openSUSE Security Update : MozillaFirefox (openSUSE-SU-2010:0358-2)

This script is Copyright (C) 2010-2014 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

Mozilla Firefox was updated to version 3.5.10, fixing various bugs and
security issues.

MFSA 2010-33 / CVE-2008-5913: Security researcher Amit Klein reported
that it was possible to reverse engineer the value used to seed
Math.random(). Since the pseudo-random number generator was only
seeded once per browsing session, this seed value could be used as a
unique token to identify and track users across different websites.

MFSA 2010-32 / CVE-2010-1197: Security researcher Ilja van Sprundel of
IOActive reported that the Content-Disposition: attachment HTTP header
was ignored when Content-Type: multipart was also present. This issue
could potentially lead to XSS problems in sites that allow users to
upload arbitrary files and specify a Content-Type but rely on
Content-Disposition: attachment to prevent the content from being
displayed inline.

MFSA 2010-31 / CVE-2010-1125: Google security researcher Michal
Zalewski reported that focus() could be used to change a user's cursor
focus while they are typing, potentially directing their keyboard
input to an unintended location. This behaviour was also present
across origins when content from one domain was embedded within
another via an iframe. A malicious web page could use this behaviour
to steal keystrokes from a victim while they were typing sensitive
information such as a password.

MFSA 2010-30 / CVE-2010-1199: Security researcher Martin Barbella
reported via TippingPoint's Zero Day Initiative that an XSLT node
sorting routine contained an integer overflow vulnerability. In cases
where one of the nodes to be sorted contained a very large text value,
the integer used to allocate a memory buffer to store its value would
overflow, resulting in too small a buffer being created. An attacker
could use this vulnerability to write data past the end of the buffer,
causing the browser to crash and potentially running arbitrary code on
a victim's computer.

MFSA 2010-29 / CVE-2010-1196: Security researcher Nils of MWR
InfoSecurity reported that the routine for setting the text value for
certain types of DOM nodes contained an integer overflow
vulnerability. When a very long string was passed to this routine, the
integer value used in creating a new memory buffer to hold the string
would overflow, resulting in too small a buffer being allocated. An
attacker could use this vulnerability to write data past the end of
the buffer, causing a crash and potentially running arbitrary code on
a victim's computer.
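
The undersized-buffer pattern described in MFSA 2010-30 and MFSA 2010-29
above, shown as an added C example (not Mozilla's code and not part of the
original advisory): a byte count for a text value is computed in 32-bit
arithmetic, first unchecked and then with a range check that rejects lengths
whose size would wrap. The function names, the 16-bit character width and the
sample length are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helpers. Sizes are held in 32 bits so the wrap-around
   is reproducible on any platform. */

/* Unchecked form: bytes for `len` 16-bit characters plus a terminator.
   The arithmetic wraps modulo 2^32 when `len` is very large. */
static uint32_t text_bytes_unchecked(uint32_t len)
{
    return (len + 1u) * (uint32_t)sizeof(uint16_t);
}

/* Checked form: rejects any length whose byte count does not fit. */
static bool text_bytes_checked(uint32_t len, uint32_t *out)
{
    if (len > UINT32_MAX / sizeof(uint16_t) - 1u)
        return false;
    *out = (len + 1u) * (uint32_t)sizeof(uint16_t);
    return true;
}

/* Allocates a text buffer only when the size computation is sound. */
static uint16_t *alloc_text(uint32_t len)
{
    uint32_t bytes;
    if (!text_bytes_checked(len, &bytes))
        return NULL; /* caller must treat this as a hard failure */
    return malloc(bytes);
}

int main(void)
{
    uint32_t len = 0x80000007u; /* constructed oversized length */
    printf("unchecked size for %u chars: %u bytes\n",
           (unsigned)len, (unsigned)text_bytes_unchecked(len));
    uint16_t *p = alloc_text(len);
    printf("checked allocation: %s\n", p ? "granted" : "refused");
    free(p);
    return 0;
}
```

The unchecked helper reports a 16-byte buffer for a value of more than two
billion characters, which is the "too small a buffer" condition the advisory
describes; the checked path refuses the request before any allocation.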

MFSA 2010-28 / CVE-2010-1198: Microsoft Vulnerability Research
reported that two plugin instances could interact in a way in which
one plugin gets a reference to an object owned by a second plugin and
continues to hold that reference after the second plugin is unloaded
and its object is destroyed. In these cases, the first plugin would
contain a pointer to freed memory which, if accessed, could be used by
an attacker to execute arbitrary code on a victim's computer.

MFSA 2010-27 / CVE-2010-0183: Security researcher wushi of team509
reported that the frame construction process for certain types of
menus could result in a menu containing a pointer to a previously
freed menu item. During the cycle collection process, this freed item
could be accessed, resulting in the execution of a section of code
potentially controlled by an attacker.

MFSA 2010-26 / CVE-2010-1200 / CVE-2010-1201 / CVE-2010-1202 /
CVE-2010-1203: Mozilla developers identified and fixed several
stability bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these crashes showed evidence of
memory corruption under certain circumstances, and we presume that
with enough effort at least some of these could be exploited to run
arbitrary code.

MFSA 2010-25 / CVE-2010-1121: A memory corruption flaw leading to code
execution was reported by security researcher Nils of MWR InfoSecurity
during the 2010 Pwn2Own contest sponsored by TippingPoint's Zero Day
Initiative. By moving DOM nodes between documents, Nils found a case
where the moved node incorrectly retained its old scope. If garbage
collection could be triggered at the right time, then Firefox would
later use this freed object. The contest-winning exploit only affects
Firefox 3.6 and not earlier versions. Updated (June 22, 2010): Firefox
3.5, SeaMonkey 2.0, and Thunderbird 3.0 based on earlier versions of
the browser engine were patched just in case there is an alternate way
of triggering the underlying flaw.

See also :

http://lists.opensuse.org/opensuse-updates/2010-07/msg00004.html
https://bugzilla.novell.com/show_bug.cgi?id=603356

Solution :

Update the affected MozillaFirefox packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
