|
|
Family: Debian Local Security Checks --> Category: infos
[DSA1044] DSA-1044-1 mozilla-firefox Vulnerability Scan
Vulnerability Scan Summary
DSA-1044-1 mozilla-firefox
Detailed Explanation for this Vulnerability Test
Several security related problems have been discovered in Mozilla
Firefox. The Common Vulnerabilities and Exposures project identifies
the following vulnerabilities:
Web pages with extremely long titles cause subsequent launches of
the browser to appear to "hang" for up to a few minutes, or even
crash if the computer has insufficient memory. [MFSA-2006-03]
The JavaScript interpreter does not properly dereference objects,
which allows remote attackers to cause a denial of service or
execute arbitrary code. [MFSA-2006-01]
The function allocation code allows attackers to cause a denial of
service and possibly execute arbitrary code. [MFSA-2006-01]
XULDocument.persist() did not validate the attribute name,
allowing a possible hacker to inject arbitrary XML and JavaScript code
into localstore.rdf that would be read and acted upon during
startup. [MFSA-2006-05]
An anonymous researcher for TippingPoint and the Zero Day
Initiative reported that an invalid and nonsensical ordering of
table-related tags can be exploited to execute arbitrary code.
[MFSA-2006-27]
A particular sequence of HTML tags can cause memory corruption
that can be exploited to execute arbitrary code. [MFSA-2006-18]
Georgi Guninski reported two variants of using scripts in an XBL
control to gain chrome rights when the page is viewed under
"Print Preview". [MFSA-2006-25]
"shutdown" discovered that the crypto.generateCRMFRequest method
can be used to run arbitrary code with the privilege of the user
running the browser, which could enable a possible hacker to install
malware. [MFSA-2006-24]
Claus Jørgensen reported that a text input box can be pre-filled
with a filename and then turned into a file-upload control,
allowing a malicious website to steal any local file whose name
they can guess. [MFSA-2006-23]
An anonymous researcher for TippingPoint and the Zero Day
Initiative discovered an integer overflow triggered by the CSS
letter-spacing property, which could be exploited to execute
arbitrary code. [MFSA-2006-22]
"moz_bug_r_a4" discovered that some internal functions return
prototypes instead of objects, which allows remote attackers to
conduct cross-site scripting attacks. [MFSA-2006-19]
"shutdown" discovered that it is possible to bypass same-origin
protections, allowing a malicious site to inject script into
content from another site, which could allow the malicious page to
steal information such as cookies or passwords from the other
site, or perform transactions on the user's behalf if the user
were already logged in. [MFSA-2006-17]
"moz_bug_r_a4" discovered that the compilation scope of privileged
built-in XBL bindings is not fully protected from web content and
can still be executed which could be used to execute arbitrary
JavaScript, which could allow a possible hacker to install malware such
as viruses and password sniffers. [MFSA-2006-16]
"shutdown" discovered that it is possible to ac
[...]
Solution : http://www.debian.org/security/2006/dsa-1044
Threat Level: High
Click HERE for more information and discussions on this network vulnerability scan.
|
