Mozilla Products Contain Multiple Vulnerabilities
Systems Affected
- Mozilla SeaMonkey
- Mozilla Firefox
- Mozilla Thunderbird
- Netscape Browser
Any products based on Mozilla components, specifically Gecko, may also be affected.
Overview
The Mozilla web browser and derived products contain several vulnerabilities, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system.
Description
Several vulnerabilities have been reported in the Mozilla web browser and derived products. More detailed information is available in the individual vulnerability notes, including the following:
VU#476724 - Mozilla products fail to properly handle frame references
Mozilla products fail to properly handle frame or window references. This may allow a remote attacker to execute arbitrary code on a vulnerable system.
(CVE-2006-3801)
VU#670060 - Mozilla fails to properly release JavaScript references
Mozilla products fail to properly release memory. This vulnerability may allow a remote attacker to execute code on a vulnerable system.
(CVE-2006-3677)
VU#239124 - Mozilla fails to properly handle simultaneous XPCOM events
Mozilla products are vulnerable to memory corruption via simultaneous XPCOM events. This may allow a remote attacker to execute arbitrary code on a vulnerable system.
(CVE-2006-3113)
VU#265964 - Mozilla products contain a race condition
Mozilla products contain a race condition. This vulnerability may allow a remote attacker to execute code on a vulnerable system.
(CVE-2006-3803)
VU#897540 - Mozilla products VCard attachment buffer overflow
Mozilla products fail to properly handle malformed VCard attachments, allowing a buffer overflow to occur. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable system.
(CVE-2006-3804)
VU#876420 - Mozilla fails to properly handle garbage collection
The Mozilla JavaScript engine fails to properly perform garbage collection, which may allow a remote attacker to execute arbitrary code on a vulnerable system.
(CVE-2006-3805)
VU#655892 - Mozilla JavaScript engine contains multiple integer overflows
The Mozilla JavaScript engine contains multiple integer overflows. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable system.
(CVE-2006-3806)
VU#687396 - Mozilla products fail to properly validate JavaScript constructors
Mozilla products fail to properly validate references returned by JavaScript constructors. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable system.
(CVE-2006-3807)
VU#527676 - Mozilla contains multiple memory corruption vulnerabilities
Mozilla products contain multiple vulnerabilities that can cause memory corruption. This may allow a remote attacker to execute arbitrary code on a vulnerable system.
(CVE-2006-3811)
Impact
A remote, unauthenticated attacker could execute arbitrary code on a vulnerable system. An attacker may also be able to cause the vulnerable application to crash.
Solution
Upgrade
Upgrade to Mozilla Firefox 1.5.0.5, Mozilla Thunderbird 1.5.0.5, or SeaMonkey 1.0.3.
Netscape 8.1 is based on Firefox 1.0.7. Until a fixed version is available, please use the following workarounds:
Disable JavaScript and Java
These vulnerabilities can be mitigated by disabling JavaScript and Java in all affected products. For more information about configuring Firefox, please see the "Securing Your Web Browser" document. Netscape users should see the "Site Controls" document for details.
Appendix A. References
- US-CERT Vulnerability Notes Related to July Mozilla Security Advisories - http://www.kb.cert.org/vuls/byid?searchview&query=firefox_1505
- CVE-2006-3801 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3801
- CVE-2006-3677 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3677
- CVE-2006-3113 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3113
- CVE-2006-3803 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3803
- CVE-2006-3804 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3804
- CVE-2006-3805 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3805
- CVE-2006-3806 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3806
- CVE-2006-3807 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3807
- CVE-2006-3811 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3811
- Mozilla Foundation Security Advisories - http://www.mozilla.org/security/announce/
- Known Vulnerabilities in Mozilla Products - http://www.mozilla.org/projects/security/known-vulnerabilities.html
- Mozilla Hall of Fame - http://www.mozilla.org/university/HOF.html
- Site Controls - http://browser.netscape.com/ns8/help/options-site.jsp
- Securing Your Web Browser - http://www.us-cert.gov/reading_room/securing_browser/browser_security.html#Mozilla_Firefox
Revision History
- July 27, 2006: Initial release
- July 31, 2006: Added Netscape information