
CERT-In Advisory CIAD-2007-62
Multiple Vulnerabilities in Mozilla Products

Original issue date: November 29, 2007

Severity Rating: High

Systems Affected

  • Mozilla Firefox version 2.0.0.9 and prior
  • Mozilla SeaMonkey version 1.1.6 and prior

Overview

Multiple vulnerabilities have been reported in Mozilla Firefox and SeaMonkey which could be exploited by a remote attacker to gain elevated privileges, cause a denial of service or execute arbitrary code on the affected system.

Description

1. Memory corruption vulnerability in Mozilla
(CVE-2007-5959)

A vulnerability has been reported in Mozilla products due to memory corruption errors in the browser engine and the JavaScript engine while parsing malformed data. A remote attacker could exploit this to crash the browser and cause a denial of service on the affected system.

Successful exploitation of this vulnerability may also allow execution of arbitrary code.

2. Cross Site Request Forgery vulnerability in Mozilla
(CVE-2007-5960)

A vulnerability has been reported in Mozilla products due to a race condition while setting the "window.location" property, which could be exploited by a malicious web page to send a forged HTTP Referer header. An attacker could use this to conduct cross-site request forgery against sites that rely only on the Referer header for protection from such attacks.

Solution

Upgrade to Firefox version 2.0.0.10:
http://www.mozilla.com/en-US/firefox/

Upgrade to Mozilla SeaMonkey version 1.1.7:
http://www.mozilla.org/projects/seamonkey/

Vendor Information

Mozilla Foundation
http://www.mozilla.org/security/announce/2007/mfsa2007-38.html
http://www.mozilla.org/security/announce/2007/mfsa2007-39.html

References

FrSIRT
http://www.frsirt.com/english/advisories/2007/4002

Secunia
http://secunia.com/advisories/27725/

CVE-Name
CVE-2007-5959
CVE-2007-5960

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003