Mozilla Thunderbird 3.0 was updated to version 3.0.7, fixing various bugs and security issues.

Following security issues were fixed: MFSA 2010-49 / CVE-2010-3169:
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products.
Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

MFSA 2010-50 / CVE-2010-2765: Security researcher Chris Rohlf of Matasano Security reported that the implementation of the HTML frameset element contained an integer overflow vulnerability. The code responsible for parsing the frameset columns used an 8-byte counter for the column numbers, so when a very large number of columns was passed in the counter would overflow. When this counter was subsequently used to allocate memory for the frameset, the memory buffer would be too small, potentially resulting in a heap buffer overflow and execution of attacker-controlled memory.

MFSA 2010-51 / CVE-2010-2767: Security researcher Sergey Glazunov reported a dangling pointer vulnerability in the implementation of navigator.plugins in which the navigator object could retain a pointer to the plugins array even after it had been destroyed. An attacker could potentially use this issue to crash the browser and run arbitrary code on a victim's computer.

MFSA 2010-52 / CVE-2010-3131: Security researcher Haifei Li of FortiGuard Labs reported that Firefox could be used to load a malicious code library that had been planted on a victim's computer.
Firefox attempts to load dwmapi.dll upon startup as part of its platform detection, so on systems that don't have this library, such as Windows XP, Firefox will subsequently attempt to load the library from the current working directory. An attacker could use this vulnerability to trick a user into downloading a HTML file and a malicious copy of dwmapi.dll into the same directory on their computer and opening the HTML file with Firefox, thus causing the malicious code to be executed. If the attacker was on the same network as the victim, the malicious DLL could also be loaded via a UNC path. The attack also requires that Firefox not currently be running when it is asked to open the HTML file and accompanying DLL.

As this is a Windows only problem, it does not affect the Linux version. It is listed for completeness only.

MFSA 2010-53 / CVE-2010-3166: Security researcher wushi of team509 reported a heap buffer overflow in code routines responsible for transforming text runs. A page could be constructed with a bidirectional text run which upon reflow could result in an incorrect length being calculated for the run of text. When this value is subsequently used to allocate memory for the text too small a buffer may be created potentially resulting in a buffer overflow and the execution of attacker controlled memory.

MFSA 2010-54 / CVE-2010-2760: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that there was a remaining dangling pointer issue leftover from the fix to CVE-2010-2753. Under certain circumstances one of the pointers held by a XUL tree selection could be freed and then later reused, potentially resulting in the execution of attacker-controlled memory.

MFSA 2010-55 / CVE-2010-3168: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that XUL <tree> objects could be manipulated such that the setting of certain properties on the object would trigger the removal of the tree from the DOM and cause certain sections of deleted memory to be accessed. In products based on Gecko version 1.9.2 (Firefox 3.6, Thunderbird 3.1) and newer this memory has been overwritten by a value that will cause an unexploitable crash. In products based on Gecko version 1.9.1 (Firefox 3.5, Thunderbird 3.0, and SeaMonkey 2.0) and older an attacker could potentially use this vulnerability to crash a victim's browser and run arbitrary code on their computer.

MFSA 2010-56 / CVE-2010-3167: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that the implementation of XUL <tree>'s content view contains a dangling pointer vulnerability. One of the content view's methods for accessing the internal structure of the tree could be manipulated into removing a node prior to accessing it, resulting in the accessing of deleted memory. If an attacker can control the contents of the deleted memory prior to its access they could use this vulnerability to run arbitrary code on a victim's machine.

MFSA 2010-57 / CVE-2010-2766: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that code used to normalize a document contained a logical flaw that could be leveraged to run arbitrary code. When the normalization code ran, a static count of the document's child nodes was used in the traversal, so a page could be constructed that would remove DOM nodes during this normalization which could lead to the accessing of a deleted object and potentially the execution of attacker-controlled memory.

MFSA 2010-58 / CVE-2010-2770: Security researcher Marc Schoenefeld reported that a specially crafted font could be applied to a document and cause a crash on Mac systems. The crash showed signs of memory corruption and presumably could be used by an attacker to execute arbitrary code on a victim's computer.

This issue probably does not affect the Linux builds and so is listed for completeness.

MFSA 2010-59 / CVE-2010-2762: Mozilla developer Blake Kaplan reported that the wrapper class XPCSafeJSObjectWrapper (SJOW), a security wrapper that allows content-defined objects to be safely accessed by privileged code, creates scope chains ending in outer objects. Users of SJOWs which expect the scope chain to end on an inner object may be handed a chrome privileged object which could be leveraged to run arbitrary JavaScript with chrome privileges.

Michal Zalewski's recent contributions helped to identify this architectural weakness.

MFSA 2010-60 / CVE-2010-2763: Mozilla security researcher moz_bug_r_a4 reported that the wrapper class XPCSafeJSObjectWrapper (SJOW) on the Mozilla 1.9.1 development branch has a logical error in its scripted function implementation that allows the caller to run the function within the context of another site. This is a violation of the same-origin policy and could be used to mount an XSS attack.

