Hello all,
Yesterday, I received a notice from US-CERT regarding Technical Cyber
Security Alert TA06-153A -- Mozilla Products Contain Multiple
Vulnerabilities, (available at
<http://www.us-cert.gov/cas/techalerts/TA06-153A.html>).
It mentions a bunch of vulnerabilities (all of which seem to affect
SeaMonkey, Thunderbird, and Firefox). After looking at each VU#, it appears
that none of the announcements mention the Mozilla suite. Also, at least as
of last night, none of them mention any CVE #'s.
What's going on with this? Are any Mozilla Suite products affected by these
vulnerabilities? Some of these sound critical -- and if there are no
patches available for mozilla-1.7.13, well, it seems bad!

"Several vulnerabilities have been reported in the Mozilla web browser
and derived products. More detailed information is available in the
individual vulnerability notes, including:

"VU#237257 - Mozilla privilege escalation using addSelectionListener
A privilege escalation vulnerability exists in the Mozilla
addSelectionListener method. This may allow a remote attacker to
execute arbitrary code.

"VU#421529 - Mozilla contains a buffer overflow vulnerability in
crypto.signText()
Mozilla products contain a buffer overflow in the crypto.signText()
method. This may allow a remote attacker to execute arbitrary code.

"VU#575969 - Mozilla may process content-defined setters on object
prototypes with elevated privileges
Mozilla allows content-defined setters on object prototypes to execute
with elevated privileges. This may allow a remote attacker to execute
arbitrary code.

"VU#243153 - Mozilla may associate persisted XUL attributes with an
incorrect URL
Mozilla can allow persisted XUL attributes to associate with the wrong
URL. This may allow a remote attacker to execute arbitrary code.

"VU#466673 - Mozilla contains multiple memory corruption
vulnerabilities
Mozilla contains several memory corruption vulnerabilities. This may
allow a remote attacker to execute arbitrary code."

-David