Mozilla Firefox 4.0.x < 4.0.1 Multiple Vulnerabilities

High Log Correlation Engine Plugin ID 801264

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Firefox 4.0.x earlier than 4.0.1 are potentially affected by multiple vulnerabilities :

Multiple memory corruption issues could lead to arbitrary code execution. (MFSA2011-12)

- Multiple vulnerabilities in the WebGL feature and WebGLES could be exploited to execute arbitrary code or bypass ASLR protection on Windows. (MFSA2011-17) - The XSLT 'generate-id()' function returned a string that revealed a specific valid address of an object on the memory heap. (MFSA2011-18)

Solution

Upgrade to Firefox 4.0.1 or later.

See Also

http://.mozilla.org/security/known-vulnerabilities/firefox40.html#firefox4.0.1

http://.mozilla.org/security/announce/2011/mfsa2011-12.html

http://.mozilla.org/security/announce/2011/mfsa2011-17.html

http://.mozilla.org/security/announce/2011/mfsa2011-18.html

Plugin Details

Severity: High

ID: 801264

File Name: 801264.prm

Family: Web Clients

Published: 2011/04/29

Nessus ID: 53595

Risk Information

Risk Factor: High

CVSSv2

Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

Patch Publication Date: 2011/04/28

Vulnerability Publication Date: 2011/04/28

Exploitable With

Metasploit (Mozilla Firefox "nsTreeRange" Dangling Pointer Vulnerability)

Reference Information

CVE: CVE-2011-0068, CVE-2011-0069, CVE-2011-0070, CVE-2011-0079, CVE-2011-0081, CVE-2011-1202

BID: 47635, 47641, 47646, 47648, 47651, 47653, 47654, 47655, 47656, 47657, 47659, 47661, 47662, 47663, 47667, 47668