MFSA 2010-61 / CVE-2010-2768: Security researchers David Huang and Collin Jackson of Carnegie Mellon University CyLab (Silicon Valley campus) reported that the type attribute of an <object> tag can override the charset of a framed HTML document, even when the document is included across origins. A page could be constructed containing such an <object> tag which sets the charset of the framed document to UTF-7. This could potentially allow an attacker to inject UTF-7 encoded JavaScript into a site, bypassing the site's XSS filters, and then executing the code using the above technique.

MFSA 2010-62 / CVE-2010-2769: Security researcher Paul Stone reported that when an HTML selection containing JavaScript is copy-and-pasted or dropped onto a document with designMode enabled the JavaScript will be executed within the context of the site where the code was dropped.
A malicious site could leverage this issue in an XSS attack by persuading a user into taking such an action and in the process running malicious JavaScript within the context of another site.

MFSA 2010-63 / CVE-2010-2764: Matt Haggard reported that the statusText property of an XMLHttpRequest object is readable by the requestor even when the request is made across origins. This status information reveals the presence of a web server and could be used to gather information about servers on internal private networks.

This issue was also independently reported to Mozilla by Nicholas Berthaume

This update brings Mozilla XULRunner to version 1.9.1.15, fixing various bugs and security issues.

The following security issues were fixed: MFSA 2010-49 / CVE-2010-3169: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

MFSA 2010-50 / CVE-2010-2765: Security researcher Chris Rohlf of Matasano Security reported that the implementation of the HTML frameset element contained an integer overflow vulnerability. The code responsible for parsing the frameset columns used an 8-byte counter for the column numbers, so when a very large number of columns was passed in the counter would overflow. When this counter was subsequently used to allocate memory for the frameset, the memory buffer would be too small, potentially resulting in a heap buffer overflow and execution of attacker-controlled memory.

MFSA 2010-51 / CVE-2010-2767: Security researcher Sergey Glazunov reported a dangling pointer vulnerability in the implementation of navigator.plugins in which the navigator object could retain a pointer to the plugins array even after it had been destroyed. An attacker could potentially use this issue to crash the browser and run arbitrary code on a victim's computer.

MFSA 2010-52 / CVE-2010-3131: Security researcher Haifei Li of FortiGuard Labs reported that Firefox could be used to load a malicious code library that had been planted on a victim's computer.
Firefox attempts to load dwmapi.dll upon startup as part of its platform detection, so on systems that don't have this library, such as Windows XP, Firefox will subsequently attempt to load the library from the current working directory. An attacker could use this vulnerability to trick a user into downloading a HTML file and a malicious copy of dwmapi.dll into the same directory on their computer and opening the HTML file with Firefox, thus causing the malicious code to be executed. If the attacker was on the same network as the victim, the malicious DLL could also be loaded via a UNC path. The attack also requires that Firefox not currently be running when it is asked to open the HTML file and accompanying DLL. As this is a Windows only problem, it does not affect the Linux version. It is listed for completeness only.

MFSA 2010-53 / CVE-2010-3166: Security researcher wushi of team509 reported a heap buffer overflow in code routines responsible for transforming text runs. A page could be constructed with a bidirectional text run which upon reflow could result in an incorrect length being calculated for the run of text. When this value is subsequently used to allocate memory for the text too small a buffer may be created potentially resulting in a buffer overflow and the execution of attacker controlled memory.

MFSA 2010-54 / CVE-2010-2760: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that there was a remaining dangling pointer issue leftover from the fix to CVE-2010-2753. Under certain circumstances one of the pointers held by a XUL tree selection could be freed and then later reused, potentially resulting in the execution of attacker-controlled memory.

MFSA 2010-55 / CVE-2010-3168: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that XUL objects could be manipulated such that the setting of certain properties on the object would trigger the removal of the tree from the DOM and cause certain sections of deleted memory to be accessed. In products based on Gecko version 1.9.2 (Firefox 3.6, Thunderbird 3.1) and newer this memory has been overwritten by a value that will cause an unexploitable crash. In products based on Gecko version 1.9.1 (Firefox 3.5, Thunderbird 3.0, and SeaMonkey 2.0) and older an attacker could potentially use this vulnerability to crash a victim's browser and run arbitrary code on their computer.

MFSA 2010-56 / CVE-2010-3167: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that the implementation of XUL's content view contains a dangling pointer vulnerability. One of the content view's methods for accessing the internal structure of the tree could be manipulated into removing a node prior to accessing it, resulting in the accessing of deleted memory. If an attacker can control the contents of the deleted memory prior to its access they could use this vulnerability to run arbitrary code on a victim's machine.

