CERT-In Vulnerability Note CIVN-2010-78
Mozilla Firefox WOFF Heap Corruption Vulnerability
Original Issue Date: March 25, 2010
Severity Rating: High
Systems Affected
- Firefox versions 3.6.x prior to 3.6.2
Overview
A vulnerability has been reported in Mozilla Firefox, which could allow a remote attacker to execute arbitrary code on an affected system.
Description
An integer overflow vulnerability exists in the font decompression routine of the WOFF decoder, which results in a memory buffer that is too small being allocated to store a downloadable font. A remote attacker could exploit this vulnerability to cause an application crash and execute arbitrary code by tricking a user into visiting a specially crafted web page.
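The allocation-size pattern the description refers to, as an added illustration in C that is not Firefox's or Mozilla's code: a 32-bit sum of attacker-supplied decompressed table lengths wraps silently and yields a tiny buffer, while the checked version rejects the font. The trimmed directory structure, field names and the two-entry sample are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical, trimmed WOFF table-directory entry: only the fields the
 * size computation needs (the real format also carries a tag and checksum). */
typedef struct {
    uint32_t offset;      /* position of the compressed table in the file */
    uint32_t comp_len;    /* compressed length in the file */
    uint32_t orig_len;    /* claimed decompressed length, attacker-controlled */
} woff_entry;

/* Constructed sample: two entries whose padded lengths sum past 2^32. */
static const woff_entry sample_dir[2] = {
    { 44,  100, 0xFFFFFF00u },
    { 144, 100, 0x00000200u },
};

/* Round a table length up to the 4-byte boundary WOFF tables are padded to.
 * Caller must already have checked that n + 3 does not wrap. */
static uint32_t pad4(uint32_t n) { return (n + 3u) & ~3u; }

/* Unchecked computation: the 32-bit sum wraps silently, so a caller that
 * allocates `total` bytes gets a buffer far smaller than the data that the
 * decompressor later writes into it (heap corruption). */
uint32_t unchecked_decompressed_size(const woff_entry *dir, size_t n) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += pad4(dir[i].orig_len);   /* 0xFFFFFF00 + 0x200 wraps to 0x100 */
    return total;
}

/* Hardened computation: refuse the font if any step would wrap.
 * Returns 1 and stores the size on success, 0 if the directory is inconsistent. */
int checked_decompressed_size(const woff_entry *dir, size_t n, uint32_t *out) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t len = dir[i].orig_len;
        if (len > UINT32_MAX - 3u) return 0;      /* padding itself would wrap */
        len = pad4(len);
        if (len > UINT32_MAX - total) return 0;   /* running sum would wrap */
        total += len;
    }
    *out = total;
    return 1;
}
```

A decoder that sizes its output buffer with the checked variant never reaches the decompression step with a length it cannot trust.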
Solution
Upgrade to Firefox 3.6.2 or later
http://www.mozilla.com/firefox/
Vendor Information
Mozilla
http://www.mozilla.org/security/announce/2010/mfsa2010-08.html
References
Mozilla
http://www.mozilla.org/security/announce/2010/mfsa2010-08.html
SecurityTracker
http://securitytracker.com/alerts/2010/Mar/1023732.html
F-Secure
http://www.f-secure.com/vulnerabilities/SA201006425
Secunia
http://secunia.com/advisories/38608/
VUPEN
http://www.vupen.com/english/advisories/2010/0684
CVE Name
CVE-2010-1028
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003