openSUSE Security Update : MozillaFirefox (MozillaFirefox-1312)

This script is Copyright (C) 2009-2016 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

This update brings Mozilla Firefox to the 3.0.14 stable release.

It also fixes various security issues: MFSA 2009-47 / CVE-2009-3069 /
CVE-2009-3070 / CVE-2009-3071 / CVE-2009-3072 / CVE-2009-3073 /
CVE-2009-3074 / CVE-2009-3075: Mozilla developers and community
members identified and fixed several stability bugs in the browser
engine used in Firefox and other Mozilla-based products. Some of these
crashes showed evidence of memory corruption under certain
circumstances and we presume that with enough effort at least some of
these could be exploited to run arbitrary code.

MFSA 2009-48 / CVE-2009-3076: Mozilla security researcher Jesse
Rudermanreported that when security modules were added or removed via
pkcs11.addmodule or pkcs11.deletemodule, the resulting dialog was not
sufficiently informative. Without sufficient warning, an attacker
could entice a victim to install a malicious PKCS11 module and affect
the cryptographic integrity of the victim's browser. Security
researcher Dan Kaminsky reported that this issue had not been fixed in
Firefox 3.0 and that under certain circumstances pkcs11 modules could
be installed from a remote location. Firefox 3.5 releases are not
affected.

MFSA 2009-49 / CVE-2009-3077: An anonymous security researcher, via
TippingPoint's Zero Day Initiative, reported that the columns of a XUL
tree element could be manipulated in a particular way which would
leave a pointer owned by the column pointing to freed memory. An
attacker could potentially use this vulnerability to crash a victim's
browser and run arbitrary code on the victim's computer.

MFSA 2009-50 / CVE-2009-3078: Security researcher Juan Pablo Lopez
Yacubian reported that the default Windows font used to render the
locationbar and other text fields was improperly displaying certain
Unicode characters with tall line-height. In such cases the tall
line-height would cause the rest of the text in the input field to be
scrolled vertically out of view. An attacker could use this
vulnerability to prevent a user from seeing the URL of a malicious
site. Corrie Sloot also independently reported this issue to Mozilla.

MFSA 2009-51 / CVE-2009-3079: Mozilla security researcher moz_bug_r_a4
reported that the BrowserFeedWriter could be leveraged to run
JavaScript code from web content with elevated privileges. Using this
vulnerability, an attacker could construct an object containing
malicious JavaScript and cause the FeedWriter to process the object,
running the malicious code with chrome privileges. Thunderbird does
not support the BrowserFeedWriter object and is not vulnerable in its
default configuration. Thunderbird might be vulnerable if the user has
installed any add-on which adds a similarly implemented feature and
then enables JavaScript in mail messages. This is not the default
setting and we strongly discourage users from running JavaScript in
mail.

See also :

https://bugzilla.novell.com/show_bug.cgi?id=534458

Solution :

Update the affected MozillaFirefox packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now