MFSA 2010-57 / CVE-2010-2766: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that code used to normalize a document contained a logical flaw that could be leveraged to run arbitrary code. When the normalization code ran, a static count of the document's child nodes was used in the traversal, so a page could be constructed that would remove DOM nodes during this normalization which could lead to the accessing of a deleted object and potentially the execution of attacker-controlled memory.

MFSA 2010-58 / CVE-2010-2770: Security researcher Marc Schoenefeld reported that a specially crafted font could be applied to a document and cause a crash on Mac systems. The crash showed signs of memory corruption and presumably could be used by an attacker to execute arbitrary code on a victim's computer. This issue probably does not affect the Linux builds and so is listed for completeness.

MFSA 2010-59 / CVE-2010-2762: Mozilla developer Blake Kaplan reported that the wrapper class XPCSafeJSObjectWrapper (SJOW), a security wrapper that allows content-defined objects to be safely accessed by privileged code, creates scope chains ending in outer objects. Users of SJOWs which expect the scope chain to end on an inner object may be handed a chrome privileged object which could be leveraged to run arbitrary JavaScript with chrome privileges. Michal Zalewski's recent contributions helped to identify this architectural weakness.

MFSA 2010-60 / CVE-2010-2763: Mozilla security researcher mozbugr_a4 reported that the wrapper class XPCSafeJSObjectWrapper (SJOW) on the Mozilla 1.9.1 development branch has a logical error in its scripted function implementation that allows the caller to run the function within the context of another site. This is a violation of the same-origin policy and could be used to mount an XSS attack.

MFSA 2010-61 / CVE-2010-2768: Security researchers David Huang and Collin Jackson of Carnegie Mellon University CyLab (Silicon Valley campus) reported that the type attribute of an tag can override the charset of a framed HTML document, even when the document is included across origins. A page could be constructed containing such an tag which sets the charset of the framed document to UTF-7. This could potentially allow an attacker to inject UTF-7 encoded JavaScript into a site, bypassing the site's XSS filters, and then executing the code using the above technique.

MFSA 2010-62 / CVE-2010-2769: Security researcher Paul Stone reported that when an HTML selection containing JavaScript is copy-and-pasted or dropped onto a document with designMode enabled the JavaScript will be executed within the context of the site where the code was dropped.
A malicious site could leverage this issue in an XSS attack by persuading a user into taking such an action and in the process running malicious JavaScript within the context of another site.

MFSA 2010-63 / CVE-2010-2764: Matt Haggard reported that the statusText property of an XMLHttpRequest object is readable by the requestor even when the request is made across origins. This status information reveals the presence of a web server and could be used to gather information about servers on internal private networks. This issue was also independently reported to Mozilla by Nicholas Berthaume.

MFSA 2010-64: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. References

Paul Nickerson, Jesse Ruderman, Olli Pettay, Igor Bukanov and Josh Soref reported memory safety problems that affected Firefox 3.6 and Firefox 3.5.

  - Memory safety bugs - Firefox 3.6, Firefox 3.5

  - CVE-2010-3176

Jesse Ruderman reported a crash which affected Firefox 3.5 only.

    - https://bugzilla.mozilla.org/show_bug.cgi?id=476547

  - CVE-2010-3174

MFSA 2010-65 / CVE-2010-3179: Security researcher Alexander Miller reported that passing an excessively long string to document.write could cause text rendering routines to end up in an inconsistent state with sections of stack memory being overwritten with the string data.
An attacker could use this flaw to crash a victim's browser and potentially run arbitrary code on their computer.

MFSA 2010-66 / CVE-2010-3180: Security researcher Sergey Glazunov reported that it was possible to access the locationbar property of a window object after it had been closed. Since the closed window's memory could have been subsequently reused by the system it was possible that an attempt to access the locationbar property could result in the execution of attacker-controlled memory.

MFSA 2010-67 / CVE-2010-3183: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that when window.__lookupGetter__ is called with no arguments the code assumes the top JavaScript stack value is a property name. Since there were no arguments passed into the function, the top value could represent uninitialized memory or a pointer to a previously freed JavaScript object. Under such circumstances the value is passed to another subroutine which calls through the dangling pointer, potentially executing attacker-controlled memory.

MFSA 2010-68 / CVE-2010-3177: Google security researcher Robert Swiecki reported that functions used by the Gopher parser to convert text to HTML tags could be exploited to turn text into executable JavaScript. If an attacker could create a file or directory on a Gopher server with the encoded script as part of its name the script would then run in a victim's browser within the context of the site.

MFSA 2010-69 / CVE-2010-3178: Security researcher Eduardo Vela Nava reported that if a web page opened a new window and used a javascript:
URL to make a modal call, such as alert(), then subsequently navigated the page to a different domain, once the modal call returned the opener of the window could get access to objects in the navigated window. This is a violation of the same-origin policy and could be used by an attacker to steal information from another website.

MFSA 2010-70 / CVE-2010-3170: Security researcher Richard Moore reported that when an SSL certificate was created with a common name containing a wildcard followed by a partial IP address a valid SSL connection could be established with a server whose IP address matched the wildcard range by browsing directly to the IP address. It is extremely unlikely that such a certificate would be issued by a Certificate Authority.

