firefox security update (RedHat)
- RHSA-2007:0401-2 - thunderbird security update (RedHat)
- RHSA-2007:0402-4 - seamonkey security update (RedHat)
- Sun Alert ID: 103136 Multiple Security Vulnerabilities in the Layout Engine in M (Sun Microsystems)
- Sun Alert ID: 201505 Multiple Security Vulnerabilities in JavaScript Engine in M (Sun)
- US-CERT Vulnerability Notes (Mozilla) (US-CERT)
- Vendor Homepage (Mozilla Foundation)
- Vulnerability Note VU#609956 Mozilla products vulnerable to memory corruption in (US-CERT)
- ASA-2007-291 Firefox security update (RHSA-2007-0400) (Avaya)
- ASA-2007-469 Multiple Security Vulnerabilities in JavaScript Engine in Mozilla 1 (Avaya)
- Foresight Linux Essential Advisory: FLEA-2007-0023-1 (Foresight Linux)
- HPSBUX02153 SSRT061181 rev.5 - HP-UX Running Firefox, Remote Unauthorized Access (HP)
- HPSBUX02156 SSRT061236 rev.4 - HP-UX Running Thunderbird, Remote Unauthorized Ac (HP)
- MFSA 2007-12 Crashes with evidence of memory corruption (rv:1.8.0.12/1.8.1.4) (Mozilla Foundation)
- MFSA 2007-13 Persistent Autocomplete Denial of Service (Mozilla Foundation)
- MFSA 2007-14 Path Abuse in Cookies (Mozilla Foundation)
- MFSA 2007-16 XSS using addEventListener (Mozilla Foundation)
- MFSA 2007-17 XUL Popup Spoofing (Mozilla Foundation)
- Multiple Security Vulnerabilities in the Layout Engine in Mozilla 1.7 for Solari (Avaya)
- rPath Linux Security Advisory RPL-1425 (rPath)
- Solution 201505 : Multiple Security Vulnerabilities in JavaScript Engine in M (Sun Microsystems)
- Sun Alert ID: 103125 Multiple Security Vulnerabilities in JavaScript Engine in M (Sun)
- Vulnerability Note VU#751636 Mozilla Layout Engine memory corruption vulnerabili (US-CERT)