Detections
Analytics

Firefox < 3.0.2 Multiple Vulnerabilities

high Log Correlation Engine Plugin ID 800756

Synopsis

The remote Windows host contains a web browser that is affected by multiple vulnerabilities.

Description

The installed version of Firefox is affected by various security issues :

- An attacker can cause the content window to move while the mouse is being clicked, causing an item to be dragged rather than clicked-on (MFSA 2008-40).
 - Privilege escalation is possible via 'XPCnativeWrapper' pollution (MFSA 2008-41).
 - There are several stability bugs in the browser engine that may lead to crashes with evidence of memory corruption (MFSA 2008-42).
 - Certain BOM characters and low surrogate characters, if HTML-escaped, are stripped from JavaScript code before it is executed, which could allow for cross-site scripting attacks (MFSA 2008-43).
 - The 'resource: ' protocol allows directory traversal on Linux when using URL-encoded slashes, and it can by used to bypass restrictions on local HTML files (MFSA 2008-44).

Solution

Upgrade to version 3.0.2 or higher.

See Also

http://www.mozilla.org/security/announce/2008/mfsa2008-50.html

http://www.mozilla.org/security/announce/2008/mfsa2008-40.html

http://www.mozilla.org/security/announce/2008/mfsa2008-41.html

http://www.mozilla.org/security/announce/2008/mfsa2008-42.html

http://www.mozilla.org/security/announce/2008/mfsa2008-43.html

http://www.mozilla.org/security/announce/2008/mfsa2008-44.html

http://www.securityfocus.com/bid/31346

Plugin Details

Severity: High

ID: 800756

Family: Web Clients

Nessus ID: 34267

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Reference Information

CVE: CVE-2008-3835, CVE-2008-3836, CVE-2008-3837, CVE-2008-4058, CVE-2008-4059, CVE-2008-4060, CVE-2008-4061, CVE-2008-4062, CVE-2008-4063, CVE-2008-4064, CVE-2008-4065, CVE-2008-4066, CVE-2008-4067, CVE-2008-4068, CVE-2008-4069

BID: 31346