
Re: [tlug] FireFox Update (1.5.0.5)



On 7/29/06, Jim <jep200404@example.com> wrote:
> Lyle wrote:
>
> > there's an update for both FireFox and Thunderbird.
>
> There are often updates for FireFox and Thunderbird,
> so by itself, that updates are available is not noteworthy.
> It would be helpful to say what is special about the
> recent updates, so we'll know why we should care.

I wasn't going to go into this, but since you request more details,
here they are.  Being from the PR industry, this warning from CERT
positively reeks of attack PR.  I guess they've been damaged by...
some corrupting force - use your imagination as to what it might be.
Notice how many times they hammer in phrases like:

"Mozilla products fail to....",

"Mozilla products are vulnerable to....",

"Mozilla products contain multiple vulnerabilities...."

- etc. etc.

I just mentioned it to the list for those of us who are using FireFox
and/or Thunderbird - who are generally interested in paying attention
to security updates.

As for the CERT letter - here's the full text for your reading
pleasure.  From other sources, I heard that it affects our beloved
product from Brand-W as well; interesting that there's no mention of
that in the CERT letter.....


National Cyber Alert System

                Technical Cyber Security Alert TA06-208A


Mozilla Products Contain Multiple Vulnerabilities

  Original release date: July 27, 2006
  Last revised: --
  Source: US-CERT


Systems Affected

    * Mozilla SeaMonkey
    * Mozilla Firefox
    * Mozilla Thunderbird

  Any products based on Mozilla components, specifically Gecko, may also
  be affected.


Overview

  The Mozilla web browser and derived products contain several
  vulnerabilities, the most serious of which could allow a remote
  attacker to execute arbitrary code on an affected system.


I. Description

  Several vulnerabilities have been reported in the Mozilla web browser
  and derived products. More detailed information is available in the
  individual vulnerability notes, including the following:


  VU#476724 - Mozilla products fail to properly handle frame references

  Mozilla products fail to properly handle frame or window references.
  This may allow a remote attacker to execute arbitrary code on a
  vulnerable system.
  (CVE-2006-3801)


  VU#670060 - Mozilla fails to properly release JavaScript references

  Mozilla products fail to properly release memory. This vulnerability
  may allow a remote attacker to execute code on a vulnerable system.
  (CVE-2006-3677)


  VU#239124 - Mozilla fails to properly handle simultaneous XPCOM events

  Mozilla products are vulnerable to memory corruption via simultaneous
  XPCOM events. This may allow a remote attacker to execute arbitrary
  code on a vulnerable system.
  (CVE-2006-3113)


  VU#265964 - Mozilla products contain a race condition

  Mozilla products contain a race condition. This vulnerability may
  allow a remote attacker to execute code on a vulnerable system.
  (CVE-2006-3803)


  VU#897540 - Mozilla products VCard attachment buffer overflow

  Mozilla products fail to properly handle malformed VCard attachments,
  allowing a buffer overflow to occur. This vulnerability may allow a
  remote attacker to execute arbitrary code on a vulnerable system.
  (CVE-2006-3804)


  VU#876420 - Mozilla fails to properly handle garbage collection

  The Mozilla JavaScript engine fails to properly perform garbage
  collection, which may allow a remote attacker to execute arbitrary
  code on a vulnerable system.
  (CVE-2006-3805)


  VU#655892 - Mozilla JavaScript engine contains multiple integer
  overflows

  The Mozilla JavaScript engine contains multiple integer overflows.
  This vulnerability may allow a remote attacker to execute arbitrary
  code on a vulnerable system.
  (CVE-2006-3806)


  VU#687396 - Mozilla products fail to properly validate JavaScript
  constructors

  Mozilla products fail to properly validate references returned by
  JavaScript constructors. This vulnerability may allow a remote
  attacker to execute arbitrary code on a vulnerable system.
  (CVE-2006-3807)


  VU#527676 - Mozilla contains multiple memory corruption
  vulnerabilities

  Mozilla products contain multiple vulnerabilities that can cause
  memory corruption. This may allow a remote attacker to execute
  arbitrary code on a vulnerable system.
  (CVE-2006-3811)


II. Impact

  A remote, unauthenticated attacker could execute arbitrary code on a
  vulnerable system. An attacker may also be able to cause the
  vulnerable application to crash.


III. Solution

Upgrade

  Upgrade to Mozilla Firefox 1.5.0.5, Mozilla Thunderbird 1.5.0.5, or
  SeaMonkey 1.0.3.

Disable JavaScript and Java

  These vulnerabilities can be mitigated by disabling JavaScript and
  Java in all affected products. Instructions for disabling Java in
  Firefox can be found in the "Securing Your Web Browser" document.


Appendix A. References

    * US-CERT Vulnerability Notes Related to July Mozilla Security
      Advisories -
      <http://www.kb.cert.org/vuls/byid?searchview&query=firefox_1505>

    * CVE-2006-3801 -
      <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3801>

    * CVE-2006-3677 -
      <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3677>

    * CVE-2006-3113 -
      <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3113>

    * CVE-2006-3803 -
      <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3803>

    * CVE-2006-3804 -
      <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3804>

    * CVE-2006-3805 -
      <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3805>

    * CVE-2006-3806 -
      <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3806>

    * CVE-2006-3807 -
      <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3807>

    * CVE-2006-3811 -
      <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3811>

    * Mozilla Foundation Security Advisories -
      <http://www.mozilla.org/security/announce/>

    * Known Vulnerabilities in Mozilla Products -
      <http://www.mozilla.org/projects/security/known-vulnerabilities.html>

    * Securing Your Web Browser -
      <http://www.us-cert.gov/reading_room/securing_browser/browser_security.html#Mozilla_Firefox>

____________________________________________________________________

  The most recent version of this document can be found at:

    <http://www.us-cert.gov/cas/techalerts/TA06-208A.html>
____________________________________________________________________

  Produced 2006 by US-CERT, a government organization.

