[NEWS] Gecko Based Browsers Multiple Vulnerabilities (Code Execution, Cross Site Scripting, Window Spoofing)

From: SecuriTeam (support_at_securiteam.com)
Date: 08/02/05

    To: list@securiteam.com
    Date: 2 Aug 2005 18:05:59 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Gecko Based Browsers Multiple Vulnerabilities (Code Execution, Cross Site
    Scripting, Window Spoofing)
    ------------------------------------------------------------------------

    SUMMARY

    Multiple execution vulnerabilities were found in Gecko based browsers
    that allow web sites to cause arbitrary code execution on users' systems
    and steal their information.

    DETAILS

    Vulnerable Systems:
     * Mozilla Firefox version 1.0.4 and prior
     * Mozilla Suite version 1.7.8 and prior
     * Thunderbird version 1.0.2 and prior

    Immune Systems:
     * Mozilla Firefox version 1.0.5
     * Mozilla Suite version 1.7.9

    Twelve vulnerabilities were identified in Gecko based browsers, which may
    be exploited by malicious web sites to execute arbitrary commands or
    conduct spoofing and cross site scripting attacks.

    Code Execution:
     * An improper cloning of base objects could allow web content scripts to
    walk up the prototype chain to get to a privileged object, which could be
    exploited by attackers to execute arbitrary code.

     * An input validation error in the processing of XHTML documents
    containing fake <IMG> elements could be exploited by malicious web sites
    to execute scripting code with elevated "chrome" privileges.

     * An input validation error in the processing of JavaScript URLs opened
    by media players could be exploited by attackers to execute arbitrary
    code.

     * A regression error could be exploited by attackers to inject arbitrary
    JavaScript code from one page into the frameset of another site.

     * An input validation error in the "InstallVersion.compareTo()" function
    when handling specially crafted objects could be exploited by attackers to
    run arbitrary code or conduct denial of service attacks.

     * An error when handling Wallpapers could be exploited by attackers to
    run arbitrary code on a vulnerable system by convincing a user to use the
    "Set As Wallpaper" context menu item on a specially crafted image.

     * An error in the browser UI when handling user/synthetic events could be
    exploited by attackers to execute arbitrary code.

    Window Spoofing:
     * JavaScript dialog boxes do not display or include their origin, which
    allows a new window to open, e.g., a prompt dialog box that appears to be
    from a trusted site.

    Cross Site Scripting:
     * An error in the processing of "top.focus()" calls could be exploited by
    attackers to conduct spoofing and/or cross site scripting attacks.

     * An input validation error in the processing of "data:" URLs could be
    exploited by attackers to conduct cross site scripting attacks.

     * An error in the "InstallTrigger.install()" method could be exploited to
    conduct cross site scripting attacks.

     * Scripts in XBL controls from web content are run even when JavaScript
    is disabled.

    ADDITIONAL INFORMATION

    The information has been provided by FrSIRT.
    The original article can be found at:
    <http://www.frsirt.com/english/advisories/2005/1075>


    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

