This script is Copyright (C) 2005-2015 Tenable Network Security, Inc.
The remote FreeBSD host is missing one or more security-related
A Mozilla Foundation Security Advisory reports :
moz_bug_r_a4 reported several exploits giving an attacker the ability
to install malicious code or steal data, requiring only that the user
do commonplace actions like click on a link or open the context menu.
The common cause in each case was privileged UI code ('chrome') being
overly trusting of DOM nodes from the content window. Scripts in the
web page can override properties and methods of DOM nodes and shadow
the native values, unless steps are taken to get the true underlying
We found that most extensions also interacted with content DOM in a
natural, but unsafe, manner. Changes were made so that chrome code
using this natural DOM coding style will now automatically use the
native DOM value if it exists without having to use cumbersome wrapper
Most of the specific exploits involved tricking the privileged code
into calling eval() on an attacker-supplied script string, or the
equivalent using the Script() object. Checks were added in the
security manager to make sure eval and Script objects are run with the
privileges of the context that created them, not the potentially
elevated privileges of the context calling them.
See also :
Update the affected packages.
Risk factor :
Family: FreeBSD Local Security Checks
Nessus Plugin ID: 19171 (freebsd_pkg_f650d5b8ae6211d9a7880001020eed82.nasl)