Ubuntu 8.04 LTS / 8.10 : firefox-3.0, xulrunner-1.9 vulnerabilities (USN-717-1)

Ubuntu Security Notice (C) 2009-2015 Canonical, Inc. / NASL script (C) 2009-2015 Tenable Network Security, Inc.

Synopsis :

The remote Ubuntu host is missing one or more security-related patches.

Description :

Several flaws were discovered in the browser engine. These problems
could allow an attacker to crash the browser and possibly execute
arbitrary code with user privileges. (CVE-2009-0352, CVE-2009-0353)

A flaw was discovered in the JavaScript engine. An attacker could
bypass the same-origin policy in Firefox by utilizing a chrome XBL
method and execute arbitrary JavaScript within the context of another
website. (CVE-2009-0354)

A flaw was discovered in the browser engine when restoring closed
tabs. If a user were tricked into restoring a tab to a malicious
website with form input controls, an attacker could steal local files
on the user's system. (CVE-2009-0355)

Wladimir Palant discovered that Firefox did not restrict access to
cookies in HTTP response headers. If a user were tricked into opening
a malicious web page, a remote attacker could view sensitive
information. (CVE-2009-0357)

Paul Nel discovered that Firefox did not honor certain Cache-Control
HTTP directives. A local attacker could exploit this to view private
data in improperly cached pages of another user. (CVE-2009-0358)

Solution :

Update the affected packages.

Risk factor :

Critical / CVSS Base Score : 10.0
CVSS Temporal Score : 8.7
Public Exploit Available : true

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 37217

Bugtraq ID: 33598

CVE ID: CVE-2009-0352