SuSE 10 Security Update : Mozilla Firefox (ZYPP Patch Number 7784)

This script is Copyright (C) 2011-2012 Tenable Network Security, Inc.


Synopsis :

The remote SuSE 10 host is missing a security-related patch.

Description :

Mozilla Firefox was updated to version 3.6.23, fixing various bugs and
security issues.

- Mozilla developers identified and fixed several memory
safety bugs in the browser engine used in Firefox and
other Mozilla-based products. Some of these bugs showed
evidence of memory corruption under certain
circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary
code. (MFSA 2011-36)

In general these flaws cannot be exploited through email
in the Thunderbird and SeaMonkey products because
scripting is disabled,, but are potentially a risk in
browser or browser-like contexts in those products.

- Benjamin Smedberg, Bob Clary, and Jesse Ruderman
reported memory safety problems that affected Firefox
3.6 and Firefox 6. (CVE-2011-2995)

- Josh Aas reported a potential crash in the plugin API
that affected Firefox 3.6 only. (CVE-2011-2996)

- Mark Kaplan reported a potentially exploitable crash due
to integer underflow when using a large JavaScript
RegExp expression. We would also like to thank Mark for
contributing the fix for this problem. (no CVE yet).
(MFSA 2011-37)

- Mozilla developer Boris Zbarsky reported that a frame
named 'location' could shadow the window.location object
unless a script in a page grabbed a reference to the
true object before the frame was created. Because some
plugins use the value of window.location to determine
the page origin this could fool the plugin into granting
the plugin content access to another site or the local
file system in violation of the Same Origin Policy. This
flaw allows circumvention of the fix added for MFSA
2010-10. (CVE-2011-2999). (MFSA 2011-38)

- Ian Graham of Citrix Online reported that when multiple
Location headers were present in a redirect response
Mozilla behavior differed from other browsers: Mozilla
would use the second Location header while Chrome and
Internet Explorer would use the first. Two copies of
this header with different values could be a symptom of
a CRLF injection attack against a vulnerable server.
Most commonly it is the Location header itself that is
vulnerable to the response splitting and therefore the
copy preferred by Mozilla is more likely to be the
malicious one. It is possible, however, that the first
copy was the injected one depending on the nature of the
server vulnerability. (MFSA 2011-39)

The Mozilla browser engine has been changed to treat two
copies of this header with different values as an error
condition. The same has been done with the headers
Content-Length and Content-Disposition. (CVE-2011-3000)

- Mariusz Mlynski reported that if you could convince a
user to hold down the Enter key--as part of a game or
test, perhaps--a malicious page could pop up a download
dialog where the held key would then activate the
default Open action. For some file types this would be
merely annoying (the equivalent of a pop-up) but other
file types have powerful scripting capabilities. And
this would provide an avenue for an attacker to exploit
a vulnerability in applications not normally exposed to
potentially hostile internet content. (MFSA 2011-40)

Holding enter allows arbitrary code execution due to
Download Manager. (CVE-2011-2372)

See also :

http://www.mozilla.org/security/announce/2010/mfsa2010-10.html
http://www.mozilla.org/security/announce/2011/mfsa2011-36.html
http://www.mozilla.org/security/announce/2011/mfsa2011-37.html
http://www.mozilla.org/security/announce/2011/mfsa2011-38.html
http://www.mozilla.org/security/announce/2011/mfsa2011-39.html
http://www.mozilla.org/security/announce/2011/mfsa2011-40.html
http://support.novell.com/security/cve/CVE-2011-2372.html
http://support.novell.com/security/cve/CVE-2011-2995.html
http://support.novell.com/security/cve/CVE-2011-2996.html
http://support.novell.com/security/cve/CVE-2011-2999.html
http://support.novell.com/security/cve/CVE-2011-3000.html

Solution :

Apply ZYPP patch number 7784.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Family: SuSE Local Security Checks

Nessus Plugin ID: 57152 ()

Bugtraq ID:

CVE ID: CVE-2011-2372
CVE-2011-2995
CVE-2011-2996
CVE-2011-2999
CVE-2011-3000

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now