MFSA 2010-71 / CVE-2010-3182: Dmitri Gribenko reported that the script used to launch Mozilla applications on Linux was effectively including the current working directory in the LD_LIBRARY_PATH environment variable. If an attacker was able to place into the current working directory a malicious shared library with the same name as a library that the bootstrapping script depends on the attacker could have their library loaded instead of the legitimate library.

MFSA 2010-73 / CVE-2010-3765: Morten Kr&aring;kvik of Telenor SOC reported an exploit targeting particular versions of Firefox 3.6 on Windows XP that Telenor found while investigating an intrusion attempt on a customer network. The underlying vulnerability, however, was present on both the Firefox 3.5 and Firefox 3.6 development branches and affected all supported platforms.

This update brings Mozilla Firefox to version 3.5.15, fixing various bugs and security issues.

The following security issues were fixed :

  - Mozilla developers identified and fixed several memory     safety bugs in the browser engine used in Firefox and     other Mozilla-based products. Some of these bugs showed     evidence of memory corruption under certain     circumstances, and we presume that with enough effort at     least some of these could be exploited to run arbitrary     code. (MFSA 2010-49 / CVE-2010-3169)

  - Security researcher Chris Rohlf of Matasano Security     reported that the implementation of the HTML frameset     element contained an integer overflow vulnerability. The     code responsible for parsing the frameset columns used     an 8-byte counter for the column numbers, so when a very     large number of columns was passed in the counter would     overflow. When this counter was subsequently used to     allocate memory for the frameset, the memory buffer     would be too small, potentially resulting in a heap     buffer overflow and execution of attacker-controlled     memory. (MFSA 2010-50 / CVE-2010-2765)

  - Security researcher Sergey Glazunov reported a dangling     pointer vulnerability in the implementation of     navigator.plugins in which the navigator object could     retain a pointer to the plugins array even after it had     been destroyed. An attacker could potentially use this     issue to crash the browser and run arbitrary code on a     victim's computer. (MFSA 2010-51 / CVE-2010-2767)

  - Security researcher Haifei Li of FortiGuard Labs     reported that Firefox could be used to load a malicious     code library that had been planted on a victim's     computer. Firefox attempts to load dwmapi.dll upon     startup as part of its platform detection, so on systems     that don't have this library, such as Windows XP,     Firefox will subsequently attempt to load the library     from the current working directory. An attacker could     use this vulnerability to trick a user into downloading     a HTML file and a malicious copy of dwmapi.dll into the     same directory on their computer and opening the HTML     file with Firefox, thus causing the malicious code to be     executed. If the attacker was on the same network as the     victim, the malicious DLL could also be loaded via a UNC     path. The attack also requires that Firefox not     currently be running when it is asked to open the HTML     file and accompanying DLL. As this is a Windows only     problem, it does not affect the Linux version. It is     listed for completeness only. (MFSA 2010-52 /     CVE-2010-3131)

  - Security researcher wushi of team509 reported a heap     buffer overflow in code routines responsible for     transforming text runs. A page could be constructed with     a bidirectional text run which upon reflow could result     in an incorrect length being calculated for the run of     text. When this value is subsequently used to allocate     memory for the text too small a buffer may be created     potentially resulting in a buffer overflow and the     execution of attacker controlled memory. (MFSA 2010-53 /     CVE-2010-3166)

  - Security researcher regenrecht reported via     TippingPoint's Zero Day Initiative that there was a     remaining dangling pointer issue leftover from the fix     to CVE-2010-2753. Under certain circumstances one of the     pointers held by a XUL tree selection could be freed and     then later reused, potentially resulting in the     execution of attacker-controlled memory. (MFSA 2010-54 /     CVE-2010-2760)

  - Security researcher regenrecht reported via     TippingPoint's Zero Day Initiative that XUL objects     could be manipulated such that the setting of certain     properties on the object would trigger the removal of     the tree from the DOM and cause certain sections of     deleted memory to be accessed. In products based on     Gecko version 1.9.2 (Firefox 3.6, Thunderbird 3.1) and     newer this memory has been overwritten by a value that     will cause an unexploitable crash. In products based on     Gecko version 1.9.1 (Firefox 3.5, Thunderbird 3.0, and     SeaMonkey 2.0) and older an attacker could potentially     use this vulnerability to crash a victim's browser and     run arbitrary code on their computer. (MFSA 2010-55 /     CVE-2010-3168)

  - Security researcher regenrecht reported via     TippingPoint's Zero Day Initiative that the     implementation of XUL's content view contains a dangling     pointer vulnerability. One of the content view's methods     for accessing the internal structure of the tree could     be manipulated into removing a node prior to accessing     it, resulting in the accessing of deleted memory. If an     attacker can control the contents of the deleted memory     prior to its access they could use this vulnerability to     run arbitrary code on a victim's machine. (MFSA 2010-56     / CVE-2010-3167)

