[NEWS] Mozilla Firefox Tag Parsing Code Execution Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Mozilla Firefox Tag Parsing Code Execution Vulnerability
------------------------------------------------------------------------


SUMMARY

<http://www.mozilla.com/firefox/> Mozilla Firefox is "a free, open
source, cross-platform, graphical web browser developed by the Mozilla
Corporation and hundreds of volunteers".

This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of the Mozilla/Firefox web browser and
Thunderbird e-mail client. User interaction is required to exploit this
vulnerability in that the target must visit a malicious page or open a
malicious e-mail.

DETAILS

Vulnerable Systems:
* Firefox versions 1.0 - 1.0.7
* Thunderbird versions 1.5 - 1.5.0.1
* Thunderbird versions 1.0 - 1.0.7
* SeaMonkey version 1.0
* Mozilla Suite versions 1.7 - 1.7.12

The specific flaw exists within nsHTMLContentSink.cpp, during the parsing
of HTML tags as they appear in a specific order. The flaw results in a
memory corruption that leads to an attacker controlled function pointer
dereference from the stack and eventually execution of arbitrary code.

Vendor Response:
Mozilla has issued an update to correct this vulnerability. Further
details are available at:
<http://www.mozilla.org/security/announce/2006/mfsa2006-18.html>
http://www.mozilla.org/security/announce/2006/mfsa2006-18.html

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0749>
CVE-2006-0749

Disclosure Timeline:
2005.12.13 - Vulnerability reported to vendor
2005.12.13 - Digital Vaccine released to TippingPoint customers
2006.04.14 - Coordinated public release of advisory


ADDITIONAL INFORMATION

The information has been provided by ZDI.
The original article can be found at:
<http://www.zerodayinitiative.com/advisories/ZDI-06-009.html>
http://www.zerodayinitiative.com/advisories/ZDI-06-009.html



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages