CERT-In Advisory
CIAD-2005-0011
Multiple Vulnerabilities in Mozilla Suite and Netscape
Original Issue Date: May 06, 2005
Severity Rating: High
Systems Affected
- Mozilla prior to 1.7.6
- Mozilla Firefox 0.x, 1.x
- Netscape 7.x
Overview
Multiple vulnerabilities have been discovered in Mozilla Suite and Mozilla Firefox which could be exploited by malicious people to compromise the vulnerable systems.
Description
1. PLUGINSPAGE privileged JavaScript execution vulnerability (CAN-2005-0752)
The Plugin Finder Service (PFS) is invoked when a plugin required by a web page is not installed. If the PFS does not have an appropriate plug-in, the EMBED tag is checked for a PLUGINSPAGE attribute, and if one is found the PFS dialog will contain a "manual install" button that loads the PLUGINSPAGE URL.
2. Code execution vulnerability through JavaScript (CAN-2005-1153)
Firefox and the Mozilla Suite support custom "favicons" through the <LINK rel="icon"> tag. By using a javascript: URL, an attacker could programmatically add a link tag to the page and run any script or install malicious code with elevated privileges.
3. Mozilla Browser Remote Insecure XUL Start Up Script Loading Vulnerability (CAN-2005-0401)
Mozilla Suite and Mozilla Firefox contain a remote insecure XUL script loading vulnerability. This issue is due to an access validation flaw that causes the script to be loaded with elevated privileges. An attacker may use this vulnerability to execute XUL startup scripts with elevated privileges.
4. Arbitrary code execution from Firefox sidebar panel (CAN-2005-0402)
Two missing security checks have been discovered in Mozilla Firefox. If a user bookmarks a malicious page as a Firefox sidebar panel, arbitrary programs may be executed by opening a privileged page and injecting JavaScript into it. Sites can use the _search target to open links in the Firefox sidebar. This could be used to install malicious code or steal data without user interaction.
5. Showing blocked JavaScript: popup uses wrong privilege context (CAN-2005-1153)
When a popup is blocked, the user is given the ability to open that popup through the popup-blocking. If the popup URL is a javascript: URL, selecting "Show JavaScript:..." would run the JavaScript with elevated privileges, which could be used to install malicious software.
6. Cross-site scripting through global scope pollution (CAN-2005-1154)
A malicious script could define a setter function for a variable used by a popular web site, and if the user then browses to that site the malicious script will run in that page. This would allow the setter script to steal cookies or the contents of the page, or potentially perform actions on the user's behalf such as making purchases or deleting web mail, depending heavily on how the site was designed.
7. Mozilla Firefox InstallTrigger command execution (CAN-2005-1159)
It has been reported that the native implementations of InstallTrigger and other XPInstall-related JavaScript objects did not properly validate that they were called on instances of the correct type. By passing other objects, even raw numbers, the JavaScript interpreter would jump to the wrong place in memory.
8. Privilege escalation vulnerability via DOM property overrides (CAN-2005-1160)
The chrome UI code in Mozilla was overly trusting of DOM nodes from the content window, which allows an attacker to escalate privileges via DOM property overrides. A similar vulnerability has also been reported in Netscape 7.x.
9. JavaScript Engine Information Disclosure Vulnerability (CAN-2005-0989)
This vulnerability exists due to an error in the JavaScript regex parsing engine. The browser's JavaScript implementation does not properly parse lambda list regular expressions, which may cause disclosure of sensitive system information in memory.
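The missing receiver check described in item 7, as an added illustration in plain JavaScript; it is not Mozilla's XPInstall code, and `looseInstaller`, `CheckedInstaller`, `probe`, `demo` and the sample URL are hypothetical. A method that trusts its `this` accepts a look-alike object, while a brand check rejects every receiver that is not a genuine instance.

```javascript
// Added example: hypothetical names, not Mozilla's XPInstall implementation.

// Unvalidated: trusts whatever receiver ("this") the caller supplies.
const looseInstaller = {
  queue: [],
  install(url) {
    // With a foreign receiver, this.queue is the caller's data, not ours.
    this.queue.push(url);
    return this.queue.length;
  },
};

// Validated: only objects created by the constructor carry the brand.
const genuine = new WeakSet();
class CheckedInstaller {
  constructor() {
    this.queue = [];
    genuine.add(this);
  }
  install(url) {
    // WeakSet.has() is false for numbers, plain objects and look-alikes.
    if (!genuine.has(this)) {
      throw new TypeError('install called on an object of the wrong type');
    }
    this.queue.push(url);
    return this.queue.length;
  }
}

// Calls `method` on each receiver and records how the call ended.
function probe(method, receivers) {
  return receivers.map((receiver) => {
    try {
      method.call(receiver, 'https://example.invalid/a.xpi'); // constructed URL
      return 'accepted';
    } catch (err) {
      return err.constructor.name;
    }
  });
}

// Receivers: a raw number, a forged look-alike, and a real instance.
function demo() {
  const lookAlike = () => ({ queue: [] }); // constructed forged receiver
  return {
    loose: probe(looseInstaller.install, [42, lookAlike(), looseInstaller]),
    checked: probe(CheckedInstaller.prototype.install,
      [42, lookAlike(), new CheckedInstaller()]),
  };
}

console.log(demo());
```

In script the unvalidated call only touches the wrong object; in the native implementation the advisory describes, the same omission made the interpreter jump to the wrong place in memory.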
Solution
Update software version or apply appropriate patches/workarounds as suggested by the vendors.
http://www.mozilla.org/products/firefox/
http://www.mozilla.org/security/announce/mfsa2005-31.html
http://www.mozilla.org/security/announce/mfsa2005-32.html
http://www.mozilla.org/security/announce/mfsa2005-33.html
http://www.mozilla.org/security/announce/mfsa2005-34.html
http://www.mozilla.org/security/announce/mfsa2005-35.html
http://www.mozilla.org/security/announce/mfsa2005-36.html
http://www.mozilla.org/security/announce/mfsa2005-37.html
http://www.mozilla.org/security/announce/mfsa2005-39.html
http://www.mozilla.org/security/announce/mfsa2005-40.html
http://www.mozilla.org/security/announce/mfsa2005-41.html
References
Securityfocus
http://www.securityfocus.com/bid/12885
Secunia
http://secunia.com/advisories/14820/
http://www.securityfocus.com/bid/14992
http://www.securityfocus.com/bid/14938
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India