  - Security researcher regenrecht reported via     TippingPoint's Zero Day Initiative that code used to     normalize a document contained a logical flaw that could     be leveraged to run arbitrary code. When the     normalization code ran, a static count of the document's     child nodes was used in the traversal, so a page could     be constructed that would remove DOM nodes during this     normalization which could lead to the accessing of a     deleted object and potentially the execution of     attacker-controlled memory. (MFSA 2010-57 /     CVE-2010-2766)

  - Security researcher Marc Schoenefeld reported that a     specially crafted font could be applied to a document     and cause a crash on Mac systems. The crash showed signs     of memory corruption and presumably could be used by an     attacker to execute arbitrary code on a victim's     computer. This issue probably does not affect the Linux     builds and so is listed for completeness. (MFSA 2010-58     / CVE-2010-2770)

  - Mozilla developer Blake Kaplan reported that the wrapper     class XPCSafeJSObjectWrapper (SJOW), a security wrapper     that allows content-defined objects to be safely     accessed by privileged code, creates scope chains ending     in outer objects. Users of SJOWs which expect the scope     chain to end on an inner object may be handed a chrome     privileged object which could be leveraged to run     arbitrary JavaScript with chrome privileges. Michal     Zalewski's recent contributions helped to identify this     architectural weakness. (MFSA 2010-59 / CVE-2010-2762)

  - Mozilla security researcher mozbugr_a4 reported that the     wrapper class XPCSafeJSObjectWrapper (SJOW) on the     Mozilla 1.9.1 development branch has a logical error in     its scripted function implementation that allows the     caller to run the function within the context of another     site. This is a violation of the same-origin policy and     could be used to mount an XSS attack. (MFSA 2010-60 /     CVE-2010-2763)

  - Security researchers David Huang and Collin Jackson of     Carnegie Mellon University CyLab (Silicon Valley campus)     reported that the type attribute of an tag can override     the charset of a framed HTML document, even when the     document is included across origins. A page could be     constructed containing such an tag which sets the     charset of the framed document to UTF-7. This could     potentially allow an attacker to inject UTF-7 encoded     JavaScript into a site, bypassing the site's XSS     filters, and then executing the code using the above     technique. (MFSA 2010-61 / CVE-2010-2768)

  - Security researcher Paul Stone reported that when an     HTML selection containing JavaScript is copy-and-pasted     or dropped onto a document with designMode enabled the     JavaScript will be executed within the context of the     site where the code was dropped. A malicious site could     leverage this issue in an XSS attack by persuading a     user into taking such an action and in the process     running malicious JavaScript within the context of     another site. (MFSA 2010-62 / CVE-2010-2769)

  - Matt Haggard reported that the statusText property of an     XMLHttpRequest object is readable by the requestor even     when the request is made across origins. This status     information reveals the presence of a web server and     could be used to gather information about servers on     internal private networks. This issue was also     independently reported to Mozilla by Nicholas Berthaume.
    (MFSA 2010-63 / CVE-2010-2764)

  - Mozilla developers identified and fixed several memory     safety bugs in the browser engine used in Firefox and     other Mozilla-based products. Some of these bugs showed     evidence of memory corruption under certain     circumstances, and we presume that with enough effort at     least some of these could be exploited to run arbitrary     code. References. (MFSA 2010-64)

    Paul Nickerson, Jesse Ruderman, Olli Pettay, Igor     Bukanov and Josh Soref reported memory safety problems     that affected Firefox 3.6 and Firefox 3.5.

o Memory safety bugs - Firefox 3.6, Firefox 3.5 o CVE-2010-3176

Jesse Ruderman reported a crash which affected Firefox 3.5 only.

o https://bugzilla.mozilla.org/show_bug.cgi?id=476547 o CVE-2010-3174

  - Security researcher Alexander Miller reported that     passing an excessively long string to document.write     could cause text rendering routines to end up in an     inconsistent state with sections of stack memory being     overwritten with the string data. An attacker could use     this flaw to crash a victim's browser and potentially     run arbitrary code on their computer. (MFSA 2010-65 /     CVE-2010-3179)

  - Security researcher Sergey Glazunov reported that it was     possible to access the locationbar property of a window     object after it had been closed. Since the closed     window's memory could have been subsequently reused by     the system it was possible that an attempt to access the     locationbar property could result in the execution of     attacker-controlled memory. (MFSA 2010-66 /     CVE-2010-3180)

  - Security researcher regenrecht reported via     TippingPoint's Zero Day Initiative that when     window.__lookupGetter__ is called with no arguments the     code assumes the top JavaScript stack value is a     property name. Since there were no arguments passed into     the function, the top value could represent     uninitialized memory or a pointer to a previously freed     JavaScript object. Under such circumstances the value is     passed to another subroutine which calls through the     dangling pointer, potentially executing     attacker-controlled memory. (MFSA 2010-67 /     CVE-2010-3183)

