BID:51139

Mozilla Firefox and Thunderbird CVE-2011-3666 Remote Code Execution Vulnerability

Info

Mozilla Firefox and Thunderbird CVE-2011-3666 Remote Code Execution Vulnerability

Bugtraq ID:	51139
Class:	Design Error
CVE:	CVE-2011-3666
Remote:	Yes
Local:	No
Published:	Dec 20 2011 12:00AM
Updated:	Apr 13 2015 10:01PM
Credit:	Mariusz Mlynski
Vulnerable:	Mozilla Thunderbird 3.1.14 Mozilla Thunderbird 3.1.13 Mozilla Thunderbird 3.1.12 Mozilla Thunderbird 3.1.7 Mozilla Thunderbird 3.1.5 Mozilla Thunderbird 3.1.4 Mozilla Thunderbird 3.1.9 Mozilla Thunderbird 3.1.8 Mozilla Thunderbird 3.1.7 Mozilla Thunderbird 3.1.6 Mozilla Thunderbird 3.1.3 Mozilla Thunderbird 3.1.2 Mozilla Thunderbird 3.1.15 Mozilla Thunderbird 3.1.11 Mozilla Thunderbird 3.1.10 Mozilla Thunderbird 3.1.1 Mozilla Thunderbird 3.1 Mozilla Firefox 3.6.22 Mozilla Firefox 3.6.13 Mozilla Firefox 3.6.10 Mozilla Firefox 3.6.9 Mozilla Firefox 3.6.8 Mozilla Firefox 3.6.6 Mozilla Firefox 3.6.4 Mozilla Firefox 3.6.3 Mozilla Firefox 3.6.2 Mozilla Firefox 3.6.7 Mozilla Firefox 3.6.6 Mozilla Firefox 3.6.24 Mozilla Firefox 3.6.23 Mozilla Firefox 3.6.21 Mozilla Firefox 3.6.20 Mozilla Firefox 3.6.19 Mozilla Firefox 3.6.18 Mozilla Firefox 3.6.17 Mozilla Firefox 3.6.16 Mozilla Firefox 3.6.15 Mozilla Firefox 3.6.14 Mozilla Firefox 3.6.12 Mozilla Firefox 3.6.11

Not Vulnerable:	Mozilla Thunderbird 3.1.17 Mozilla Firefox 3.6.25

Discussion

Mozilla Firefox and Thunderbird CVE-2011-3666 Remote Code Execution Vulnerability

Mozilla Firefox and Thunderbird are prone to a remote code-execution vulnerability.

An attacker could exploit this issue to execute arbitrary code in the context of the user running an affected application. Failed attempts could lead to a denial-of-service condition.

This issue is fixed in:

Firefox 3.6.25
Thunderbird 3.1.17

Note: This issue is due to an incomplete patch introduced on Firefox and Thunderbird for Mac OS X.

Exploit / POC

Mozilla Firefox and Thunderbird CVE-2011-3666 Remote Code Execution Vulnerability

Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Solution / Fix

Mozilla Firefox and Thunderbird CVE-2011-3666 Remote Code Execution Vulnerability

Solution:
Updates are available. Please see the references for more information.

References

Mozilla Firefox and Thunderbird CVE-2011-3666 Remote Code Execution Vulnerability

References:

Cisco NX-OS Software TACACS+ Command Authorization Vulnerability (Cisco)
Mozilla Foundation Security Advisory 2011-59 (Mozilla)