[NEWS] Gecko Based Browsers Multiple Vulnerabilities (Code Execution, Cross Site Scripting, Window Spoofing)

From: SecuriTeam (support_at_securiteam.com)
Date: 08/02/05

    To: list@securiteam.com
    Date: 2 Aug 2005 18:05:59 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

    Gecko Based Browsers Multiple Vulnerabilities (Code Execution, Cross Site Scripting, Window Spoofing)
    ------------------------------------------------------------------------

    SUMMARY

    Multiple execution vulnerabilities were found in Gecko based browsers
    that allow web sites to cause arbitrary code execution on users' systems
    and steal their information.

    DETAILS

    Vulnerable Systems:
     * Mozilla Firefox version 1.0.4 and prior
     * Mozilla Suite version 1.7.8 and prior
     * Thunderbird version 1.0.2 and prior

    Immune Systems:
     * Mozilla Firefox version 1.0.5
     * Mozilla Suite version 1.7.9
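
To triage an asset inventory or proxy log against the version ranges listed above, the following added example (not part of the original advisory) classifies a product and version as vulnerable, fixed, or unlisted. The function names and the User-Agent strings are constructed for illustration; the thresholds are the ones the advisory gives, and because it names no immune Thunderbird version, anything newer than 1.0.2 is reported as "unlisted" rather than assumed fixed.

```python
import re

# Thresholds copied from the advisory: highest vulnerable version and,
# where the advisory names one, the first immune version.
ADVISORY = {
    "firefox":     {"last_vulnerable": "1.0.4", "first_fixed": "1.0.5"},
    "mozilla":     {"last_vulnerable": "1.7.8", "first_fixed": "1.7.9"},  # Mozilla Suite
    "thunderbird": {"last_vulnerable": "1.0.2", "first_fixed": None},     # none listed
}

def parse_version(text):
    """'1.0.4' -> (1, 0, 4, 0); zero padding makes '1.0' compare as '1.0.0'."""
    nums = []
    for part in text.split("."):
        m = re.match(r"\d+", part)          # ignore suffixes such as '4+' or '5rc1'
        nums.append(int(m.group()) if m else 0)
    return tuple((nums + [0] * 4)[:4])

def classify(product, version):
    entry = ADVISORY.get(product.lower())
    if entry is None:
        return "not-covered"                # product is not named in the advisory
    v = parse_version(version)
    if v <= parse_version(entry["last_vulnerable"]):
        return "vulnerable"
    if entry["first_fixed"] and v >= parse_version(entry["first_fixed"]):
        return "fixed"
    return "unlisted"                       # newer, but no immune version was published

# Only products that announce themselves with a Name/version token are matched here.
UA_TOKEN = re.compile(r"\b(Firefox|Thunderbird)/([\w.]+)")

def triage_user_agent(ua):
    """Return (product, version, status) for a User-Agent string, or None."""
    m = UA_TOKEN.search(ua)
    if not m:
        return None
    return (m.group(1), m.group(2), classify(m.group(1), m.group(2)))

# Constructed sample User-Agent strings (not taken from real logs).
SAMPLE_UAS = [
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4",
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Thunderbird/1.0.6",
]

if __name__ == "__main__":
    for ua in SAMPLE_UAS:
        print(triage_user_agent(ua))
```
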

    Twelve vulnerabilities were identified in Gecko based browsers, which may
    be exploited by malicious web sites to execute arbitrary commands or
    conduct spoofing and cross site scripting attacks.

    Code Execution:
     * An improper cloning of base objects could allow web content scripts to
    walk up the prototype chain to get to a privileged object, which could be
    exploited by attackers to execute arbitrary code.

     * An input validation error in the processing of XHTML documents
    containing fake <IMG> elements could be exploited by malicious web sites
    to execute scripting code with elevated "chrome" privileges.

     * An input validation error in the processing of JavaScript URLs opened
    by media players could be exploited by attackers to execute arbitrary
    code.

     * A regression error could be exploited by attackers to inject arbitrary
    JavaScript code from one page into the frameset of another site.

     * An input validation error in the "InstallVersion.compareTo()" function
    when handling specially crafted objects could be exploited by attackers to
    run arbitrary code or conduct denial of service attacks.

     * An error when handling wallpapers could be exploited by attackers to
    run arbitrary code on a vulnerable system by convincing a user to use the
    "Set As Wallpaper" context menu item on a specially crafted image.

     * An error in the browser UI when handling user/synthetic events could be
    exploited by attackers to execute arbitrary code.

    Window Spoofing:
     * JavaScript dialog boxes do not display or include their origin, which
    allows a new window to open a dialog box (e.g. a prompt) that appears to
    be from a trusted site.

    Cross Site Scripting:
     * An error in the processing of "top.focus()" calls could be exploited by
    attackers to conduct spoofing and/or cross site scripting attacks.

     * An input validation error in the processing of "data:" URLs could be
    exploited by attackers to conduct cross site scripting attacks.

     * An error in the "InstallTrigger.install()" method could be exploited to
    conduct cross site scripting attacks.

     * Scripts in XBL controls from web content are run even when JavaScript
    is disabled.

    ADDITIONAL INFORMATION

    The information has been provided by FrSIRT.
    The original article can be found at:
    http://www.frsirt.com/english/advisories/2005/1075


