J-Security Center

Latest Attack Object Updates
  • IDP Daily Update #1546
    posted: 11/23/09
  • NSM Daily Update #1546
    posted: 11/23/09
  • Deep Inspection 5.3r5 and above, 5.4, 6.0 #1546
    posted: 11/23/09
  • Deep Inspection 5.1 and 5.2 #1435
    posted: 11/23/09
  • Deep Inspection 5.0, 5.3r4 and below #1132
    posted: 03/28/08 (04/01/08 for 5.0)
  • Antivirus
    posted: 11/22/09

Title: Mozilla Firefox 2.0.0.14 Multiple Remote Vulnerabilities

Severity: HIGH

Description:

The Mozilla Foundation has released multiple advisories regarding security vulnerabilities in Firefox 2.0.0.14 and prior versions.

The following issues have been reported:

1. MFSA 2008-33. A vulnerability that affects the block reflow may result in a denial of service or remote code execution.

2. MFSA 2008-32. A vulnerability may allow a remote site to run as a local file via a Windows URL shortcut. This may allow for cross-zone attacks and scripts running with elevated privileges.

3. MFSA 2008-31. A security-bypass vulnerability may allow peer-trusted certificates to use alternative names for spoofing attacks.

4. MFSA 2008-30. A vulnerability that affects the file location URL in directory listings may be used to perform cross-site scripting or HTML-injection attacks.

5. MFSA 2008-29. A vulnerability resulting from a faulty '.properties' file may allow access to uninitialized memory.

6. MFSA 2008-28. Java LiveConnect on Mac OS X is affected by an issue that may allow attackers to violate the same-origin policy and open arbitrary socket connections.

7. MFSA 2008-27. Multiple file-upload vulnerabilities occur because of errors in 'originalTarget' and 'DOM Range'.

8. MFSA 2008-25. The 'mozIJSSubScriptLoader.loadSubScript()' function is affected by an arbitrary-code-execution vulnerability.

9. MFSA 2008-24. Nonprivileged XUL (XML User Interface Language) files can be used to run arbitrary JavaScript code with chrome privileges by loading scripts via the fastload file.

10. MFSA 2008-23. A vulnerability affecting the JavaScript engine allows arbitrary scripts to be injected into signed JAR files. This can allow malicious script code to run in the context of arbitrary sites or allow attackers to link JAR file content to malicious script code.

11. MFSA 2008-22. A cross-site scripting vulnerability occurs because of errors in the JavaScript engine's mechanisms that enforce the same-origin policy.

12. MFSA 2008-21. Multiple memory-corruption vulnerabilities affecting the browser engine can be exploited to cause denial-of-service conditions or potentially to execute arbitrary code.

No further details are currently available. We will update this BID as more information becomes available.

Exploiting these issues can allow attackers to steal authentication credentials, obtain potentially sensitive information, bypass security restrictions, crash the application, upload arbitrary files, execute scripts with elevated privileges, potentially execute arbitrary code, and compromise the browser. Other attacks are possible.

These issues are present in Firefox 2.0.0.14 and prior versions.

Mozilla Thunderbird is affected by the issues described in Mozilla advisories MFSA 2008-21, MFSA 2008-24, and MFSA 2008-25. Note that these issues arise in Thunderbird only when JavaScript is enabled. JavaScript is not enabled in the default installation.

Affected Products:

