CERT-In Advisory CIAD-2006-23
Multiple Vulnerabilities in Mozilla Products

Original issue date: July 28, 2006

Severity Rating: High

Systems Affected

  • Mozilla Firefox version 1.5.0.4 and prior
  • Mozilla Thunderbird version 1.5.0.4 and prior
  • Mozilla SeaMonkey version 1.0.2 and prior

Overview

Multiple vulnerabilities have been reported in Mozilla products which could be exploited by attackers to execute arbitrary commands and to conduct cross-site scripting attacks.

Description

Deleted frame reference remote code execution vulnerability (CVE-2006-3801)

A vulnerability has been reported in Mozilla Firefox because it fails to properly handle JavaScript references to "frame" or "window" objects after the referenced content has been deleted. This could allow remote attackers to execute arbitrary code and compromise an affected system.

JavaScript navigator remote code execution vulnerability (CVE-2006-3677)

A vulnerability has been reported in Mozilla Firefox due to an error that occurs when specially crafted values are assigned to the "window.navigator" object. This could be exploited by remote attackers to compromise a vulnerable system by enticing the user to visit a malicious web page.

Memory corruption error via simultaneous XPCOM events (CVE-2006-3113)

A vulnerability has been reported in Mozilla Firefox due to a memory corruption error while handling simultaneous XPCOM events, which leads to the use of a deleted timer object. This could be exploited by remote attackers to execute arbitrary commands via a malicious web page or email and compromise an affected system.

Native DOM method access vulnerability (CVE-2006-3802)

A vulnerability has been reported in Mozilla Firefox due to an error that occurs when native DOM methods (e.g. "document.getElementById()") are accessed.

This could be exploited by remote attackers to gain unauthorized access to sensitive data (e.g. cookies).

JavaScript new Function race condition error (CVE-2006-3803)

A race condition occurs when temporary variables used in the creation of new Function objects are deleted while they are still in use. This could be exploited by remote attackers to execute arbitrary code and compromise a vulnerable system via a malicious web page or email message.

Heap overflow vulnerability in VCard attachments (CVE-2006-3804)

A heap overflow vulnerability exists due to a flaw in the processing of a VCard attachment containing a malformed base64 field (e.g. photo). This could be exploited by remote attackers to execute arbitrary commands and compromise an affected system.

JavaScript engine fails to properly perform garbage collection (CVE-2006-3805)

Garbage collection generally refers to algorithms that

  • determine which objects are still needed by starting from a set of roots and finding all objects reachable from them, and
  • return all remaining objects to the heap.

The roots include things like global variables and variables on the current call stack.

Mozilla's JavaScript engine uses one of the most common garbage collection algorithms, mark and sweep, in which the garbage collector clears the mark bit on each object, sets the mark bits on all roots and all objects reachable from them, and then finalizes all objects not marked and returns the memory they used to the heap.

A vulnerability has been reported in Mozilla Firefox due to the JavaScript engine failing to properly perform garbage collection. This could allow attackers to execute arbitrary code and compromise an affected system.
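A minimal mark-and-sweep collector, added here as an illustration (it is not Mozilla's engine code): the three phases described above, followed by a constructed case in which a live object that was never registered as a root is finalized and becomes a dangling reference, the class of failure this CVE concerns.

```python
class Obj:
    def __init__(self, name):
        self.name = name
        self.refs = []          # outgoing references to other Obj instances
        self.marked = False     # the mark bit set by the collector
        self.finalized = False  # set once the object has been swept


class Heap:
    def __init__(self):
        self.objects = []

    def alloc(self, name):
        obj = Obj(name)
        self.objects.append(obj)
        return obj

    def collect(self, roots):
        """Mark and sweep as the advisory describes it; returns the names freed."""
        for obj in self.objects:            # phase 1: clear every mark bit
            obj.marked = False
        stack = list(roots)                 # phase 2: mark roots and everything reachable
        while stack:
            obj = stack.pop()
            if obj.marked:                  # the mark bit also terminates cycles
                continue
            obj.marked = True
            stack.extend(obj.refs)
        freed = [obj for obj in self.objects if not obj.marked]
        for obj in freed:                   # phase 3: finalize unmarked objects
            obj.finalized = True            # and return their memory to the heap
        self.objects = [obj for obj in self.objects if obj.marked]
        return sorted(obj.name for obj in freed)


def run_example():
    heap = Heap()
    glob = heap.alloc("global")             # a root: a global variable
    child = heap.alloc("child")
    glob.refs.append(child)                 # reachable only through the root
    child.refs.append(glob)                 # a cycle, which mark-and-sweep handles
    heap.alloc("orphan")                    # referenced by nothing: genuine garbage
    # Constructed failure mode: the engine still uses 'in_use' but never
    # registered that reference as a root, so the collector cannot see it.
    in_use = heap.alloc("in_use")
    freed = heap.collect(roots=[glob])
    return {"freed": freed, "child_alive": not child.finalized,
            "in_use_dangling": in_use.finalized}  # True: a dangling reference
```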

Mozilla JavaScript engine contains multiple integer overflows (CVE-2006-3806)

Multiple integer overflows exist in the Mozilla JavaScript engine because it fails to properly handle malformed strings in the toSource() methods of the Object, Array and String objects, as well as in string function arguments.

This could allow attackers to execute arbitrary code and compromise an affected system.

Privilege escalation using named functions and a redefined "new Object()" (CVE-2006-3807)

A vulnerability has been reported in Mozilla due to an error in the handling of the "Object()" constructor. This could be exploited by remote attackers to execute arbitrary code and compromise an affected system.

JavaScript functions have a parent object created using the standard Object() constructor, and this constructor can be redefined by script. If the Object() constructor is changed to return a reference to a privileged object with useful properties, it is possible to have attacker-supplied script executed with elevated privileges by calling the function. This could be used to install malware or take other malicious actions.

PAC privilege escalation using Function.prototype.call (CVE-2006-3808)

A vulnerability has been reported in Mozilla that can be triggered by a malicious Proxy AutoConfig (PAC) server. A malicious proxy could serve a PAC script whose FindProxyForURL function passes code to the eval method of a privileged object that had leaked into the PAC sandbox, and then redirect the victim to a specially-crafted URL so that the code is executed. This could be exploited by remote attackers to compromise an affected system.

UniversalBrowserRead privilege escalation (CVE-2006-3809)

A vulnerability has been reported in Mozilla due to errors in the handling of the "UniversalBrowserRead" and "UniversalBrowserWrite" permissions.

This could be exploited by remote attackers using malicious scripts to obtain full elevated privileges and possibly install malware or snoop on private data on an affected system.

Cross-site scripting vulnerability in "XPCNativeWrapper" objects (CVE-2006-3810)

A vulnerability has been reported in Mozilla Firefox due to an error in the handling of a crafted "XPCNativeWrapper" object. This could be exploited by remote attackers to perform cross-site scripting attacks via XPCNativeWrapper(window).Function(...), the result of which is used later.

Memory corruption error in Mozilla products (CVE-2006-3811)

A vulnerability has been reported in Mozilla Firefox due to a memory corruption error. This could be exploited by remote attackers to execute arbitrary code and compromise an affected system via a malicious web page.

Vulnerability in chrome URLs (CVE-2006-3812)

A vulnerability has been reported in Mozilla Firefox due to the handling of chrome URLs, which run script with full privileges. This vulnerability could be exploited by remote attackers to execute arbitrary script with elevated privileges and compromise an affected system.

Solution

Upgrade to the latest versions.
http://www.mozilla.com/firefox/
http://www.mozilla.com/thunderbird/releases/1.5.0.5.html
http://www.mozilla.org/projects/seamonkey/
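A version-range check against the affected versions listed in "Systems Affected", added here as an example for verifying that deployed installations have been upgraded (it is not CERT-In or Mozilla code). The inventory rows are constructed; the upper bounds are the "and prior" versions from this advisory.

```python
import re

# Last affected versions, taken from the "Systems Affected" list of this advisory.
LAST_AFFECTED = {
    "firefox": "1.5.0.4",
    "thunderbird": "1.5.0.4",
    "seamonkey": "1.0.2",
}


def parse_version(version):
    """Turn '1.5.0.4' (or '1.5.0.5rc1') into a tuple of ints. A trailing
    non-digit suffix on a component is dropped so comparison stays numeric."""
    parts = []
    for comp in version.strip().split("."):
        match = re.match(r"\d+", comp)
        if not match:
            raise ValueError(f"unparseable version component {comp!r} in {version!r}")
        parts.append(int(match.group()))
    return tuple(parts)


def is_affected(product, version):
    """True if product/version falls within this advisory's affected range
    ('version X and prior'). Versions of differing length are zero-padded,
    so '1.5' is treated as 1.5.0.0 and compares below 1.5.0.4."""
    key = product.lower()
    if key not in LAST_AFFECTED:
        return False                        # product not covered by this advisory
    have, last = parse_version(version), parse_version(LAST_AFFECTED[key])
    width = max(len(have), len(last))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(have) <= pad(last)


def hosts_needing_upgrade(inventory):
    """Return the sorted host names whose product build is still affected."""
    return sorted(host for host, product, version in inventory
                  if is_affected(product, version))


# Constructed sample inventory (host, product, version); not real data.
SAMPLE_INVENTORY = [
    ("ws-01", "Firefox", "1.5.0.4"),
    ("ws-02", "Firefox", "1.5.0.5"),
    ("ws-03", "Thunderbird", "1.5"),
    ("ws-04", "SeaMonkey", "1.0.2"),
    ("ws-05", "SeaMonkey", "1.0.3"),
    ("ws-06", "Firefox", "1.0.8"),
]
```

Running `hosts_needing_upgrade(SAMPLE_INVENTORY)` lists the hosts still within the affected range; an unknown product string is reported as not affected rather than guessed at.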

Vendor Information

Mozilla Foundation
http://www.mozilla.org

References

FrSIRT Advisories
http://www.frsirt.com/english/advisories/2006/2998

Secunia
http://secunia.com/advisories/19873/

Security Focus
http://www.securityfocus.com/bid/19181

US-CERT
http://www.us-cert.gov/cas/techalerts/TA06-208A.html

Mozilla Foundation Security Advisories
http://www.mozilla.org/security/announce/2006/mfsa2006-56.html
http://www.mozilla.org/security/announce/2006/mfsa2006-55.html
http://www.mozilla.org/security/announce/2006/mfsa2006-54.html
http://www.mozilla.org/security/announce/2006/mfsa2006-53.html
http://www.mozilla.org/security/announce/2006/mfsa2006-52.html
http://www.mozilla.org/security/announce/2006/mfsa2006-51.html
http://www.mozilla.org/security/announce/2006/mfsa2006-50.html
http://www.mozilla.org/security/announce/2006/mfsa2006-49.html
http://www.mozilla.org/security/announce/2006/mfsa2006-48.html
http://www.mozilla.org/security/announce/2006/mfsa2006-47.html
http://www.mozilla.org/security/announce/2006/mfsa2006-46.html
http://www.mozilla.org/security/announce/2006/mfsa2006-45.html
http://www.mozilla.org/security/announce/2006/mfsa2006-44.html

CVE-Name

CVE-2006-3801
CVE-2006-3677
CVE-2006-3113
CVE-2006-3802
CVE-2006-3803
CVE-2006-3804
CVE-2006-3805
CVE-2006-3806
CVE-2006-3807
CVE-2006-3808
CVE-2006-3809
CVE-2006-3810
CVE-2006-3811
CVE-2006-3812

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003