  - Google security researcher Robert Swiecki reported that     functions used by the Gopher parser to convert text to     HTML tags could be exploited to turn text into     executable JavaScript. If an attacker could create a     file or directory on a Gopher server with the encoded     script as part of its name the script would then run in     a victim's browser within the context of the site. (MFSA     2010-68 / CVE-2010-3177)

  - Security researcher Eduardo Vela Nava reported that if a     web page opened a new window and used a javascript: URL     to make a modal call, such as alert(), then subsequently     navigated the page to a different domain, once the modal     call returned the opener of the window could get access     to objects in the navigated window. This is a violation     of the same-origin policy and could be used by an     attacker to steal information from another website.
    (MFSA 2010-69 / CVE-2010-3178)

  - Security researcher Richard Moore reported that when an     SSL certificate was created with a common name     containing a wildcard followed by a partial IP address a     valid SSL connection could be established with a server     whose IP address matched the wildcard range by browsing     directly to the IP address. It is extremely unlikely     that such a certificate would be issued by a Certificate     Authority. (MFSA 2010-70 / CVE-2010-3170)

  - Dmitri Gribenko reported that the script used to launch     Mozilla applications on Linux was effectively including     the current working directory in the LD_LIBRARY_PATH     environment variable. If an attacker was able to place     into the current working directory a malicious shared     library with the same name as a library that the     bootstrapping script depends on the attacker could have     their library loaded instead of the legitimate library.
    (MFSA 2010-71 / CVE-2010-3182)

Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-3169, CVE-2010-2762)

Several use-after-free and dangling pointer flaws were found in Firefox. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-2760, CVE-2010-2766, CVE-2010-2767, CVE-2010-3167, CVE-2010-3168)

Multiple buffer overflow flaws were found in Firefox. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-2765, CVE-2010-3166)

Multiple cross-site scripting (XSS) flaws were found in Firefox. A web page containing malicious content could cause Firefox to run JavaScript code with the permissions of a different website.
(CVE-2010-2768, CVE-2010-2769)

A flaw was found in the Firefox XMLHttpRequest object. A remote site could use this flaw to gather information about servers on an internal private network. (CVE-2010-2764)

For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.6.9. You can find a link to the Mozilla advisories in the References section of this erratum.

Note: After installing this update, Firefox will fail to connect (with HTTPS) to a server using the SSL DHE (Diffie-Hellman Ephemeral) key exchange if the server's ephemeral key is too small. Connecting to such servers is a security risk as an ephemeral key that is too small makes the SSL connection vulnerable to attack. Refer to the Solution section for further information.

All Firefox users should upgrade to these updated packages, which contain Firefox version 3.6.9, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

This update brings Mozilla SeaMonkey to version 2.0.9, fixing various bugs and security issues.

The following security issues were fixed: MFSA 2010-49 / CVE-2010-3169: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

MFSA 2010-50 / CVE-2010-2765: Security researcher Chris Rohlf of Matasano Security reported that the implementation of the HTML frameset element contained an integer overflow vulnerability. The code responsible for parsing the frameset columns used an 8-byte counter for the column numbers, so when a very large number of columns was passed in the counter would overflow. When this counter was subsequently used to allocate memory for the frameset, the memory buffer would be too small, potentially resulting in a heap buffer overflow and execution of attacker-controlled memory.

MFSA 2010-51 / CVE-2010-2767: Security researcher Sergey Glazunov reported a dangling pointer vulnerability in the implementation of navigator.plugins in which the navigator object could retain a pointer to the plugins array even after it had been destroyed. An attacker could potentially use this issue to crash the browser and run arbitrary code on a victim's computer.

MFSA 2010-52 / CVE-2010-3131: Security researcher Haifei Li of FortiGuard Labs reported that Firefox could be used to load a malicious code library that had been planted on a victim's computer.
Firefox attempts to load dwmapi.dll upon startup as part of its platform detection, so on systems that don't have this library, such as Windows XP, Firefox will subsequently attempt to load the library from the current working directory. An attacker could use this vulnerability to trick a user into downloading a HTML file and a malicious copy of dwmapi.dll into the same directory on their computer and opening the HTML file with Firefox, thus causing the malicious code to be executed. If the attacker was on the same network as the victim, the malicious DLL could also be loaded via a UNC path. The attack also requires that Firefox not currently be running when it is asked to open the HTML file and accompanying DLL. As this is a Windows only problem, it does not affect the Linux version. It is listed for completeness only.

MFSA 2010-53 / CVE-2010-3166: Security researcher wushi of team509 reported a heap buffer overflow in code routines responsible for transforming text runs. A page could be constructed with a bidirectional text run which upon reflow could result in an incorrect length being calculated for the run of text. When this value is subsequently used to allocate memory for the text too small a buffer may be created potentially resulting in a buffer overflow and the execution of attacker controlled memory.

