CERT-In Advisory CIAD-2010-20
Multiple Vulnerabilities in Mozilla Products
Original issue date: March 26, 2010
Severity Rating: High
Systems Affected
- Mozilla Firefox versions 3.5.x prior to 3.5.8
- Mozilla Firefox versions 3.6.x prior to 3.6.2
- Mozilla Firefox versions 3.0.x prior to 3.0.18
- Mozilla SeaMonkey versions prior to 2.0.3
- Mozilla Thunderbird versions prior to 3.0.2
Overview
Multiple vulnerabilities have been reported in Mozilla Firefox, Thunderbird and SeaMonkey, which could be exploited by attackers to manipulate or disclose sensitive information, bypass security restrictions or compromise a vulnerable system.
Description
Details of these vulnerabilities are given in the following CERT-In Vulnerability Notes:
1. 'multipart/x-mixed-replace' Image Memory Corruption Vulnerability (CIVN-2010-85)
2. 'window.location' Same Origin Policy Security Bypass Vulnerability (CIVN-2010-86)
3. Multiple Memory Corruption Vulnerabilities (CIVN-2010-87)
4. Cross Domain Scripting Vulnerabilities (CIVN-2010-88)
5. Firefox Image Preloading Content-Policy Check Security Bypass Vulnerability (CIVN-2010-89)
6. Cached XUL Stylesheets Security Bypass Vulnerability (CIVN-2010-90)
7. Firefox Asynchronous HTTP Authorization Prompt Information Disclosure Vulnerability (CIVN-2010-91)
Solution
Upgrade to Mozilla Firefox version 3.6.2, 3.5.8 or 3.0.18 or later
http://www.mozilla.com/firefox/
Upgrade to Mozilla SeaMonkey version 2.0.3
http://www.mozilla.org/projects/seamonkey/
Upgrade to Mozilla Thunderbird version 3.0.2
http://www.mozilla.com/thunderbird
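As an added example, not part of the CERT-In advisory: a small Python triage helper that encodes the "Systems Affected" ranges above and reports which hosts in an inventory still need the upgrade listed under "Solution". The inventory rows and hostnames are constructed sample data; the product and version-string formats are assumptions. Firefox is checked per branch (3.0.x, 3.5.x, 3.6.x), while SeaMonkey and Thunderbird have a single fixed release, so any earlier version on any branch is flagged.

```python
# Added triage helper for CIAD-2010-20 (not CERT-In's or Mozilla's code).
from typing import List, Tuple

# Affected ranges taken from the advisory's "Systems Affected" list.
# Firefox: any build on a listed 3.x branch below that branch's fixed release.
FIREFOX_FIXED_BY_BRANCH = {
    (3, 0): (3, 0, 18),
    (3, 5): (3, 5, 8),
    (3, 6): (3, 6, 2),
}
# SeaMonkey and Thunderbird: everything prior to the single fixed release.
FIXED_VERSION = {
    "seamonkey": (2, 0, 3),
    "thunderbird": (3, 0, 2),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.5.7' into (3, 5, 7); tolerate trailing tags such as '3.6.2pre'."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            raise ValueError(f"unparseable version component {piece!r} in {text!r}")
        parts.append(int(digits))
    return tuple(parts)


def is_affected(product: str, version: str) -> bool:
    """True if (product, version) falls inside an affected range of CIAD-2010-20."""
    v = parse_version(version)
    product = product.lower()
    if product == "firefox":
        fixed = FIREFOX_FIXED_BY_BRANCH.get(v[:2])
        if fixed is None:
            # Branches the advisory does not list (e.g. 2.0.x) are out of its
            # scope: "not covered" here, not "known safe".
            return False
        # Tuple comparison treats a bare "3.6" as (3, 6) < (3, 6, 2), i.e. affected.
        return v < fixed
    fixed = FIXED_VERSION.get(product)
    if fixed is None:
        raise ValueError(f"product {product!r} is not covered by CIAD-2010-20")
    return v < fixed


# Constructed sample inventory (hostname, product, reported version).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("host-a", "firefox", "3.5.7"),
    ("host-b", "firefox", "3.6.2"),
    ("host-c", "firefox", "3.0.17"),
    ("host-d", "seamonkey", "1.1.18"),
    ("host-e", "thunderbird", "3.0.2"),
]


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames that need the upgrade from the Solution section."""
    return [host for host, product, version in inventory if is_affected(product, version)]


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(host, "needs upgrade")
```

The per-branch table matters: Firefox 3.5.7 is affected even though it is numerically above the 3.0.18 fix, because the 3.5 branch was fixed only in 3.5.8. A version the advisory does not list returns False for Firefox and raises for an unknown product, so unlisted builds show up as gaps to investigate rather than being silently cleared.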
Vendor Information
Mozilla
http://www.mozilla.org/security/announce/2010/mfsa2010-09.html
http://www.mozilla.org/security/announce/2010/mfsa2010-10.html
http://www.mozilla.org/security/announce/2010/mfsa2010-11.html
http://www.mozilla.org/security/announce/2010/mfsa2010-12.html
http://www.mozilla.org/security/announce/2010/mfsa2010-13.html
http://www.mozilla.org/security/announce/2010/mfsa2010-14.html
http://www.mozilla.org/security/announce/2010/mfsa2010-15.html
References
Mozilla
http://www.mozilla.org/security/announce/2010/mfsa2010-09.html
http://www.mozilla.org/security/announce/2010/mfsa2010-10.html
http://www.mozilla.org/security/announce/2010/mfsa2010-11.html
http://www.mozilla.org/security/announce/2010/mfsa2010-12.html
http://www.mozilla.org/security/announce/2010/mfsa2010-13.html
http://www.mozilla.org/security/announce/2010/mfsa2010-14.html
http://www.mozilla.org/security/announce/2010/mfsa2010-15.html
CERT-In
http://www.cert-in.org.in/vulnerability/civn-2010-85.htm
http://www.cert-in.org.in/vulnerability/civn-2010-86.htm
http://www.cert-in.org.in/vulnerability/civn-2010-87.htm
http://www.cert-in.org.in/vulnerability/civn-2010-88.htm
http://www.cert-in.org.in/vulnerability/civn-2010-89.htm
http://www.cert-in.org.in/vulnerability/civn-2010-90.htm
http://www.cert-in.org.in/vulnerability/civn-2010-91.htm
Bugzilla
https://bugzilla.mozilla.org/show_bug.cgi?id=547143
https://bugzilla.mozilla.org/show_bug.cgi?id=541530
https://bugzilla.mozilla.org/show_bug.cgi?id=542849
https://bugzilla.mozilla.org/show_bug.cgi?id=538065
https://bugzilla.mozilla.org/buglist.cgi?bug_id=535641,534082
https://bugzilla.mozilla.org/show_bug.cgi?id=531364
https://bugzilla.mozilla.org/show_bug.cgi?id=540642
https://bugzilla.mozilla.org/show_bug.cgi?id=535806
https://bugzilla.mozilla.org/show_bug.cgi?id=537862
Secunia
http://secunia.com/advisories/38608
SecurityFocus
http://www.securityfocus.com/bid/38918
VUPEN
http://www.vupen.com/english/advisories/2010/0692
Juniper Networks
http://www.juniper.net/security/auto/vulnerabilities/vuln38918.html
CVE Name
CVE-2010-0164
CVE-2010-0165
CVE-2010-0166
CVE-2010-0167
CVE-2010-0168
CVE-2010-0169
CVE-2010-0170
CVE-2010-0171
CVE-2010-0172
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
