14938

http://www.mozilla.org/security/announce/mfsa2005-39.html

RHSA-2005:383

13231

https://bugzilla.mozilla.org/show_bug.cgi?id=290079

oval:org.mitre.oval:def:100019

oval:org.mitre.oval:def:11734

Updated firefox packages that fix various security bugs are now available.

This update has been rated as having Important security impact by the Red Hat Security Response Team.

Mozilla Firefox is an open source Web browser.

Vladimir V. Perepelitsa discovered a bug in the way Firefox handles anonymous functions during regular expression string replacement. It is possible for a malicious web page to capture a random block of browser memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0989 to this issue.

Omar Khan discovered a bug in the way Firefox processes the PLUGINSPAGE tag. It is possible for a malicious web page to trick a user into pressing the 'manual install' button for an unknown plugin leading to arbitrary JavaScript code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0752 to this issue.

Doron Rosenberg discovered a bug in the way Firefox displays pop-up windows. If a user choses to open a pop-up window whose URL is malicious JavaScript, the script will be executed with elevated privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1153 to this issue.

A bug was found in the way Firefox handles the JavaScript global scope for a window. It is possible for a malicious web page to define a global variable known to be used by a different site, allowing malicious code to be executed in the context of the site. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1154 to this issue.

Michael Krax discovered a bug in the way Firefox handles favicon links. A malicious web page can programatically define a favicon link tag as JavaScript, executing arbitrary JavaScript with elevated privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1155 to this issue.

Michael Krax discovered a bug in the way Firefox installed search plugins. If a user chooses to install a search plugin from a malicious site, the new plugin could silently overwrite an existing plugin. This could allow the malicious plugin to execute arbitrary code and steal sensitive information. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-1156 and CVE-2005-1157 to these issues.

Kohei Yoshino discovered a bug in the way Firefox opens links in its sidebar. A malicious web page could construct a link in such a way that, when clicked on, could execute arbitrary JavaScript with elevated privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1158 to this issue.

A bug was found in the way Firefox validated several XPInstall related JavaScript objects. A malicious web page could pass other objects to the XPInstall objects, resulting in the JavaScript interpreter jumping to arbitrary locations in memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1159 to this issue.

A bug was found in the way the Firefox privileged UI code handled DOM nodes from the content window. A malicious web page could install malicious JavaScript code or steal data requiring a user to do commonplace actions such as clicking a link or opening the context menu. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1160 to this issue.

Users of Firefox are advised to upgrade to this updated package which contains Firefox version 1.0.3 and is not vulnerable to these issues.

USN-149-1 fixed some vulnerabilities in the Ubuntu 5.04 (Hoary Hedgehog) version of Firefox. The version shipped with Ubuntu 4.10 (Warty Warthog) is also vulnerable to these flaws, so it needs to be upgraded as well. Please see

http://www.ubuntulinux.org/support/documentation/usn/usn-149-1

for the original advisory.

This update also fixes several older vulnerabilities; Some of them could be exploited to execute arbitrary code with full user privileges if the user visited a malicious website. (MFSA-2005-01 to MFSA-2005-44; please see the following website for details:
http://www.mozilla.org/projects/security/known-vulnerabilities.html)

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

When a popup is blocked the user is given the ability to open that popup through the popup-blocking status bar icon and, in Firefox, through the information bar. Doron Rosenberg noticed that popups which are permitted by the user were executed with elevated privileges, which could be abused to automatically install and execute arbitrary code with the privileges of the user. (CAN-2005-1153)

It was discovered that the browser did not start with a clean global JavaScript state for each new website. This allowed a malicious web page to define a global variable known to be used by a different site, allowing malicious code to be executed in the context of that site (for example, sending web mail or automatic purchasing).
(CAN-2005-1154)

Michael Krax discovered a flaw in the 'favicon' links handler. A malicious web page could define a favicon link tag as JavaScript, which could be exploited to execute arbitrary code with the privileges of the user. (CAN-2005-1155)

Michael Krax found two flaws in the Search Plugin installation. This allowed malicious plugins to execute arbitrary code in the context of the current site. If the current page had elevated privileges (like 'about:plugins' or 'about:config'), the malicious plugin could even install malicious software when a search was performed.
(CAN-2005-1156, CAN-2005-1157)

Kohei Yoshino discovered two missing security checks when Firefox opens links in its sidebar. This allowed a malicious web page to construct a link that, when clicked on, could execute arbitrary JavaScript code with the privileges of the user. (CAN-2005-1158)

Georgi Guninski discovered that the types of certain XPInstall related JavaScript objects were not sufficiently validated when they were called. This could be exploited by a malicious website to crash Firefox or even execute arbitrary code with the privileges of the user. (CAN-2005-1159)

Firefox did not properly verify the values of XML DOM nodes of web pages. By tricking the user to perform a common action like clicking on a link or opening the context menu, a malicious page could exploit this to execute arbitrary JavaScript code with the full privileges of the user. (CAN-2005-1160).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A number of security vulnerabilities were fixed in the Mozilla Firefox 1.0.4 and Mozilla Suite 1.7.8 releases. Patches have been backported where appropriate; Corporate 3.0 is receiving the new Mozilla Suite 1.7.8 release.

