HOME > ADVISORIES


   ADVISORIES

CERT-In Advisory CIAD-2008-08
Multiple Vulnerabilities in Mozilla Products

Original issue date: February 11, 2008

Severity Rating: High

Systems Affected

•  Firefox versions prior to 2.0.0.12
•  SeaMonkey versions prior to 1.1.8
•  Thunderbird versions prior to 2.0.0.12

Overview

Multiple vulnerabilities have been reported in Mozilla which could be exploited by remote attacker to execute arbitrary code, conduct cross-site scripting attack and disclose sensitive information on the affected system.

Description

1. Crashes with evidence of memory corruption (CVE-2008-0412) (CVE-2008-0413)

A vulnerability has been reported in the browser, JavaScript engine due to memory corruption error. The vulnerability could be exploited by remote attacker to run arbitrary code on the affected system.

2. Multiple file input focus stealing vulnerabilities
(CVE-2008-0414)

Multiple vulnerabilities have been reported in Mozilla due to error within the focus handling. A remote attacker could exploit the vulnerability to trick user into uploading arbitrary files from the user system.

3. Cross-site scripting, remote code execution vulnerability
(CVE-2008-0415)

A vulnerability has been reported in JavaScript engine which could be exploited by remote attackers to execute script outside of the sandbox and conduct cross-site scripting (XSS) attacks via multiple vectors including the XMLDocument.load function.

4. Stored password corruption in Mozilla Firefox
(CVE-2008-0417)

A vulnerability has been reported in Mozilla Firefox when a user saves passwords for some malicious website. A remote attacker could inject newlines into Firefox's password store and corrupt saved passwords for other sites.

5. Directory traversal via chrome: URI vulnerability
(CVE-2008-0418)
A vulnerability has been reported in the chrome: URI scheme in Mozilla Firefox when the browser had installed add-ons which used "flat" packaging rather than .jar packaging. A remote attacker could exploit this vulnerability to cause directory traversal and load JavaScript, images, and stylesheets from a predictable location on the disk of affected user system. Further attacker can steal the contents of the browser's sessionstore.js file, which contains session cookie data and information about currently open web pages.

6. Web browsing history and forward navigation stealing vulnerability
(CVE-2008-0419)

A vulnerability has been reported in Mozilla Firefox in the way images are treated by the browser when a user leaves a page which utilizes designMode frames. A remote attacker could exploit the vulnerability via creating specially crafted HTML containing designMode frames. When user navigates away from the page, the crafted html page can steal user' navigation history, forward navigation information, and crash the user browser or potentially run arbitrary code.

7. File action dialog tampering vulnerability
(CVE-2008-0591)

A vulnerability has been reported in Mozilla which cause timer-enabled security dialogs to be subverted by an attacker using JavaScript to change the window focus. A remote attacker could exploit the vulnerability by tricking user into confirming a security dialog of this type by bringing the dialog back into focus right before a user clicked in a predictable time and place.

Workarounds

  • Disable "flat-packaged" add-ons from the browser settings.
  • Disable JavaScript in browser settings.
  • Do not ask Firefox to save passwords on untrusted sites.

Solution

Upgrade to Firefox and Thunderbird version 2.0.0.12
Upgrade to SeaMonkey version 1.1.8
http://www.mozilla.org/download.html

Vendor Information

Mozilla Foundation
http://www.mozilla.org

References

Mozilla Foundation Security Advisories
http://www.mozilla.org/security/announce/2008/mfsa2008-01.html
http://www.mozilla.org/security/announce/2008/ mfsa2008-02.html
http://www.mozilla.org/security/announce/2008/ mfsa2008-03.html
http://www.mozilla.org/security/announce/2008/ mfsa2008-04.html
http://www.mozilla.org/security/announce/2008/ mfsa2008-05.html
http://www.mozilla.org/security/announce/2008/ mfsa2008-06.html
http://www.mozilla.org/security/announce/2008/ mfsa2008-08.html


Secunia
http://secunia.com/advisories/28758/

CVE-Name
CVE-2008-0412
CVE-2008-0413
CVE-2008-0414
CVE-2008-0415
CVE-2008-0417
CVE-2008-0418
CVE-2008-0419
CVE-2008-0591

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003