US-CERT Technical Cyber Security Alert TA06-038A -- Multiple Vulnerabilities in Mozilla Products

National Cyber Alert System

Technical Cyber Security Alert TA06-038A

Multiple Vulnerabilities in Mozilla Products

Original release date: February 7, 2006
Last revised: --
Source: US-CERT

Systems Affected

Mozilla software, including the following, is affected:

Mozilla web browser, email and newsgroup client
Mozilla SeaMonkey
Firefox web browser
Thunderbird email client

Overview

Several vulnerabilities exist in the Mozilla web browser and derived products, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system.

I. Description

Several vulnerabilities have been reported in the Mozilla web browser and derived products. More detailed information is available in the individual vulnerability notes, including:

VU#592425 - Mozilla-based products fail to validate user input to the attribute name in "XULDocument.persist"

A vulnerability in some Mozilla products that could allow a remote attacker to execute Javascript commands with the permissions of the user running the affected application.
(CVE-2006-0296)

VU#759273 - Mozilla QueryInterface memory corruption vulnerability

Mozilla Firefox web browser and Thunderbird mail client contain a memory corruption vulnerability that may allow a remote attacker to execute arbitrary code.
(CVE-2006-0295)

II. Impact

The most severe impact of these vulnerabilities could allow a remote attacker to execute arbitrary code with the privileges of the user running the affected application. Other impacts include a denial of service or local information disclosure.

III. Solution

Upgrade

Upgrade to Mozilla Firefox 1.5.0.1 or SeaMonkey 1.0.

For Mozilla-based products that have no updates available, users are strongly encouraged to disable JavaScript.

Appendix A. References

Mozilla Foundation Security Advisories - <http://www.mozilla.org/security/announce/>
Mozilla Foundation Security Advisories - <http://www.mozilla.org/projects/security/known-vulnerabilities.html>
US-CERT Vulnerability Note VU#592425 - <http://www.kb.cert.org/vuls/id/592425>
US-CERT Vulnerability Note VU#759273 - <http://www.kb.cert.org/vuls/id/759273>
US-CERT Vulnerability Notes Related to February Mozilla Security Advisories - <http://www.kb.cert.org/vuls/byid?searchview&query=mozilla_feb_2006>
CVE-2006-0296 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0296>
CVE-2006-0295 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0295>
Firefox - Rediscover the Web - <http://www.mozilla.com/firefox/>
The SeaMonkey Project - <http://www.mozilla.org/projects/seamonkey/>

Feedback can be directed to the US-CERT Technical Staff

Produced 2006 by US-CERT, a government organization. Terms of use

Revision History

February 7, 2006: Initial release

Last updated February 08, 2008

US-CERT: United States Computer Emergency Readiness Team

Information For

Sign Up

Reporting

DHS Threat Advisory