The majority of the vulnerabilities are considered critical, which Mozilla defines as vulnerabilities that "can be used to run attacker code and install software, requiring no user interaction beyond normal browsing."
Mozilla's update addresses the following problems:
- Security check of
js_ValueToFunctionObject()can be circumvented
- Privilege escalation through Print Preview
- Privilege escalation using crypto.generateCRMFRequest
- CSS Letter-Spacing Heap Overflow Vulnerability
- Crashes with evidence of memory corruption (rv:22.214.171.124)
- Accessing XBL compilation scope via
- Mozilla Firefox Tag Order Vulnerability
- Privilege escalation via XBL.method.eval
- Crashes with evidence of memory corruption (rv:1.8)
- Cross-site scripting using
- Cross-site scripting through window.controllers
- File stealing by changing input type
- Spoofing with translucent windows
- Downloading executables with “Save Image As...”
- Mail Multiple Information Disclosure
- Secure-site spoof (requires security warning dialog)
Vendors released updates addressing these issues for the following distributions and packages: Fedora Firefox, Red Hat Firefox and Mozilla Suite, Ubuntu Firefox and Mozilla-Firefox, SUSE Mozilla Firefox and Mozilla Suite.
valueOf.apply() are called with no arguments on the method of that binding. The call returns the Object class prototype instead of the caller's global window object.
The problem in the XBL bindings leaves Firefox vulnerable to cross-site scripting (XSS) attacks. An attacker could inject script into another window in order to steal sensitive information such as passwords and cookies. The attacker could trick an unsuspecting user into visiting a malicious Web site or downloading malicious files, allowing the attacker to gain the privileges of the targeted user or alter the content of another window.
Second, it is possible to call the
input form elements. According to Jørgensen, a text input box can be pre-loaded with a file name and turned into a file-upload control, leaving the content intact. An attacker could create a malicious Web site, tricking users into submitting information to a form. If the user submits the form, arbitrary files could be uploaded from the targeted machine to the malicious Web site.
The Firefox updates also addressed several other vulnerabilities, including two security problems an attacker could use to trick users into compromising their machines or revealing sensitive information. For example, Tristor found a vulnerability in the way Firefox indicates that a site is secure. When Firefox is set to display the "Entering secure site" modal warning dialog, an attacker could change the window location while the dialog is displayed.
The attacker simply loads the targeted secure site into a pop-up window, changing the location to a different, insecure site. Consequently, a user believes the site is secure since it displays the padlock icon, the site name in the URL bar, and the yellow background in the URL bar.
Michael Krax reported that it is possible to layer a transparent image over a visible image, with the transparently image linked to an executable file. An attacker could exploit the bug by offering a desirable image, tricking visitors into downloading the image by creating a file name with a lot of spaces before the extension. The long file name and spaces hide the extension information from the user, pushing it beyond the boundaries of the file-saving dialog box. Instead of downloading an image, the user actually downloads an executable file.
Since most of the bugs are critical- or high-risk vulnerabilities, if you run Firefox or Mozilla be sure to update your packages as soon as possible.
Red Hat's security team asks affected users to update their packages to Mozilla version 1.7.13 and Firefox version 1.0.8.
Ubuntu users should upgrade the affected packages to the following: 1.0.8-0ubuntu4.10 (for Ubuntu 4.10), 1.0.8-0ubuntu5.04 (for Ubuntu 5.04), or 1.0.8-0ubuntu5.10 (for Ubuntu 5.10). But sure to restart Firefox after the standard system upgrade. Doing so will ensure that the update took effect.
Vulnerabilities affecting several distributions
Package: mozilla, firefox -- several vulnerabilities
CVE: CVE-2006-0749, CVE-2006-1724, CVE-2006-1727, CVE-2006-1728, CVE-2006-1729, CVE-2006-1730, CVE-2006-1731, CVE-2006-1732, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735, CVE-2006-1737, CVE-2006-1738, CVE-2006-1739, CVE-2006-1740, CVE-2006-1741, CVE-2006-1742
April 14, 2006
Vulnerabilities listed by distribution
Debian: horde2 -- several vulnerabilities
April 14, 2006
Horde, a Web application framework, contains several vulnerabilities. An attacker could exploit the problems in order to gain access to sensitive information. Debian has issued an update that fixes the following problems:
- There is a an input validation error in the services/go.php script. Consequently, the URL parameter is not correctly validated before being passed a
readfile()call. An attacker could exploit the problem to read via the php:// URI handler.
eval()injection vulnerability could allow a remote attacker to execute arbitrary code by exploiting the weakness in the help viewer.
Debian: fcheck -- insecure temporary file
April 15, 2006
The Debian Security Audit project's Steve Kemp located a problem in FCheck, a host-based Intrusion Detection System (IDS). A cronjob contained in FCheck creates an insecure temporary file, which could enable a remote attacker to create or overwrite arbitrary files and escalate access privileges.
Debian: bsdgames -- buffer overflow
April 17, 2006
Sail, a game included in the BSD games 2.17-7 package, contains a buffer overflow vulnerability in pl_main.c A local user could exploit the problem to execute arbitrary code.
Fedora: gdm -- update
April 19, 2006
Fedora issued an advisory with numerous fixes and updates for the Fedora Core 5 GNOME Display Manager (GDM). If you run this package please be sure to apply the updates, following recommendations issued by Fedora.
Fedora: kernel -- update
April 19, 2006
Fedora has issued a Linux kernel update for version 2.6.16, release 1.2096_FC4. This update includes fixes that address multiple security issues, including several vulnerabilities which local users could exploit to cause a Denial of Service (kernel panic) or to gain escalated privileges.
FreeBSD: sys -- vulnerability
April 19, 2006
Jan Beulich discovered a vulnerability in 7th generation and 8th generation AMD processors. According to the update, "the fxsave and fxrstor instructions do not save and restore the FOP, FIP, and FDP registers unless the exception summary bit (ES) in the x87 status word is set to 1." The vulnerability could be exploited by a local attacker to steal cryptographic keys or other sensitive data.
Gentoo: cacti -- multiple vulnerabilities
April 14, 2006
The ADODB database abstraction layer for PHP, libphp-adodb, a library included in Cacti has several vulnerabilities. Debian has released an update to fix the following problems:
- Andreas Sandblad discovered a remote SQL injection vulnerability. When the MySQL root password is empty, an attacker could exploit the vulnerability in order to access or tamper with data, compromise the application, or obtain access to database vulnerabilities to escalate privileges.
- A dynamic code evaluation vulnerability could be exploited by an attacker in order to execute arbitrary SQL commands via the
- An SQL injection vulnerability, discovered by Andy Staudacher, is due to insufficient input sanitizing. The problem could allow an attacker to launch arbitrary SQL commands.
- The GulfTech Security Research team located several cross-site scripting (XSS) vulnerabilities. An attacker could exploit the vulnerabilities to launch arbitrary scripts in a targeted user's Web browser.
Gentoo: libapreq2 -- denial of service vulnerability
April 17, 2006
There is a Denial of Service vulnerability in the the
apreq_parse_urlencoded() functions of Apache2::Request. An attacker could exploit the vulnerability to launch a Denial of Service by using unknown attack vectors, which could result in quadratic computational complexity.