
CERT-In Advisory CIAD-2008-17
Multiple Vulnerabilities in Mozilla Products

Original issue date: March 28, 2008

Severity Rating: High

Systems Affected

•  Firefox versions prior to 2.0.0.13
•  SeaMonkey versions prior to 1.1.9
•  Thunderbird versions prior to 2.0.0.13

Overview

Multiple vulnerabilities have been reported in Mozilla-based products which could be exploited by a remote attacker to execute arbitrary code and launch denial of service, cross site scripting, cross site request forgery and phishing attacks on the affected system.

Description

1. Multiple character encoding vulnerabilities ( CVE-2008-0416 )

A vulnerability has been reported in the Mozilla HTML parser due to its treatment of backspace as whitespace, contrary to the HTML specification. This could be exploited by a remote attacker to conduct cross site scripting attacks against websites which filter input in accordance with the specification.

2. Privilege escalation via incorrect principal ( CVE-2008-1235 )

An unspecified vulnerability has been reported in Mozilla which could be exploited by a remote attacker to execute arbitrary code via unknown vectors that cause JavaScript to execute with the wrong principal.

3. Cross site scripting via event handlers ( CVE-2008-1234 )

A cross site scripting vulnerability has been reported in Mozilla which allows a remote attacker to inject arbitrary web script or HTML via event handlers.

4. XPCNativeWrappers JavaScript code execution vulnerability ( CVE-2008-1233 )

A vulnerability has been reported due to an unspecified error in the handling of "XPCNativeWrappers" which could lead to the execution of arbitrary JavaScript code with the user's privileges via "setTimeout()" calls.

5. Browser/JavaScript engine crashes due to memory corruption ( CVE-2008-1236 , CVE-2008-1237 )

Multiple unspecified vulnerabilities have been reported in the browser/JavaScript engine which could lead to memory corruption errors under certain circumstances. These vulnerabilities could be exploited to crash the engine or possibly execute arbitrary code on the affected system.

6. HTTP Referer spoofing via malformed URLs ( CVE-2008-1238 )

A vulnerability has been reported in Firefox and SeaMonkey due to an error in handling HTTP "Referer:" headers when sent with requests to URLs containing "Basic Authentication" credentials having an empty username. In these cases a number of leading characters, based on the length of the password in the URL, are removed from the referrer hostname. This allows a remote attacker to bypass an application's Cross-Site Request Forgery (CSRF) protection mechanism based on the referrer field.

7. Java socket connection to any local port via LiveConnect ( CVE-2008-1240 )

A vulnerability has been reported in LiveConnect in Firefox and SeaMonkey due to improper parsing of the content origin for jar: URIs passed from the browser to the Java plugin. This could be exploited by remote attackers to access arbitrary ports on the local machine.

8. XUL popup spoofing vulnerability ( CVE-2008-1241 )

A vulnerability has been reported in Firefox and SeaMonkey which could be exploited from a background tab to create a borderless XUL pop-up in front of the active tab in the user's browser. Such a pop-up can spoof form elements, such as a login prompt for a site opened in a different tab, and steal the user's login credentials for that site (phishing attack).
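
Added example (not part of the original advisory) for item 6, CVE-2008-1238: a server-side CSRF check that trusts only the Referer hostname, next to a session-bound token check that does not depend on that header. The host name, session identifier and both requests are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

TRUSTED_HOST = "bank.example"         # assumed site name (constructed)
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret

def referer_only_check(headers):
    """Weak: trusts whatever hostname the browser wrote into Referer."""
    try:
        host = urlsplit(headers.get("Referer", "")).hostname
    except ValueError:  # malformed URL in the header
        return False
    return host == TRUSTED_HOST

def issue_token(session_id):
    """Session-bound token the site embeds in its own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def token_check(session_id, form):
    """Hardened: the body must carry the token issued for this session."""
    supplied = form.get("csrf_token", "").encode()
    return hmac.compare_digest(supplied, issue_token(session_id).encode())

def evaluate():
    """Run both checks over two constructed state-changing requests."""
    session = "sess-1234"  # constructed session identifier
    # Request submitted from the site's own form.
    genuine = ({"Referer": "https://bank.example/transfer"},
               {"amount": "10", "csrf_token": issue_token(session)})
    # Cross-site request as the server sees it when an affected browser has
    # mangled the referrer hostname so it reads as the trusted host. The
    # third-party page cannot read the victim's token, so none is present.
    forged = ({"Referer": "https://bank.example/"}, {"amount": "9999"})
    results = {}
    for name, (headers, form) in (("genuine", genuine), ("forged", forged)):
        results[name] = {"referer_only": referer_only_check(headers),
                         "token": token_check(session, form)}
    return results

if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(name, verdicts)
```

The Referer-only check accepts both requests, while the token check rejects the forged one because the decision no longer rests on a header the affected browser can be made to misreport.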

Workaround

Disable JavaScript in the browser settings.

Solution

Upgrade to Firefox and Thunderbird version 2.0.0.13
Upgrade to SeaMonkey version 1.1.9
http://www.mozilla.org/download.html

Vendor Information

Mozilla Foundation
http://www.mozilla.org

References

Mozilla Foundation Security Advisories
http://www.mozilla.org/security/announce/2008/mfsa2008-13.html
http://www.mozilla.org/security/announce/2008/mfsa2008-14.html
http://www.mozilla.org/security/announce/2008/mfsa2008-15.html
http://www.mozilla.org/security/announce/2008/mfsa2008-16.html
http://www.mozilla.org/security/announce/2008/mfsa2008-18.html
http://www.mozilla.org/security/announce/2008/mfsa2008-19.html

Secunia
http://secunia.com/advisories/29526/

SecurityFocus
http://www.securityfocus.com/bid/28448

CVE-Name
CVE-2008-0416
CVE-2008-1235
CVE-2008-1234
CVE-2008-1233
CVE-2008-1236
CVE-2008-1237
CVE-2008-1238
CVE-2008-1240
CVE-2008-1241

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003