MFSA 2010-54 / CVE-2010-2760: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that there was a remaining dangling pointer issue leftover from the fix to CVE-2010-2753. Under certain circumstances one of the pointers held by a XUL tree selection could be freed and then later reused, potentially resulting in the execution of attacker-controlled memory.

MFSA 2010-55 / CVE-2010-3168: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that XUL objects could be manipulated such that the setting of certain properties on the object would trigger the removal of the tree from the DOM and cause certain sections of deleted memory to be accessed. In products based on Gecko version 1.9.2 (Firefox 3.6, Thunderbird 3.1) and newer this memory has been overwritten by a value that will cause an unexploitable crash. In products based on Gecko version 1.9.1 (Firefox 3.5, Thunderbird 3.0, and SeaMonkey 2.0) and older an attacker could potentially use this vulnerability to crash a victim's browser and run arbitrary code on their computer.

MFSA 2010-56 / CVE-2010-3167: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that the implementation of XUL's content view contains a dangling pointer vulnerability. One of the content view's methods for accessing the internal structure of the tree could be manipulated into removing a node prior to accessing it, resulting in the accessing of deleted memory. If an attacker can control the contents of the deleted memory prior to its access they could use this vulnerability to run arbitrary code on a victim's machine.

MFSA 2010-57 / CVE-2010-2766: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that code used to normalize a document contained a logical flaw that could be leveraged to run arbitrary code. When the normalization code ran, a static count of the document's child nodes was used in the traversal, so a page could be constructed that would remove DOM nodes during this normalization which could lead to the accessing of a deleted object and potentially the execution of attacker-controlled memory.

MFSA 2010-58 / CVE-2010-2770: Security researcher Marc Schoenefeld reported that a specially crafted font could be applied to a document and cause a crash on Mac systems. The crash showed signs of memory corruption and presumably could be used by an attacker to execute arbitrary code on a victim's computer. This issue probably does not affect the Linux builds and so is listed for completeness.

MFSA 2010-59 / CVE-2010-2762: Mozilla developer Blake Kaplan reported that the wrapper class XPCSafeJSObjectWrapper (SJOW), a security wrapper that allows content-defined objects to be safely accessed by privileged code, creates scope chains ending in outer objects. Users of SJOWs which expect the scope chain to end on an inner object may be handed a chrome privileged object which could be leveraged to run arbitrary JavaScript with chrome privileges. Michal Zalewski's recent contributions helped to identify this architectural weakness.

MFSA 2010-60 / CVE-2010-2763: Mozilla security researcher mozbugr_a4 reported that the wrapper class XPCSafeJSObjectWrapper (SJOW) on the Mozilla 1.9.1 development branch has a logical error in its scripted function implementation that allows the caller to run the function within the context of another site. This is a violation of the same-origin policy and could be used to mount an XSS attack.

MFSA 2010-61 / CVE-2010-2768: Security researchers David Huang and Collin Jackson of Carnegie Mellon University CyLab (Silicon Valley campus) reported that the type attribute of an tag can override the charset of a framed HTML document, even when the document is included across origins. A page could be constructed containing such an tag which sets the charset of the framed document to UTF-7. This could potentially allow an attacker to inject UTF-7 encoded JavaScript into a site, bypassing the site's XSS filters, and then executing the code using the above technique.

MFSA 2010-62 / CVE-2010-2769: Security researcher Paul Stone reported that when an HTML selection containing JavaScript is copy-and-pasted or dropped onto a document with designMode enabled the JavaScript will be executed within the context of the site where the code was dropped.
A malicious site could leverage this issue in an XSS attack by persuading a user into taking such an action and in the process running malicious JavaScript within the context of another site.

MFSA 2010-63 / CVE-2010-2764: Matt Haggard reported that the statusText property of an XMLHttpRequest object is readable by the requestor even when the request is made across origins. This status information reveals the presence of a web server and could be used to gather information about servers on internal private networks. This issue was also independently reported to Mozilla by Nicholas Berthaume.

MFSA 2010-64: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. References

Paul Nickerson, Jesse Ruderman, Olli Pettay, Igor Bukanov and Josh Soref reported memory safety problems that affected Firefox 3.6 and Firefox 3.5.

  - Memory safety bugs - Firefox 3.6, Firefox 3.5

  - CVE-2010-3176

Jesse Ruderman reported a crash which affected Firefox 3.5 only.

    - https://bugzilla.mozilla.org/show_bug.cgi?id=476547

  - CVE-2010-3174

MFSA 2010-65 / CVE-2010-3179: Security researcher Alexander Miller reported that passing an excessively long string to document.write could cause text rendering routines to end up in an inconsistent state with sections of stack memory being overwritten with the string data.
An attacker could use this flaw to crash a victim's browser and potentially run arbitrary code on their computer.