The following issues have been fixed in both Mozilla Firefox and Mozilla Suite :

  - A flaw in the JavaScript regular expression handling     could lead to a disclosure of browser memory,     potentially exposing private data from web pages viewed,     passwords, or similar data sent to other web pages. It     could also crash the browser itself (CVE-2005-0989, MFSA     2005-33)

  - With manual Plugin install, it was possible for the     Plugin to execute JavaScript code with the installing     user's privileges (CVE-2005-0752 and MFSA 2005-34)

  - The popup for showing blocked JavaScript used the wrong     privilege context which could be sued for privilege     escalation (CVE-2005-1153 and MFSA 2005-35)

  - Cross-site scripting through global scope pollution     could lead an attacker to being able to run code in     foreign websites context, leading to the potential     sniffing of information or performing actions in that     context (CVE-2005-1154 and MFSA 2005-36)

  - Code execution through JavaScript via favicons     ('firelinking') could be used for privilege escalation     (CVE-2005-1155 and MFSA 2005-37)

  - Search plugin cross-site scripting ('firesearching')     (CVE-2005-1156, CVE-2005-1157, and MFSA 2005-38)

  - Arbitrary code execution via the Firefox sidebar panel     II (CVE-2005-1158 and MFSA 2005-39)

  - Missing Install object instance checks (CVE-2005-1159     and MFSA 2005-40)

  - Privilege escalation via DOM property overrides     (CVE-2005-1160 and MFSA 2005-41)

  - Code execution via javacript: IconURL (MFSA 2005-42)

  - Security check bypass by wrapping a javascript: URL in     the view-source: pseudo protocol (MFSA 2005-43)

  - Privilege escalation via non-DOM property overrides     (MFSA 2005-44)

In addition to the vulnerabilities previously noted, the following issues have been fixed in the Mozilla Suite 1.7.2 packages :

  - Bypass restriction on opening privileged XUL     (CVE-2005-0401 and MSF 2005-32)

  - Arbitrary code execution via a GIF processing error when     parsing obsolete Netscape extension 2 leading to an     exploitable heap overrun (CVE-2005-0401 and MFSA     2005-32)

  - International Domain Name support could allow for     characters that look similar to other english letters to     be used in constructing nearly perfect phishing sites     (MFSA 2005-29)

  - Predictable plugin temporary directory name (MFSA     2005-28)

  - Plugins can be used to load privileged content into a     frame (CVE-2005-0527 and MFSA 2005-27)

  - Cross-site scripting attack via dropping javascript:
    links on a tab (MFSA 2005-26)

  - Image dragging-and-drop from a web page to the desktop     preserve their original name and extension; if this were     an executable extension then the file would be executed     rather than opened in a media application (MFSA 2005-25)

  - HTTP authentication prompt tab spoofing (MFSA 2005-24)

  - Download dialog source can be disguised by using a host     name long enough that most significant parts are     truncated, allowing a malicious site to spoof the origin     of the file (MFSA 2005-23)

  - Download dialog spoofing via supplied     Content-Disposition header could allow for a file to     look like a safe file (ie. a JPEG image) and when     downloaded saved with an executable extension (MFSA     2005-22)

  - XSLT can include stylesheets from arbitrary hosts (MFSA     2005-20)

  - Memory handling flaw in Mozilla string classes that     could overwrite memory at a fixed location if     reallocation fails during string growth (MFSA 2005-18)

  - Install source spoofing with user:pass@host (MFSA     2005-17)

  - Spoofing download and security dialogs with overlapping     windows (MFSA 2005-16)

  - It is possible for a UTF8 string with invalid sequences     to trigger a heap overflow of converted Unicode data     (MFSA 2005-15)

  - SSL 'secure site' indicator spoofing (MFSA 2005-14)

  - Mozilla mail clients responded to cookie requests     accompanying content loaded over HTTP, ignoring the     setting of the preference     'network.cookie.disableCookieForMailNews' which could be     used to track people (MFSA 2005-11)

  - Browser responds to proxy authentication requests from     non-proxy servers (SSL/HTTPS) (MFSA 2005-09)

  - Snythetic middle-click event can steal clipboard     contents (MFSA 2005-08)

