• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Mozilla Browser Cache File Multiple Vulnerabilities

Severity: HIGH

Description:

Mozilla Browser is reported prone to multiple vulnerabilities that could eventually allow for code execution on the local computer.

These vulnerabilities do not represent a significant threat on their own, however, code execution in the context of the user is possible if the two issues are combined.

It is reported that Mozilla browser stores the cache file in a known directory including cached HTML documents with known file names. This issue may arise if a user visits a malicious Web page that includes nefarious script code and then views the contents of the page through the cache file in the local zone. This could execute the malicious code on the local computer and potentially lead to a compromise.

The other vulnerability allows opening cache files that include HTML and script code in the local zone by modifying the mime type using a NULL byte. To open a file properly, Mozilla uses its file extension to determine how to open the file locally. If the user does not specify a file extension, then Mozilla displays a message box to ask the user to download the file. It is reported that by adding a NULL byte (%00) after the file name and specifying the extension .html, it is possible to open a file as an HTML document.

By combining these issues, an attacker can eventually execute arbitrary HTML or script code in the local zone. The attacker would likely exploit these issues by crafting a malicious Web site containing HTML and script code and entice a user to visit the site. If a user visits the site, the malicious page will be cached in the known directory with a known file name. The attacker may then craft a link to this cached local file and entice a user to follow this link. If successful, the script code that is cached in the file will be executed in the local zone.

It should be noted that this issue is reported to exist in all versions of Mozilla and Firefox browsers, however, Symantec was not able to reproduce this on Firefox 0.9.2. Furthermore, the directory names may vary with different platforms.

Update: New reports have stated that the Mozilla Browser is not vulnerable to the first issue as it uses random names for cache directories. This issue does however affect Firefox. It is also reported that an attacker does not have to use a file extension for the second vulnerability as long as a NULL byte is placed after the file name. Arbitrary extensions may be applied as well.

Affected Products:

• Avaya Network Routing
• Compaq Tru64 5.1.0 a PK6(BL24)
• Compaq Tru64 5.1.0 b PK3(BL24)
• Compaq Tru64 5.1.0 b PK4 (BL25)
• Conectiva Linux 6.0.0
• Conectiva Linux 7.0.0
• Conectiva Linux 8.0.0
• Linux kernel 2.4.19
• Linux kernel 2.4.21
• Linux kernel 2.6.5
• MandrakeSoft Linux Mandrake 8.0.0
• MandrakeSoft Linux Mandrake 8.0.0 ppc
• MandrakeSoft Linux Mandrake 8.2.0
• MandrakeSoft Linux Mandrake 8.2.0 ppc
• MandrakeSoft Linux Mandrake 9.2.0
• MandrakeSoft Linux Mandrake 9.2.0 amd64
• Mozilla Browser 0.8.0
• Mozilla Browser 0.9.2
• Mozilla Browser 0.9.2 .1
• Mozilla Browser 0.9.3
• Mozilla Browser 0.9.35
• Mozilla Browser 0.9.4
• Mozilla Browser 0.9.4 .1
• Mozilla Browser 0.9.48
• Mozilla Browser 0.9.5
• Mozilla Browser 0.9.6
• Mozilla Browser 0.9.7
• Mozilla Browser 0.9.8
• Mozilla Browser 0.9.9
• Mozilla Browser 1.0.0
• Mozilla Browser 1.0.0 RC1
• Mozilla Browser 1.0.0 RC2
• Mozilla Browser 1.0.1
• Mozilla Browser 1.0.2
• Mozilla Browser 1.1.0
• Mozilla Browser 1.1.0 Alpha
• Mozilla Browser 1.1.0 Beta
• Mozilla Browser 1.2.0
• Mozilla Browser 1.2.0 Alpha
• Mozilla Browser 1.2.0 Beta
• Mozilla Browser 1.2.1
• Mozilla Browser 1.3.0
• Mozilla Browser 1.3.1
• Mozilla Browser 1.4.0
• Mozilla Browser 1.4.0 a
• Mozilla Browser 1.4.0 b
• Mozilla Browser 1.4.1
• Mozilla Browser 1.4.2
• Mozilla Browser 1.5.0
• Mozilla Browser 1.6.0
• Mozilla Browser 1.7.0
• Mozilla Browser 1.7.0 rc3
• Mozilla Browser 1.7.1
• Mozilla Browser M15
• Mozilla Browser M16
• Mozilla Firebird 0.5.0
• Mozilla Firebird 0.6.1
• Mozilla Firebird 0.7.0
• Mozilla Firefox 0.8.0
• Mozilla Firefox 0.9.0
• Mozilla Firefox 0.9.0 rc
• Mozilla Firefox 0.9.1
• RedHat Advanced Workstation for the Itanium Processor 2.1.0
• RedHat Enterprise Linux AS 2.1
• RedHat Enterprise Linux AS 2.1 IA64
• RedHat Enterprise Linux ES 2.1
• RedHat Enterprise Linux ES 2.1 IA64
• RedHat Enterprise Linux WS 2.1
• RedHat Enterprise Linux WS 2.1 IA64
• RedHat Fedora Core1
• RedHat Linux 7.2.0
• RedHat Linux 7.2.0 i386
• RedHat Linux 7.2.0 i586
• RedHat Linux 7.2.0 i686
• RedHat Linux 7.3.0
• RedHat Linux 7.3.0 i386
• RedHat Linux 7.3.0 i686
• RedHat Linux 8.0.0
• RedHat Linux 8.0.0 i386
• RedHat Linux 9.0.0 i386
• S.u.S.E. Linux 8.1.0
• S.u.S.E. Linux Desktop 1.0.0
• S.u.S.E. Linux Enterprise Server 8
• S.u.S.E. Linux Enterprise Server 9
• S.u.S.E. Linux Personal 8.2.0
• S.u.S.E. Linux Personal 9.0.0
• S.u.S.E. Linux Personal 9.0.0 x86_64
• S.u.S.E. Linux Personal 9.1.0
• SCO Unixware 7.1.4
• SGI Advanced Linux Environment 3.0.0
• Sun Linux 5.0.7

References:

• Mozilla Foundation: Mozilla Homepage
• RedHat: RHSA-2004:421-17 - Updated mozilla packages fix security issues

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.