[ GLSA 200505-11 ] Mozilla Suite, Mozilla Firefox: Remote compromise

From: Sune Kloppenborg Jeppesen (jaervosz_at_gentoo.org)
Date: 05/15/05

    To: gentoo-announce@gentoo.org
    Date: Sun, 15 May 2005 10:16:39 +0200
    
    
    

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 200505-11
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                http://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

      Severity: Normal
         Title: Mozilla Suite, Mozilla Firefox: Remote compromise
          Date: May 15, 2005
          Bugs: #91859, #92393, #92394
            ID: 200505-11

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    Several vulnerabilities in the Mozilla Suite and Firefox allow an
    attacker to conduct cross-site scripting attacks or to execute
    arbitrary code.

    Background
    ==========

    The Mozilla Suite is a popular all-in-one web browser that includes a
    mail and news reader. Mozilla Firefox is the next-generation browser
    from the Mozilla project.

    Affected packages
    =================

        -------------------------------------------------------------------
         Package                          /  Vulnerable  /      Unaffected
        -------------------------------------------------------------------
      1  www-client/mozilla-firefox           < 1.0.4            >= 1.0.4
      2  www-client/mozilla-firefox-bin       < 1.0.4            >= 1.0.4
      3  www-client/mozilla                   < 1.7.8            >= 1.7.8
      4  www-client/mozilla-bin               < 1.7.8            >= 1.7.8
        -------------------------------------------------------------------
         4 affected packages on all of their supported architectures.
        -------------------------------------------------------------------

    Description
    ===========

    The Mozilla Suite and Firefox do not properly protect "IFRAME"
    JavaScript URLs from being executed in the context of another URL in
    the history list (CAN-2005-1476). The Mozilla Suite and Firefox also fail
    to verify the "IconURL" parameter of the "InstallTrigger.install()"
    function (CAN-2005-1477). Michael Krax and Georgi Guninski discovered
    that it is possible to bypass JavaScript-injection security checks by
    wrapping the javascript: URL within the view-source: or jar:
    pseudo-protocols (MFSA2005-43).

    Impact
    ======

    A malicious remote attacker could use the "IFRAME" issue to execute
    arbitrary JavaScript code within the context of another website,
    allowing the attacker to steal cookies or other sensitive data. By
    supplying a javascript: URL as the "IconURL" parameter of the
    "InstallTrigger.install()" function, a remote attacker could also
    execute arbitrary JavaScript code. Combining both vulnerabilities with
    a website which is allowed to install software, or wrapping javascript:
    URLs within the view-source: or jar: pseudo-protocols, could possibly
    lead to the execution of arbitrary code with user privileges.

    Workaround
    ==========

    Affected systems can be protected by disabling JavaScript. However, we
    encourage Mozilla Suite or Mozilla Firefox users to upgrade to the
    latest available version.

    Resolution
    ==========

    All Mozilla Firefox users should upgrade to the latest version:

        # emerge --sync
        # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.0.4"

    All Mozilla Firefox binary users should upgrade to the latest version:

        # emerge --sync
        # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.0.4"

    All Mozilla Suite users should upgrade to the latest version:

        # emerge --sync
        # emerge --ask --oneshot --verbose ">=www-client/mozilla-1.7.8"

    All Mozilla Suite binary users should upgrade to the latest version:

        # emerge --sync
        # emerge --ask --oneshot --verbose ">=www-client/mozilla-bin-1.7.8"

    References
    ==========

      [ 1 ] CAN-2005-1476
            http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1476
      [ 2 ] CAN-2005-1477
            http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1477
      [ 3 ] Mozilla Foundation Security Advisory 2005-43
            http://www.mozilla.org/security/announce/mfsa2005-43.html

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

      http://security.gentoo.org/glsa/glsa-200505-11.xml

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to
    security@gentoo.org or alternatively, you may file a bug at
    http://bugs.gentoo.org.

    License
    =======

    Copyright 2005 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    http://creativecommons.org/licenses/by-sa/2.0
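
Added example, not part of the advisory and not Mozilla's code: a sketch of why a check that only looks at the outermost scheme misses a javascript: URL wrapped in view-source: or jar:, next to an allowlist check that fails closed. The function names, the allowlist and the sample URLs are assumptions constructed for illustration.

```javascript
// Wrapper pseudo-protocols named in the advisory.
const WRAPPERS = ["view-source:", "jar:"];
// Assumption: an icon URL only ever needs plain web schemes.
const ALLOWED = new Set(["http", "https"]);

// Weak form: denylist on the outermost scheme only.
function naiveIsSafe(url) {
  return !url.trim().toLowerCase().startsWith("javascript:");
}

// Peel wrapper prefixes and report what is underneath (useful for logging).
function unwrap(url) {
  // Tabs and newlines are dropped first, as URL parsers commonly do.
  let rest = url.replace(/[\t\n\r]/g, "").trim().toLowerCase();
  const wrappers = [];
  let w;
  while ((w = WRAPPERS.find((p) => rest.startsWith(p))) !== undefined) {
    wrappers.push(w);
    rest = rest.slice(w.length);
  }
  const m = /^([a-z][a-z0-9+.-]*):/.exec(rest);
  return { wrappers, scheme: m ? m[1] : null };
}

// Hardened form: no wrappers at all, and the scheme must be allowlisted.
// Anything unparseable or unknown is rejected.
function isSafeIconUrl(url) {
  const { wrappers, scheme } = unwrap(url);
  return wrappers.length === 0 && ALLOWED.has(scheme);
}

// Constructed sample inputs.
const samples = [
  "https://example.org/icon.png",
  "javascript:void(0)",
  "view-source:javascript:void(0)",
  "JAR:view-source:javascript:void(0)",
];
for (const s of samples) {
  console.log(s, { naive: naiveIsSafe(s), hardened: isSafeIconUrl(s), inner: unwrap(s).scheme });
}
```

The naive check accepts both wrapped samples; the allowlist rejects them, and `unwrap()` still reports `javascript` as the inner scheme for triage.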

    
    


