Add script to automatically convert MFSAs and initial results.

Paul McLanahan 2014-07-11 16:08:09 -04:00
Parent f45afe7f32
Commit e28a7ecf7d
736 changed files: 32282 additions and 0 deletions

@ -1,3 +1,33 @@
# MFSA: Mozilla Foundation Security Advisories
Canonical source for Mozilla Foundation Security Advisories. http://www.mozilla.org/security/announce/
## Import Script
`import-html.py` is a script that will convert the Mozilla Foundation Security Announcement HTML (PHP) files from [the SVN repository](http://svn.mozilla.org/projects/mozilla.org/trunk/security/) into markdown snippets suitable for inclusion in [bedrock](https://github.com/mozilla/bedrock/) (the new backend for www.mozilla.org).
### Usage
Checkout the source files from SVN:
svn checkout http://svn.mozilla.org/projects/mozilla.org/trunk/security/
Then point the script at the directory the above command created:
./import-html.py /some/path/to/security
Full usage options are available in the help:
```
$ ./import-html.py -h
usage: import-html.py [-h] [-o OUT] DIR
Import and convert security HTML
positional arguments:
DIR Path to "security" directory from mozilla.org SVN.
optional arguments:
-h, --help show this help message and exit
-o OUT Output directory (default: ./security)
```
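Review bot: the Usage section never says what the script needs in order to run. `import-html.py` imports `pyquery` (and through it lxml) and `pathlib`, and its `print 'Thanks.'`-style statements make it Python 2 only, so on Python 2.7 both packages have to be installed from PyPI and on Python 3 the script fails with a SyntaxError before argparse is reached; add a requirements line and state the supported interpreter next to the `svn checkout` step. The `-h` output quoted here also says the default output is `./security`, but the script builds the default from `BASE_PATH / 'security'`, a directory beside the script rather than under the current working directory, so either the help string or the default should change to match.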

import-html.py Executable file
@ -0,0 +1,97 @@
#!/usr/bin/env python
"""
Import security advisories and known-vulnerabilities from
old HTML/PHP files and convert to snippets of Markdown.
"""
import argparse
import re
import sys
from pathlib import Path
from pyquery import PyQuery as pq
BASE_PATH = Path(__file__).resolve().parent
TITLE_RE = re.compile('\$html_title = [\'"](.*)[\'"];')
DIE_PHP = re.compile(r'<\?.*?\?>', re.DOTALL)
config = {}
def die_php_die(file_path):
"""Return the title and file contents with any PHP sections removed."""
with file_path.open() as fh:
# strip php
contents = fh.read()
m = TITLE_RE.search(contents)
return m.group(1), DIE_PHP.sub('', contents)
def write_file(in_file_path, contents):
out_file_path = config['output_path'] / in_file_path.relative_to(config['input_path'])
out_file_path = out_file_path.with_suffix('.md')
try:
out_file_path.parent.mkdir(parents=True)
except OSError:
pass
with out_file_path.open('w') as fh:
fh.write(contents.decode('utf8'))
sys.stdout.write('.')
sys.stdout.flush()
def process_announce():
announce_path = config['input_path'] / 'announce'
counter = 0
for announcement in announce_path.glob('*/mfsa*.html'):
title, html = die_php_die(announcement)
doc = pq(html)
if doc('#main-content'):
# it's the old style
doc = pq(doc('#main-content').children()[2:])
else:
# it's the new style
doc = pq(doc.children()[2:])
write_file(announcement, 'title: {}\n\n{}'.format(title, doc))
counter += 1
print '\nWrote {} MFSAs.'.format(counter)
def process_vulnerability():
# Not sure these can or should be automatically converted
vuln_path = config['input_path'] / 'known-vulnerabilities'
for vuln in vuln_path.glob('*.html'):
print vuln
def main():
parser = argparse.ArgumentParser(description='Import and convert security HTML')
parser.add_argument('dir', metavar='DIR',
help='Path to "security" directory from mozilla.org SVN.')
parser.add_argument('-o', metavar='OUT', default=str(BASE_PATH / 'security'),
help='Output directory (default: ./security)')
args = parser.parse_args()
config['input_path'] = Path(args.dir).resolve()
config['output_path'] = Path(args.o)
try:
config['output_path'].mkdir(parents=True)
except OSError:
pass
try:
process_announce()
# process_vulnerability()
except Exception as e:
print 'ERROR: {}'.format(e)
return 1
print 'Thanks.'
return 0
if __name__ == '__main__':
sys.exit(main())
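Review bot: `die_php_die` calls `m.group(1)` without checking that `TITLE_RE.search` matched, so an advisory without a `$html_title = "...";` line raises AttributeError; `main` then catches it with the bare `except Exception` and prints only `ERROR: 'NoneType' object has no attribute 'group'`, with no file name, after an unknown number of output files have already been written. Raise a descriptive error in `die_php_die` (`raise ValueError('no $html_title in {}'.format(file_path))`) or skip the file and report it, and include the path in whatever `main` prints. Two smaller points in the same hunk: the two `except OSError: pass` blocks around `mkdir(parents=True)` swallow permission and not-a-directory errors as well as the "already exists" case they are meant for, so check `e.errno == errno.EEXIST` and re-raise otherwise; and `doc('#main-content').children()[2:]` / `doc.children()[2:]` drop the first two child elements purely by position, so an advisory whose preamble differs from the two observed layouts will silently lose content or keep boilerplate, which deserves at least an assertion on what those two children are.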

@ -0,0 +1,29 @@
title: MFSA 2005-01: Link opened in new tab can load a local file
<h1>Mozilla Foundation Security Advisory 2005-01</h1>
<p><span class="label">Title:</span> Link opened in new tab can load a local file<br/>
<span class="label">Severity:</span> Low<br/>
<span class="label">Reporter:</span> Jesse Ruderman<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/><br/>
<span class="label">Fixed in:</span> Firefox 1.0<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.5</p>
<h3>Description</h3>
<p>Links with a custom getter and toString method can bypass checks intended to
prevent web content from linking to local files and "chrome" URIs if the user
can be convinced to middle-click (or control-click) to open it in a new tab.
The browser's "same-origin" policy prevents the attacker's content from taking
advantage of this flaw to read the local file or manipulate privileged chrome.</p>
<h3>Workaround</h3>
<p>Turn off javascript or upgrade to fixed version</p>
<h3>References</h3>
<p><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=249332"> https://bugzilla.mozilla.org/show_bug.cgi?id=249332</a></p>
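Review bot: the converted file is the source advisory's HTML copied through under a `title:` front-matter line, not Markdown, despite the `.md` suffix the script assigns and the README's description of the output as markdown snippets; the `<h1>` on the second line also repeats the `title:` value. That is only safe if bedrock's renderer passes raw HTML (the `<span class="label">` markup and `&#160;` entities) through untouched, so either document that these are HTML fragments with a title header or add an HTML-to-Markdown step in `process_announce`. The reference link text on the last line also starts with a stray space (`> https://bugzilla...`), which a `.strip()` on link text in the converter would clean up.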

@ -0,0 +1,33 @@
title: MFSA 2005-02: Opened attachments are temporarily saved world-readable
<h1>Mozilla Foundation Security Advisory 2005-02</h1>
<p><span class="label">Title:</span> Opened attachments are temporarily saved world-readable<br/>
<span class="label">Severity:</span> Moderate (on a multiuser computer)<br/>
<span class="label">Reporter:</span> danielk<br/><br/>
<span class="label">Fixed in:</span> Firefox 1.0<br/>
<span class="label">&#160;</span> Thunderbird 0.9<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.5<br/><br/>
<span class="label">Vulnerable:</span> Firefox 0.9<br/>
<span class="label">&#160;</span> Thunderbird 0.6<br/>
<span class="label">&#160;</span> Mozilla 1.7</p>
<h3>Description</h3>
<p>Mozilla software released after March 2004 saves some temporary files with
world-readable permissions. In the browser this is primarily
content fed to helper applications (for example, PDF files), and in
the mail clients it is attachments.</p>
<h3>Workaround</h3>
<p>Do not open sensitive mail attachments on a shared multiuser machine.
Upgrade to fixed version</p>
<h3>References</h3>
<p><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=251297">
https://bugzilla.mozilla.org/show_bug.cgi?id=251297</a></p>

@ -0,0 +1,32 @@
title: MFSA 2005-03: Secure site lock can be spoofed with a binary download
<h1>Mozilla Foundation Security Advisory 2005-03</h1>
<p><span class="label">Title:</span> Secure site lock can be spoofed with a binary download<br/>
<span class="label">Severity:</span> Low<br/>
<span class="label">Reporter:</span> Kylotan<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/><br/>
<span class="label">Fixed in:</span> Firefox 1.0<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.5</p>
<h3>Description</h3>
<p>While on an insecure page triggering a load of a binary file from
a secure server will cause the SSL lock icon to appear. The certificate
information is that of the binary file's host, while the location bar URL
correctly shows the original insecure page.</p>
<p>This could potentially be abused by phishers to make their fake login sites
appear more authentic.</p>
<h3>Workaround</h3>
<p>Upgrade to fixed version</p>
<h3>References</h3>
<p><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=257308">
https://bugzilla.mozilla.org/show_bug.cgi?id=257308</a></p>

@ -0,0 +1,32 @@
title: MFSA 2005-04: Secure site lock can be spoofed with view-source:
<h1>Mozilla Foundation Security Advisory 2005-04</h1>
<p><span class="label">Title:</span> Secure site lock can be spoofed with view-source:<br/>
<span class="label">Severity:</span> Low<br/>
<span class="label">Reporter:</span> Kohei Yoshino<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/><br/>
<span class="label">Fixed in:</span> Firefox 1.0<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.5</p>
<h3>Description</h3>
<p>Kohei Yoshino reports the secure site lock icon can be spoofed by using
a view-source: URL targetted at the secure site whose credentials you want
to appropriate. An insecure page of the attackers choice can then be loaded
while the lock icon shows the previous secure state.</p>
<p>This could potentially be abused by phishers to make their fake login sites
appear more authentic.</p>
<h3>Workaround</h3>
<p>Upgrade to fixed version</p>
<h3>References</h3>
<p><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=262689">
https://bugzilla.mozilla.org/show_bug.cgi?id=262689</a></p>

@ -0,0 +1,41 @@
title: MFSA 2005-05: Input stealing from other tabs
<h1>Mozilla Foundation Security Advisory 2005-05</h1>
<p><span class="label">Title:</span> Input stealing from other tabs<br/>
<span class="label">Severity:</span> High<br/>
<span class="label">Reporter:</span> Jakob Balle (Secunia)<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/><br/>
<span class="label">Fixed in:</span> Firefox 1.0<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.5</p>
<h3>Description</h3>
<p>Jakob Balle of Secunia reported two vulnerabilities in windows with multiple
tabs. Malicious content in a background tab can attempt to steal information
intended for the topmost tab by popping up prompt dialog that appears to come
from the trusted site, or by silently redirecting input focus to a background
tab hoping to catch the user inputting something sensitive.</p>
<p>Jesse Ruderman and Martin Wargers discovered variants</p>
<h3>Workaround</h3>
<p>Do not open sites with sensitive content in the same window as tabs from
untrusted content. Upgrade to fixed version.</p>
<h3>References</h3>
<ul>
<li><a href="http://secunia.com/advisories/12712">
http://secunia.com/advisories/12712</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=262887">
https://bugzilla.mozilla.org/show_bug.cgi?id=262887</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=265055">
https://bugzilla.mozilla.org/show_bug.cgi?id=265055</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=265456">
https://bugzilla.mozilla.org/show_bug.cgi?id=265456</a></li>
</ul>

@ -0,0 +1,32 @@
title: MFSA 2005-06: Heap overrun handling malicious news: URL
<h1>Mozilla Foundation Security Advisory 2005-06</h1>
<p><span class="label">Title:</span> Heap overrun handling malicious news: URL<br/>
<span class="label">Severity:</span> High<br/>
<span class="label">Reporter:</span> Maurycy Prodeus (iSEC Security Research)<br/>
<span class="label">Products:</span> Thunderbird, Mozilla Suite<br/><br/>
<span class="label">Fixed in:</span> Thunderbird 0.9<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.5</p>
<h3>Description</h3>
<p>Maurycy Prodeus of iSEC Security Research reports a heap overrun in processing
certain news: URLs. Thunderbird and the Mozilla Suite are affected; Firefox
does not support the news: scheme.</p>
<h3>Workaround</h3>
<p>Upgrade to fixed version.</p>
<h3>References</h3>
<ul>
<li><a class="ex-ref" href="http://isec.pl/vulnerabilities/isec-0020-mozilla.txt">
http://isec.pl/vulnerabilities/isec-0020-mozilla.txt</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=264388">
https://bugzilla.mozilla.org/show_bug.cgi?id=264388</a></li>
</ul>

@ -0,0 +1,32 @@
title: MFSA 2005-07: Script-generated event can download without prompting
<h1>Mozilla Foundation Security Advisory 2005-07</h1>
<p><span class="label">Title:</span> Script-generated event can download without prompting<br/>
<span class="label">Severity:</span> High (Firefox)<br/>
<span class="label">Reporter:</span> Omar Khan<br/>
<span class="label">Products:</span> Firefox<br/><br/>
<span class="label">Fixed in:</span> Firefox 1.0</p>
<h3>Description</h3>
<p>Script-generated click events were indistinguishable from true clicks.
Combined with the Firefox Alt+click feature that downloads links to
the default location without prompting this could be used by malicious
sites to place executables or other malware onto a windows user's desktop
without their knowing, or simply attempt to fill their disk.</p>
<p>Mozilla 1.7.5 was also fixed to distinguish synthetic from true clicks,
but didn't suffer from unprompted downloads.</p>
<h3>Workaround</h3>
<p>Disable javascript or upgrade to fixed version.</p>
<h3>References</h3>
<p><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=265176">
https://bugzilla.mozilla.org/show_bug.cgi?id=265176</a></p>

@ -0,0 +1,29 @@
title: MFSA 2005-08: Synthetic middle-click event can steal clipboard contents
<h1>Mozilla Foundation Security Advisory 2005-08</h1>
<p><span class="label">Title:</span> Synthetic middle-click event can steal clipboard contents<br/>
<span class="label">Severity:</span> Moderate<br/>
<span class="label">Reporter:</span> Jesse Ruderman<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.5</p>
<h3>Description</h3>
<p>Script-generated middle-click events can steal clipboard contents
on systems where that action is a paste. Middle-click paste is the
default behavior on Unix systems, and a hidden option elsewhere.</p>
<h3>Workaround</h3>
<p>Disable javascript or upgrade to fixed version.</p>
<h3>References</h3>
<p><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=265728">
https://bugzilla.mozilla.org/show_bug.cgi?id=265728</a></p>

@ -0,0 +1,30 @@
title: MFSA 2005-09: Browser responds to proxy auth request from non-proxy server (ssl/https)
<h1>Mozilla Foundation Security Advisory 2005-09</h1>
<p><span class="label">Title:</span> Browser responds to proxy auth request from non-proxy server (ssl/https)<br/>
<span class="label">Severity:</span> High<br/>
<span class="label">Reporter:</span> Christopher Nebergall<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.5</p>
<h3>Description</h3>
<p>If a proxy is configured the browser would respond to a 407 proxy auth
request from any SSL-connected server rather than only responding to
the configured proxy server. This could leak NTLM or SPNEGO credentials
outside the organization.</p>
<h3>Workaround</h3>
<p>Upgrade to the fixed version</p>
<h3>References</h3>
<p><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=267263">
https://bugzilla.mozilla.org/show_bug.cgi?id=267263</a></p>

@ -0,0 +1,31 @@
title: MFSA 2005-10: javascript: links in Thunderbird launch Internet Explorer
<h1>Mozilla Foundation Security Advisory 2005-10</h1>
<p><span class="label">Title:</span> javascript: links in Thunderbird launch Internet Explorer<br/>
<span class="label">Severity:</span> Moderate to Critical<br/>
<span class="label">Reporter:</span> Tom Braun<br/>
<span class="label">Products:</span> Thunderbird<br/><br/>
<span class="label">Fixed in:</span> Thunderbird 0.9</p>
<h3>Description</h3>
<p>Clicking on javascript: links in Thunderbird launched the default
handler for that scheme registered with the OS. On the Windows operating
system Internet Explorer is the default handler for the javascript:
scheme even when Firefox is the default browser.</p>
<p>The risk associated with this depends on vulnerabilities in the
installed version of Internet Explorer.</p>
<h3>Workaround</h3>
<p>Upgrade to the fixed version</p>
<h3>References</h3>
<p><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=263546">
https://bugzilla.mozilla.org/show_bug.cgi?id=263546</a></p>

@ -0,0 +1,34 @@
title: MFSA 2005-11: Mail responds to cookie requests
<h1>Mozilla Foundation Security Advisory 2005-11</h1>
<p><span class="label">Title:</span> Mail responds to cookie requests<br/>
<span class="label">Severity:</span> High<br/>
<span class="label">Reporter:</span> Michiel van Leeuwen<br/><br/>
<span class="label">Fixed in:</span> Thunderbird 1.0<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.5<br/><br/>
<span class="label">Vulnerable:</span> Thunderbird 0.6 - 0.9<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7 - 1.7.3</p>
<h3>Description</h3>
<p>Mozilla mail clients from March to December 2004 responded to cookie
requests accompanying content loaded over HTTP, ignoring the setting
of the preference "network.cookie.disableCookieForMailNews" (disabled
cookies are the default in mail).</p>
<p>Cookies in mail (for example, spam) could be used to track people.</p>
<h3>Workaround</h3>
<p>Set the mail client not to load remote content at all (the default
setting in Thunderbird, the "View as Simple text" option in the Mozilla Suite).
Upgrade to the fixed version</p>
<h3>References</h3>
<p><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=268107">
https://bugzilla.mozilla.org/show_bug.cgi?id=268107</a></p>

@ -0,0 +1,34 @@
title: MFSA 2005-12: javascript: Livefeed bookmarks can steal cookies
<h1>Mozilla Foundation Security Advisory 2005-12</h1>
<p><span class="label">Title:</span> javascript: Livefeed bookmarks can steal cookies<br/>
<span class="label">Severity:</span> High<br/>
<span class="label">Reporter:</span> Omar Khan<br/>
<span class="label">Products:</span> Firefox<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0</p>
<h3>Description</h3>
<p>Earlier versions of Firefox allowed <code>javascript:</code> and
<code>data: URLs</code> as Livefeed bookmarks. When they updated the URL
would be run in the context of the current page and could be used to
steal cookies or data displayed on the page.</p>
<p>If the user were on a page with elevated privileges (for example,
<code class="filename">about:config</code>) when the Livefeed was updated,
the feed URL could potentially run arbitrary code on the user's machine.</p>
<h3>Workaround</h3>
<p>Do not add non-http URLs as a Livefeed bookmark. Upgrade to the fixed
version</p>
<h3>References</h3>
<p><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=265668">
https://bugzilla.mozilla.org/show_bug.cgi?id=265668</a></p>

@ -0,0 +1,38 @@
title: MFSA 2005-13: Window Injection Spoofing
<h1>Mozilla Foundation Security Advisory 2005-13</h1>
<p><span class="label">Title:</span> Window Injection Spoofing<br/>
<span class="label">Severity:</span> Low<br/>
<span class="label">Risk:</span> Low<br/>
<span class="label">Reporter:</span> Secunia<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.1<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.6</p>
<h3>Description</h3>
<p>A website can inject content into a popup opened by another site if the
target name of the popup window is known. An attacker who knows you are
going to visit that other site could spoof the contents of the popup.</p>
<p>Open windows can now be targeted by name only by the site whose content
is in the window and the site which opened the window if different.
Other sites attempting to target the same named window will instead
get a new unnamed window.</p>
<h3>Workaround</h3>
<p>Do not browse trusted sites after browsing untrusted sites</p>
<h3>References</h3>
<ul>
<li><a class="ex-ref" href="http://secunia.com/advisories/13129/">http://secunia.com/advisories/13129/</a></li>
<li><a class="ex-ref" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1156">CAN-2004-1156</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=273699">https://bugzilla.mozilla.org/show_bug.cgi?id=273699</a></li>
</ul>

@ -0,0 +1,56 @@
title: MFSA 2005-14: SSL "secure site" indicator spoofing
<h1>Mozilla Foundation Security Advisory 2005-14</h1>
<p><span class="label">Title:</span> SSL "secure site" indicator spoofing<br/>
<span class="label">Severity:</span> Moderate<br/>
<span class="label">Risk:</span> Moderate<br/>
<span class="label">Reporter:</span> Mook, Doug Turner, Kohei Yoshino, M. Deaudelin<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.1<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.6</p>
<h3>Description</h3>
<p>Various schemes were reported that could cause the "secure site" lock icon
to appear and show certificate details for the wrong site. These could be
used by phishers to make their spoofs look more legitimate, particularly in
windows that hide the address bar showing the true location.</p>
<p>Mook reports that opening a spoof site that never finishes loading in a
window displaying a secure site will continue to show the security indicators
of the original site. Kohei Yoshino accomplishes the same result using
document.write() to create the spoof in the secure window.</p>
<p>Doug Turner demonstrates that faked security indicators can be turned
on for the current window contents by attempting to load content from a
non-HTTP server that supports SSL (for example, a mail server). The SSL
indicator was set based on the successful SSL handshake despite the
failure to load the requested content.</p>
<p>Similarly M. Deaudelin demonstrates that a spoofer could use a
URL that returns an HTTP 204 error to set both the SSL icon and update
the location while still showing the original content, presumably a spoof.</p>
<h3>Workaround</h3>
<p>Do not browse trusted sites in the same session as untrusted sites.
Do not use or trust links from untrusted sites that "helpfully" link
to financial institutions or similar sites with high-value information.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=258048">
https://bugzilla.mozilla.org/show_bug.cgi?id=258048</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=268483">
https://bugzilla.mozilla.org/show_bug.cgi?id=268483</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=277564">
https://bugzilla.mozilla.org/show_bug.cgi?id=277564</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=276720">
https://bugzilla.mozilla.org/show_bug.cgi?id=276720</a></li>
</ul>

@ -0,0 +1,36 @@
title: MFSA 2005-15: Heap overflow possible in UTF8 to Unicode conversion
<h1>Mozilla Foundation Security Advisory 2005-15</h1>
<p><span class="label">Title:</span> Heap overflow possible in UTF8 to Unicode conversion<br/>
<span class="label">Severity:</span> High<br/>
<span class="label">Risk:</span> Low<br/>
<span class="label">Reporter:</span> wind li<br/>
<span class="label">Products:</span> Firefox, Thunderbird, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.1<br/>
<span class="label">&#160;</span> Thunderbird 1.0.2<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.6</p>
<h3>Description</h3>
<p>It is possible for a UTF8 string with invalid sequences to
trigger a heap overflow of converted Unicode data. Exploitability
would depend on the attackers ability to get the string
into the buggy converter. General web content is converted
elsewhere but we can't rule out the possibility of a successful
attack.</p>
<h3>Workaround</h3>
<p>Upgrade to a version that contains this fix.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=241440">
https://bugzilla.mozilla.org/show_bug.cgi?id=241440</a></li>
</ul>

@ -0,0 +1,59 @@
title: MFSA 2005-16: Spoofing download and security dialogs with overlapping windows
<h1>Mozilla Foundation Security Advisory 2005-16</h1>
<p><span class="label">Title:</span> Spoofing download and security dialogs with overlapping windows<br/>
<span class="label">Severity:</span> High<br/>
<span class="label">Risk:</span> Low<br/>
<span class="label">Reporter:</span> Michael Krax<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.1<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.6</p>
<h3>Description</h3>
<p>Michael Krax demonstrates that the download dialog and security dialogs
can be spoofed by partially covering them with an overlapping window.
Some users may not notice the OS window border and browser statusbar
bisecting what appears to be a single dialog, and be convinced by the
spoofing text of the top-most window to click on the "Allow" or "Open"
button of the window below.</p>
<p>If the security dialog button is clicked signed scripts could perform
any action on the users machine.</p>
<p>If the download button is clicked a file could be downloaded to the
default download location. If the target file MIME type is one handled
by a helper app clicking the button could launch that helper app. If
there's a known exploit in a popular or default helper app then opening
the attackers file in that app could take advantage of that exploit.</p>
<h3>Workaround</h3>
<p>Carefully inspect dialogs triggered by web content.</p>
<p>Disable the ability of web pages to resize and position windows:</p>
<ol>
<li>Select the "Options..." item on the "Tools" menu</li>
<li>Select the "Web Features" icon</li>
<li>Press the "Advanced..." button on the line with the Javascript checkbox</li>
<li>Uncheck "Raise or lower windows"</li>
<li>Uncheck "Move or resize existing windows"</li>
<li>Click OK on both dialogs to save the settings</li>
</ol>
<h3>References</h3>
<ul>
<li><a class="ex-ref" href="http://www.mikx.de/firespoofing/">
http://www.mikx.de/firespoofing/</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=260560">
https://bugzilla.mozilla.org/show_bug.cgi?id=260560</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=283103">
https://bugzilla.mozilla.org/show_bug.cgi?id=283103</a></li>
</ul>

@ -0,0 +1,41 @@
title: MFSA 2005-17: Install source spoofing with user:pass@host
<h1>Mozilla Foundation Security Advisory 2005-17</h1>
<p><span class="label">Title:</span> Install source spoofing with user:pass@host<br/>
<span class="label">Severity:</span> Low<br/>
<span class="label">Risk:</span> Low<br/>
<span class="label">Reporter:</span> Phil Ringnalda<br/>
<span class="label">Products:</span> Firefox, Thunderbird, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.1<br/>
<span class="label">&#160;</span> Thunderbird 1.0.2<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.6</p>
<h3>Description</h3>
<p>The installation confirmation dialog shows the source of the software.
By adding a long, fake "user:pass" in front of the true hostname the
user might be convinced to trust software that comes from an untrustworthy
source. This is similar to attempts used in some phishing mail:
"http://www.mozilla.org@attacker.com/install.xpi".</p>
<p>By default Firefox only allows install attempts from http://update.mozilla.org,
a user would need to explicitly allow the spoofing host to initiate
installs before it could try this trick.</p>
<h3>Workaround</h3>
<p>Do not install software when prompted by untrusted sites. Enlarge
the install confirmation dialog and verify that "@" does not
appear before the first "/" character.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=268059">
https://bugzilla.mozilla.org/show_bug.cgi?id=268059</a></li>
</ul>

@ -0,0 +1,41 @@
title: MFSA 2005-18: Memory overwrite in string library
<h1>Mozilla Foundation Security Advisory 2005-18</h1>
<p><span class="label">Title:</span> Memory overwrite in string library<br/>
<span class="label">Severity:</span> High<br/>
<span class="label">Risk:</span> Low<br/>
<span class="label">Reporter:</span> Daniel de Wildt<br/>
<span class="label">Products:</span> Firefox, Thunderbird, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.1<br/>
<span class="label">&#160;</span> Thunderbird 1.0.2<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.6</p>
<h3>Description</h3>
<p>Daniel de Wildt discovered a memory handling flaw in Mozilla string
classes that could overwrite memory at a fixed location if
reallocation fails during string growth. This could theoretically
lead to arbitrary code execution. Creating the exact conditions
for exploitation--including running out of memory at just the right
moment--is unlikely.</p>
<p>This flaw was independently discovered by Ga&#235;l Delalleau and
reported by iDEFENSE</p>
<h3>Workaround</h3>
<p>Upgrade to a fixed version</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=277549">
https://bugzilla.mozilla.org/show_bug.cgi?id=277549</a></li>
<li><a class="ex-ref" href="http://www.idefense.com/application/poi/display?id=200&amp;type=vulnerabilities">
http://www.idefense.com/application/poi/display?id=200&amp;type=vulnerabilities</a></li>
</ul>

@ -0,0 +1,34 @@
title: MFSA 2005-19: Autocomplete data leak
<h1>Mozilla Foundation Security Advisory 2005-19</h1>
<p><span class="label">Title:</span> Autocomplete data leak<br/>
<span class="label">Severity:</span> Moderate<br/>
<span class="label">Risk:</span> Moderate<br/>
<span class="label">Reporter:</span> Matt Brubeck<br/>
<span class="label">Products:</span> Firefox<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.1</p>
<h3>Description</h3>
<p>As users downarrow through autocomplete choices each is copied in turn
into the input control. A malicious site could create a page that
autocompletes some common data (such as phone number or SSN) and
potentially convince a user to arrow through the values. Script on
the page could watch the values as they are added and copy them into
a hidden field for submission to the site.</p>
<h3>Workaround</h3>
<p>Turn off the Form Fill feature.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=270697">
https://bugzilla.mozilla.org/show_bug.cgi?id=270697</a></li>
</ul>

@ -0,0 +1,33 @@
title: MFSA 2005-20: XSLT can include stylesheets from arbitrary hosts
<h1>Mozilla Foundation Security Advisory 2005-20</h1>
<p><span class="label">Title:</span> XSLT can include stylesheets from arbitrary hosts<br/>
<span class="label">Severity:</span> Low<br/>
<span class="label">Risk:</span> High<br/>
<span class="label">Reporter:</span> Georgi Guninski<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.1<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.6</p>
<h3>Description</h3>
<p>xsl:include and xsl:import can include XSLT stylesheets from arbitrary
domains including those behind the user's firewall. This at least allows
for existence checking of these files; it's not clear how
much, if any, data could be extracted from arbitrary XML files.</p>
<h3>Workaround</h3>
<p>Upgrade to a fixed build.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=271209">
https://bugzilla.mozilla.org/show_bug.cgi?id=271209</a></li>
</ul>

@ -0,0 +1,45 @@
title: MFSA 2005-21: Overwrite arbitrary files downloading .lnk twice
<h1>Mozilla Foundation Security Advisory 2005-21</h1>
<p><span class="label">Title:</span> Overwrite arbitrary files downloading .lnk twice<br/>
<span class="label">Severity:</span> Critical<br/>
<span class="label">Risk:</span> Low<br/>
<span class="label">Reporter:</span> Masayuki Nakano<br/>
<span class="label">Products:</span> Firefox, Thunderbird, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.1<br/>
<span class="label">&#160;</span> Thunderbird 1.0.2<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.6</p>
<h3>Description</h3>
<p>If a windows user can be convinced to download a .lnk file
<strong>twice</strong> to the same location an attacker can overwrite
(essentially delete) arbitrary files on the user's machine: the file
<em>referenced</em> by the first .lnk will be overwritten by the
second download rather than replacing the .lnk itself.
On some older versions of windows .pif and .url files can be used to
accomplish the same thing.</p>
<p>If an attacker knows the user will download twice and is able to
send different content the second time then attackers could
replace the targeted file with content of their choosing. The first
.lnk would point to the target file and the second download would
contain the compromised version of the target.</p>
<h3>Workaround</h3>
<p>Do not download .pif, .lnk, or .url files. If running Windows XP
use a limited (non-administrator) account to prevent malicious
access to critical operating system files.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=271732">
https://bugzilla.mozilla.org/show_bug.cgi?id=271732</a></li>
</ul>
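Review bot: the advisory title is emitted three times in this file (the `title:` front-matter line, the `<h1>`, and the `Title:` label row), so the rendered bedrock page will repeat it; since the importer already lifts the title into metadata, consider dropping the `<h1>` and the `Title:` row from the body during conversion. Also, the `title:` line runs straight into `<h1>Mozilla Foundation Security Advisory 2005-21</h1>` with no blank line or front-matter delimiter, so a front-matter parser that expects a separator will treat it as body text.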

Просмотреть файл

@ -0,0 +1,42 @@
title: MFSA 2005-22: Download dialog spoofing using Content-Disposition header
<h1>Mozilla Foundation Security Advisory 2005-22</h1>
<p><span class="label">Title:</span> Download dialog spoofing using Content-Disposition header<br/>
<span class="label">Severity:</span> Low<br/>
<span class="label">Risk:</span> Low<br/>
<span class="label">Reporter:</span> Andreas Sandblad (Secunia)<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.1<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.5</p>
<h3>Description</h3>
<p>Andreas Sandblad of Secunia Research demonstrated a method to spoof the
download dialog for saving files by supplying a Content-Disposition header
with a different extension than the extension visible in the link and
download dialog. Users could be tricked into downloading a safe-looking file
such as a JPEG image and have it actually be saved with
an executable extension.</p>
<p>Windows hides file extensions by default. If the user did not notice the
incorrect icon they might at some later time double-click on the saved
file and execute it instead of having it open in the expected media
application.</p>
<h3>Workaround</h3>
<p>Use caution when downloading files from an untrusted site, un-hide file
extensions on windows.</p>
<h3>References</h3>
<ul>
<li><a class="ex-ref" href="http://secunia.com/advisories/13258"> http://secunia.com/advisories/13258</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=273498">
https://bugzilla.mozilla.org/show_bug.cgi?id=273498</a></li>
</ul>
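Review bot: the reference anchors carry stray whitespace in their link text, `<a class="ex-ref" href="http://secunia.com/advisories/13258"> http://secunia.com/advisories/13258</a>` has a leading space and the bugzilla link splits its text across a line break; when these become markdown links the text should be whitespace-collapsed and stripped (or replaced with the href itself when they are equal), otherwise the leading space and newline end up inside the brackets.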

Просмотреть файл

@ -0,0 +1,38 @@
title: MFSA 2005-23: Download dialog source spoofing
<h1>Mozilla Foundation Security Advisory 2005-23</h1>
<p><span class="label">Title:</span> Download dialog source spoofing<br/>
<span class="label">Severity:</span> Low<br/>
<span class="label">Risk:</span> Low<br/>
<span class="label">Reporter:</span> Jakob Balle (Secunia)<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.1<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.6</p>
<h3>Description</h3>
<p>The true source of a download can be disguised by using a host
name long enough that the most significant parts are truncated.
Spoofing can be made even more convincing on windows if the subdomain
labels contain a string of non-breaking space characters.</p>
<h3>Workaround</h3>
<p>Do not download files from untrusted sites. Be suspicious if
the download dialog shows the file comes from a different site
than the one you are on. If the download source is a trusted
one visit that site yourself to get the file by typing the address
into the location bar rather than trust 3rd-party links to content.</p>
<h3>References</h3>
<ul>
<li><a class="ex-ref" href="http://secunia.com/advisories/13599">http://secunia.com/advisories/13599</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=275417">
https://bugzilla.mozilla.org/show_bug.cgi?id=275417</a></li>
</ul>

Просмотреть файл

@ -0,0 +1,37 @@
title: MFSA 2005-24: HTTP auth prompt tab spoofing
<h1>Mozilla Foundation Security Advisory 2005-24</h1>
<p><span class="label">Title:</span> HTTP auth prompt tab spoofing<br/>
<span class="label">Severity:</span> Low<br/>
<span class="label">Risk:</span> Low<br/>
<span class="label">Reporter:</span> Christian Schmidt<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.1<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.6</p>
<h3>Description</h3>
<p>The HTTP authentication prompt appears above the currently open tab
regardless of which tab triggered it. A spoofer who could get a user
to open a high value target in another tab might be able to capture the
user's ID and password. HTTP auth dialogs are visually distinct from the
web form logins used by most commercial sites, and the HTTP auth dialog
clearly states which host it's for. Exploitation of this seems unlikely.</p>
<h3>Workaround</h3>
<p>Do not browse trusted and untrusted sites in the same session. When
presented with a site login dialog double-check that it is for the
site you think it's for.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=277574">
https://bugzilla.mozilla.org/show_bug.cgi?id=277574</a></li>
</ul>

Просмотреть файл

@ -0,0 +1,42 @@
title: MFSA 2005-25: Image drag and drop executable spoofing
<h1>Mozilla Foundation Security Advisory 2005-25</h1>
<p><span class="label">Title:</span> Image drag and drop executable spoofing<br/>
<span class="label">Severity:</span> Critical<br/>
<span class="label">Risk:</span> Moderate<br/>
<span class="label">Reporter:</span> Michael Krax<br/>
<span class="label">Products:</span> Firefox, Thunderbird, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.1<br/>
<span class="label">&#160;</span> Thunderbird 1.0.2<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.6</p>
<h3>Description</h3>
<p>Images dragged and dropped from a webpage to the desktop preserved
their original name and extension. If this were an executable extension
then the file would be executed rather than opened in a media application.</p>
<p>In order to exploit this the attacker would have to construct a valid
image that was also a valid executable. On windows this can be done
using a GIF image concatenated with a batch file. The attacker must
convince the user to drag the image to their desktop and sometime later
double click on it without noticing it has an executable icon rather than
the expected media type image.</p>
<h3>Workaround</h3>
<p>Do not hide windows extensions. Be cautious downloading files from untrusted
sites.</p>
<h3>References</h3>
<ul>
<li><a class="ex-ref" href="http://www.mikx.de/firedragging/">http://www.mikx.de/firedragging/</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=279945">
https://bugzilla.mozilla.org/show_bug.cgi?id=279945</a></li>
</ul>

Просмотреть файл

@ -0,0 +1,37 @@
title: MFSA 2005-26: Cross-site scripting by dropping javascript: link on tab
<h1>Mozilla Foundation Security Advisory 2005-26</h1>
<p><span class="label">Title:</span> Cross-site scripting by dropping javascript: link on tab<br/>
<span class="label">Severity:</span> Critical<br/>
<span class="label">Risk:</span> Low<br/>
<span class="label">Reporter:</span> Michael Krax<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.1<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.6</p>
<h3>Description</h3>
<p>Dropping a javascript: or data: link on a tab executes in the context
of the site already loaded in the tab. If an attacker could convince a
user to drag and drop such a link on a particular tab this could be used
to steal information or credentials associated with the site in that tab.</p>
<p>If the target tab contained privileged content, such as about:config, the
dropped javascript link could run arbitrary code on the user's machine.</p>
<h3>Workaround</h3>
<p>Don't drag and drop opaque links. Disable Javascript.</p>
<h3>References</h3>
<ul>
<li><a href="http://www.mikx.de/firetabbing/">http://www.mikx.de/firetabbing/</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=280056">
https://bugzilla.mozilla.org/show_bug.cgi?id=280056</a></li>
</ul>
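Review bot: `<a href="http://www.mikx.de/firetabbing/">` has no `class="ex-ref"`, while the same author's firedragging link in the previous file and the fireflashing/firescrolling links in the next one do; if the converter uses `ex-ref` to distinguish external references from bugzilla links it will misclassify this one, so classify by host (anything outside bugzilla.mozilla.org and mozilla.org is external) rather than by class.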

Просмотреть файл

@ -0,0 +1,42 @@
title: MFSA 2005-27: Plugins can be used to load privileged content
<h1>Mozilla Foundation Security Advisory 2005-27</h1>
<p><span class="label">Title:</span> Plugins can be used to load privileged content<br/>
<span class="label">Severity:</span> Critical<br/>
<span class="label">Risk:</span> Moderate<br/>
<span class="label">Reporter:</span> Michael Krax<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.1<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.6</p>
<h3>Description</h3>
<p>Plugins (such as flash) can be used to load privileged content into a frame.
Once loaded various spoofs can be applied to get the user to interact
with the privileged content. Michael Krax's "Fireflashing" example
demonstrates that an attacker can open about:config in a frame, hide it
with an opacity setting, and if the attacker can get the victim to click
at a particular spot (design some kind of simple game) you could toggle
boolean preferences, some of which would make further attacks easier.</p>
<p>The "firescrolling" example demonstrates arbitrary code execution
(in this case downloading a file) by convincing the user to scroll twice.</p>
<h3>Workaround</h3>
<p>Upgrade to a fixed version. Disable JavaScript.</p>
<h3>References</h3>
<ul>
<li><a class="ex-ref" href="http://www.mikx.de/fireflashing/">http://www.mikx.de/fireflashing/</a></li>
<li><a class="ex-ref" href="http://www.mikx.de/firescrolling/">http://www.mikx.de/firescrolling/</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=280664">
https://bugzilla.mozilla.org/show_bug.cgi?id=280664</a></li>
<li><a class="ex-ref" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0527">CAN-2005-0527</a></li>
</ul>
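Review bot: the CVE reference still uses the retired candidate name `CAN-2005-0527` and a bare `http://cve.mitre.org/` host, while later files in this commit use `http://www.cve.mitre.org/`; MITRE dropped the CAN prefix in 2005 and every CAN-YYYY-NNNN is the same entry as CVE-YYYY-NNNN, so the importer could normalize the identifier to `CVE-2005-0527` and the link to a single canonical URL when emitting references, and ideally record the CVE id as metadata instead of only as link text.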

Просмотреть файл

@ -0,0 +1,33 @@
title: MFSA 2005-28: Unsafe /tmp/plugtmp directory exploitable to erase user\'s files
<h1>Mozilla Foundation Security Advisory 2005-28</h1>
<p><span class="label">Title:</span> Unsafe /tmp/plugtmp directory exploitable to erase user's files<br/>
<span class="label">Severity:</span> Critical (local)<br/>
<span class="label">Risk:</span> High (on shared machine, low otherwise)<br/>
<span class="label">Reporter:</span> Tavis Ormandy<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.1<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.6</p>
<h3>Description</h3>
<p>A predictable name is used for the plugin temporary directory. A malicious
local user could symlink this to the victim's home directory and wait for
the victim to run Firefox. When Firefox shuts down the victim's directory
would be erased.</p>
<h3>Workaround</h3>
<p>None.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=281284">
https://bugzilla.mozilla.org/show_bug.cgi?id=281284</a></li>
</ul>
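Review bot: the `title:` line contains a leaked PHP string escape, `user\'s`, whereas the `<h1>`/`Title:` row below has the plain `user's`; the title is copied out of the `$html_title` string literal verbatim, so the captured value needs the PHP escapes undone before it is written to front matter, e.g. `title = title.replace("\\'", "'").replace('\\"', '"').replace("\\\\", "\\")`. Worth a grep over the output for `\'` to catch any other file with the same problem.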

Просмотреть файл

@ -0,0 +1,45 @@
title: MFSA 2005-29: Internationalized Domain Name (IDN) homograph spoofing
<h1>Mozilla Foundation Security Advisory 2005-29</h1>
<p><span class="label">Title:</span> Internationalized Domain Name (IDN) homograph spoofing<br/>
<span class="label">Severity:</span> High<br/>
<span class="label">Risk:</span> Moderate<br/>
<span class="label">Reporter:</span> Eric Johanson<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.1<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.6</p>
<h3>Description</h3>
<p><dfn>Internationalized Domain Names (IDN)</dfn> allow non-English speakers to use
domains in their local language. Because many supported characters
are similar to other (if not identical in some fonts) there is
the possibility this could be used to construct perfect,
indistinguishable phishing sites.</p>
<p>As a temporary measure the Mozilla Foundation has decided
to turn off <abbr title="Internationalized Domain Names">IDN</abbr>
and instead will display such domains
in their raw "punycode" form.
IDN will be re-enabled when the domain registries, standards
bodies, and browser vendors can agree on a plan to prevent
the use of <abbr title="Internationalized Domain Names">IDN</abbr>
domains in phishing scams.</p>
<h3>Workaround</h3>
<p>Upgrade to a fixed version.</p>
<h3>References</h3>
<ul>
<li><a class="ex-ref" href="http://www.shmoo.com/idn/homograph.txt">
http://www.shmoo.com/idn/homograph.txt</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=282270">
https://bugzilla.mozilla.org/show_bug.cgi?id=282270</a></li>
</ul>
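Review bot: this body relies on inline semantic HTML, `<dfn>Internationalized Domain Names (IDN)</dfn>` and `<abbr title="Internationalized Domain Names">IDN</abbr>`, whose `title` expansions are lost by a plain HTML-to-markdown pass; either keep these tags as raw HTML in the snippet (markdown allows it) or expand the abbreviation text once and drop the tags, but do not let the converter silently strip the attribute.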

Просмотреть файл

@ -0,0 +1,46 @@
title: MFSA 2005-30: GIF heap overflow parsing Netscape extension 2
<h1>Mozilla Foundation Security Advisory 2005-30</h1>
<p><span class="label">Title:</span> GIF heap overflow parsing Netscape extension 2<br/>
<span class="label">Severity:</span> Critical<br/>
<span class="label">Risk:</span> High<br/>
<span class="label">Reporter:</span> Mark Dowd (ISS X-Force)<br/>
<span class="label">Products:</span> Firefox, Thunderbird, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.2<br/>
<span class="label">&#160;</span> Thunderbird 1.0.2<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.6</p>
<h3>Description</h3>
<p>An GIF processing error when parsing the obsolete Netscape extension 2
can lead to an exploitable heap overrun, allowing an attacker to run
arbitrary code on the user's machine.</p>
<h3>Workaround</h3>
<p>Turn off image display. Upgrade to the fixed version.</p>
<p class="important">Important Note: The image blocking used in Mozilla Thunderbird and the
mail client in the Mozilla Suite only blocks images loaded from
remote servers. It will still display "in-line" images and is insufficient
to protect against a potential attack. Instead, on the View menu choose
"Message Body As" and set it to "Plain Text".</p>
<p>We, of course, recommend upgrading to the fixed version.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=285595">
https://bugzilla.mozilla.org/show_bug.cgi?id=285595</a></li>
<li><a class="ex-ref" href="http://xforce.iss.net/xforce/alerts/id/191">
http://xforce.iss.net/xforce/alerts/id/191</a></li>
<li><a class="ex-ref" href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0399">CAN-2005-0399</a></li>
</ul>
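Review bot: the Thunderbird warning is marked up as `<p class="important">`, which has no markdown equivalent and will lose its emphasis after conversion; render it as a blockquote or a bold lead sentence, or preserve the raw `<p class="important">` element so bedrock's stylesheet can still pick it up. The `CAN-2005-0399` reference here has the same normalization issue already noted on 2005-27.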

Просмотреть файл

@ -0,0 +1,33 @@
title: MFSA 2005-31: Arbitrary code execution from Firefox sidebar panel
<h1>Mozilla Foundation Security Advisory 2005-31</h1>
<p><span class="label">Title:</span> Arbitrary code execution from Firefox sidebar panel<br/>
<span class="label">Severity:</span> Critical<br/>
<span class="label">Risk:</span> Moderate<br/>
<span class="label">Reporter:</span> Kohei Yoshino<br/>
<span class="label">Products:</span> Firefox<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.2</p>
<h3>Description</h3>
<p>If a user bookmarked a malicious page as a Firefox sidebar panel that page
could execute arbitrary programs by opening a privileged page and injecting
javascript into it.</p>
<h3>Workaround</h3>
<p>Do not add sidebar panels. Upgrade to fixed version</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=284627">
https://bugzilla.mozilla.org/show_bug.cgi?id=284627</a></li>
<li><a class="ex-ref" href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0402">CAN-2005-0402</a></li>
</ul>

Просмотреть файл

@ -0,0 +1,36 @@
title: MFSA 2005-32: Drag and drop loading of privileged XUL
<h1>Mozilla Foundation Security Advisory 2005-32</h1>
<p><span class="label">Title:</span> Drag and drop loading of privileged XUL<br/>
<span class="label">Severity:</span> Low<br/>
<span class="label">Reporter:</span> Michael Krax<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.2<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.7</p>
<h3>Description</h3>
<p>A malicious page that could lure a user into dragging something (such as a
fake scrollbar) can bypass the restriction on opening privileged XUL. The
startup scripts in the XUL will run with enhanced privilege, though the
actions taken upon merely opening most XUL are benign. So far no way to
run arbitrary code supplied by the attacker has been found, but this
could be a stepping-stone to future attacks.</p>
<h3>Workaround</h3>
<p>Disable Javascript. Upgrade to the fixed version.</p>
<h3>References</h3>
<ul>
<li><a class="ex-ref" href="http://mikx.de/firescrolling2/">http://mikx.de/firescrolling2/</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=285438">
https://bugzilla.mozilla.org/show_bug.cgi?id=285438</a></li>
<li><a class="ex-ref" href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0401">CAN-2005-0401</a></li>
</ul>
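Review bot: this is the first file in the series without a `Risk:` row (2005-31 and earlier carry both `Severity:` and `Risk:`, 2005-32 onward only `Severity:`), so any code that maps the label rows into structured metadata must treat Risk as optional and key on the label text rather than on row position.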

Просмотреть файл

@ -0,0 +1,39 @@
title: MFSA 2005-33: Javascript "lambda" replace exposes memory contents
<h1>Mozilla Foundation Security Advisory 2005-33</h1>
<p><span class="label">Title:</span> Javascript "lambda" replace exposes memory contents<br/>
<span class="label">Severity:</span> Moderate<br/>
<span class="label">Reporter:</span> Azafran/Vladimir V. Perepelitsa<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.3<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.7</p>
<h3>Description</h3>
<p>A bug in javascript's regular expression string replacement when using an
anonymous function as the replacement argument allows a malicious script
to capture blocks of memory allocated to the browser. A web site could
capture data and transmit it to a server without user interaction or
knowledge.</p>
<p>The attacker cannot control what will be captured, but the data returned
sometimes contains bits of websites the user has recently visited and
their addresses. The data could be sifted to find the occasional valuable
bits of information.</p>
<h3>Workaround</h3>
<p>Disable Javascript.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=288688">
https://bugzilla.mozilla.org/show_bug.cgi?id=288688</a></li>
<li><a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0989">CAN-2005-0989</a></li>
</ul>

Просмотреть файл

@ -0,0 +1,47 @@
title: MFSA 2005-34: javascript: PLUGINSPAGE code execution
<h1>Mozilla Foundation Security Advisory 2005-34</h1>
<p><span class="label">Title:</span> PLUGINSPAGE privileged javascript execution<br/>
<span class="label">Severity:</span> High<br/>
<span class="label">Reporter:</span> Omar Khan<br/>
<span class="label">Products:</span> Firefox<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.3</p>
<h3>Description</h3>
<p>When a webpage requires a plugin that is not installed the user can click to
launch the <dfn>Plugin Finder Service (PFS)</dfn> to find an appropriate plugin. If the
service does not have an appropriate plugin the EMBED tag is checked for a
PLUGINSPAGE attribute, and if one is found the
<abbr title="Plugin Finder Service">PFS</abbr> dialog will contain a
"manual install" button that will load the PLUGINSPAGE url.</p>
<p>Omar Khan reported that if the PLUGINSPAGE attribute contains a javascript: url
then pressing the button could launch arbitrary code capable of stealing local
data or installing malicious code.</p>
<p>Doron Rosenberg reported a variant that injects script by
appending it to a malformed URL of any protocol.</p>
<p>The plugin finder in the Mozilla Suite is not affected by this issue.</p>
<h3>Workaround</h3>
<p>Do not press the "Manual Install" button on the Firefox plugin finder.
Use a search engine to find an appropriate plugin for the content.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=288556">
https://bugzilla.mozilla.org/show_bug.cgi?id=288556</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=289171">
https://bugzilla.mozilla.org/show_bug.cgi?id=289171</a></li>
<li><a class="ex-ref" href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0752">
CAN-2005-0752</a></li>
</ul>
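Review bot: the front-matter `title:` (`javascript: PLUGINSPAGE code execution`) and the `Title:` row in the body (`PLUGINSPAGE privileged javascript execution`) disagree; the former comes from `$html_title`, the latter from the page body, and both survive into the output, so listings and the page itself will show different titles for the same MFSA. Decide which source is canonical and have the importer warn when the two differ so these cases can be reconciled rather than discovered in the rendered site.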

Просмотреть файл

@ -0,0 +1,35 @@
title: MFSA 2005-35: Showing blocked javascript: popup uses wrong privilege context
<h1>Mozilla Foundation Security Advisory 2005-35</h1>
<p><span class="label">Title:</span> Showing blocked javascript: popup uses wrong privilege context<br/>
<span class="label">Severity:</span> Moderate<br/>
<span class="label">Reporter:</span> Doron Rosenberg<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.3<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.7</p>
<h3>Description</h3>
<p>When a popup is blocked the user is given the ability to open that one popup
through the popup-blocking status bar icon and, in Firefox, through
the infobar. If the popup URL were javascript: selecting "Show javascript:..."
from the infobar or popup blocking status bar icon menus would run the
javascript with elevated privileges which could be used to install malicious
software.</p>
<h3>Workaround</h3>
<p>Do not show blocked popups, or, if you must, show individual popups
only if the menu item starts with "Show http://" or "Show https://"</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=289204">
https://bugzilla.mozilla.org/show_bug.cgi?id=289204</a></li>
</ul>

Просмотреть файл

@ -0,0 +1,41 @@
title: MFSA 2005-36: Cross-site scripting through global scope pollution
<h1>Mozilla Foundation Security Advisory 2005-36</h1>
<p><span class="label">Title:</span> Cross-site Scripting through global scope pollution<br/>
<span class="label">Severity:</span> High<br/>
<span class="label">Reporter:</span> shutdown<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.3<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.7</p>
<h3>Description</h3>
<p>As you browse from site to site each new page should start with a clean
slate. shutdown reports a technique that pollutes the global scope of
a window in a way that persists from page to page.
A malicious script could define a setter function
for a variable known to be used by a popular site, and if the user
does browse to that site the malicious script will run in that page.
This would allows the setter script to steal cookies or the contents
of the page, or potentially perform actions on the user's behalf
(such as make purchases or delete webmail) depending heavily on
how the site was designed.</p>
<p>The objects persist until the window or tab is closed.</p>
<h3>Workaround</h3>
<p>Open a new window or tab before going to any site requiring a log in
or containing sensitive information. Or disable javascript.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=289675">
https://bugzilla.mozilla.org/show_bug.cgi?id=289675</a></li>
</ul>
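Review bot: same class of mismatch as 2005-34 but only in casing, `Cross-site scripting` in the front matter versus `Cross-site Scripting` in the `Title:` row; a case-insensitive comparison in the import step would let this one through while still flagging the genuine rewordings.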

Просмотреть файл

@ -0,0 +1,35 @@
title: MFSA 2005-37: Code execution through javascript: favicons
<h1>Mozilla Foundation Security Advisory 2005-37</h1>
<p><span class="label">Title:</span> Code execution through javascript: favicons<br/>
<span class="label">Severity:</span> Critical<br/>
<span class="label">Reporter:</span> Michael Krax<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.3<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.7</p>
<h3>Description</h3>
<p>Firefox and the Mozilla Suite support custom "favicons"
through the &lt;LINK rel="icon"&gt; tag. If a link tag
is added to the page programmatically and a javascript: url is used,
then script will run with elevated privileges and could run or
install malicious software.</p>
<h3>Workaround</h3>
<p>Disable javascript.</p>
<h3>References</h3>
<ul>
<li><a class="ex-ref" href="http://www.mikx.de/firelinking/">http://www.mikx.de/firelinking/</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=290036">
https://bugzilla.mozilla.org/show_bug.cgi?id=290036</a></li>
</ul>
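Review bot: the description contains entity-escaped markup, `&lt;LINK rel="icon"&gt;`, that must stay literal text; if the converter decodes entities before emitting markdown it will produce a bare `<LINK rel="icon">` that a markdown renderer passes through as an HTML tag and swallows. Decode it into a code span (`` `<LINK rel="icon">` ``) or re-escape it after conversion.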

Просмотреть файл

@ -0,0 +1,52 @@
title: MFSA 2005-38: Search plugin cross-site scripting
<h1>Mozilla Foundation Security Advisory 2005-38</h1>
<p><span class="label">Title:</span> Search plugin cross-site scripting<br/>
<span class="label">Severity:</span> Moderate<br/>
<span class="label">Reporter:</span> Michael Krax<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.3<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.7</p>
<h3>Description</h3>
<p>A malicious search plugin could run javascript in the context of the
displayed page each time a search is run. This could be used to steal
cookies or page contents, or issue commands to that site on the user's
behalf. If the open page has elevated privileges (about:plugins,
about:config) then the script could install malicious software when
a search is performed. javascript: urls are no longer supported as
a search action.</p>
<p>If the user installs a search plugin from a malicious site the
new search plugin could silently replace an existing one by
choosing the same filename and using a long enough server path to push the
filename part off the edge of the confirmation dialog. To the user it
would appear as if the new plugin failed to install, but searches performed
using the overwritten plugin would be handled by the malicious one. If the
ultimate results came from redirecting to the original site this could
remain undetected for some time. The malicious site could use this to
track people's search history, or perhaps to add their own paid results
at the top of what the user would assume to be a reputable search site.</p>
<p>New search plugins no longer overwrite existing ones. If
you need to reinstall or upgrade an existing search plugin
you will have to find and manually delete the old one first</p>
<h3>Workaround</h3>
<p>Do not install search plugins from untrusted sources.</p>
<h3>References</h3>
<ul>
<li><a class="ex-ref" href="http://www.mikx.de/firesearching/">http://www.mikx.de/firesearching/</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=290037">
https://bugzilla.mozilla.org/show_bug.cgi?id=290037</a></li>
</ul>

Просмотреть файл

@ -0,0 +1,31 @@
title: MFSA 2005-39: Arbitrary code execution from Firefox sidebar panel II
<h1>Mozilla Foundation Security Advisory 2005-39</h1>
<p><span class="label">Title:</span> Arbitrary code execution from Firefox sidebar panel II<br/>
<span class="label">Severity:</span> Critical<br/>
<span class="label">Reporter:</span> Kohei Yoshino<br/>
<span class="label">Products:</span> Firefox<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.3</p>
<h3>Description</h3>
<p>Sites can use the _search target to open links in the Firefox sidebar. Two
missing security checks allow malicious scripts to first open a privileged
page (such as about:config) and then inject script using a javascript: url.
This could be used to install malicious code or steal data without user interaction.</p>
<h3>Workaround</h3>
<p>Disable Javascript</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=290079">
https://bugzilla.mozilla.org/show_bug.cgi?id=290079</a></li>
</ul>

Просмотреть файл

@ -0,0 +1,34 @@
title: MFSA 2005-40: Missing Install object instance checks
<h1>Mozilla Foundation Security Advisory 2005-40</h1>
<p><span class="label">Title:</span> Missing Install object instance checks<br/>
<span class="label">Severity:</span> Moderate<br/>
<span class="label">Reporter:</span> Georgi Guninski<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.3<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.7</p>
<h3>Description</h3>
<p>The native implementations of InstallTrigger and other XPInstall-related
javascript objects did not properly validate that they were called on
instances of the correct type. By passing other objects, even raw numbers,
the javascript interpreter would jump to the wrong place in memory.
Although no proof of concept has been developed we believe this could
be exploited.</p>
<h3>Workaround</h3>
<p>Disable Javascript.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=290162">
https://bugzilla.mozilla.org/show_bug.cgi?id=290162</a></li>
</ul>

Просмотреть файл

@ -0,0 +1,55 @@
title: MFSA 2005-41: Privilege escalation via DOM property overrides
<h1>Mozilla Foundation Security Advisory 2005-41</h1>
<p><span class="label">Title:</span> Privilege escalation via DOM property overrides<br/>
<span class="label">Severity:</span> Critical<br/>
<span class="label">Reporter:</span> moz_bug_r_a4<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.3<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.7</p>
<h3>Description</h3>
<p>moz_bug_r_a4 reported several exploits giving an attacker
the ability to install malicious code or steal data, requiring only
that the user do commonplace actions like click on a link or open
the context menu. The common cause in each case was privileged UI code
("chrome") being overly trusting of DOM nodes from the content window.
Scripts in the web page can override properties and methods of DOM
nodes and shadow the native values, unless steps are taken to get the
true underlying values.</p>
<p>We found that most extensions also interacted with content DOM in a
natural, but unsafe, manner.
Changes were made so that chrome code using this natural DOM coding style
will now automatically use the native DOM value if it exists without having
to use cumbersome wrapper objects.</p>
<p>Most of the specific exploits involved tricking the privileged code
into calling eval() on an attacker-supplied script string, or the equivalent
using the Script() object. Checks were added in the security manager
to make sure eval and Script objects are run with the privileges of the
context that created them, not the potentially elevated privileges of
the context calling them.</p>
<h3>Workaround</h3>
<p>Disable Javascript</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=289074">
https://bugzilla.mozilla.org/show_bug.cgi?id=289074</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=289083">
https://bugzilla.mozilla.org/show_bug.cgi?id=289083</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=289961">
https://bugzilla.mozilla.org/show_bug.cgi?id=289961</a></li>
</ul>

Просмотреть файл

@ -0,0 +1,72 @@
title: MFSA 2005-42: Code execution via javascript: IconURL
<h1>Mozilla Foundation Security Advisory 2005-42</h1>
<p><span class="label">Title:</span> Code execution via javascript: IconURL<br/>
<span class="label">Severity:</span> Critical<br/>
<span class="label">Reporter:</span> Paul (Greyhats)<br/>
<span class="label">Products:</span> Firefox 1.0.3, Mozilla Suite 1.7.7<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.4<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.8</p>
<h3>Description</h3>
<p>Two vulnerabilities found in Mozilla Firefox 1.0.3 when combined allow
an attacker to run arbitrary code. The Mozilla Suite version 1.7.7
is only partially vulnerable.</p>
<p>A vulnerability in the Firefox install confirmation dialog
allows an attacker to supply a <code>javascript:</code> URL as
the IconURL property, which will execute code.
By using an eval() call in that URL arbitrary code can be
executed with elevated privilege.
By default only the Mozilla Update site is allowed
to attempt software installation but users can allow other sites.</p>
<p>A second flaw in Firefox 1.0.3 and the Mozilla Suite 1.7.7 allows
an attacker to inject script into any site by loading it in a frame
and navigating back to a previous <code>javascript:</code> URL
containing an eval() call. This can be used to steal cookies or
other confidential data from the target site. If the target site
is allowed to raise the install confirmation dialog in Firefox
then this attack can be combined with the first to execute
arbitrary code.</p>
<p>The default Mozilla Update site has been modified to prevent
its use in this attack.</p>
<h3>Workaround</h3>
<p>Changes were made to the default Mozilla Update site to protect users
from these attacks shortly after this attack became public.
Users who have added other extension or theme sites to the software
installation whitelist should remove them until they have upgraded to a
fixed version of Firefox.</p>
<ol>
<li>Select the "Options" dialog from the "Tools" menu</li>
<li>Select the "Web Features" icon</li>
<li>Click the "Allowed Sites" button on the same line as the
"Allow web sites to install software" checkbox</li>
<li>Click the "Remove All Sites" button</li>
<li>Click "OK"</li>
</ol>
<p>Disabling Javascript will prevent both attacks.</p>
<h3>References</h3>
<p>Bug and exploit details withheld until May 18, 2005</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=292691">
https://bugzilla.mozilla.org/show_bug.cgi?id=292691</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=292499">
https://bugzilla.mozilla.org/show_bug.cgi?id=292499</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=291745">
https://bugzilla.mozilla.org/show_bug.cgi?id=291745</a></li>
</ul>


@ -0,0 +1,48 @@
title: MFSA 2005-43: "Wrapped" javascript: urls bypass security checks
<h1>Mozilla Foundation Security Advisory 2005-43</h1>
<p><span class="label">Title:</span> "Wrapped" javascript: urls bypass security checks<br/>
<span class="label">Severity:</span> Critical<br/>
<span class="label">Reporter:</span> Michael Krax, Georgi Guninski, L. David Baron<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.4<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.8</p>
<h3>Description</h3>
<p>Some security checks intended to prevent script injection were incorrect
and could be bypassed by wrapping a <code>javascript:</code> url in the
<code>view-source:</code> pseudo-protocol. Michael Krax demonstrated
that a variant of his <a href="mfsa2005-37.html">favicon</a> exploit
could still execute arbitrary code, and the same technique could also
be used to perform cross-site scripting.</p>
<p>Georgi Guninski demonstrated the same flaw wrapping <code>javascript:</code> urls
with the <code>jar:</code> pseudo-protocol.</p>
<p>L. David Baron discovered a nested variant that defeated checks
in the script security manager.</p>
<h3>Workaround</h3>
<p>Disable Javascript</p>
<h3>References</h3>
<p>Bug and exploit details withheld until May 18, 2005</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=290949">
https://bugzilla.mozilla.org/show_bug.cgi?id=290949</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=290982">
https://bugzilla.mozilla.org/show_bug.cgi?id=290982</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=291150">
https://bugzilla.mozilla.org/show_bug.cgi?id=291150</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=293671">
https://bugzilla.mozilla.org/show_bug.cgi?id=293671</a></li>
</ul>
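Review bot: the cross-reference `<a href="mfsa2005-37.html">favicon</a>` in the Description is a relative link into the old flat `.html` layout; once these snippets are served by bedrock that href only resolves if bedrock keeps the same URL scheme, so either have import-html.py rewrite `mfsaNNNN-NN.html` hrefs to the route bedrock actually exposes, or confirm the scheme is unchanged. The same pattern appears in the 2005-44 (`mfsa2005-41.html`), 2005-45 (`mfsa2005-34.html`) and 2005-58 (`mfsa2005-55.html`) snippets in this commit.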


@ -0,0 +1,35 @@
title: MFSA 2005-44: Privilege escalation via non-DOM property overrides
<h1>Mozilla Foundation Security Advisory 2005-44</h1>
<p><span class="label">Title:</span> Privilege escalation via non-DOM property overrides<br/>
<span class="label">Severity:</span> Critical<br/>
<span class="label">Reporter:</span> moz_bug_r_a4<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.4<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.8</p>
<h3>Description</h3>
<p>Additional checks were added to make sure Javascript eval and Script
objects are run with the privileges of the context that created them,
not the potentially elevated privilege of the context calling them
in order to protect against an additional variant of
<a href="mfsa2005-41.html">MFSA 2005-41</a>.</p>
<h3>Workaround</h3>
<p>Upgrade to Firefox 1.0.4 or Mozilla 1.7.8</p>
<h3>References</h3>
<p>Bug and exploit details withheld until May 18, 2005</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=290908">
https://bugzilla.mozilla.org/show_bug.cgi?id=290908</a></li>
</ul>


@ -0,0 +1,34 @@
title: MFSA 2005-45: Content-generated event vulnerabilities
<h1>Mozilla Foundation Security Advisory 2005-45</h1>
<p><span class="label">Title:</span> Content-generated event vulnerabilities<br/>
<span class="label">Severity:</span> High<br/>
<span class="label">Reporter:</span> Omar Khan, Jochen, shutdown, Matthew Mastracci<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.5<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.10</p>
<h3>Description</h3>
<p>In several places the browser UI did not correctly distinguish between true
user events, such as mouse clicks or keystrokes, and synthetic events
genenerated by web content. The problems ranged from minor annoyances like
switching tabs or entering full-screen mode, to a variant on <a href="mfsa2005-34.html">MFSA 2005-34</a></p>
<p>Synthetic events are now prevented from reaching the browser UI entirely
rather than depend on each potentially spoofed function to protect
itself from untrusted events.</p>
<h3>Workaround</h3>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=289940">
https://bugzilla.mozilla.org/show_bug.cgi?id=289940</a></li>
</ul>
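Review bot: the `<h3>Workaround</h3>` heading near the end of this snippet is followed directly by `<h3>References</h3>` with no body, so the converted page will render an empty section; rather than carrying the empty upstream heading through, have the importer skip headings that have no content (or emit a standard "none" line). The same empty Workaround heading appears in the 2005-49, 2005-50, 2005-51 and 2005-55 snippets. Separately, "genenerated" in the first Description paragraph is an upstream typo preserved by the import; decide whether converted snippets are meant to be corrected or kept byte-for-byte with SVN, since a hand fix here would be lost on the next import run.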


@ -0,0 +1,40 @@
title: MFSA 2005-46: XBL scripts ran even when Javascript disabled
<h1>Mozilla Foundation Security Advisory 2005-46</h1>
<p><span class="label">Title:</span> XBL scripts ran even when Javascript disabled<br/>
<span class="label">Severity:</span> Low<br/>
<span class="label">Reporter:</span> moz_bug_r_a4<br/>
<span class="label">Products:</span> Firefox, Thunderbird, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.5<br/>
<span class="label">&#160;</span> Thunderbird 1.0.5<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.10</p>
<h3>Description</h3>
<p>Scripts in XBL controls from web content continued to be run even when
Javascript was disabled. By itself this causes no harm, but it could be
combined with most script-based exploits to attack people running
vulnerable versions who thought disabling javascript would protect them.</p>
<p>In the Thunderbird and Mozilla Suite mail clients Javascript is disabled by
default for protection against denial-of-service attacks and worms; this
vulnerability could be used to bypass that protection.</p>
<h3>Workaround</h3>
<p>Upgrade to a fixed version</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=292591">
https://bugzilla.mozilla.org/show_bug.cgi?id=292591</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=292589">
https://bugzilla.mozilla.org/show_bug.cgi?id=292589</a></li>
</ul>


@ -0,0 +1,43 @@
title: MFSA 2005-47: Code execution via "Set as Wallpaper"
<h1>Mozilla Foundation Security Advisory 2005-47</h1>
<p><span class="label">Title:</span> Code execution via "Set as Wallpaper"<br/>
<span class="label">Severity:</span> High<br/>
<span class="label">Reporter:</span> Michael Krax<br/>
<span class="label">Products:</span> Firefox 1.0.3<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.5</p>
<h3>Description</h3>
<p>If an attacker can convince a victim to use the "Set As Wallpaper" context
menu item on a specially crafted image then they can run arbitary code on the
user's computer. The image "source" must be a javascript: url containing an
eval() statement and such an image would get the "broken image" icon, but with
CSS it could be made transparent and placed on top of a real image.</p>
<p>The attacker would have to convince the user to change their desktop background
to the exploit image, and to do so by using the Firefox context menu rather than
first saving the image locally and using the normal mechanism provided by their
operating system.</p>
<p>This affects only Firefox 1.0.3 and 1.0.4; earlier versions are unaffected.
The implementation of this feature in the Mozilla Suite is also unaffected.</p>
<h3>Workaround</h3>
<p>To use an image as your desktop background save it as a file first and then
use the operating system's features to make the image your desktop wallpaper.</p>
<h3>References</h3>
<ul>
<li><a class="ex-ref" href="http://www.mikx.de/firewalling/">http://www.mikx.de/firewalling/</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=292737">
https://bugzilla.mozilla.org/show_bug.cgi?id=292737</a></li>
</ul>
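Review bot: "arbitary" in the first Description paragraph is a typo carried over from the upstream HTML; if these snippets will be edited by hand after import it is one to fix, otherwise correct it in the SVN source first so a re-run of import-html.py does not reintroduce it. Also worth checking that bedrock's stylesheet defines the `ex-ref` class used on the `http://www.mikx.de/firewalling/` link in References, otherwise the external-versus-bugzilla distinction that class encodes is lost on the new site.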


@ -0,0 +1,66 @@
title: MFSA 2005-48: Same-origin violation with InstallTrigger callback
<h1>Mozilla Foundation Security Advisory 2005-48</h1>
<p><span class="label">Title:</span> Same-origin violation with InstallTrigger callback<br/>
<span class="label">Severity:</span> Low (High for Mozilla Suite)<br/>
<span class="label">Reporter:</span> Matthew Mastracci<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.5<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.10</p>
<h3>Description</h3>
<p>The <code>InstallTrigger.install()</code> method for launching an install
accepts a callback function that will be called with the final success
or error status. By forcing a page navigation immediately after
calling the install method this callback function can end up running
in the context of the new page selected by the attacker. This is true
even if the user cancels the unwanted install dialog: cancel is an
error status. This callback script can steal data from the new page such
as cookies or passwords, or perform actions on the user's behalf such
as make a purchase if the user is already logged into the target site.</p>
<p>In Firefox the default settings allow only http://addons.mozilla.org to
bring up this install dialog. This could only be exploited if users have
added questionable sites to the install whitelist, and if a malicious site
can convince you to install from their site that's a much more powerful
attack vector.</p>
<p>In the Mozilla Suite the whitelist feature is turned off by default, any site
can prompt the user to install software and exploit this vulnerability.</p>
<p>The browser has been fixed to clear any pending callback function when switching
to a new site.</p>
<h3>Workaround</h3>
<p>Firefox: Remove untrustworthy sites from the list of those allowed to install,
or turn off software installation entirely.</p>
<ol>
<li>Open the Options dialog from the Tools menu</li>
<li>Select the Web Features icon in the left panel</li>
<li>Uncheck the "Allow web sites to install software" box, or click the
"allowed sites" button on that line to remove untrusted sites.</li>
</ol>
<p>Mozilla Suite: Turn off the software installation feature.</p>
<ol>
<li>Open the Preferences dialog from the Edit menu</li>
<li>Select "Software Installation" in the "Advanced" group in
the left panel.</li>
<li>Uncheck the "Enable software installation" checkbox.</li>
</ol>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=293331">
https://bugzilla.mozilla.org/show_bug.cgi?id=293331</a></li>
</ul>


@ -0,0 +1,29 @@
title: MFSA 2005-49: Script injection from Firefox sidebar panel using data:
<h1>Mozilla Foundation Security Advisory 2005-49</h1>
<p><span class="label">Title:</span> Script injection from Firefox sidebar panel using data:<br/>
<span class="label">Severity:</span> High<br/>
<span class="label">Reporter:</span> Kohei Yoshino<br/>
<span class="label">Products:</span> Firefox<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.5</p>
<h3>Description</h3>
<p>Sites can use the _search target to open links in the Firefox sidebar. A
missing security check allows the sidebar to inject data: urls containing
scripts into any page open in the browser. This could be used to steal
cookies, passwords or other sensitive data.</p>
<h3>Workaround</h3>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=294074">
https://bugzilla.mozilla.org/show_bug.cgi?id=294074</a></li>
</ul>


@ -0,0 +1,39 @@
title: MFSA 2005-50: Exploitable crash in InstallVersion.compareTo()
<h1>Mozilla Foundation Security Advisory 2005-50</h1>
<p><span class="label">Title:</span> Exploitable crash in InstallVersion.compareTo<br/>
<span class="label">Severity:</span> Critical<br/>
<span class="label">Reporter:</span> shutdown<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.5<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.10</p>
<h3>Description</h3>
<p>When InstallVersion.compareTo() is passed an object rather than a string
it assumed the object was another InstallVersion without verifying it.
When passed a different kind of object the browser would generally
crash with an access violation.</p>
<p>shutdown has demonstrated that different javascript objects can be
passed on some OS versions to get control over the instruction pointer.
We assume this could be developed further to run arbitrary machine code
if the attacker can get exploit code loaded at a predictable address.</p>
<p><strong>Update:</strong>(2005-12-14) Aviv Raff has posted a proof of concept
exploit of this flaw that demonstrates execution of attacker-supplied
code on windows.</p>
<h3>Workaround</h3>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=295854">
https://bugzilla.mozilla.org/show_bug.cgi?id=295854</a></li>
</ul>
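Review bot: the `title:` front-matter line reads `Exploitable crash in InstallVersion.compareTo()` while the `Title:` label in the body reads `InstallVersion.compareTo` without the parentheses, so the two values evidently come from different places in the source page and disagree here. Pick one (the body label is what readers see on the page, the front-matter title is what listings will show) or have the importer derive both from the same field so index and page always match.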


@ -0,0 +1,31 @@
title: MFSA 2005-51: The return of frame-injection spoofing
<h1>Mozilla Foundation Security Advisory 2005-51</h1>
<p><span class="label">Title:</span> The return of frame-injection spoofing<br/>
<span class="label">Severity:</span> Moderate<br/>
<span class="label">Reporter:</span> Secunia.com<br/>
<span class="label">Products:</span> Firefox 1.0.3, Mozilla Suite 1.7.7<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.5<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.10</p>
<h3>Description</h3>
<p>The original frame-injection spoofing bug was fixed in the Mozilla Suite 1.7
and Firefox 0.9 releases. This protection was accidentally bypassed by one
of the fixes in the Firefox 1.0.3 and Mozilla Suite 1.7.7 releases.</p>
<h3>Workaround</h3>
<h3>References</h3>
<ul>
<li><a class="ex-ref" href="http://secunia.com/advisories/15601/">http://secunia.com/advisories/15601/</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=296850">
https://bugzilla.mozilla.org/show_bug.cgi?id=296850</a></li>
</ul>


@ -0,0 +1,38 @@
title: MFSA 2005-52: Same origin violation: frame calling top.focus()
<h1>Mozilla Foundation Security Advisory 2005-52</h1>
<p><span class="label">Title:</span> Same origin violation: frame calling top.focus()<br/>
<span class="label">Severity:</span> Moderate<br/>
<span class="label">Reporter:</span> Andreas Sandblad (Secunia)<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.5<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.10</p>
<h3>Description</h3>
<p>A child frame can call top.focus() even if the framing page comes from a different
origin and has overridden the focus() routine. The call is made in the context
of the child frame. The attacker would look for a target site with a framed
page that makes this call but doesn't verify that its parent comes from the same
site. The attacker could steal cookies and passwords from the framed page, or
take actions on behalf of a signed-in user. This attack would work only against
sites that use frames in this manner.</p>
<h3>Workaround</h3>
<p>Upgrade to a version containing the fix. As a website author verify that a parent
frame is from the expected site before calling methods on it.</p>
<h3>References</h3>
<ul>
<li><a class="ex-ref" href="http://secunia.com/advisories/15549/">http://secunia.com/advisories/15549/</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=296830">
https://bugzilla.mozilla.org/show_bug.cgi?id=296830</a></li>
</ul>


@ -0,0 +1,49 @@
title: MFSA 2005-53: Standalone applications can run arbitrary code through the browser
<h1>Mozilla Foundation Security Advisory 2005-53</h1>
<p><span class="label">Title:</span> Standalone applications can run arbitrary code through the browser<br/>
<span class="label">Severity:</span> Critical<br/>
<span class="label">Reporter:</span> Michael Krax<br/>
<span class="label">Products:</span> Firefox<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.5</p>
<h3>Description</h3>
<p>Several media players, for example Flash and QuickTime, support scripted content
with the ability to open URLs in the default browser. The default behavior for
Firefox was to replace the currently open browser window's
content with the externally opened content. If the external URL was a javascript:
url it would run as if it came from the site that served the previous content, which
could be used to steal sensitive information such as login cookies or passwords.
If the media player content first caused a privileged chrome: url to load then
the subsequent javascript: url could execute arbitrary code.</p>
<p>External javascript: urls will now run in a blank context regardless of what
content it's replacing, and external apps will no longer be able to load
privileged chrome: urls in a browser window. The -chrome command line option
to load chrome applications is still supported.</p>
<h3>Workaround</h3>
<p>Set the browser to open external links in a new tab or new window.</p>
<ol>
<li>Open the Options dialog from the Tools menu</li>
<li>Select the Advanced icon in the left panel</li>
<li>Open the "Tabbed Browsing" group</li>
<li>Set "Open links from other applications in:" to either new tab or new window</li>
</ol>
<h3>References</h3>
<p>Bug details embargoed until August 1, 2005</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=298255">
https://bugzilla.mozilla.org/show_bug.cgi?id=298255</a></li>
</ul>


@ -0,0 +1,41 @@
title: MFSA 2005-54: Javascript prompt origin spoofing
<h1>Mozilla Foundation Security Advisory 2005-54</h1>
<p><span class="label">Title:</span> Javascript prompt origin spoofing<br/>
<span class="label">Severity:</span> Low<br/>
<span class="label">Reporter:</span> Secunia.com<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.5<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.10</p>
<h3>Description</h3>
<p>Alerts and prompts created by scripts in web pages are presented with the
generic title [JavaScript Application] which sometimes makes it difficult to know
which site created them. A malicious page could attempt to cause a prompt
to appear in front of a trusted site in an attempt to extract information
such as passwords from the user.</p>
<p>In the fixed version these prompts will contain the hostname from the
page which created it.</p>
<h3>Workaround</h3>
<p>Do not enter sensitive information into a "JavaScript Application" prompt,
they are almost never used for this purpose. If you must, first drag the
prompt on the desktop and make sure there is not a tiny window hiding
behind it.</p>
<h3>References</h3>
<ul>
<li><a class="ex-ref" href="http://secunia.com/advisories/15489/">http://secunia.com/advisories/15489/</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=298934">
https://bugzilla.mozilla.org/show_bug.cgi?id=298934</a></li>
</ul>


@ -0,0 +1,38 @@
title: MFSA 2005-55: XHTML node spoofing
<h1>Mozilla Foundation Security Advisory 2005-55</h1>
<p><span class="label">Title:</span> XHTML node spoofing<br/>
<span class="label">Severity:</span> High<br/>
<span class="label">Reporter:</span> moz_bug_r_a4<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.5<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.10</p>
<h3>Description</h3>
<p>Parts of the browser UI relied too much on DOM node names without taking
different namespaces into account and verifying that nodes really were
of the expected type. An XHTML document could be used to create fake
&lt;IMG&gt; elements, for example, with content-defined properties that the
browser would access as if they were the trusted built-in properties of the
expected HTML elements.</p>
<p>The severity of the vulnerability would depend on what the attacker could
convince the victim to do, but could result in executing user-supplied
script with elevated "chrome" privileges. This could be used to install
malicious software on the victim's machine.</p>
<h3>Workaround</h3>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=298892">
https://bugzilla.mozilla.org/show_bug.cgi?id=298892</a></li>
</ul>


@ -0,0 +1,42 @@
title: MFSA 2005-56: Code execution through shared function objects
<h1>Mozilla Foundation Security Advisory 2005-56</h1>
<p><span class="label">Title:</span> Code execution through shared function objects<br/>
<span class="label">Severity:</span> Critical<br/>
<span class="label">Reporter:</span> moz_bug_r_a4, shutdown<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.5<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.10</p>
<h3>Description</h3>
<p>Improper cloning of base objects allowed web content scripts to
walk up the prototype chain to get to a privileged object.
This could be used to execute code with enhanced privileges.</p>
<h3>Workaround</h3>
<p>Upgrade to a version containing the fix.</p>
<h3>References</h3>
<p>Bug details embargoed until August 1, 2005</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=294795">
https://bugzilla.mozilla.org/show_bug.cgi?id=294795</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=294799">
https://bugzilla.mozilla.org/show_bug.cgi?id=294799</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=295011">
https://bugzilla.mozilla.org/show_bug.cgi?id=295011</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=296397">
https://bugzilla.mozilla.org/show_bug.cgi?id=296397</a></li>
</ul>


@ -0,0 +1,45 @@
title: MFSA 2005-57: IDN heap overrun using soft-hyphens
<h1>Mozilla Foundation Security Advisory 2005-57</h1>
<p><span class="label">Title:</span> <abbr title="Internationalized Domain Name">IDN</abbr> heap overrun using soft-hyphens<br/>
<span class="label">Severity:</span> Critical<br/>
<span class="label">Reporter:</span> Tom Ferris<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.7<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.12</p>
<h3>Description</h3>
<p>Tom Ferris reported a Firefox crash when processing a domain name
consisting solely of soft-hyphen characters. This is due to a heap
overrun triggered when <dfn>Internationalized Domain Name (IDN)</dfn> processing
results in an empty string after removing non-mapping characters
such as soft-hyphens. This overrun could be exploited to run or install
malware on a user's computer.</p>
<p>Mozilla Thunderbird does not process
<abbr title="Internationalized Domain Name">IDN</abbr> host names and
is thus not affected by this vulnerability.</p>
<h3>Workaround</h3>
<p>Disable <abbr title="Internationalized Domain Name">IDN</abbr>.
Instructions on how to do so manually or through a
small patch can be found <a href="http://www.mozilla.org/security/idn.html">
here</a>. Installing the fixed versions will restore
<abbr title="Internationalized Domain Name">IDN</abbr> functionality
if you've installed the patch; if you disabled
<abbr title="Internationalized Domain Name">IDN</abbr> manually it
will have to be reenabled the same way.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=307259">
https://bugzilla.mozilla.org/show_bug.cgi?id=307259</a></li>
</ul>


@ -0,0 +1,195 @@
title: MFSA 2005-58 Firefox 1.0.7 / Mozilla Suite 1.7.12 Vulnerability Fixes
<h1>Mozilla Foundation Security Advisory 2005-58</h1>
<p><span class="label">Date:</span> September 22, 2005<br/>
<span class="label">Severity:</span> Critical<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<span class="label">Fixed in:</span> Firefox 1.0.7<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.12</p>
<p>Fixes for multiple vulnerabilities with an overall severity of "critical"
have been released in Mozilla Firefox 1.0.7 and the Mozilla Suite 1.7.12</p>
<ul>
<li>
<a href="#xbm">Heap overrun in XBM image processing</a>
<span class="critical">[Critical]</span>
</li>
<li>
<a href="#zero-width">Crash on "zero-width non-joiner" sequence</a>
<span class="critical">[Critical]</span>
</li>
<li>
<a href="#xmlhttp">XMLHttpRequest header spoofing</a>
<span class="moderate">[Moderate]</span>
</li>
<li>
<a href="#xblspoof">Object spoofing using XBL &lt;implements&gt;</a>
<span class="moderate">[Moderate]</span>
</li>
<li>
<a href="#js-int">JavaScript integer overflow</a>
<span class="high">[Severe]</span>
</li>
<li>
<a href="#about">Privilege escalation using about: scheme</a>
<span class="high">[Severe]</span>
</li>
<li>
<a href="#closedwin">Chrome window spoofing</a>
<span class="high">[Severe]</span>
</li>
<li>
<a href="#regressions">Regression fixes</a>
</li>
</ul>
<h3 id="xbm">Heap overrun in XBM image processing</h3>
<p><span class="reporter">jackerror</span> reports that an
improperly terminated XBM image ending with space characters
instead of the expected end tag
can lead to a heap buffer overrun.
This appears to be exploitable to install or run
malicious code on the user's machine.</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=300936">
https://bugzilla.mozilla.org/show_bug.cgi?id=300936</a></li>
</ul>
<p>Thunderbird does not support the XBM format and is not affected
by this flaw.</p>
<h3 id="zero-width">Crash on "zero-width non-joiner" sequence</h3>
<p><span class="reporter">Mats Palmgren</span> discovered that a
reported crash on Unicode sequences with "zero-width non-joiner"
characters was due to stack corruption that may be exploitable
to run arbitrary code.</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=296134">
https://bugzilla.mozilla.org/show_bug.cgi?id=296134</a></li>
</ul>
<p>In the default configuration (JavaScript disabled) Thunderbird
will crash, but we do not believe it can be exploited to run the
attacker's code. With JavaScript turned on Thunderbird is
vulnerable to this exploit.</p>
<h3 id="xmlhttp">XMLHttpRequest header spoofing</h3>
<p>It was possible to add illegal and malformed headers to
an XMLHttpRequest. This could have been used to exploit
server or proxy flaws from the user's machine, or to fool
a server or proxy into thinking a single request was
a stream of separate requests.
The severity of this vulnerability depends on the value of
servers which might be vulnerable to HTTP request smuggling and
similar attacks, or which share an IP address (virtual hosting)
with the attacker's page.</p>
<p>For users connecting to the web through a proxy this flaw
could be used to bypass the same-origin restriction on
XMLHttpRequests by fooling the proxy into handling a single request
as multiple pipe-lined requests directed at arbitrary hosts.
This could be used, for example, to read files on intranet
servers behind a firewall.</p>
<p>Reported independently by <span class="reporter">Tim Altman</span> and
<span class="reporter">Yutaka Oiwa</span></p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=297078">
https://bugzilla.mozilla.org/show_bug.cgi?id=297078</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=302263">
https://bugzilla.mozilla.org/show_bug.cgi?id=302263</a></li>
</ul>
<h3 id="xblspoof">Object spoofing using XBL &lt;implements&gt;</h3>
<p><span class="reporter">moz_bug_r_a4</span> demonstrated a DOM
object spoofing bug similar to
<a href="mfsa2005-55.html">MFSA 2005-55</a> using an XBL control
that &lt;implements&gt; an internal interface. The severity depends
on the version of Firefox: investigation so far indicates Firefox 1.0.x
releases don't expose any vulnerable functionality to interfaces
spoofed in this way, but that early Deer Park Alpha 1 versions did.</p>
<p>XBL was changed to no longer allow unprivileged controls from
web content to implement XPCOM interfaces.</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=299518">
https://bugzilla.mozilla.org/show_bug.cgi?id=299518</a></li>
</ul>
<h3 id="js-int">JavaScript integer overflow</h3>
<p><span class="reporter">Georgi Guninski</span> reported
an integer overflow in the JavaScript engine. We presume
this could be exploited to run arbitrary code under
favorable conditions.</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=303213">
https://bugzilla.mozilla.org/show_bug.cgi?id=303213</a></li>
</ul>
<h3 id="about">Privilege escalation using about: scheme</h3>
<p><span class="reporter">heatsync</span> and
<span class="reporter">shutdown</span> report two different ways
to bypass the restriction on loading high privileged "chrome"
pages from an unprivileged "about:" page. By itself this is
harmless--once the "about" page's privilege is raised the original
page no longer has access--but should this be combined with
a same-origin violation this could lead to arbitrary code
execution.</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=304754">
https://bugzilla.mozilla.org/show_bug.cgi?id=304754</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=306261">
https://bugzilla.mozilla.org/show_bug.cgi?id=306261</a></li>
</ul>
<h3 id="closedwin">Chrome window spoofing</h3>
<p><span class="reporter">moz_bug_r_a4</span> demonstrates a way
to get a blank "chrome" canvas by opening a window from a reference
to a closed window. The resulting window is not privileged, but
the normal browser UI is missing and can be used to construct a spoof
page without any of the safety features of the browser chrome designed
to alert users to phishing sites, such as the address bar and the
status bar.</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=306804">
https://bugzilla.mozilla.org/show_bug.cgi?id=306804</a></li>
</ul>
<h3 id="regressions">Regression fixes</h3>
<p>These releases include fixes for the following bugs that were
introduced in previous security releases. These were fixed for
stability reasons, they do not themselves pose any security risk.</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=291178">291178</a>
InstallTrigger.getVersion gone in Firefox 1.0.3</li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=300853">300853</a>
Caps crash on cleanup [@ DomainPolicy::Drop]</li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=301180">301180</a>
crash if you stop search and hit the search button again (Mozilla 1.7 only)</li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=302100">302100</a>
Firefox 1.0.6 crashes when loading any page if PAC script uses eval</li>
</ul>
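Review bot: the `title:` front-matter line `MFSA 2005-58 Firefox 1.0.7 / Mozilla Suite 1.7.12 Vulnerability Fixes` has no colon after the advisory number, unlike every other title in this commit (`MFSA 2005-57: ...`, `MFSA 2005-59: ...`); anything that splits the title on `: ` to recover the advisory id will mis-parse this one, so normalise it here or in the importer. Two smaller points in the same snippet: this advisory and 2006-01 carry a `<span class="label">Date:</span>` line while none of the 2005-42 through 2005-57 or 2005-59 snippets do, so check whether the importer dropped the date for those or upstream never had it, because bedrock will presumably need a date to list advisories; and the summary list marks `[Severe]` entries with `class="high"`, which works only if bedrock's stylesheet keys on the class rather than the label text.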


@ -0,0 +1,37 @@
title: MFSA 2005-59: Command-line handling on Linux allows shell execution
<h1>Mozilla Foundation Security Advisory 2005-59</h1>
<p><span class="label">Title:</span> Command-line handling on Linux allows shell execution<br/>
<span class="label">Severity:</span> Severe<br/>
<span class="label">Reporter:</span> Peter Zelezny<br/>
<span class="label">Products:</span> Firefox, Thunderbird, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.0.7<br/>
<span class="label">&#160;</span> Thunderbird 1.0.7<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.12</p>
<h3>Description</h3>
<p>URLs passed to Linux versions of Firefox and Thunderbird on the command-line were
not correctly protected against interpretation by the shell. As a result
a malicious URL can result in the execution of shell commands with
the privileges of the user. If Firefox is set as the default handler for
web URLs then opening a URL in another program (for example, links
in a mail or chat client) can result in shell command execution.</p>
<h3>Workaround</h3>
<p>Do not click on links in spam or other mail from people you don't know.
Do not use the affected programs as the default handler for URLs.
Upgrade to the fixed versions.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=307185">
https://bugzilla.mozilla.org/show_bug.cgi?id=307185</a></li>
</ul>

@ -0,0 +1,62 @@
title: MFSA 2006-01: JavaScript garbage-collection hazards
<h1>Mozilla Foundation Security Advisory 2006-01</h1>
<p><span class="label">Title:</span> JavaScript garbage-collection hazards<br/>
<span class="label">Severity:</span> Moderate<br/>
<span class="label">Date:</span> February 1, 2006<br/>
<span class="label">Reporter:</span> Igor Bukanov<br/>
<span class="label">Products:</span> Firefox, Thunderbird, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5.0.1<br/>
<span class="label">&#160;</span> SeaMonkey 1.0<br/>
<span class="label">&#160;</span> Thunderbird 1.5.0.2<br/>
<span class="label">&#160;</span> Firefox 1.0.8<br/>
<span class="label">&#160;</span> Thunderbird 1.0.8<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.13</p>
<h3>Description</h3>
<p>Garbage collection hazards have been found in the JavaScript
engine where some routines used temporary variables
that were not properly protected (rooted). Specially crafted objects
could contain a user-defined method that would be called during
the lifetime of these temporaries. If this method triggered
garbage collection the engine would operate on the unexpectedly freed
temporary object when it returned from the user-defined routine.</p>
<p>The risk appears remote, but this type of memory corruption could
potentially be used by an attacker to run arbitrary code.</p>
<p>CVE-2006-0293 was introduced during Firefox 1.5 development and does not
affect Firefox 1.0. CVE-2006-0292 affects all versions of Firefox.</p>
<p class="note">Thunderbird shares the JavaScript engine with Firefox
and could be vulnerable if JavaScript is enabled in mail. This is not
the default setting; we strongly discourage users from running
JavaScript in mail.</p>
<p><strong style="text-decoration: underline;">Update (13 April 2006)</strong><br/>
This flaw has been fixed in Thunderbird 1.5.0.2</p>
<p>Updated versions of Firefox 1.0, Thunderbird 1.0, and the Mozilla Suite 1.7
have been released containing this fix.</p>
<h3>Workaround</h3>
<p>Upgrade to the fixed versions. Do not enable JavaScript in Thunderbird
or Mozilla Suite mail.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=316885">
https://bugzilla.mozilla.org/show_bug.cgi?id=316885</a><br/>
CVE-2006-0292</li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=322045">
https://bugzilla.mozilla.org/show_bug.cgi?id=322045</a><br/>
CVE-2006-0293</li>
</ul>

@ -0,0 +1,46 @@
title: MFSA 2006-02: Changing position:relative to static corrupts memory
<h1>Mozilla Foundation Security Advisory 2006-02</h1>
<p><span class="label">Title:</span> Changing position:relative to static corrupts memory<br/>
<span class="label">Severity:</span> Moderate<br/>
<span class="label">Date:</span> February 1, 2006<br/>
<span class="label">Reporter:</span> Martijn Wargers<br/>
<span class="label">Products:</span> Firefox, Thunderbird, SeaMonkey<br/><br/>
<span class="label">Fixed in:</span> Firefox 1.5.0.1<br/>
<span class="label">&#160;</span> SeaMonkey 1.0<br/>
<span class="label">&#160;</span> Thunderbird 1.5.0.2</p>
<h3>Description</h3>
<p>Dynamically changing the style of an element from position:relative
to position:static can cause Gecko to operate on freed memory.
It may be possible to exploit this in order to run arbitrary
code.</p>
<p>This flaw was introduced during Firefox 1.5 and SeaMonkey 1.0
development and does not affect Firefox 1.0 or the Mozilla Suite 1.7</p>
<p class="note">Thunderbird 1.5 could be vulnerable if JavaScript is
enabled in mail. This is not the default setting and we strongly
discourage users from turning on JavaScript in mail. Thunderbird
is not vulnerable in its default configuration.</p>
<p><strong style="text-decoration: underline;">Update (13 April 2006)</strong><br/>
This flaw has been fixed in Thunderbird 1.5.0.2</p>
<h3>Workaround</h3>
<p>Upgrade to the fixed versions. Do not enable JavaScript in Thunderbird
or SeaMonkey mail.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=317934">
https://bugzilla.mozilla.org/show_bug.cgi?id=317934</a><br/>
CVE-2006-0294</li>
</ul>

@ -0,0 +1,55 @@
title: MFSA 2006-03: Long document title causes startup denial of Service
<h1>Mozilla Foundation Security Advisory 2006-03</h1>
<p><span class="label">Title:</span> Long document title causes startup denial of service<br/>
<span class="label">Severity:</span> Low<br/>
<span class="label">Date:</span> February 1, 2006<br/>
<span class="label">Reporter:</span> ZIPLOCK<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5.0.1<br/>
<span class="label">&#160;</span> SeaMonkey 1.0<br/>
<span class="label">&#160;</span> Firefox 1.0.8<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.13</p>
<h3>Description</h3>
<p>Web pages with extremely long titles--the public demonstration
had a title 2.5 million characters long--cause subsequent
launches of the browser to appear to "hang" for up to a few
minutes, or even crash if the computer has insufficient memory.</p>
<p>Once affected this condition will recur every time the browser
is started until the item expires from the saved browsing history
or the user deletes the file <code class="filename">history.dat</code> from
the user profile directory.</p>
<p><strong style="text-decoration: underline;">Update (13 April 2006)</strong><br/>
Updated versions of Firefox 1.0 and the Mozilla Suite 1.7
have been released containing this fix.</p>
<h3>Workaround</h3>
<p>This problem can be prevented in vulnerable versions by turning off
the saving of browser history. In Firefox:</p>
<ol>
<li>Open the <strong>Options</strong> dialog from the <strong>Tools</strong> menu
</li><li>Select the <strong>Privacy</strong> icon
</li><li>In the <strong>History</strong> section set the remembered duration to
<strong>0</strong> days
</li></ol>
<p>The steps for the Mozilla Suite are similar</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=319004">
https://bugzilla.mozilla.org/show_bug.cgi?id=319004</a><br/>
CVE-2005-4134</li>
</ul>

@ -0,0 +1,54 @@
title: MFSA 2006-04: Memory corruption via QueryInterface on Location, Navigator objects
<h1>Mozilla Foundation Security Advisory 2006-04</h1>
<p><span class="label">Title:</span> Memory corruption via QueryInterface on Location, Navigator objects<br/>
<span class="label">Severity:</span> Critical<br/>
<span class="label">Date:</span> February 1, 2006<br/>
<span class="label">Reporter:</span> Georgi Guninski<br/>
<span class="label">Products:</span> Firefox, Thunderbird, SeaMonkey<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5.0.1<br/>
<span class="label">&#160;</span> SeaMonkey 1.0<br/>
<span class="label">&#160;</span> Thunderbird 1.5.0.2</p>
<h3>Description</h3>
<p>Calling the <code>QueryInterface</code> method of the built-in
Location and Navigator objects causes memory corruption
that might be exploitable to run arbitrary code.</p>
<p>This flaw appears to have been introduced during development
of Firefox 1.5/SeaMonkey 1.0 -- Firefox 1.0 and the older
Mozilla Suite 1.7 do not appear to be vulnerable.</p>
<p class="note">Thunderbird 1.5 could be vulnerable if JavaScript is
enabled in mail. This is not the default setting and we strongly
discourage users from turning on JavaScript in mail. Thunderbird
is not vulnerable in its default configuration.</p>
<p><strong style="text-decoration: underline;">Update (7 February 2006)</strong><br/>
H D Moore of the Metasploit Project published a working exploit on milw0rm
for the Linux and Mac OS X versions of Firefox 1.5. Severity upgraded
to critical.</p>
<p><strong style="text-decoration: underline;">Update (13 April 2006)</strong><br/>
This flaw has been fixed in Thunderbird 1.5.0.2</p>
<h3>Workaround</h3>
<p>Upgrade to the fixed versions. Do not enable JavaScript in Thunderbird
or SeaMonkey mail.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=319296">
https://bugzilla.mozilla.org/show_bug.cgi?id=319296</a><br/>
CVE-2006-0295</li>
<li><a class="ex-ref" href="http://www.milw0rm.com/id.php?id=1474">http://www.milw0rm.com/id.php?id=1474</a></li>
<li><a class="ex-ref" href="http://www.milw0rm.com/id.php?id=1480">http://www.milw0rm.com/id.php?id=1480</a></li>
</ul>

@ -0,0 +1,50 @@
title: MFSA 2006-05: Localstore.rdf XML injection through XULDocument.persist()
<h1>Mozilla Foundation Security Advisory 2006-05</h1>
<p><span class="label">Title:</span> Localstore.rdf XML injection through XULDocument.persist()<br/>
<span class="label">Severity:</span> Critical<br/>
<span class="label">Date:</span> February 1, 2006<br/>
<span class="label">Reporter:</span> moz_bug_r_a4<br/>
<span class="label">Products:</span> Firefox, Thunderbird, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5.0.1<br/>
<span class="label">&#160;</span> SeaMonkey 1.0<br/>
<span class="label">&#160;</span> Thunderbird 1.5.0.2<br/>
<span class="label">&#160;</span> Firefox 1.0.8<br/>
<span class="label">&#160;</span> Thunderbird 1.0.8<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.13</p>
<h3>Description</h3>
<p>XULDocument.persist() did not validate the attribute name,
allowing an attacker to inject XML into localstore.rdf that would
be read and acted upon at startup. This could include JavaScript
commands that would be run with the permissions of the browser.</p>
<p class="note">Thunderbird could be vulnerable if JavaScript is
enabled. This is not the default setting and we strongly
discourage users from turning on JavaScript in mail. Thunderbird
is not vulnerable in its default configuration.</p>
<p><strong style="text-decoration: underline;">Update (13 April 2006)</strong><br/>
This flaw has been fixed in Thunderbird 1.5.0.2</p>
<p>Updated versions of Firefox 1.0, Thunderbird 1.0, and the Mozilla Suite 1.7
have been released containing this fix.</p>
<h3>Workaround</h3>
<p>Upgrade to the fixed versions. Do not enable JavaScript in Thunderbird
or SeaMonkey mail.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=319847">
https://bugzilla.mozilla.org/show_bug.cgi?id=319847</a><br/>
CVE-2006-0296</li>
</ul>

@ -0,0 +1,48 @@
title: MFSA 2006-06: Integer overflows in E4X, SVG and Canvas
<h1>Mozilla Foundation Security Advisory 2006-06</h1>
<p><span class="label">Title:</span> Integer overflows in E4X, SVG, and Canvas<br/>
<span class="label">Severity:</span> Moderate<br/>
<span class="label">Date:</span> February 1, 2006<br/>
<span class="label">Reporter:</span> Georgi Guninski<br/>
<span class="label">Products:</span> Firefox, Thunderbird, SeaMonkey<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5.0.1<br/>
<span class="label">&#160;</span> SeaMonkey 1.0<br/>
<span class="label">&#160;</span> Thunderbird 1.5.0.2</p>
<h3>Description</h3>
<p>Georgi Guninski reports integer overflows in the new
E4X, SVG, and Canvas features. These lead to memory corruption that
is potentially exploitable to run arbitrary code.</p>
<p>These flaws were introduced during Firefox 1.5 and SeaMonkey 1.0
development and do not affect Firefox 1.0 or the Mozilla Suite 1.7</p>
<p class="note">Thunderbird 1.5 could be vulnerable if JavaScript is
enabled in mail. This is not the default setting and we strongly
discourage users from turning on JavaScript in mail. Thunderbird
is not vulnerable in its default configuration.</p>
<p><strong style="text-decoration: underline;">Update (13 April 2006)</strong><br/>
This flaw has been fixed in Thunderbird 1.5.0.2</p>
<h3>Workaround</h3>
<p>Upgrade to the fixed versions. Do not enable JavaScript in Thunderbird
or SeaMonkey mail.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=319872">
https://bugzilla.mozilla.org/show_bug.cgi?id=319872</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=322215">
https://bugzilla.mozilla.org/show_bug.cgi?id=322215</a><br/>
CVE-2006-0297</li>
</ul>

@ -0,0 +1,39 @@
title: MFSA 2006-07: Read beyond buffer while parsing XML
<h1>Mozilla Foundation Security Advisory 2006-07</h1>
<p><span class="label">Title:</span> Read beyond buffer while parsing XML<br/>
<span class="label">Severity:</span> Low<br/>
<span class="label">Date:</span> February 1, 2006<br/>
<span class="label">Reporter:</span> Johnny Stenback<br/>
<span class="label">Products:</span> Firefox, Thunderbird, SeaMonkey<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5.0.1<br/>
<span class="label">&#160;</span> SeaMonkey 1.0<br/>
<span class="label">&#160;</span> Thunderbird 1.5.0.2</p>
<h3>Description</h3>
<p>An upgrade in the XML parser introduced a bug that could read
beyond the end of the buffer, often causing a crash. We don't know if
this could be exploited to incorporate private data into the DOM of an
XML document, but could be a privacy risk if so. Firefox 1.0, Thunderbird 1.0
and Mozilla Suite 1.7 are not affected.</p>
<p><strong style="text-decoration: underline;">Update (13 April 2006)</strong><br/>
This flaw has been fixed in Thunderbird 1.5.0.2</p>
<h3>Workaround</h3>
<p>Upgrade to the fixed versions.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=320375">
https://bugzilla.mozilla.org/show_bug.cgi?id=320375</a><br/>
CVE-2006-0298</li>
</ul>

@ -0,0 +1,48 @@
title: MFSA 2006-08: "AnyName" entrainment and access control hazard
<h1>Mozilla Foundation Security Advisory 2006-08</h1>
<p><span class="label">Title:</span> "AnyName" entrainment and access control hazard<br/>
<span class="label">Severity:</span> Low<br/>
<span class="label">Date:</span> February 1, 2006<br/>
<span class="label">Reporter:</span> Brendan Eich<br/>
<span class="label">Products:</span> Firefox, Thunderbird, SeaMonkey<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5.0.1<br/>
<span class="label">&#160;</span> SeaMonkey 1.0<br/>
<span class="label">&#160;</span> Thunderbird 1.5.0.2</p>
<h3>Description</h3>
<p>The implementation of E4X introduced an internal "AnyName" object which
was unintentionally exposed to web content. This singleton object could
be used by two cooperating domains as a communication channel to get
around same-origin restrictions that prevent direct access from one
window or frame to another. This could not be used to violate
same-origin protection of another window's content, it was simply a
mutually accessible storage spot. E4X was not supported in Firefox 1.0
or Mozilla 1.7</p>
<p class="note">Thunderbird 1.5 could be vulnerable if JavaScript is
enabled in mail. This is not the default setting and we strongly
discourage users from turning on JavaScript in mail. Thunderbird
is not vulnerable in its default configuration.</p>
<p><strong style="text-decoration: underline;">Update (13 April 2006)</strong><br/>
This flaw has been fixed in Thunderbird 1.5.0.2</p>
<h3>Workaround</h3>
<p>Upgrade to the fixed versions. Do not enable JavaScript in Thunderbird
or SeaMonkey mail.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=322312">
https://bugzilla.mozilla.org/show_bug.cgi?id=322312</a><br/>
CVE-2006-0299</li>
</ul>

@ -0,0 +1,80 @@
title: MFSA 2006-09: Cross-site JavaScript injection using event handlers
<h1>Mozilla Foundation Security Advisory 2006-09</h1>
<p><span class="label">Title:</span> Cross-site JavaScript injection using event handlers<br/>
<span class="label">Impact:</span> High<br/>
<span class="label">Date:</span> April 13, 2006<br/>
<span class="label">Reporter:</span> shutdown<br/>
<span class="label">Products:</span> Firefox, Thunderbird, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5<br/>
<span class="label">&#160;</span> Firefox 1.0.8<br/>
<span class="label">&#160;</span> Thunderbird 1.5<br/>
<span class="label">&#160;</span> Thunderbird 1.0.8<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.13<br/>
<span class="label">&#160;</span> SeaMonkey 1.0</p>
<h3>Description</h3>
<p>shutdown reported a method of injecting running JavaScript code into
a page on another site using a modal alert to suspend an event handler
while a new page is being loaded. This vulnerability allows an attacker
to steal any confidential information the new page might contain,
including any passwords and cookies which might allow the attacker
to log on to that site as the victim.</p>
<p>shutdown also reported a variant using the two-argument form of eval() that
did not require a modal dialog and would be much less obtrusive.
moz_bug_r_a4 reported two variants that bypassed our initial fixes,
one using "new Script()", the other extending the eval() attack using
window.__proto__</p>
<p class="note">Thunderbird shares the browser engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail.</p>
<h3>Workaround</h3>
<p>Disable JavaScript until you can upgrade to a fixed version.</p>
<h3>References</h3>
<p>Exploit code and details embargoed during the active update period.</p>
<p>Original vulnerability:</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=296514">
https://bugzilla.mozilla.org/show_bug.cgi?id=296514</a><br/>
CVE-2006-1741</li>
</ul>
<p>Firefox 1.5 fix:</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=296639">
https://bugzilla.mozilla.org/show_bug.cgi?id=296639</a></li>
</ul>
<p>Alternate fix for Firefox 1.0.8/Mozilla Suite 1.7.13:</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=316589">
https://bugzilla.mozilla.org/show_bug.cgi?id=316589</a></li>
</ul>
<p>Variants:</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=311024">
https://bugzilla.mozilla.org/show_bug.cgi?id=311024</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=311619">
https://bugzilla.mozilla.org/show_bug.cgi?id=311619</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=311892">
https://bugzilla.mozilla.org/show_bug.cgi?id=311892</a></li>
</ul>
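Review bot: the second metadata line of this file switches from the `Severity:` label that every earlier advisory in this commit uses to `Impact:`; any bedrock template or parser that keys on the severity field will need to accept both labels, or the import script should normalize them to one name while it still has the source in hand.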

@ -0,0 +1,72 @@
title: MFSA 2006-10: JavaScript garbage-collection hazard audit
<h1>Mozilla Foundation Security Advisory 2006-10</h1>
<p><span class="label">Title:</span> JavaScript garbage-collection hazard audit<br/>
<span class="label">Impact:</span> Critical<br/>
<span class="label">Date:</span> April 13, 2006<br/>
<span class="label">Reporter:</span> Igor Bukanov<br/>
<span class="label">Products:</span> Firefox, Thunderbird, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5<br/>
<span class="label">&#160;</span> Firefox 1.0.8<br/>
<span class="label">&#160;</span> Thunderbird 1.5<br/>
<span class="label">&#160;</span> Thunderbird 1.0.8<br/>
<span class="label">&#160;</span> SeaMonkey 1.0<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.13</p>
<h3>Description</h3>
<p>Igor Bukanov has audited the JavaScript engine for routines that use
temporary variables not protected against garbage-collection.
If malicious content could cause garbage-collection to run during the
lifetime of these temporaries then the original routine would end up
operating on freed memory.</p>
<p>The risk appears remote, but this type of memory corruption could
potentially be used by an attacker to run arbitrary code including
the installation of malware.</p>
<p class="note">Thunderbird shares the JavaScript engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail.</p>
<p><strong style="text-decoration: underline;">Update (29 July 2006)</strong><br/>
Added reference to bug 313500 which was part of this audit.</p>
<h3>Workaround</h3>
<p>Upgrade to the fixed versions. Do not enable JavaScript in Thunderbird
or Mozilla Suite mail.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=311497">
https://bugzilla.mozilla.org/show_bug.cgi?id=311497</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=311792">
https://bugzilla.mozilla.org/show_bug.cgi?id=311792</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=312278">
https://bugzilla.mozilla.org/show_bug.cgi?id=312278</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=313276">
https://bugzilla.mozilla.org/show_bug.cgi?id=313276</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=313479">
https://bugzilla.mozilla.org/show_bug.cgi?id=313479</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=313500">
https://bugzilla.mozilla.org/show_bug.cgi?id=313500</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=313630">
https://bugzilla.mozilla.org/show_bug.cgi?id=313630</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=313724">
https://bugzilla.mozilla.org/show_bug.cgi?id=313724</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=313763">
https://bugzilla.mozilla.org/show_bug.cgi?id=313763</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=313938">
https://bugzilla.mozilla.org/show_bug.cgi?id=313938</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=325269">
https://bugzilla.mozilla.org/show_bug.cgi?id=325269</a><br/>
CVE-2006-1742</li>
</ul>

@ -0,0 +1,72 @@
title: MFSA 2006-11: Crashes with evidence of memory corruption (rv:1.8)
<h1>Mozilla Foundation Security Advisory 2006-11</h1>
<p><span class="label">Title:</span> Crashes with evidence of memory corruption (rv:1.8)<br/>
<span class="label">Impact:</span> Critical<br/>
<span class="label">Date:</span> April 13, 2006<br/>
<span class="label">Reporter:</span> various<br/>
<span class="label">Products:</span> Firefox, Thunderbird, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5<br/>
<span class="label">&#160;</span> Firefox 1.0.8<br/>
<span class="label">&#160;</span> Thunderbird 1.5<br/>
<span class="label">&#160;</span> Thunderbird 1.0.8<br/>
<span class="label">&#160;</span> SeaMonkey 1.0<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.13</p>
<h3>Description</h3>
<p>As part of the Firefox 1.5 release we fixed several crash bugs to
improve the stability of the product. Some of these crashes showed
evidence of memory corruption that we presume could be exploited
to run arbitrary code and have been applied to the Firefox 1.0.x
and Mozilla Suite 1.7.x releases</p>
<p>While fixing an unexploitable recursion-induced crash Bernd Mielke
discovered that the CSS border-rendering code could potentially write
past the end of an array.</p>
<p>Alden D'Souza reported a crash when using an extremely large
regular expression in JavaScript. This was tracked down to a 16-bit
integer overflow that could potentially cause the browser to interpret
attacker supplied data as JavaScript bytecode.</p>
<p>Martijn Wargers found two potentially exploitable crashes when programmatically
changing the -moz-grid and -moz-grid-group display styles.</p>
<p>Bob Clary found a memory corruption crash using the InstallTrigger.install()
method that was introduced in Firefox 1.0.7 by one of the regression
fixes described in <a href="../2005/mfsa2005-58.html">MFSA 2005-58</a>.</p>
<p class="note">Thunderbird shares the browser engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail.</p>
<h3>Workaround</h3>
<p>Upgrade to the fixed versions. Do not enable JavaScript in Thunderbird
or the mail portions of SeaMonkey and the Mozilla Suite.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=265736">
https://bugzilla.mozilla.org/show_bug.cgi?id=265736</a><br/>
CVE-2006-1739</li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=280769">
https://bugzilla.mozilla.org/show_bug.cgi?id=280769</a><br/>
CVE-2006-1737</li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=311710">
https://bugzilla.mozilla.org/show_bug.cgi?id=311710</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=313173">
https://bugzilla.mozilla.org/show_bug.cgi?id=313173</a><br/>
CVE-2006-1738</li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=315304">
https://bugzilla.mozilla.org/show_bug.cgi?id=315304</a><br/>
CVE-2006-1790</li>
</ul>
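Review bot: the cross-reference to MFSA 2005-58 in the description is copied through as the relative path `../2005/mfsa2005-58.html`, which assumed the old per-year directory layout of `.html` files; once these snippets are served from bedrock that path will not resolve, so links to sibling advisories should be rewritten during import (or at least flagged by a link check) rather than passed through unchanged.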

@ -0,0 +1,43 @@
title: MFSA 2006-12: Secure-site spoof (requires security warning dialog)
<h1>Mozilla Foundation Security Advisory 2006-12</h1>
<p><span class="label">Title:</span> Secure-site spoof (requires security warning dialog)<br/>
<span class="label">Impact:</span> Low<br/>
<span class="label">Date:</span> April 13, 2006<br/>
<span class="label">Reporter:</span> Tristor<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5<br/>
<span class="label">&#160;</span> Firefox 1.0.8<br/>
<span class="label">&#160;</span> SeaMonkey 1.0<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.13</p>
<h3>Description</h3>
<p>Tristor reports that it was possible to spoof the browser's secure-site
indicators (the lock icon, the site name in the URL field, the gold URL
field background in Firefox) by first loading the target secure site
in a pop-up window, then changing its location to a different site.</p>
<p>If the user has turned on the "Entering secure site" modal warning dialog
then the window location can be changed while that dialog is displayed
and the secure-browsing indicators from the original site will remain.</p>
<p>These dialogs are turned off by default in Firefox, and most Suite users
click the checkbox to turn them off.</p>
<h3>Workaround</h3>
<p>Turn off the "Entering encrypted site" warning dialog if you have not already.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=271194">
https://bugzilla.mozilla.org/show_bug.cgi?id=271194</a><br/>
CVE-2006-1740</li>
</ul>

@ -0,0 +1,55 @@
title: MFSA 2006-13: Downloading executables with "Save Image As..."
<h1>Mozilla Foundation Security Advisory 2006-13</h1>
<p><span class="label">Title:</span> Downloading executables with "Save Image As..."<br/>
<span class="label">Impact:</span> Moderate<br/>
<span class="label">Date:</span> April 13, 2006<br/>
<span class="label">Reporter:</span> Michael Krax<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5<br/>
<span class="label">&#160;</span> Firefox 1.0.8<br/>
<span class="label">&#160;</span> SeaMonkey 1.0<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.13</p>
<h3>Description</h3>
<p>By layering a transparent image link to an executable on top of a
visible (and presumably desirable) image
a malicious site might be able to convince some visitors to
right-click and choose "Save image as..." from the context menu
and fool them by giving them the executable instead. When the users
later double-click on the saved "image" to view or edit it
the attacker's malware would be run.</p>
<p>The attacker could put a lot of spaces before the extension to hide it
by pushing it out of the standard file-saving dialog, and once downloaded
the default Windows behavior of hiding the extension could make a filename
such as "bikini.jpg&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;.exe"
look like a legitimate image. The attacker
could further this illusion by embedding a common image icon into
the executable.</p>
<h3>Workaround</h3>
<p>Check the filename carefully on the save dialog and do not save
files unless everything is as you expected. On Windows the highlighting
of the filename should stop where you think the filename ends; if the
highlighting fills the entire filename box use the arrow keys to scroll.
The "Save as type" drop-down should say the appropriate image type and not
"Application".</p>
<p>Windows users should modify their system preferences to show file extensions.</p>
<h3>References</h3>
<ul>
<li>
<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=293527">
https://bugzilla.mozilla.org/show_bug.cgi?id=293527</a><br/>
CVE-2006-1736</li>
</ul>

@ -0,0 +1,50 @@
title: MFSA 2006-14: Privilege escalation via XBL.method.eval
<h1>Mozilla Foundation Security Advisory 2006-14</h1>
<p><span class="label">Title:</span> Privilege escalation via XBL.method.eval<br/>
<span class="label">Impact:</span> Critical<br/>
<span class="label">Date:</span> April 13, 2006<br/>
<span class="label">Reporter:</span> shutdown<br/>
<span class="label">Products:</span> Firefox, Thunderbird, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5<br/>
<span class="label">&#160;</span> Firefox 1.0.8<br/>
<span class="label">&#160;</span> Thunderbird 1.5<br/>
<span class="label">&#160;</span> Thunderbird 1.0.8<br/>
<span class="label">&#160;</span> SeaMonkey 1.0<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.13</p>
<h3>Description</h3>
<p>Using the eval associated with methods of an XBL binding it was possible
to create JavaScript functions that would get compiled with the wrong
privileges, allowing the attacker to run code of their choice with the
full permission of the user running the browser. This
could be used to install spyware or viruses.</p>
<p class="note">Thunderbird shares the JavaScript engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail.</p>
<h3>Workaround</h3>
<p>Disable JavaScript until you can upgrade to a fixed version.</p>
<h3>References</h3>
<p>Exploit code and details embargoed during the active update period.</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=311025">
https://bugzilla.mozilla.org/show_bug.cgi?id=311025</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=311403">
https://bugzilla.mozilla.org/show_bug.cgi?id=311403</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=311455">
https://bugzilla.mozilla.org/show_bug.cgi?id=311455</a><br/>
CVE-2006-1735</li>
</ul>

@ -0,0 +1,51 @@
title: MFSA 2006-15: Privilege escalation using a JavaScript function\'s cloned parent
<h1>Mozilla Foundation Security Advisory 2006-15</h1>
<p><span class="label">Title:</span> Privilege escalation using a JavaScript function's cloned parent<br/>
<span class="label">Impact:</span> Critical<br/>
<span class="label">Date:</span> April 13, 2006<br/>
<span class="label">Reporter:</span> shutdown<br/>
<span class="label">Products:</span> Firefox, Thunderbird, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5<br/>
<span class="label">&#160;</span> Firefox 1.0.8<br/>
<span class="label">&#160;</span> Thunderbird 1.5<br/>
<span class="label">&#160;</span> Thunderbird 1.0.8<br/>
<span class="label">&#160;</span> SeaMonkey 1.0<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.13</p>
<h3>Description</h3>
<p>shutdown discovered it was possible to use the Object.watch()
method to access an internal function object (the "clone parent")
which could then be used to run arbitrary JavaScript code with
full permission. This could be used to install malware such as
password sniffers or viruses.</p>
<p>In pre-release versions of Firefox 1.5 the same technique could
be applied to the Array generic methods introduced in that release.</p>
<p class="note">Thunderbird shares the JavaScript engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail.</p>
<h3>Workaround</h3>
<p>Disable JavaScript until you can upgrade to a fixed version.</p>
<h3>References</h3>
<p>Exploit code and details embargoed during the active update period.</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=313370">
https://bugzilla.mozilla.org/show_bug.cgi?id=313370</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=313684">
https://bugzilla.mozilla.org/show_bug.cgi?id=313684</a><br/>
CVE-2006-1734</li>
</ul>
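Review bot: the front-matter line still carries the PHP string escape from the source, `title: MFSA 2006-15: Privilege escalation using a JavaScript function\'s cloned parent`, while the `<h1>`/Title line two lines later has a plain apostrophe. The title extraction needs to unescape `\'` (and `\"`) after capturing the quoted string, otherwise every advisory title containing an apostrophe ships with a stray backslash.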


@ -0,0 +1,56 @@
title: MFSA 2006-16: Accessing XBL compilation scope via valueOf.call()
<h1>Mozilla Foundation Security Advisory 2006-16</h1>
<p><span class="label">Title:</span> Accessing XBL compilation scope via valueOf.call()<br/>
<span class="label">Impact:</span> Critical<br/>
<span class="label">Date:</span> April 13, 2006<br/>
<span class="label">Reporter:</span> moz_bug_r_a4<br/>
<span class="label">Products:</span> Firefox, Thunderbird, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5<br/>
<span class="label">&#160;</span> Firefox 1.0.8<br/>
<span class="label">&#160;</span> Thunderbird 1.5<br/>
<span class="label">&#160;</span> Thunderbird 1.0.8<br/>
<span class="label">&#160;</span> SeaMonkey 1.0<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.13</p>
<h3>Description</h3>
<p>moz_bug_r_a4 discovered that the compilation scope of privileged
built-in XBL bindings was not fully protected from web content and
could be accessed by calling valueOf.call()
and valueOf.apply() on a method of that binding. This could then
be used to compile and run attacker-supplied JavaScript, giving it
the privileges of the binding which would allow an attacker
to install malware such as viruses and password sniffers.</p>
<p>shutdown reported an alternate way to get to XBL compilation scope
by inserting an XBL method into the DOM's document.body
prototype chain.</p>
<p class="note">Thunderbird shares the JavaScript engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail.</p>
<h3>Workaround</h3>
<p>Disable JavaScript until you can upgrade to a fixed version.</p>
<h3>References</h3>
<p>Exploit code and details embargoed during the active update period.</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=312871">
https://bugzilla.mozilla.org/show_bug.cgi?id=312871</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=313236">
https://bugzilla.mozilla.org/show_bug.cgi?id=313236</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=313375">
https://bugzilla.mozilla.org/show_bug.cgi?id=313375</a><br/>
CVE-2006-1733</li>
</ul>


@ -0,0 +1,47 @@
title: MFSA 2006-17: cross-site scripting through window.controllers
<h1>Mozilla Foundation Security Advisory 2006-17</h1>
<p><span class="label">Title:</span> cross-site scripting through window.controllers<br/>
<span class="label">Impact:</span> High<br/>
<span class="label">Date:</span> April 13, 2006<br/>
<span class="label">Reporter:</span> shutdown<br/>
<span class="label">Products:</span> Firefox, Thunderbird, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5<br/>
<span class="label">&#160;</span> Firefox 1.0.8<br/>
<span class="label">&#160;</span> Thunderbird 1.5<br/>
<span class="label">&#160;</span> Thunderbird 1.0.8<br/>
<span class="label">&#160;</span> SeaMonkey 1.0<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.13</p>
<h3>Description</h3>
<p>shutdown demonstrated how to use the window.controllers array
to bypass same-origin protections, allowing a malicious site to
inject script into content from another site. This could allow
the malicious page to steal information such as cookies or
passwords from the other site, or perform transactions on the user's
behalf if the user were already logged in.</p>
<p class="note">Thunderbird shares the JavaScript engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail.</p>
<h3>Workaround</h3>
<p>Disable JavaScript until you can upgrade to a version containing the fix.</p>
<h3>References</h3>
<p>Exploit code and details embargoed during the active update period.</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=313373">
https://bugzilla.mozilla.org/show_bug.cgi?id=313373</a><br/>
CVE-2006-1732</li>
</ul>


@ -0,0 +1,45 @@
title: MFSA 2006-18: Mozilla Firefox Tag Order Vulnerability
<h1>Mozilla Foundation Security Advisory 2006-18</h1>
<p><span class="label">Title:</span> Mozilla Firefox Tag Order Vulnerability<br/>
<span class="label">Impact:</span> Critical<br/>
<span class="label">Date:</span> April 13, 2006<br/>
<span class="label">Reporter:</span> TippingPoint and the Zero Day Initiative<br/>
<span class="label">Products:</span> Firefox, Thunderbird, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5<br/>
<span class="label">&#160;</span> Firefox 1.0.8<br/>
<span class="label">&#160;</span> Thunderbird 1.5<br/>
<span class="label">&#160;</span> Thunderbird 1.0.8<br/>
<span class="label">&#160;</span> SeaMonkey 1.0<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.13</p>
<h3>Description</h3>
<p>A particular sequence of HTML tags that reliably crash
Mozilla clients was reported by an anonymous researcher via
TippingPoint and the Zero Day Initiative. The crash is due to memory corruption
that can be exploited to run arbitary code.</p>
<p>Mozilla mail clients will crash on the tag sequence, but
without the ability to run scripts to fill memory with the attack
code it may not be possible for an attacker to exploit this crash.</p>
<h3>Workaround</h3>
<p>Upgrade to a fixed version.</p>
<h3>References</h3>
<ul>
<li><a class="ex-ref" href="http://www.zerodayinitiative.com/advisories/ZDI-06-009.html"> ZDI-06-009</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=320182">
https://bugzilla.mozilla.org/show_bug.cgi?id=320182</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=269095">
https://bugzilla.mozilla.org/show_bug.cgi?id=269095</a><br/>
CVE-2006-0749</li>
</ul>
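Review bot: two wording slips in the Description of MFSA 2006-18: `<p>A particular sequence of HTML tags that reliably crash` should read "crashes" (the subject is "sequence"), and `that can be exploited to run arbitary code.</p>` misspells "arbitrary". If the import is meant to be faithful these belong upstream in SVN, but they should be fixed there before the snippets are published on the new site.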


@ -0,0 +1,55 @@
title: MFSA 2006-19: Cross-site scripting using .valueOf.call()
<h1>Mozilla Foundation Security Advisory 2006-19</h1>
<p><span class="label">Title:</span> Cross-site scripting using .valueOf.call()<br/>
<span class="label">Impact:</span> High<br/>
<span class="label">Date:</span> April 13, 2006<br/>
<span class="label">Reporter:</span> moz_bug_r_a4<br/>
<span class="label">Products:</span> Firefox, Thunderbird, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5<br/>
<span class="label">&#160;</span> Firefox 1.0.8<br/>
<span class="label">&#160;</span> Thunderbird 1.5<br/>
<span class="label">&#160;</span> Thunderbird 1.0.8<br/>
<span class="label">&#160;</span> SeaMonkey 1.0<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.13</p>
<h3>Description</h3>
<p>moz_bug_r_a4 discovered that .valueOf.call() and .valueOf.apply()
when called with no arguments were returning the Object class
prototype rather than the caller's global window object. When
called on a reachable property of another window this provides
a hook to get around the same-origin protection, allowing an
attacker to inject script into another window.</p>
<p>Cross-site script injection can be used to steal confidential
data such as cookies or passwords, or perform actions on
the user's behalf. It can also be used to alter the content
of the other window which could be used to fool a user
into trusting bogus information or downloaded content.</p>
<p class="note">Thunderbird shares the JavaScript engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail.</p>
<h3>Workaround</h3>
<p>Disable JavaScript until a fixed version can be installed.</p>
<h3>References</h3>
<p>Exploit code and details embargoed during the active update period.</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=327194">
https://bugzilla.mozilla.org/show_bug.cgi?id=327194</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=290488">
https://bugzilla.mozilla.org/show_bug.cgi?id=290488</a><br/>
CVE-2006-1731</li>
</ul>


@ -0,0 +1,65 @@
title: MFSA 2006-20: Crashes with evidence of memory corruption (rv:1.8.0.2)
<h1>Mozilla Foundation Security Advisory 2006-20</h1>
<p><span class="label">Title:</span> Crashes with evidence of memory corruption (rv:1.8.0.2)<br/>
<span class="label">Impact:</span> Critical<br/>
<span class="label">Date:</span> April 13, 2006<br/>
<span class="label">Reporter:</span> various<br/>
<span class="label">Products:</span> Firefox, Thunderbird, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5.0.2<br/>
<span class="label">&#160;</span> Thunderbird 1.5.0.2<br/>
<span class="label">&#160;</span> SeaMonkey 1.0.1</p>
<h3>Description</h3>
<p>As part of the Firefox 1.5.0.2 release we fixed several crash bugs to
improve the stability of the product, with a particular focus on
finding crashes caused by DHTML. Some of these crashes showed
evidence of memory corruption that we presume could be exploited
to run arbitrary code with enough effort.</p>
<p class="note">Thunderbird shares the browser engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail.</p>
<h3>Workaround</h3>
<p>Upgrade to the fixed versions. Do not enable JavaScript in Thunderbird
or the mail portion of SeaMonkey.</p>
<h3>References</h3>
<p>Also fixed in Firefox/Thunderbird 1.0.8, Mozilla Suite 1.7.13:</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=282105">
https://bugzilla.mozilla.org/show_bug.cgi?id=282105</a><br/>
CVE-2006-1724</li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=320459">
https://bugzilla.mozilla.org/show_bug.cgi?id=320459</a></li>
</ul>
<p>Fixed in Firefox 1.5.0.2, not applicable to older releases:</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=315254">
https://bugzilla.mozilla.org/show_bug.cgi?id=315254</a><br/>
CVE-2006-1529</li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=326615">
https://bugzilla.mozilla.org/show_bug.cgi?id=326615</a><br/>
CVE-2006-1530</li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=326834">
https://bugzilla.mozilla.org/show_bug.cgi?id=326834</a><br/>
CVE-2006-1531</li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=327941">
https://bugzilla.mozilla.org/show_bug.cgi?id=327941</a><br/>
CVE-2006-1723</li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=328509">
https://bugzilla.mozilla.org/show_bug.cgi?id=328509</a></li>
</ul>
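Review bot: the `Fixed in:` header of MFSA 2006-20 lists only Firefox 1.5.0.2, Thunderbird 1.5.0.2 and SeaMonkey 1.0.1, but the references open with `<p>Also fixed in Firefox/Thunderbird 1.0.8, Mozilla Suite 1.7.13:</p>` and the Products line still names Mozilla Suite. Either add those releases to the Fixed in list or any index built from the header will not show this advisory as fixed for the 1.0.x / 1.7.x line. Bugs 320459 and 328509 in the same lists also carry no CVE, which matters if the converter keys references on CVE ids.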


@ -0,0 +1,46 @@
title: MFSA 2006-21: JavaScript execution in mail when forwarding in-line
<h1>Mozilla Foundation Security Advisory 2006-21</h1>
<p><span class="label">Title:</span> JavaScript execution in mail when forwarding in-line<br/>
<span class="label">Impact:</span> Critical<br/>
<span class="label">Announced:</span> April 21, 2006<br/>
<span class="label">Reporter:</span> Georgi Guninski<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/><br/>
<span class="label">Fixed in:</span> Thunderbird 1.5.0.2<br/>
<span class="label">&#160;</span> Thunderbird 1.0.8<br/>
<span class="label">&#160;</span> SeaMonkey 1.0.1<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.13</p>
<h3>Description</h3>
<p>Georgi Guninski reports that forwarding mail in-line while
using the default HTML "rich mail" editor will execute
JavaScript embedded in the e-mail message. Forwarding mail
in-line is not the default setting but it is easily accessed
through the "Forward As" menu item.</p>
<p>This JavaScript runs with the full privileges of the client
and could be used to install malware or send spam.</p>
<p>In Thunderbird 1.0.7 and below and Mozilla Suite 1.7.12 and below
JavaScript is also executed when you reply to a mail, though
limited to the sandbox of the message. This script could
spy on or alter the message you are composing.</p>
<h3>Workaround</h3>
<p>Switch to "plain text" mail composition, this vulnerability only
affects HTML mail composition (the default). On the "Composition and
Addressing" tab of Thunderbird's Account Settings dialog uncheck the
"Compose messages in HTML format" option to compose messages in plain
text.</p>
<h3>References</h3>
<p><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=319858">
https://bugzilla.mozilla.org/show_bug.cgi?id=319858</a><br/>
CVE-2006-0884</p>
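Review bot: the header of MFSA 2006-21 contradicts its own body: `<span class="label">Products:</span> Firefox, Mozilla Suite<br/><br/>` names Firefox, which has no mail composer and does not appear in the Fixed in list (Thunderbird 1.5.0.2 / 1.0.8, SeaMonkey 1.0.1, Mozilla Suite 1.7.13), and the date is labelled `Announced:` where every other file uses `Date:`. Products should read Thunderbird, SeaMonkey, Mozilla Suite, and the converter should treat Announced and Date as the same field so this advisory is not left without a date in the generated metadata.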


@ -0,0 +1,44 @@
title: MFSA 2006-22: CSS Letter-Spacing Heap Overflow Vulnerability
<h1>Mozilla Foundation Security Advisory 2006-22</h1>
<p><span class="label">Title:</span> CSS Letter-Spacing Heap Overflow Vulnerability<br/>
<span class="label">Impact:</span> Critical<br/>
<span class="label">Date:</span> April 13, 2006<br/>
<span class="label">Reporter:</span> TippingPoint and the Zero Day Initiative<br/>
<span class="label">Products:</span> Firefox, Thunderbird, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5.0.2<br/>
<span class="label">&#160;</span> Firefox 1.0.8<br/>
<span class="label">&#160;</span> Thunderbird 1.5.0.2<br/>
<span class="label">&#160;</span> Thunderbird 1.0.8<br/>
<span class="label">&#160;</span> SeaMonkey 1.0.1<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.13</p>
<h3>Description</h3>
<p>An anonymous researcher for TippingPoint and the Zero Day Initiative discovered
an integer overflow triggered by the CSS letter-spacing property. This results in
in under-allocating memory and ultimately a heap buffer overflow which could
be exploited to run code of the attacker's choice.</p>
<p>The overflow condition itself does not require JavaScript
and thus could affect Thunderbird via received mail, but without
scripting to prepare memory it may not be possible to exploit
this condition in mail.</p>
<h3>Workaround</h3>
<p>Upgrade to the fixed version.</p>
<h3>References</h3>
<ul>
<li><a class="ex-ref" href="http://www.zerodayinitiative.com/advisories/ZDI-06-010.html"> ZDI-06-010</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=325403">
https://bugzilla.mozilla.org/show_bug.cgi?id=325403</a><br/>
CVE-2006-1730</li>
</ul>
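Review bot: duplicated word across the line break in the Description of MFSA 2006-22, `This results in` followed by `in under-allocating memory`; drop one `in`.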


@ -0,0 +1,42 @@
title: MFSA 2006-23: File stealing by changing input type
<h1>Mozilla Foundation Security Advisory 2006-23</h1>
<p><span class="label">Title:</span> File stealing by changing input type<br/>
<span class="label">Impact:</span> High<br/>
<span class="label">Date:</span> April 13, 2006<br/>
<span class="label">Reporter:</span> Claus J&#246;rgensen<br/>
<span class="label">Products:</span> Firefox, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5.0.2<br/>
<span class="label">&#160;</span> Firefox 1.0.8<br/>
<span class="label">&#160;</span> SeaMonkey 1.0.1<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.13</p>
<h3>Description</h3>
<p>Claus J&#246;rgensen reports that a text input box can be pre-filled with
a filename and then turned into a file-upload control with the
contents intact, allowing a malicious website the ability to
steal any local file whose name they can guess.</p>
<p>Jesse Ruderman reports a variation, changing the type of the input
control in an event handler to work around some of the initial
checks.</p>
<h3>Workaround</h3>
<p>Upgrade to fixed version.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=325947">
https://bugzilla.mozilla.org/show_bug.cgi?id=325947</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=328566">
https://bugzilla.mozilla.org/show_bug.cgi?id=328566</a><br/>
CVE-2006-1729</li>
</ul>
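Review bot: the reporter's name is still a numeric character reference in both the header and the body (`<span class="label">Reporter:</span> Claus J&#246;rgensen<br/>`), as are the `&#160;` spacers in every Fixed in block. Since the output is meant to be a markdown snippet, the converter should decode entities to UTF-8 (Python's html.unescape) instead of relying on the page template to render them.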


@ -0,0 +1,44 @@
title: MFSA 2006-24: Privilege escalation using crypto.generateCRMFRequest
<h1>Mozilla Foundation Security Advisory 2006-24</h1>
<p><span class="label">Title:</span> Privilege escalation using crypto.generateCRMFRequest<br/>
<span class="label">Impact:</span> Critical<br/>
<span class="label">Date:</span> April 13, 2006<br/>
<span class="label">Reporter:</span> shutdown<br/>
<span class="label">Products:</span> Firefox, Thunderbird, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5.0.2<br/>
<span class="label">&#160;</span> Firefox 1.0.8<br/>
<span class="label">&#160;</span> Thunderbird 1.5.0.2<br/>
<span class="label">&#160;</span> Thunderbird 1.0.8<br/>
<span class="label">&#160;</span> SeaMonkey 1.0.1<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.13</p>
<h3>Description</h3>
<p>shutdown demonstrated that the crypto.generateCRMFRequest method
can be used to run arbitrary code with the privilege of the
user, which could enable an attacker to install malware.</p>
<p class="note">Thunderbird shares the browser engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail.</p>
<h3>Workaround</h3>
<p>Disable JavaScript until you can upgrade to a version with the fix.</p>
<h3>References</h3>
<p>Exploit code and details embargoed during the active update period.</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=327126">
https://bugzilla.mozilla.org/show_bug.cgi?id=327126</a><br/>
CVE-2006-1728</li>
</ul>


@ -0,0 +1,42 @@
title: MFSA 2006-25: Privilege escalation through Print Preview
<h1>Mozilla Foundation Security Advisory 2006-25</h1>
<p><span class="label">Title:</span> Privilege escalation through Print Preview<br/>
<span class="label">Impact:</span> Critical<br/>
<span class="label">Date:</span> April 13, 2006<br/>
<span class="label">Reporter:</span> Georgi Guninski<br/>
<span class="label">Products:</span> Firefox, Thunderbird, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5.0.2<br/>
<span class="label">&#160;</span> Firefox 1.0.8<br/>
<span class="label">&#160;</span> Thunderbird 1.5.0.2<br/>
<span class="label">&#160;</span> Thunderbird 1.0.8<br/>
<span class="label">&#160;</span> SeaMonkey 1.0.1<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.13</p>
<h3>Description</h3>
<p>Georgi Guninski reported two variants of using scripts in an XBL control
to gain chrome privileges when the page is viewed under "Print Preview".</p>
<p>This vulnerability exists even if web-content JavaScript is turned off.</p>
<h3>Workaround</h3>
<p>Do not use Print Preview until you upgrade to a fixed version.</p>
<h3>References</h3>
<p>Exploit code and details embargoed during the active update period.</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=325991">
https://bugzilla.mozilla.org/show_bug.cgi?id=325991</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=328469">
https://bugzilla.mozilla.org/show_bug.cgi?id=328469</a><br/>
CVE-2006-1727</li>
</ul>


@ -0,0 +1,37 @@
title: MFSA 2006-26: Mail Multiple Information Disclosure
<h1>Mozilla Foundation Security Advisory 2006-26</h1>
<p><span class="label">Title:</span> Mail Multiple Information Disclosure<br/>
<span class="label">Impact:</span> Low<br/>
<span class="label">Date:</span> April 13, 2006<br/>
<span class="label">Reporter:</span> CrashFr<br/>
<span class="label">Products:</span> Thunderbird<br/><br/>
<span class="label">Fixed in:</span> Thunderbird 1.5.0.2<br/>
<span class="label">&#160;</span> Thunderbird 1.0.8</p>
<h3>Description</h3>
<p>As a privacy measure to prevent senders (primarily spammers)
from tracking when e-mail is read Thunderbird does not load
remote content referenced from an HTML mail message until a
user tells it to do so. This normally includes the content of
frames and CSS files, but CrashFr showed it was possible to
bypass this restriction through indirection: the direct
CSS or iframe src is included in-line, with that including
remote content.</p>
<h3>Workaround</h3>
<p>Switch the "view message body as..." choice to "Simple HTML" or
"Plain text". Or for POP mail, after downloading the mail
switch to offline mode before reading any of it.</p>
<h3>References</h3>
<p><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=328917">
https://bugzilla.mozilla.org/show_bug.cgi?id=328917</a><br/>
CVE-2006-1045</p>
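Review bot: the references in MFSA 2006-26 are a bare paragraph rather than the `<ul><li>` list used by the other advisories, `<p><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=328917">` through `CVE-2006-1045</p>`. A reference extractor that selects list items after the References heading will miss this one; either normalize to a list here or make the extractor accept both shapes. The Products line also fuses the blank separator into `Thunderbird<br/><br/>` where other files put the empty `<br/>` on its own line.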


@ -0,0 +1,43 @@
title: MFSA 2006-27: Table Rebuilding Code Execution Vulnerability
<h1>Mozilla Foundation Security Advisory 2006-27</h1>
<p><span class="label">Title:</span> Table Rebuilding Code Execution Vulnerability<br/>
<span class="label">Impact:</span> Critical<br/>
<span class="label">Announced:</span> April 21, 2006<br/>
<span class="label">Reporter:</span> TippingPoint and the Zero Day Initiative<br/>
<span class="label">Products:</span> Firefox, Thunderbird, Mozilla Suite<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5.0.2<br/>
<span class="label">&#160;</span> Firefox 1.0.8<br/>
<span class="label">&#160;</span> Thunderbird 1.5.0.2<br/>
<span class="label">&#160;</span> Thunderbird 1.0.8<br/>
<span class="label">&#160;</span> SeaMonkey 1.0.1<br/>
<span class="label">&#160;</span> Mozilla Suite 1.7.13</p>
<h3>Description</h3>
<p>An anonymous researcher for TippingPoint and the Zero Day Initiative reports
that an invalid and nonsensical ordering of table-related tags causes Mozilla
to use a negative array index. This invalid memory use can be exploited to run
code of the attacker's choice.</p>
<h3>Workaround</h3>
<p>Upgrade to fixed version.</p>
<p>Although JavaScript is not involved in
the vulnerability itself, disabling JavaScript may prevent an attacker
from effectively preparing memory in order to carry out the exploit.</p>
<h3>References</h3>
<ul>
<li><a class="ex-ref" href="http://www.zerodayinitiative.com/advisories/ZDI-06-011.html"> ZDI-06-011</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=328937">
https://bugzilla.mozilla.org/show_bug.cgi?id=328937</a><br/>
CVE-2006-0748</li>
</ul>


@ -0,0 +1,45 @@
title: MFSA 2006-28: Security check of js_ValueToFunctionObject() can be circumvented
<h1>Mozilla Foundation Security Advisory 2006-28</h1>
<p><span class="label">Title:</span> Security check of js_ValueToFunctionObject() can be circumvented<br/>
<span class="label">Impact:</span> Critical<br/>
<span class="label">Date:</span> April 13, 2006<br/>
<span class="label">Reporter:</span> shutdown<br/>
<span class="label">Products:</span> Firefox, Thunderbird, SeaMonkey<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5.0.2<br/>
<span class="label">&#160;</span> Thunderbird 1.5.0.2<br/>
<span class="label">&#160;</span> SeaMonkey 1.0.1</p>
<h3>Description</h3>
<p>The security check in js_ValueToFunctionObject() can be bypassed
by clever use of setTimeout() and the new Firefox 1.5 array method ForEach.
shutdown demonstrated how to leverage this into a privilege escalation
vulnerability that would allow the installation of malware.</p>
<p>This vulnerability was introduced during Firefox 1.5 development,
Firefox 1.0 and Mozilla Suite 1.7 are not affected.</p>
<p class="note">Thunderbird shares the browser engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail.</p>
<h3>Workaround</h3>
<p>Disable JavaScript until you upgrade to a fixed version.</p>
<h3>References</h3>
<p>Exploit code and details embargoed during the active update period.</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=323501">
https://bugzilla.mozilla.org/show_bug.cgi?id=323501</a><br/>
CVE-2006-1726</li>
</ul>
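Review bot: `the new Firefox 1.5 array method ForEach` in the Description of MFSA 2006-28 is miscapitalized; the Array generic introduced in 1.5 is `forEach`, and JavaScript identifiers are case-sensitive, so `ForEach` names nothing.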


@ -0,0 +1,48 @@
title: MFSA 2006-29: Spoofing with translucent windows
<h1>Mozilla Foundation Security Advisory 2006-29</h1>
<p><span class="label">Title:</span> Spoofing with translucent windows<br/>
<span class="label">Impact:</span> Moderate<br/>
<span class="label">Date:</span> April 13, 2006<br/>
<span class="label">Reporter:</span> moz_bug_r_a4<br/>
<span class="label">Products:</span> Firefox, SeaMonkey<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5.0.2<br/>
<span class="label">&#160;</span> SeaMonkey 1.0.1</p>
<h3>Description</h3>
<p>An interaction between XUL content windows and the new faster history
mechanism in Firefox 1.5 caused those windows to become translucent.
This could be used to construct spoofs that could trick users into
interacting with browser UI they can't see. It's possible a
clever game-type presentation could persuade an unsuspicious
user into some combination of actions that would result in
running the attacker's code.</p>
<p>Firefox 1.0 and the Mozilla Suite 1.7 are not vulnerable.</p>
<h3>Workaround</h3>
<p>Disable the faster back/forward history:</p>
<ol>
<li>Enter "about:config" into the location bar and hit Enter</li>
<li>Enter "sessionhistory" into the "Filter" text box</li>
<li>Double-click on <code>browser.sessionhistory.max_total_viewers</code></li>
<li>Change the default "-1" to "0" and hit the OK button</li>
</ol>
<h3>References</h3>
<p>Exploit code and details embargoed during the active update period.</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=327014">
https://bugzilla.mozilla.org/show_bug.cgi?id=327014</a><br/>
CVE-2006-1725</li>
</ul>


@ -0,0 +1,48 @@
title: MFSA 2006-30: Deleted object reference when designMode="on"
<h1>Mozilla Foundation Security Advisory 2006-30</h1>
<p><span class="label">Title:</span> Deleted object reference when designMode="on"<br/>
<span class="label">Impact:</span> Critical<br/>
<span class="label">Date:</span> May 2, 2006<br/>
<span class="label">Reporter:</span> Martijn Wargers, Nick Mott, splices<br/>
<span class="label">Affects:</span> Firefox 1.5<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5.0.3</p>
<h3>Description</h3>
<p>Martijn Wargers and Nick Mott each described crashes that were discovered
to ultimately stem from the same root cause: attempting to use a deleted
controller context when designMode was turned on. This generally
results in crashing the browser, but in theory references to deleted objects
can be abused to run malicious code.</p>
<p>"splices" reported the same crash at the fan site MozillaZine
and on Bugtraq, incorrectly describing it as a buffer overflow.</p>
<p><b style="text-decoration: underline;">Update (31 July 2006)</b></p>
<p>The advisory originally stated that older clients (Firefox 1.0.x and the Mozilla
Suite 1.7.x) were unaffected. This is incorrect as demonstrated by the testcase
MoBB#4 at the Browser Fun Blog. Those clients were already at risk from
many other published vulnerabilities and should no longer be used.</p>
<h3>Workaround</h3>
<p>Temporarily disable JavaScript until you can upgrade to a fixed version.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=334515">
https://bugzilla.mozilla.org/show_bug.cgi?id=334515</a></li>
<li><a class="ex-ref" href="http://forums.mozillazine.org/viewtopic.php?t=408603">MozillaZine forum post (splices)</a></li>
<li><a class="ex-ref" href="http://secunia.com/advisories/19802/">Secunia Advisory 19802</a></li>
<li><a class="ex-ref" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1993">CVE-2006-1993</a></li>
<li><a class="ex-ref" href="http://browserfun.blogspot.com/2006/07/mobb-4-mozilla-firefox-designmode.html">
Browser Fun: MoBB #4</a></li>
</ul>
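Review bot: MFSA 2006-30 uses `<span class="label">Affects:</span> Firefox 1.5<br/>` where every other advisory in this commit uses a `Products:` label, and it carries an inline-styled `<b style="text-decoration: underline;">Update (31 July 2006)</b>` that markdown output should not preserve. The converter needs to map Affects onto the same field as Products, or this advisory will lack product metadata, and the update marker should become plain emphasis or a sub-heading rather than an inline style attribute.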


@ -0,0 +1,60 @@
title: MFSA 2006-31: EvalInSandbox escape (Proxy Autoconfig, Greasemonkey)
<h1>Mozilla Foundation Security Advisory 2006-31</h1>
<p><span class="label">Title:</span> EvalInSandbox escape (Proxy Autoconfig, Greasemonkey)<br/>
<span class="label">Impact:</span> Moderate<br/>
<span class="label">Date:</span> June 1, 2006<br/>
<span class="label">Reporter:</span> moz_bug_r_a4<br/>
<span class="label">Products:</span> Firefox, Thunderbird, SeaMonkey<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5.0.4<br/>
<span class="label">&#160;</span> Thunderbird 1.5.0.4<br/>
<span class="label">&#160;</span> SeaMonkey 1.0.2</p>
<h3>Description</h3>
<p>Mozilla researcher moz_bug_r_a4 demonstrated that javascript run via
EvalInSandbox can escape the sandbox and gain elevated privilege by
calling valueOf() on objects created outside the sandbox and inserted
into it. Malicious scripts could use these privileges to compromise
your computer or data.</p>
<p>In Mozilla clients the primary use for EvalInSandbox is to run the
Proxy Autoconfig script should one be specified by your network
administrator. This is a rare option for home users, it is primarily
used by institutional networks which have a need for remote configuration.</p>
<p>The popular Greasemonkey extension uses EvalInSandbox to run userscripts
which manipulate the web pages you visit on your behalf. Using this
vulnerability a malicious userscript could gain enough privilege to
install malware, but even when Greasemonkey is working as designed
a malicious userscript can make life miserable. Only install userscripts
from sources you can trust.</p>
<h3>Workaround</h3>
<p>On the Connection Settings preferences select either "Direct connection
to the Internet" (the default) or "Manual proxy configuration."</p>
<p>If you use Greasemonkey user only install userscripts from trusted sources
and inspect them for occurrances of valueOf(). Or simply disable Greasemonkey
until you can upgrade to a newer version.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=319263">
https://bugzilla.mozilla.org/show_bug.cgi?id=319263</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=321101">
https://bugzilla.mozilla.org/show_bug.cgi?id=321101</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=336313">
https://bugzilla.mozilla.org/show_bug.cgi?id=336313</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=336601">
https://bugzilla.mozilla.org/show_bug.cgi?id=336601</a></li>
<li>
<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2787">CVE-2006-2787</a></li>
</ul>
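Review bot: the Workaround of MFSA 2006-31 has a garbled sentence, `If you use Greasemonkey user only install userscripts from trusted sources`, which should read "If you use Greasemonkey, only install userscripts from trusted sources", and `occurrances` on the following line should be "occurrences". The Description also writes `javascript` in lower case where the rest of the corpus uses `JavaScript`.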


@ -0,0 +1,90 @@
title: MFSA 2006-32: Fixes for crashes with potential memory corruption (rv:1.8.0.4)
<h1>Mozilla Foundation Security Advisory 2006-32</h1>
<p><span class="label">Title:</span> Fixes for crashes with potential memory corruption (rv:1.8.0.4)<br/>
<span class="label">Impact:</span> Critical<br/>
<span class="label">Date:</span> June 1, 2006<br/>
<span class="label">Reporter:</span> Mozilla Developers<br/>
<span class="label">Products:</span> Firefox, Thunderbird, SeaMonkey<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5.0.4<br/>
<span class="label">&#160;</span> Thunderbird 1.5.0.4<br/>
<span class="label">&#160;</span> SeaMonkey 1.0.2</p>
<h3>Description</h3>
<p>Mozilla team members discovered several crashes during testing of the
browser engine showing evidence of memory corruption that we presume
is exploitable.</p>
<p class="note">Thunderbird shares the browser engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail.</p>
<h3>Workaround</h3>
<p>Disable Javascript until you can upgrade to a fixed version.</p>
<h3>References</h3>
<p>Removing nested &lt;option&gt;s from a select (Jesse Ruderman)</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=324918">
https://bugzilla.mozilla.org/show_bug.cgi?id=324918</a></li>
</ul>
<p>Crashes during DOMNodeRemoved mutation event</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=325730">
https://bugzilla.mozilla.org/show_bug.cgi?id=325730</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=329982">
https://bugzilla.mozilla.org/show_bug.cgi?id=329982</a></li>
</ul>
<p>Content-implemented tree views can corrupt memory (Boris Zbarsky)</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=326501">
https://bugzilla.mozilla.org/show_bug.cgi?id=326501</a></li>
</ul>
<p>Memory corruption involving BoxObjects (Boris Zbarsky, Neil Rashbrook, Georgi Guninski)</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=326931">
https://bugzilla.mozilla.org/show_bug.cgi?id=326931</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=329219">
https://bugzilla.mozilla.org/show_bug.cgi?id=329219</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=330818">
https://bugzilla.mozilla.org/show_bug.cgi?id=330818</a></li>
</ul>
<p>XBL implementation doesn't root temporaries correctly (L. David Baron)</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=327712">
https://bugzilla.mozilla.org/show_bug.cgi?id=327712</a></li>
</ul>
<p>crash with iframe removing itself (Georgi Guninski)</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=332971">
https://bugzilla.mozilla.org/show_bug.cgi?id=332971</a></li>
<li><a class="ex-ref" href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2779">CVE-2006-2779</a></li>
</ul>
<p>potential integer overflow in jsstr tagify (Georgi Guninski)</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=335535">
https://bugzilla.mozilla.org/show_bug.cgi?id=335535</a></li>
<li><a class="ex-ref" href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2780">CVE-2006-2780</a></li>
</ul>
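Review bot: the `title:` line at the top of this hunk has an unquoted value that itself contains `: ` (`title: MFSA 2006-32: Fixes for crashes ...`); if these snippets are parsed as YAML front matter that is a mapping-value error, and the same pattern appears on the first line of every advisory visible in this diff, so the converter should emit a quoted value (e.g. `title: "MFSA 2006-32: Fixes for crashes with potential memory corruption (rv:1.8.0.4)"`) rather than relying on hand fixes. Minor: "Disable Javascript" in the Workaround should read "JavaScript" as in the surrounding advisories.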


@ -0,0 +1,67 @@
title: MFSA 2006-33: HTTP response smuggling
<h1>Mozilla Foundation Security Advisory 2006-33</h1>
<p><span class="label">Title:</span> HTTP response smuggling<br/>
<span class="label">Impact:</span> High<br/>
<span class="label">Date:</span> June 1, 2006<br/>
<span class="label">Reporter:</span> Kazuho Oku (Cybozu Labs)<br/>
<span class="label">Products:</span> Firefox, Thunderbird, SeaMonkey<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5.0.4<br/>
<span class="label">&#160;</span> Thunderbird 1.5.0.4<br/>
<span class="label">&#160;</span> SeaMonkey 1.0.2</p>
<h3>Description</h3>
<p>Kazuho Oku of Cybozu Labs reports via the Information-technology Promotion
Agency, Japan, that Firefox is vulnerable to HTTP response smuggling when
used with certain proxy servers.</p>
<p>The first technique takes advantage of Mozilla's lenient handling
of HTTP header syntax which was necessary in the past to cope with various
real-world servers. One aspect was to accept HTTP headers with space
characters between the header name and the colon. A modern proxy with strict
syntax checking would ignore these as invalid headers while Mozilla
clients might accept them and interpret one long response as two shorter
responses. If a page on the malicious host can make Firefox issue two
requests in succession, one to the malicious host and one to the victim
site, the second part of the response from the malicious site could
be interpreted as the response from the victim site. The content of
that response could be a web page that could steal login cookies or
other sensitive data if the user has an account at the victim site.</p>
<p>A second variant accomplishes the same thing by sending HTTP 1.1
headers through an HTTP 1.0 proxy such as the popular Squid. The proxy
will ignore the unknown 1.1 header (such as "Transfer-Encoding: chunked")
while Mozilla-based clients will accept them and again can be made to
interpret one long request as two shorter ones.</p>
<p>If the user is not browsing through a proxy the same attacks
can still be mounted but would be effective only if the malicious
site were at the same IP address as the victim site.</p>
<p class="note">Thunderbird shares the browser engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail. Thunderbird users are extremely unlikely to have logged
into a website using their mail client further reducing the risk from
this vulnerability.</p>
<h3>Workaround</h3>
<p>Upgrade to a fixed version.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=329746">
https://bugzilla.mozilla.org/show_bug.cgi?id=329746</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=330214">
https://bugzilla.mozilla.org/show_bug.cgi?id=330214</a></li>
<li>
<a class="ex-ref" href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2786">CVE-2006-2786</a></li>
</ul>
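Review bot: in the second-variant paragraph, "can be made to interpret one long request as two shorter ones" contradicts the first paragraph, which describes the client splitting one long response into two; the smuggling described throughout is on the response side, so this almost certainly should say "response". Since the import is verbatim, flag it for correction in the source (or a post-import cleanup pass) rather than silently editing the generated snippet.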


@ -0,0 +1,51 @@
title: MFSA 2006-34: XSS viewing javascript: frames or images from context menu
<h1>Mozilla Foundation Security Advisory 2006-34</h1>
<p><span class="label">Title:</span> XSS viewing javascript: frames or images from context menu<br/>
<span class="label">Impact:</span> Moderate<br/>
<span class="label">Date:</span> June 1, 2006<br/>
<span class="label">Reporter:</span> Paul Nickerson<br/>
<span class="label">Products:</span> Firefox, SeaMonkey<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5.0.4<br/>
<span class="label">&#160;</span> SeaMonkey 1.0.2</p>
<h3>Description</h3>
<p>Paul Nickerson demonstrated that if an attacker could convince a user
to right-click on a broken image and choose "View Image" from the context
menu then he could get javascript to run on a site of the attacker's choosing
by making the image src attribute a javascript: URL and loading the target
site on mousedown. This could be used to steal login cookies or other
confidential information from the target site.</p>
<p>Similarly, if a user could be convinced to right-click and choose
"Show only this frame" on a frame whose src attribute is a javascript: URL
then that script would run in the context of the framing site. In order
for this variant to be effective not only would you have to convince the
user to view the frame, you would have to find an interesting target
site that can be made to host a frame of the attacker's choosing.</p>
<h3>Workaround</h3>
<p>Be wary when sites give "work around" instructions for odd breakage
on their sites. If images have been broken long enough to have posted
instructions why can't the site simply make images work like every
other site on the internet? Be cautious in such situations, and consider
copying the URL instead and pasting it into a new window so you can
see what it really is first.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=329468">
https://bugzilla.mozilla.org/show_bug.cgi?id=329468</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=329521">
https://bugzilla.mozilla.org/show_bug.cgi?id=329521</a></li>
<li>
<a class="ex-ref" href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2785">CVE-2006-2785</a></li>
</ul>


@ -0,0 +1,44 @@
title: MFSA 2006-35: Privilege escalation through XUL persist
<h1>Mozilla Foundation Security Advisory 2006-35</h1>
<p><span class="label">Title:</span> Privilege escalation through XUL persist.<br/>
<span class="label">Impact:</span> Critical<br/>
<span class="label">Date:</span> June 1, 2006<br/>
<span class="label">Reporter:</span> Jonas Sicking (Mozilla)<br/>
<span class="label">Products:</span> Firefox, Thunderbird, SeaMonkey<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5.0.4<br/>
<span class="label">&#160;</span> Thunderbird 1.5.0.4<br/>
<span class="label">&#160;</span> SeaMonkey 1.0.2</p>
<h3>Description</h3>
<p>In certain circumstances persisted XUL attributes are associated with the
wrong URL. If an attacker can get a persisted string associated with an
URL that will later eval or execute that attribute in a privileged
context then the attacker's code will run with the full permissions
of the browser.</p>
<p class="note">Thunderbird shares the browser engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail.</p>
<h3>Workaround</h3>
<p>Disable JavaScript until you upgrade to the fixed version</p>
<h3>References</h3>
<p>Exploit details withheld until sufficient users upgrade to a fixed version</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=329677">
https://bugzilla.mozilla.org/show_bug.cgi?id=329677</a></li>
<li>
<a class="ex-ref" href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2775">CVE-2006-2775</a></li>
</ul>
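Review bot: the front-matter `title:` reads "Privilege escalation through XUL persist" while the `Title:` label in the body ends with a period ("XUL persist."); the two come from different places in the source (the `$html_title` PHP variable versus the HTML body), so they can drift like this, and the converter should either strip trailing punctuation consistently or derive one from the other. The Workaround sentence is also missing its terminal period.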


@ -0,0 +1,43 @@
title: MFSA 2006-36: PLUGINSPAGE privileged JavaScript execution 2
<h1>Mozilla Foundation Security Advisory 2006-36</h1>
<p><span class="label">Title:</span> PLUGINSPAGE privileged JavaScript execution II<br/>
<span class="label">Impact:</span> Moderate<br/>
<span class="label">Date:</span> June 1, 2006<br/>
<span class="label">Reporter:</span> Paul Nickerson<br/>
<span class="label">Products:</span> Firefox<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5.0.4</p>
<h3>Description</h3>
<p>Paul Nickerson reports that the fix for
<a href="../2005/mfsa2005-34.html">
MFSA 2005-34</a> can be bypassed using nested javascript: URLs, again allowing
the attacker to execute privileged code. The attacker must first convince the
user to first click on the missing-plugin icon in the page or the
"Install Missing Plugins..." button in the infobar, and then click on the
"Manual Install" button on the plugin-finder dialog.</p>
<p>Note that the "Manual Install" button is a mechanism for installing
software from a site specified by the web page. Many potential victims who have
come this far might be convinced to go ahead and install arbitrary software from
the attacker's site even without this vulnerability.</p>
<h3>Workaround</h3>
<p>Do not press the "Manual Install" button on the Firefox plugin finder. Instead
use a search engine to find an appropriate plugin for the content.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=330037">
https://bugzilla.mozilla.org/show_bug.cgi?id=330037</a></li>
<li>
<a class="ex-ref" href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2784">CVE-2006-2784</a></li>
</ul>
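Review bot: the description links to `../2005/mfsa2005-34.html`, a relative path that only resolves in the original mozilla.org `security/announce` directory layout; once these snippets are rendered by bedrock the link will break unless the converter rewrites cross-advisory references to their new URLs. Also, the front-matter title says "execution 2" while the body label says "execution II"; pick one so the page title and heading agree.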


@ -0,0 +1,45 @@
title: MFSA 2006-37: Remote compromise via content-defined setter on object prototypes
<h1>Mozilla Foundation Security Advisory 2006-37</h1>
<p><span class="label">Title:</span> Remote compromise via content-defined setter on object prototypes<br/>
<span class="label">Impact:</span> Critical<br/>
<span class="label">Date:</span> June 1, 2006<br/>
<span class="label">Reporter:</span> Paul Nickerson, moz_bug_r_a4<br/>
<span class="label">Products:</span> Firefox, Thunderbird, SeaMonkey<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5.0.4<br/>
<span class="label">&#160;</span> Thunderbird 1.5.0.4<br/>
<span class="label">&#160;</span> SeaMonkey 1.0.2</p>
<h3>Description</h3>
<p>Paul Nickerson discovered that content-defined setters on an object prototype were
getting called by privileged UI code, and moz_bug_r_a4 was able to develop an
exploit PoC that demonstrated that the higher privilege level could be passed
along to the content-defined attack code.</p>
<p class="note">Thunderbird shares the browser engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail.</p>
<h3>Workaround</h3>
<p>Disable JavaScript until an upgraded version is installed. Do not enable
JavaScript in mail clients such as Thunderbird.</p>
<h3>References</h3>
<p>Exploit details withheld until sufficient time has passed to give
users a chance to upgrade</p>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=330773">
https://bugzilla.mozilla.org/show_bug.cgi?id=330773</a></li>
<li>
<a class="ex-ref" href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2776">CVE-2006-2776</a></li>
</ul>


@ -0,0 +1,40 @@
title: MFSA 2006-38: Buffer overflow in crypto.signText()
<h1>Mozilla Foundation Security Advisory 2006-38</h1>
<p><span class="label">Title:</span> Buffer overflow in crypto.signText()<br/>
<span class="label">Impact:</span> Critical<br/>
<span class="label">Date:</span> June 1, 2006<br/>
<span class="label">Reporter:</span> Mikolaj J. Habryn<br/>
<span class="label">Products:</span> Firefox, Thunderbird, SeaMonkey<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5.0.4<br/>
<span class="label">&#160;</span> Thunderbird 1.5.0.4<br/>
<span class="label">&#160;</span> SeaMonkey 1.0.2</p>
<h3>Description</h3>
<p>Mikolaj Habryn discovered an array index bug in crypto.signText() that
results in overflowing an allocated array of pointers by two when optional
Certificate Authority name arguments are passed in.</p>
<p class="note">Thunderbird shares the browser engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail.</p>
<h3>Workaround</h3>
<p>Disable JavaScript until upgraded to the fixed version.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=330897">
https://bugzilla.mozilla.org/show_bug.cgi?id=330897</a></li>
<li>
<a class="ex-ref" href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2778">CVE-2006-2778</a></li>
</ul>


@ -0,0 +1,51 @@
title: MFSA 2006-39: "View Image" local resource linking (Windows)
<h1>Mozilla Foundation Security Advisory 2006-39</h1>
<p><span class="label">Title:</span> "View Image" local resource linking (Windows)<br/>
<span class="label">Impact:</span> Low<br/>
<span class="label">Date:</span> June 1, 2006<br/>
<span class="label">Reporter:</span> Eric Foley<br/>
<span class="label">Products:</span> Firefox, SeaMonkey<br/>
<br/>
<span class="label">Fixed in:</span> Firefox 1.5.0.4<br/>
<span class="label">&#160;</span> SeaMonkey 1.0.2</p>
<h3>Description</h3>
<p>Normally Mozilla-based clients prevent web content from linking to local files
but Eric Foley reports a partial bypass of this restriction by using Windows
filename syntax (on a Windows computer) rather than a file:/// URL as the
SRC= attribute. The image will not be loaded on the web page--it will appear as
a broken image--but if a user can be convinced to right-click and select
"View Image" then the content will be loaded. Since the image will replace
the current document attacker script cannot be run on it. Loading a local
file at a known location is about the extent of this attack.</p>
<p>If the local file is a media file an external helper program may be launched
to play the media depending on your settings. The action will be the same
as if you had clicked on a remote link of the same media type and does not
present any additional risk. Local files identified as executable will
never be opened in this way, with "executable" broadly
defined on windows to include many scriptable document formats with a history
of being abused.</p>
<p>By referencing a local device rather than a file this could be used
as a limited denial-of-service attack to hang the browser.</p>
<h3>Workaround</h3>
<p>Do not select "View Image" from the context menu for broken images on
web sites you do not fully trust.</p>
<h3>References</h3>
<ul>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=334341">
https://bugzilla.mozilla.org/show_bug.cgi?id=334341</a></li>
<li><a class="ex-ref" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1942">
CVE-2006-1942</a></li>
</ul>
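Review bot: the CVE reference in the last list item uses the host `http://cve.mitre.org` and breaks the anchor text across lines (`...CVE-2006-1942">` followed by `CVE-2006-1942</a>` on the next line), while every other advisory in this commit uses `http://www.cve.mitre.org` with the text on one line; normalising the host and collapsing the whitespace in the converter would keep the reference lists consistent and avoid a leading space in the rendered link text.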
