Firefox < 2.0.0.19 / 3.0.5 Multiple Vulnerabilities

This script is Copyright (C) 2008-2017 Tenable Network Security, Inc.


Synopsis :

The remote Windows host contains a web browser that is affected by
multiple vulnerabilities.

Description :

The installed version of Firefox is earlier than 2.0.0.19. Such
versions are potentially affected by the following security issues :

- There are several stability bugs in the browser engine
that may lead to crashes with evidence of memory
corruption. (MFSA 2008-60)

- XBL bindings can be used to read data from other
domains. (MFSA 2008-61)

- The feed preview still allows for JavaScript privilege
escalation. (MFSA 2008-62)

- Sensitive data may be disclosed in an XHR response when
an XMLHttpRequest is made to a same-origin resource,
which 302 redirects to a resource in a different
domain. (MFSA 2008-64)

- A website may be able to access a limited amount of
data from a different domain by loading a same-domain
JavaScript URL which redirects to an off-domain target
resource containing data which is not parsable as
JavaScript. (MFSA 2008-65)

- Errors arise when parsing URLs with leading whitespace
and control characters. (MFSA 2008-66)

- An escaped null byte is ignored by the CSS parser and
treated as if it was not present in the CSS input
string. (MFSA 2008-67)

- Cross-site scripting and JavaScript privilege escalation
are possible. (MFSA 2008-68)

- Cross-site scripting vulnerabilities in SessionStore may
allow for violating the browser's same-origin policy and
performing an XSS attack or running arbitrary
JavaScript with chrome privileges. (MFSA 2008-69)

- Creating a Select object with a very large length can
result in memory exhaustion, causing a denial of
service. (CVE-2009-2535)

Note that Mozilla is not planning further security / stability
updates for Firefox 2.

See also :

https://www.mozilla.org/en-US/security/advisories/mfsa2008-60/
https://www.mozilla.org/en-US/security/advisories/mfsa2008-61/
https://www.mozilla.org/en-US/security/advisories/mfsa2008-62/
https://www.mozilla.org/en-US/security/advisories/mfsa2008-64/
https://www.mozilla.org/en-US/security/advisories/mfsa2008-65/
https://www.mozilla.org/en-US/security/advisories/mfsa2008-66/
https://www.mozilla.org/en-US/security/advisories/mfsa2008-67/
https://www.mozilla.org/en-US/security/advisories/mfsa2008-68/
https://www.mozilla.org/en-US/security/advisories/mfsa2008-69/
http://www.securityfocus.com/archive/1/504969/100/0/threaded
http://www.nessus.org/u?9e442733

Solution :

Upgrade to Firefox 2.0.0.19 / 3.0.5 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.1
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now