The HIVE light edition (TM)
This is a historical archive


The Server Room  


 
    lugh
(Moderator)
09-26-04 02:23
No 533197
      Mozilla Security Flaw     

Multiple vulnerabilities in Mozilla products
Original release date: September 17, 2004
Last revised: --
Source: US-CERT
Systems Affected

Mozilla software, including the following:

    * Mozilla web browser, email and newsgroup client
    * Firefox web browser
    * Thunderbird email client

Overview

Several vulnerabilities exist in the Mozilla web browser and derived products, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system.
I. Description

Several vulnerabilities have been reported in the Mozilla web browser and derived products. More detailed information is available in the individual vulnerability notes:

VU#414240 - Mozilla Mail vulnerable to buffer overflow via writeGroup() function in nsVCardObj.cpp

Mozilla Mail contains a stack overflow vulnerability in the display routines for VCards. By sending an email message with a crafted VCard, a remote attacker may be able to execute arbitrary code on the victim's machine with the privileges of the current user. This can be exploited in the preview mode as well.

VU#847200 - Mozilla contains integer overflows in bitmap image decoder

A vulnerability in the way Mozilla and its derived programs handle certain bitmap images could allow a remote attacker to execute arbitrary code on a vulnerable system.

VU#808216 - Mozilla contains heap overflow in UTF8 conversion of hostname portion of URLs

A vulnerability in the way Mozilla and its derived programs handle certain malformed URLs could allow a remote attacker to execute arbitrary code on a vulnerable system.

VU#125776 - Multiple buffer overflows in Mozilla POP3 protocol handler

There are multiple buffer overflow vulnerabilities in the Mozilla POP3 protocol handler that could allow a malicious POP3 server to execute arbitrary code on the affected system.

VU#327560 - Mozilla "send page" feature contains a buffer overflow vulnerability

There is a buffer overflow vulnerability in the Mozilla "send page" feature that could allow a remote attacker to execute arbitrary code.

VU#651928 - Mozilla allows arbitrary code execution via link dragging

A vulnerability affecting Mozilla web browsers may allow violation of cross-domain scripting policies and possibly the execution of code originating from a remote source.
II. Impact

These vulnerabilities could allow a remote attacker to execute arbitrary code with the privileges of the user running the affected application.

VU#847200 could also allow a remote attacker to crash an affected application.
III. Solution
Upgrade to a patched version

Mozilla has released versions of the affected software that contain patches for these issues:

http://www.mozilla.org/products/mozilla1.x/

http://www.mozilla.org/products/firefox/

http://www.mozilla.org/products/thunderbird/

    * Mozilla Security Advisory - <http://www.mozilla.org/projects/security/known-vulnerabilities.html>;
    * Mozilla 1.7.2 non-ascii hostname heap overrun, Gaël Delalleau - <http://www.zencomsec.com/advisories/mozilla-1.7.2-UTF8link.txt>;
    * Security Audit of Mozilla's .bmp image parsing, Gaël Delalleau - <http://www.zencomsec.com/advisories/mozilla-1.7.2-BMP.txt>;
    * Security Audit of Mozilla's POP3 client protocol, Gaël Delalleau - <http://www.zencomsec.com/advisories/mozilla-1.7.2-POP3.txt>;
    * US-CERT Vulnerability Note VU#414240 - <http://www.kb.cert.org/vuls/id/414240>;
    * US-CERT Vulnerability Note VU#847200 - <http://www.kb.cert.org/vuls/id/847200>;
    * US-CERT Vulnerability Note VU#808216 - <http://www.kb.cert.org/vuls/id/808216>;
    * US-CERT Vulnerability Note VU#125776 - <http://www.kb.cert.org/vuls/id/125776>;
    * US-CERT Vulnerability Note VU#327560 - <http://www.kb.cert.org/vuls/id/327560>;
    * US-CERT Vulnerability Note VU#651928 - <http://www.kb.cert.org/vuls/id/651928>;


wink

Chemistry is our Covalent Bond
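The advisory lists VU#847200 as "integer overflows in bitmap image decoder" without saying how such a bug arises. The following is an added illustration, not code from the post, from US-CERT, or from Mozilla: a BMP-style header parser in the classic 32-bit-arithmetic form that wraps silently, beside a hardened version that widens the arithmetic and bounds the product before any allocation. Field offsets follow the standard BITMAPFILEHEADER/BITMAPINFOHEADER layout; the 256 MiB allocation cap and the helper names are assumptions made for the example, and all header bytes are constructed in the block itself.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example (not Mozilla's code). Header layout: 14-byte file header,
 * then a 40-byte info header with biWidth at 18, biHeight at 22 (signed
 * 32-bit) and biBitCount at 28 (16-bit). The byte cap is an assumption. */
#define BMP_HEADER_LEN  54u
#define BMP_MAX_BYTES   (256u * 1024u * 1024u)   /* assumed policy cap: 256 MiB */

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void wr16le(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Constructed test input: a minimal 54-byte header with the given fields. */
void bmp_make_header(uint8_t *hdr, int32_t w, int32_t h, uint16_t bpp)
{
    memset(hdr, 0, BMP_HEADER_LEN);
    hdr[0] = 'B'; hdr[1] = 'M';
    wr32le(hdr + 14, 40);                 /* biSize */
    wr32le(hdr + 18, (uint32_t)w);
    wr32le(hdr + 22, (uint32_t)h);
    wr16le(hdr + 26, 1);                  /* biPlanes */
    wr16le(hdr + 28, bpp);
}

/* The bug pattern: the buffer size is computed in 32-bit arithmetic, so a
 * product of 2^32 or more wraps to a small value; a decoder that allocates
 * this many bytes and then copies every row overruns the heap. */
uint32_t bmp_naive_size(const uint8_t *hdr)
{
    uint32_t w = rd32le(hdr + 18), h = rd32le(hdr + 22), bpp = rd16le(hdr + 28);
    return w * h * (bpp / 8);             /* silently wraps modulo 2^32 */
}

/* Hardened form: validate every field, widen before multiplying, and bound
 * the product against the cap before it is computed (stride <= cap / rows
 * guarantees stride * rows <= cap, so the multiplication cannot overflow).
 * Returns 0 and fills *out_bytes, or -1 for a malformed/oversized header. */
int bmp_safe_size(const uint8_t *hdr, size_t hdr_len, size_t *out_bytes)
{
    if (hdr == NULL || out_bytes == NULL || hdr_len < BMP_HEADER_LEN) return -1;
    if (hdr[0] != 'B' || hdr[1] != 'M') return -1;
    if (rd32le(hdr + 14) < 40) return -1;
    int32_t w = (int32_t)rd32le(hdr + 18);
    int32_t h = (int32_t)rd32le(hdr + 22);
    uint16_t bpp = rd16le(hdr + 28);
    if (w <= 0) return -1;
    if (h == 0 || h == INT32_MIN) return -1;          /* negating INT32_MIN overflows */
    uint32_t rows = (uint32_t)(h < 0 ? -h : h);       /* negative height = top-down */
    switch (bpp) { case 1: case 4: case 8: case 16: case 24: case 32: break; default: return -1; }
    uint64_t row_bits = (uint64_t)(uint32_t)w * bpp;  /* at most 2^31 * 32, fits easily */
    uint64_t stride = ((row_bits + 31) / 32) * 4;     /* rows are padded to 4 bytes */
    if (stride > (uint64_t)BMP_MAX_BYTES / rows) return -1;
    *out_bytes = (size_t)(stride * rows);
    return 0;
}

/* Convenience wrappers so a caller can compare both paths for one header:
 * -1 means the hardened parser rejected it. */
long long bmp_safe_size_of(int32_t w, int32_t h, uint16_t bpp)
{
    uint8_t hdr[BMP_HEADER_LEN]; size_t n = 0;
    bmp_make_header(hdr, w, h, bpp);
    return bmp_safe_size(hdr, sizeof hdr, &n) == 0 ? (long long)n : -1LL;
}
uint32_t bmp_naive_size_of(int32_t w, int32_t h, uint16_t bpp)
{
    uint8_t hdr[BMP_HEADER_LEN];
    bmp_make_header(hdr, w, h, bpp);
    return bmp_naive_size(hdr);
}

int main(void)
{
    /* 65536 x 65536 x 32 bpp: the true size is 2^34 bytes; the naive path wraps to 0. */
    printf("naive: %u bytes, safe: %lld\n",
           bmp_naive_size_of(0x10000, 0x10000, 32), bmp_safe_size_of(0x10000, 0x10000, 32));
    printf("4x3 @24bpp -> %lld bytes\n", bmp_safe_size_of(4, 3, 24));
    return 0;
}
```

The defensive check worth copying is the division before the multiplication: once `stride <= cap / rows` holds, `stride * rows` is known to fit, so no allocation size can wrap regardless of the header values. Rejecting `INT32_MIN` as a height matters for the same reason, since negating it is itself an overflow.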
https://the-hive.archive.erowid.org