  - In windows with multiple tabs, malicious content in a     background tab can attempt to steal information intended     for the topmost tab by popping up a prompt dialog that     appears to come from the trusted site, or by silently     redirecting input focus to a background tab hoping to     catch the user inputting something sensitive (MFSA     2005-05)

  - Secure site lock can be spoofed with 'view-source:'     (MFSA 2005-04)

  - An insecure page triggering a load of a binary file from     a secure server will cause the SSL lock icon to appear;
    the certificate information is that of the binary file's     host and the location bar URL shows the original     insecure page (MFSA 2005-03)

  - Temporary files are saved with world-readable     permissions (MFSA 2005-02)

  - A vulnerability in the NNTP handling code could cause a     heap overflow and execute arbitrary code on the client     machine (isec-0020)

  - A number of other minor bugs were fixed as well.

Mandriva recommends all users to upgrade to these packages immediately.

The remote host is missing the patch for the advisory SUSE-SA:2005:028 (Mozilla. Mozilla Firefox).


Several problems have been fixed with the security update releases of the Mozilla Firefox 1.0.3 web browser and the Mozilla Suite 1.7.7.

This security update contains those security fixes. The Firefox packages have been directly upgraded to the version 1.0.3, for the Mozilla Suite packages the fixes up to version 1.7.7 have been back ported.

Updates are currently provided for:

Mozilla Firefox: SUSE Linux 9.0 up to 9.3, Novell Linux Desktop 9 Mozilla Suite: SUSE Linux 9.2 and 9.3

Fixes of the Mozilla Suite for older products (SUSE Linux 8.2 - 9.1, SUSE Linux Enterprise Server 8 and 9, SUSE Linux Desktop 1.0) are being worked on.

Following security issues have been fixed:
- MFSA 2005-33,CVE-2005-0989:
A flaw in the Javascript regular expression handling of Mozilla based browser can lead to disclosure of browser memory, potentially exposing private data from web pages viewed or passwords or similar data sent to other web pages.  This flaw could also crash the browser.

- MFSA 2005-34,CVE-2005-0752:
With manual Plugin install it was possible for the Plugin to execute javascript code with the installing users privileges.

- MFSA 2005-35,CVE-2005-1153:
Showing blocked javascript: pop up uses wrong privilege context, this could be used for a privilege escalation (installing malicious plugins).

- MFSA 2005-36,CVE-2005-1154:
Cross-site scripting through global scope pollution, this could lead to an attacker being able to run code in foreign websites context, potentially sniffing information or performing actions in that context.

- MFSA 2005-37,CVE-2005-1155,'firelinking':
Code execution through javascript: favicons, which could be used for a privilege escalation.

- MFSA 2005-38,CVE-2005-1157,CVE-2005-1156,'firesearching':
Search Plugin cross-site scripting.

- MFSA 2005-39,CVE-2005-1158:
Arbitrary code execution from Firefox sidebar panel II.

- MFSA 2005-40,CVE-2005-1159:
Missing Install object instance checks.

- MFSA 2005-41,CVE-2005-1160:
Privilege escalation via DOM property overrides.

The remote version of this software contains various security issues that may allow an attacker to execute arbitrary code on the remote host.

Versions of Mozilla Firefox prior to 1.7.7 are affected by various security issues that may allow an attacker to execute arbitrary code on the remote host.

The remote host is using Mozilla.  The remote version of this software contains various security issues that may allow an attacker to execute arbitrary code on the remote host.

The remote host is using Firefox. 

The remote version of this software contains various security issues that may
allow an attacker to execute arbitrary code on the remote host.

ID	Name	Product	Family	Severity
21929	CentOS 4 : Firefox (CESA-2005:383)	Nessus	CentOS Local Security Checks	high
20546	Ubuntu 4.10 : mozilla-firefox vulnerabilities (USN-149-3)	Nessus	Ubuntu Local Security Checks	high
20513	Ubuntu 5.04 : mozilla-firefox, mozilla vulnerabilities (USN-124-1)	Nessus	Ubuntu Local Security Checks	high
18277	Mandrake Linux Security Advisory : mozilla (MDKSA-2005:088)	Nessus	Mandriva Local Security Checks	high
18154	SUSE-SA:2005:028: Mozilla. Mozilla Firefox	Nessus	SuSE Local Security Checks	high
18109	RHEL 4 : firefox (RHSA-2005:383)	Nessus	Red Hat Local Security Checks	high
18064	Firefox < 1.0.3 Multiple Vulnerabilities	Nessus	Windows	high
2789	Mozilla Firefox < 1.7.7 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	medium
2788	Mozilla Firefox < 1.0.3 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	medium
801293	Mozilla < 1.7.7 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	high
800745	Firefox < 1.0.3 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	high

CVE-2005-1158

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins