J-Security Center

Title: Mozilla Suite Multiple Remote Vulnerabilities

Severity: HIGH

Description:

Multiple remote vulnerabilities affect Mozilla Suite, Firefox, and Thunderbird:

- 2005-28: An issue affecting the plugin functionality; temporary directories are created in an insecure manner. Apparently, an attacker can guess the name of the directory to carry out symbolic-link attacks.

- 2005-22: A dialog-spoofing vulnerability. This issue is distinct from those outlined in BIDs 12234, 12153, 11643, and 11473. This issue makes it possible to specify a content-disposition header as an executable, or any file type, while using a seemingly innocuous file extension such as '.jpeg'. An attacker may leverage this issue to trick a user into downloading a potentially malicious file.

- 2005-21: A '.lnk' link file arbitrary file-overwrite vulnerability. This issue can be leveraged if an attacker can entice an unsuspecting user to download a malicious link file twice. Apparently, when the Mozilla application processes the file, it follows the link and overwrites the attacker-specified file.

- 2005-20: An XSLT stylesheet information-disclosure vulnerability. Apparently, the 'xsl:include' and 'xsl:import' functions can include XSLT stylesheets from any arbitrary computer, including those residing behind the firewall of an unsuspecting user that loads the malicious site. This may facilitate the disclosure of sensitive information.

- 2005-19: An information-disclosure issue affecting the form auto-complete functionality. When an unsuspecting user loads a page containing a form with common field names, such as 'email' or 'SSN', an auto-complete box will pop up, allowing a user to select the text to add to the field. Apparently, any auto-complete values that are selected (e.g. by using the arrow keys to scroll through all the values) are disclosed to the malicious script. An attacker may leverage this issue to access potentially sensitive information.

- 2005-18: A buffer-overflow vulnerability. Apparently, an attacker can execute arbitrary code with the privileges of an affected browser process by causing string allocation to fail. A failure may cause a malicious string to be copied into a previously allocated buffer that may be too small to hold the new string value, facilitating the overflow. Reportedly, exploitation is extremely difficult.

- 2005-17: A dialog-spoofing vulnerability affecting installation confirmation. This dialog displays the source of the installation; this may be spoofed by prepending a long, false 'user:pass' to the true host name. Note that by default 'http://update.mozilla.org' is the only installation source. An unsuspecting user would have to explicitly add the malicious site to the installation source prior to exploitation.

- 2005-15: A heap-overflow vulnerability in UTF8 encoding. Apparently, a vulnerable decoder exists in the application that may allow an attacker to exploit a buffer-overflow condition and to execute arbitrary code. Reportedly, UTF8 processing typically takes place using a secure function, but the vulnerable functionality may still be accessible.

- 2005-15: Multiple spoofing vulnerabilities affecting the SSL 'secure site' lock icon. These issues allow an attacker to present an unsuspecting user with a 'secure site' icon when no valid SSL connection has been established. These issues may help facilitate phishing attacks.

An attacker may leverage these issues to spoof dialog boxes and SSL 'secure site' icons, to carry out symbolic-link attacks, to execute arbitrary code, and to access potentially sensitive information.
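
For the installation-source spoofing described under 2005-17, the following added example (not code from the advisory or from Mozilla) shows how a confirmation dialog or a proxy-log check can derive the host that is actually contacted and treat any 'user:pass' prefix as suspect. The function names, the trusted-host set, and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Default install source named in the advisory; the allow-list itself is an assumption.
TRUSTED_INSTALL_HOSTS = {"update.mozilla.org"}


def install_source(url):
    """Return (host, has_userinfo) for an install URL.

    The host is what the network stack connects to: the part of the
    authority after the last '@', without the port. Anything before the
    '@' is userinfo and must never be displayed as the source.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    host = parts.hostname  # lower-cased, userinfo and port stripped
    if not host:
        raise ValueError("URL has no host")
    has_userinfo = "@" in parts.netloc
    return host, has_userinfo


def review_install_request(url):
    """Decide what a confirmation dialog should show for `url`."""
    host, has_userinfo = install_source(url)
    if has_userinfo:
        verdict = "reject"   # credentials in an install URL: treat as spoofing
    elif host in TRUSTED_INSTALL_HOSTS:
        verdict = "allow"
    else:
        verdict = "prompt"   # unknown source: the user must add it explicitly
    return {"display_host": host, "verdict": verdict}


# Constructed sample URLs (not taken from the advisory).
SAMPLES = [
    "http://update.mozilla.org/extensions/example.xpi",
    "http://update.mozilla.org:" + "x" * 80 + "@attacker.example/example.xpi",
    "https://addons.example.net/example.xpi",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(review_install_request(sample))
```

Displaying only `display_host`, rather than the raw URL, is what prevents the long false prefix from pushing the true host name out of view.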

Please note that this BID will be separated into individual BIDs as soon as further research into each of the vulnerabilities is completed, at which time this 'umbrella' BID will be retired.

Affected Products:

  • Gentoo Linux
  • HP HP-UX B.11.00
  • HP HP-UX B.11.11
  • HP HP-UX B.11.22
  • HP HP-UX B.11.23
  • HP Tru64 5.1.0 A PK6
  • HP Tru64 5.1.0 A PK6 (BL24)
  • HP Tru64 5.1.0 B-2 PK4
  • HP Tru64 5.1.0 B-2 PK4 (BL25)
  • HP Tru64 5.1.0 b PK4
  • Mozilla Browser 1.7.0
  • Mozilla Browser 1.7.1
  • Mozilla Browser 1.7.2
  • Mozilla Browser 1.7.3
  • Mozilla Browser 1.7.4
  • Mozilla Browser 1.7.5
  • Mozilla Firefox 0.10.0
  • Mozilla Firefox 0.10.1
  • Mozilla Firefox 0.8.0
  • Mozilla Firefox 0.9.0
  • Mozilla Firefox 0.9.0 rc
  • Mozilla Firefox 0.9.1
  • Mozilla Firefox 0.9.2
  • Mozilla Firefox 0.9.3
  • Mozilla Firefox 1.0.0
  • Mozilla Thunderbird 0.6.0
  • Mozilla Thunderbird 0.7.0
  • Mozilla Thunderbird 0.7.1
  • Mozilla Thunderbird 0.7.2
  • Mozilla Thunderbird 0.7.3
  • Mozilla Thunderbird 0.8.0
  • Mozilla Thunderbird 0.9.0
  • Mozilla Thunderbird 1.0.0
  • Netscape Netscape 7.0.0
  • Netscape Netscape 7.1.0
  • Netscape Netscape 7.2.0
  • RedHat Advanced Workstation for the Itanium Processor 2.1.0
  • RedHat Advanced Workstation for the Itanium Processor 2.1.0 IA64
  • RedHat Desktop 3.0.0
  • RedHat Desktop 4.0.0
  • RedHat Enterprise Linux AS 2.1
  • RedHat Enterprise Linux AS 2.1 IA64
  • RedHat Enterprise Linux AS 3
  • RedHat Enterprise Linux AS 4
  • RedHat Enterprise Linux ES 2.1
  • RedHat Enterprise Linux ES 2.1 IA64
  • RedHat Enterprise Linux ES 3
  • RedHat Enterprise Linux ES 4
  • RedHat Enterprise Linux WS 2.1
  • RedHat Enterprise Linux WS 2.1 IA64
  • RedHat Enterprise Linux WS 3
  • RedHat Enterprise Linux WS 4
  • RedHat Fedora Core1
  • RedHat Fedora Core2
  • RedHat Fedora Core3
  • RedHat Linux 7.3.0
  • RedHat Linux 7.3.0 i386
  • RedHat Linux 7.3.0 i686
  • RedHat Linux 9.0.0 i386
  • S.u.S.E. Linux Personal 10.0.0 OSS
  • S.u.S.E. Linux Personal 9.0.0
  • S.u.S.E. Linux Personal 9.0.0 x86_64
  • S.u.S.E. Linux Personal 9.1.0
  • S.u.S.E. Linux Personal 9.1.0 x86_64
  • S.u.S.E. Linux Personal 9.2.0
  • S.u.S.E. Linux Personal 9.2.0 x86_64
  • S.u.S.E. Linux Personal 9.3.0
  • S.u.S.E. Linux Personal 9.3.0 x86_64
  • S.u.S.E. Linux Professional 10.0.0
  • S.u.S.E. Linux Professional 10.0.0 OSS
  • S.u.S.E. Linux Professional 9.1.0
  • S.u.S.E. Linux Professional 9.1.0 x86_64
  • S.u.S.E. Linux Professional 9.2.0
  • S.u.S.E. Linux Professional 9.2.0 x86_64
  • S.u.S.E. Linux Professional 9.3.0
  • S.u.S.E. Linux Professional 9.3.0 x86_64
  • SGI ProPack 3.0.0
  • Slackware Linux -current
  • Slackware Linux 10.0.0
  • Slackware Linux 10.1.0
  • Slackware Linux 9.1.0