MFSA 2010-66 / CVE-2010-3180: Security researcher Sergey Glazunov reported that it was possible to access the locationbar property of a window object after it had been closed. Since the closed window's memory could have been subsequently reused by the system it was possible that an attempt to access the locationbar property could result in the execution of attacker-controlled memory.

MFSA 2010-67 / CVE-2010-3183: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that when window.__lookupGetter__ is called with no arguments the code assumes the top JavaScript stack value is a property name. Since there were no arguments passed into the function, the top value could represent uninitialized memory or a pointer to a previously freed JavaScript object. Under such circumstances the value is passed to another subroutine which calls through the dangling pointer, potentially executing attacker-controlled memory.

MFSA 2010-68 / CVE-2010-3177: Google security researcher Robert Swiecki reported that functions used by the Gopher parser to convert text to HTML tags could be exploited to turn text into executable JavaScript. If an attacker could create a file or directory on a Gopher server with the encoded script as part of its name the script would then run in a victim's browser within the context of the site.

MFSA 2010-69 / CVE-2010-3178: Security researcher Eduardo Vela Nava reported that if a web page opened a new window and used a javascript:
URL to make a modal call, such as alert(), then subsequently navigated the page to a different domain, once the modal call returned the opener of the window could get access to objects in the navigated window. This is a violation of the same-origin policy and could be used by an attacker to steal information from another website.

MFSA 2010-70 / CVE-2010-3170: Security researcher Richard Moore reported that when an SSL certificate was created with a common name containing a wildcard followed by a partial IP address a valid SSL connection could be established with a server whose IP address matched the wildcard range by browsing directly to the IP address. It is extremely unlikely that such a certificate would be issued by a Certificate Authority.

MFSA 2010-71 / CVE-2010-3182: Dmitri Gribenko reported that the script used to launch Mozilla applications on Linux was effectively including the current working directory in the LD_LIBRARY_PATH environment variable. If an attacker was able to place into the current working directory a malicious shared library with the same name as a library that the bootstrapping script depends on the attacker could have their library loaded instead of the legitimate library.

From Red Hat Security Advisory 2010:0680 :

Updated SeaMonkey packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4.

The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

SeaMonkey is an open source web browser, email and newsgroup client, IRC chat client, and HTML editor.

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2010-3169)

A buffer overflow flaw was found in SeaMonkey. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2010-2765)

A use-after-free flaw and several dangling pointer flaws were found in SeaMonkey. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2010-2760, CVE-2010-2767, CVE-2010-3167, CVE-2010-3168)

A cross-site scripting (XSS) flaw was found in SeaMonkey. A web page containing malicious content could cause SeaMonkey to run JavaScript code with the permissions of a different website. (CVE-2010-2768)

All SeaMonkey users should upgrade to these updated packages, which correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect.

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2010-0681 advisory.

    firefox:

    [3.6.9-2.0.1.el5]
    - Add firefox-oracle-default-prefs.js and firefox-oracle-default-bookmarks.html       and remove the corresponding Red Hat ones

    [3.6.9-2]
    - Fixed xulrunner version

    [3.6.9-1]
    - Update to 3.6.9

    nspr:

    [4.8.6-1]
    - update to 4.8.6

    nss:

    [3.12.7-2.0.1.el5_5]
    - Update clean.gif in the nss-3.12.7-stripped.tar.bz2 tarball

    [3.12.7-2]
    - fix dependencies, undo previous change

    [3.12.7-1]
    - Update to 3.12.7

    xulrunner:

    [1.9.2.9-1.0.1.el5]
    - Added xulrunner-oracle-default-prefs.js and removed the corresponding       RedHat one.

    [1.9.2.9-1]
    - Update to 1.9.2.9

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
49946	openSUSE Security Update : MozillaThunderbird (MozillaThunderbird-3154)	Nessus	SuSE Local Security Checks	10/12/2010	1/14/2021	high
50462	openSUSE Security Update : mozilla-xulrunner191 (mozilla-xulrunner191-3421)	Nessus	SuSE Local Security Checks	11/3/2010	10/6/2025	high
50488	SuSE 10 Security Update : Mozilla Firefox (ZYPP Patch Number 7208)	Nessus	SuSE Local Security Checks	11/5/2010	1/14/2021	high
53540	RHEL 4 / 5 : firefox (RHSA-2010:0681)	Nessus	Red Hat Local Security Checks	4/23/2011	1/14/2021	high
75733	openSUSE Security Update : seamonkey (seamonkey-3372)	Nessus	SuSE Local Security Checks	6/13/2014	1/14/2021	high
68097	Oracle Linux 3 / 4 : seamonkey (ELSA-2010-0680)	Nessus	Oracle Linux Local Security Checks	7/12/2013	1/14/2021	high
68098	Oracle Linux 5 : firefox (ELSA-2010-0681)	Nessus	Oracle Linux Local Security Checks	7/12/2013	10/22/2024	medium

Detections

Analytics

Plugins Search

high

high

high

high

high

high

medium