Multiple Mozilla Vulnerabilities

Overview

Several vulnerabilities exist in the Mozilla web browser and derived products, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system.

Systems Affected

Mozilla software, including the following, is affected:

* Mozilla web browser, email and newsgroup client

* Mozilla SeaMonkey

* Firefox web browser

* Thunderbird email client

I. Description

Several vulnerabilities have been reported in the Mozilla web browser and derived products. More detailed information is available in the individual vulnerability notes, including:

VU#592425 – Mozilla-based products fail to validate user input to the attribute name in “XULDocument.persist”

Some Mozilla products contain a vulnerability that could allow a remote attacker to execute JavaScript commands with the permissions of the user running the affected application.

(CVE-2006-0296)

VU#759273 – Mozilla QueryInterface memory corruption vulnerability

Mozilla Firefox web browser and Thunderbird mail client contain a memory corruption vulnerability that may allow a remote attacker to execute arbitrary code.

(CVE-2006-0295)

II. Impact

The most severe of these vulnerabilities could allow a remote attacker to execute arbitrary code with the privileges of the user running the affected application. Other impacts include denial of service or local information disclosure.

III. Solution

Upgrade

Upgrade to Mozilla Firefox 1.5.0.1 or SeaMonkey 1.0.

For Mozilla-based products that have no updates available, users are strongly encouraged to disable JavaScript.

Appendix A. References

* Mozilla Foundation Security Advisories – <http://www.mozilla.org/security/announce/>

* Mozilla Foundation Security Advisories – <http://www.mozilla.org/projects/security/known-vulnerabilities.html>

* US-CERT Vulnerability Note VU#592425 – <http://www.kb.cert.org/vuls/id/592425>

* US-CERT Vulnerability Note VU#759273 – <http://www.kb.cert.org/vuls/id/759273>

* US-CERT Vulnerability Notes Related to February Mozilla Security Advisories – <http://www.kb.cert.org/vuls/byid?searchview&query=mozilla_feb_2006>

* US-CERT Vulnerability Note VU#604745 – <http://www.kb.cert.org/vuls/id/604745>

* CVE-2006-0296 – <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0296>

* CVE-2006-0295 – <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0295>

* Firefox – Rediscover the Web – <http://www.mozilla.com/firefox/>

* The SeaMonkey Project – <http://www.mozilla.org/projects/seamonkey/>