Multiple Mozilla Vulnerabilities


Overview

Several vulnerabilities exist in the Mozilla web browser and derived products, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system.

Systems Affected

Mozilla software, including the following, is affected:

* Mozilla web browser, email and newsgroup client

* Mozilla SeaMonkey

* Firefox web browser

* Thunderbird email client

I. Description

Several vulnerabilities have been reported in the Mozilla web browser and derived products. More detailed information is available in the individual vulnerability notes, including:

VU#592425 - Mozilla-based products fail to validate user input to the attribute name in “XULDocument.persist”

A vulnerability in some Mozilla products could allow a remote attacker to execute JavaScript commands with the permissions of the user running the affected application.

(CVE-2006-0296)

VU#759273 - Mozilla QueryInterface memory corruption vulnerability

Mozilla Firefox web browser and Thunderbird mail client contain a memory corruption vulnerability that may allow a remote attacker to execute arbitrary code.

(CVE-2006-0295)

II. Impact

The most severe of these vulnerabilities could allow a remote attacker to execute arbitrary code with the privileges of the user running the affected application. Other impacts include a denial of service or local information disclosure.

III. Solution

Upgrade

Upgrade to Mozilla Firefox 1.5.0.1 or SeaMonkey 1.0.

For Mozilla-based products that have no updates available, users are strongly encouraged to disable JavaScript.

Appendix A. References

* Mozilla Foundation Security Advisories - <http://www.mozilla.org/security/announce/>

* Mozilla Foundation Security Advisories - <http://www.mozilla.org/projects/security/known-vulnerabilities.html>

* US-CERT Vulnerability Note VU#592425 - <http://www.kb.cert.org/vuls/id/592425>

* US-CERT Vulnerability Note VU#759273 - <http://www.kb.cert.org/vuls/id/759273>

* US-CERT Vulnerability Notes Related to February Mozilla Security Advisories - <http://www.kb.cert.org/vuls/byid?searchview&query=mozilla_feb_2006>

* US-CERT Vulnerability Note VU#604745 - <http://www.kb.cert.org/vuls/id/604745>

* CVE-2006-0296 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0296>

* CVE-2006-0295 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0295>

* Firefox - Rediscover the Web - <http://www.mozilla.com/firefox/>

* The SeaMonkey Project - <http://www.mozilla.org/projects/seamonkey/>
