
CERT-In Advisory CIAD-2007-31
Multiple Vulnerabilities in Mozilla Products.

Original issue date: May 31, 2007

Severity Rating: High

Systems Affected

  • Mozilla Firefox versions prior to 2.0.0.4
  • Mozilla Firefox versions prior to 1.5.0.12
  • Mozilla SeaMonkey versions prior to 1.0.9
  • Mozilla SeaMonkey versions prior to 1.1.2
  • Mozilla Thunderbird versions prior to 2.0.0.4
  • Mozilla Thunderbird versions prior to 1.5.0.12

Overview

Multiple vulnerabilities have been reported in Mozilla Firefox, Thunderbird and SeaMonkey which could be exploited by remote attackers to execute arbitrary commands on the affected system and possibly compromise the system.

Description

1. Memory Corruption Vulnerability (CVE-2007-2867, CVE-2007-2868)

A memory corruption vulnerability has been reported in Mozilla products due to an error in the way the JavaScript engine parses malformed JavaScript code. This could be exploited by a remote attacker to execute arbitrary commands on the affected system.

2. APOP Authentication Mechanism Vulnerability (CVE-2007-1558)

A vulnerability has been reported in the APOP authentication mechanism which could be exploited by a remote attacker conducting a man-in-the-middle attack to gain access to certain portions of a user's authentication credentials.

Applications such as Mozilla Thunderbird and SeaMonkey which implement the APOP authentication mechanism are vulnerable.

3. addEventListener Method XSS Vulnerability (CVE-2007-2870)

A vulnerability has been reported in Mozilla products due to an error in the "nsEventReceiverSH::AddEventListenerHelper()" function which could be exploited by remote attackers to bypass the browser's same-origin policy by injecting script into another site. A remote attacker could trick a user into visiting a specially crafted webpage to access or modify data from other sites.

Solution

Upgrade to Mozilla Firefox version 2.0.0.4 or 1.5.0.12:
http://www.mozilla.com/firefox/

Upgrade to Mozilla SeaMonkey version 1.0.9 or 1.1.2:
http://www.mozilla.org/projects/seamonkey/

Upgrade to Mozilla Thunderbird version 2.0.0.4 or 1.5.0.12:
http://www.mozilla.com/thunderbird/
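A check against the version ranges listed under "Systems Affected" and "Solution", as an added example that is not part of this advisory or of any Mozilla tooling: it compares installed version strings component by component (so 2.0.0.10 is correctly treated as newer than 2.0.0.4), resolves which maintained branch a build is on, and filters a constructed, hypothetical inventory down to the hosts that still need the upgrade.

```python
import re

# Fixed versions per product, one entry per maintained branch, as listed
# in the advisory's "Solution" section.
FIXED_VERSIONS = {
    "firefox":     ("1.5.0.12", "2.0.0.4"),
    "seamonkey":   ("1.0.9", "1.1.2"),
    "thunderbird": ("1.5.0.12", "2.0.0.4"),
}

def parse_version(text):
    """'2.0.0.4' -> (2, 0, 0, 4); a suffix such as '4rc1' keeps only the 4."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
        if m.end() != len(piece):  # an 'rc1'-style tag ends the numeric part
            break
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)

def is_affected(product, version):
    """True if this build of `product` is in one of the affected ranges."""
    fixes = FIXED_VERSIONS.get(product.lower())
    if fixes is None:
        raise KeyError(f"{product} is not covered by this advisory")
    installed = parse_version(version)
    fixed = sorted(parse_version(v) for v in fixes)
    for fix in fixed:
        if installed[:2] == fix[:2]:  # same branch, e.g. 1.5.x against 1.5.0.12
            return installed < fix    # tuple compare, so 2.0.0.10 > 2.0.0.4
    # Off any listed branch: older than the newest fix is still "prior to" it
    # and is treated as affected; newer branches are outside this advisory.
    return installed < fixed[-1]

def affected_hosts(inventory):
    """Filter (host, product, version) rows down to those needing an upgrade."""
    return [row[0] for row in inventory if is_affected(row[1], row[2])]

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("ws01", "Firefox", "2.0.0.3"),
    ("ws02", "Firefox", "2.0.0.4"),
    ("ws03", "Thunderbird", "1.5.0.10"),
    ("ws04", "SeaMonkey", "1.1.2"),
]
```

Run `affected_hosts(SAMPLE_INVENTORY)` to get the hosts to patch; a build on an unlisted older branch (for example Thunderbird 1.0.x) is reported as affected rather than silently skipped.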

Vendor Information

Mozilla Foundation
http://www.mozilla.org

References

Mozilla Foundation Security Advisories
http://www.mozilla.org/security/announce/2007/mfsa2007-12.html
http://www.mozilla.org/security/announce/2007/mfsa2007-15.html
http://www.mozilla.org/security/announce/2007/mfsa2007-16.html

FrSIRT
http://www.frsirt.com/english/advisories/2007/1994

CVE Name
CVE-2007-2867
CVE-2007-2868
CVE-2007-1558
CVE-2007-2870

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003