SynopsisThe remote Ubuntu host is missing one or more security-related patches.
DescriptionSecunia.com reported that one of the recent security patches in Firefox reintroduced the frame injection patch that was originally known as CAN-2004-0718. This allowed a malicious website to spoof the contents of other websites. (CAN-2005-1937)
In several places the browser user interface did not correctly distinguish between true user events, such as mouse clicks or keystrokes, and synthetic events genenerated by web content. This could be exploited by malicious websites to generate e. g. mouse clicks that install malicious plugins. Synthetic events are now prevented from reaching the browser UI entirely. (CAN-2005-2260)
Matthew Mastracci discovered a flaw in the addons installation launcher. By forcing a page navigation immediately after calling the install method a callback function could end up running in the context of the new page selected by the attacker. This callback script could steal data from the new page such as cookies or passwords, or perform actions on the user's behalf such as make a purchase if the user is already logged into the target site. However, the default settings allow only http://addons.mozilla.org to bring up this install dialog.
This could only be exploited if users have added untrustworthy sites to the installation whitelist, and if a malicious site can convince you to install from their site. (CAN-2005-2263)
This could be used to steal cookies, passwords or other sensitive data. (CAN-2005-2264)
A child frame can call top.focus() even if the framing page comes from a different origin and has overridden the focus() routine. Andreas Sandblad discovered that the call is made in the context of the child frame. This could be exploited to steal cookies and passwords from the framed page, or take actions on behalf of a signed-in user. However, websites with above properties are not very common. (CAN-2005-2266)
Several media players, for example Flash and QuickTime, support scripted content with the ability to open URLs in the default browser.
In the fixed version these prompts contain the hostname of the page which created it. (CAN-2005-2268)
The XHTML DOM node handler did not take namespaces into account when verifying node types based on their names. For example, an XHTML document could contain an <IMG> tag with malicious contents, which would then be processed as the standard trusted HTML <img> tag. By tricking an user to view malicious websites, this could be exploited to execute attacker-specified code with the full privileges of the user. (CAN-2005-2269)
It was discovered that some objects were not created appropriately.
This allowed malicious web content scripts to trace back the creation chain until they found a privileged object and execute code with higher privileges than allowed by the current site. (CAN-2005-2270).
Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
SolutionUpdate the affected packages.
File Name: ubuntu_USN-149-1.nasl
Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent
CPE: p-cpe:/a:canonical:ubuntu_linux:mozilla-firefox, p-cpe:/a:canonical:ubuntu_linux:mozilla-firefox-dev, p-cpe:/a:canonical:ubuntu_linux:mozilla-firefox-dom-inspector, p-cpe:/a:canonical:ubuntu_linux:mozilla-firefox-gnome-support, cpe:/o:canonical:ubuntu_linux:5.04
Required KB Items: Host/cpu, Host/Ubuntu, Host/Ubuntu/release, Host/Debian/dpkg-l
Exploit Ease: Exploits are available
Patch Publication Date: 7/21/2005
Metasploit (Mozilla Suite/Firefox compareTo() Code Execution)
CVE: CVE-2004-0718, CVE-2005-1937, CVE-2005-2260, CVE-2005-2261, CVE-2005-2263, CVE-2005-2264, CVE-2005-2265, CVE-2005-2266, CVE-2005-2267, CVE-2005-2268, CVE-2005-2269, CVE-2005-2270