  • Avaya Interactive Response 4.0
  • Avaya Intuity LX
  • Avaya Intuity LX 2.0
  • Avaya Message Networking
  • Avaya Message Networking 3.1
  • Avaya Message Networking MN 3.1
  • Avaya Messaging Storage Server 3.1
  • Debian Iceweasel
  • Debian Linux 4.0
  • Debian Linux 4.0 alpha
  • Debian Linux 4.0 amd64
  • Debian Linux 4.0 arm
  • Debian Linux 4.0 hppa
  • Debian Linux 4.0 ia-32
  • Debian Linux 4.0 ia-64
  • Debian Linux 4.0 m68k
  • Debian Linux 4.0 mips
  • Debian Linux 4.0 mipsel
  • Debian Linux 4.0 powerpc
  • Debian Linux 4.0 s/390
  • Debian Linux 4.0 sparc
  • Debian Xulrunner
  • Gentoo Linux
  • MandrakeSoft Corporate Server 3.0.0
  • MandrakeSoft Corporate Server 3.0.0 x86_64
  • MandrakeSoft Corporate Server 4.0
  • MandrakeSoft Corporate Server 4.0.0 x86_64
  • MandrakeSoft Linux Mandrake 2008.0
  • MandrakeSoft Linux Mandrake 2008.0 x86_64
  • MandrakeSoft Linux Mandrake 2008.1
  • MandrakeSoft Linux Mandrake 2008.1 x86_64
  • Mozilla Firefox 2.0
  • Mozilla Firefox 2.0 RC2
  • Mozilla Firefox 2.0 RC3
  • Mozilla Firefox 2.0 beta 1
  • Mozilla Firefox 2.0.0.1
  • Mozilla Firefox 2.0.0.10
  • Mozilla Firefox 2.0.0.11
  • Mozilla Firefox 2.0.0.12
  • Mozilla Firefox 2.0.0.13
  • Mozilla Firefox 2.0.0.14
  • Mozilla Firefox 2.0.0.2
  • Mozilla Firefox 2.0.0.3
  • Mozilla Firefox 2.0.0.4
  • Mozilla Firefox 2.0.0.5
  • Mozilla Firefox 2.0.0.6
  • Mozilla Firefox 2.0.0.7
  • Mozilla Firefox 2.0.0.8
  • Mozilla Firefox 2.0.0.9
  • Mozilla SeaMonkey 1.1 beta
  • Mozilla SeaMonkey 1.1.1
  • Mozilla SeaMonkey 1.1.2
  • Mozilla SeaMonkey 1.1.3
  • Mozilla SeaMonkey 1.1.4
  • Mozilla SeaMonkey 1.1.5
  • Mozilla SeaMonkey 1.1.6
  • Mozilla SeaMonkey 1.1.7
  • Mozilla SeaMonkey 1.1.8
  • Mozilla SeaMonkey 1.1.9
  • Mozilla Thunderbird 2.0.0.12
  • Mozilla Thunderbird 2.0.0.13
  • Mozilla Thunderbird 2.0.0.14
  • Mozilla Thunderbird 2.0.0.4
  • Mozilla Thunderbird 2.0.0.5
  • Mozilla Thunderbird 2.0.0.6
  • Mozilla Thunderbird 2.0.0.8
  • Mozilla Thunderbird 2.0.0.9
  • Pardus Linux 2007
  • Pardus Linux 2007.1
  • RedHat Advanced Workstation for the Itanium Processor 2.1.0
  • RedHat Desktop 3.0.0
  • RedHat Desktop 4.0.0
  • RedHat Enterprise Linux 5 server
  • RedHat Enterprise Linux AS 2.1
  • RedHat Enterprise Linux AS 3
  • RedHat Enterprise Linux AS 4
  • RedHat Enterprise Linux Desktop 5 client
  • RedHat Enterprise Linux Desktop Workstation 5 client
  • RedHat Enterprise Linux ES 2.1
  • RedHat Enterprise Linux ES 3
  • RedHat Enterprise Linux ES 4
  • RedHat Enterprise Linux Optional Productivity Application 5 server
  • RedHat Enterprise Linux WS 2.1
  • RedHat Enterprise Linux WS 3
  • RedHat Enterprise Linux WS 4
  • RedHat Fedora 8
  • RedHat Fedora 9
  • S.u.S.E. SUSE Linux Enterprise 10 SP1 DEBUGINFO
  • S.u.S.E. SUSE Linux Enterprise 10 SP2 DEBUGINFO
  • S.u.S.E. SUSE Linux Enterprise Desktop 10 SP1
  • S.u.S.E. SUSE Linux Enterprise Desktop 10 SP2
  • S.u.S.E. SUSE Linux Enterprise Server 10 SP1
  • S.u.S.E. SUSE Linux Enterprise Server 10 SP2
  • S.u.S.E. openSUSE 10.2
  • S.u.S.E. openSUSE 10.3
  • Slackware Linux -current
  • Slackware Linux 10.2.0
  • Slackware Linux 11.0
  • Slackware Linux 12.0
  • Slackware Linux 12.1
  • Sun OpenSolaris build snv_89
  • Sun OpenSolaris build snv_90
  • Sun OpenSolaris build snv_91
  • Sun OpenSolaris build snv_92
  • Sun OpenSolaris build snv_93
  • Sun OpenSolaris build snv_94
  • Sun Solaris 10.0
  • Sun Solaris 10.0_x86
  • Ubuntu Ubuntu Linux 6.06 LTS amd64
  • Ubuntu Ubuntu Linux 6.06 LTS i386
  • Ubuntu Ubuntu Linux 6.06 LTS powerpc
  • Ubuntu Ubuntu Linux 6.06 LTS sparc
  • Ubuntu Ubuntu Linux 7.04 amd64
  • Ubuntu Ubuntu Linux 7.04 i386
  • Ubuntu Ubuntu Linux 7.04 powerpc
  • Ubuntu Ubuntu Linux 7.04 sparc
  • Ubuntu Ubuntu Linux 7.10 amd64
  • Ubuntu Ubuntu Linux 7.10 i386
  • Ubuntu Ubuntu Linux 7.10 lpia
  • Ubuntu Ubuntu Linux 7.10 powerpc
  • Ubuntu Ubuntu Linux 7.10 sparc
  • Ubuntu Ubuntu Linux 8.04 LTS amd64
  • Ubuntu Ubuntu Linux 8.04 LTS i386
  • Ubuntu Ubuntu Linux 8.04 LTS lpia
  • Ubuntu Ubuntu Linux 8.04 LTS powerpc
  • Ubuntu Ubuntu Linux 8.04 LTS sparc
  • rPath rPath Linux 1

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.