MA-157.042009: MyCERT Alert - Mozilla Firefox, Thunderbird and SeaMonkey - Multiple Remote Vulnerabilities

1.0 Introduction

A few vulnerabilities have been reported in Mozilla Foundation products and the vulnerabilities are as below:

1.1 Crashes with evidence of memory corruption (rv:1.9.0.9)

This vulnerability is reported in the following products and versions:
- Firefox 3.0.8 and below
- Thunderbird 2.0.0.21 and below
- SeaMonkey 1.1.15 and below

1.2 URL spoofing with box drawing character

This vulnerability is reported in the following products and versions:
- Firefox 3.0.8 and below
- Thunderbird 2.0.0.20 and below
- SeaMonkey 1.1.14 and below

1.3 jar: scheme ignores the content-disposition: header on the inner URI

This vulnerability is reported in the following products and versions:

1.4 Same-origin violations when Adobe Flash loaded via view-source: scheme

This vulnerability is reported in the following products and versions:

1.5 XSS hazard using third-party stylesheets and XBL bindings

This vulnerability is reported in the following products and versions:

1.6 Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString

This vulnerability is reported in the following products and versions:

1.7 Malicious search plugins can inject code into arbitrary sites

This vulnerability is reported in the following products and versions:

1.8 POST data sent to wrong site when saving web page with embedded frame

This vulnerability is reported in the following products and versions:
- Firefox 3.0.8 and below
- SeaMonkey 1.1.16 and below

1.9 Firefox allows Refresh header to redirect to javascript: URIs

This vulnerability is reported in the following products and versions:

2.0 Impact

An attacker who successfully exploits these vulnerabilities can bypass same-origin restrictions, obtain potentially sensitive information, and execute arbitrary script code with elevated privileges. Other attacks are also possible.

3.0 Affected Products

The detailed list of the vulnerable products and versions is as below:
- Mozilla Thunderbird 2.0 8
- Mozilla Thunderbird 2.0 17
- Mozilla Thunderbird 2.0 16
- Mozilla Thunderbird 2.0 15
- Mozilla Thunderbird 2.0 .6
- Mozilla Thunderbird 2.0 .5
- Mozilla Thunderbird 2.0 .4
- Mozilla Thunderbird 2.0 .19
- Mozilla Thunderbird 2.0 .14
- Mozilla Thunderbird 2.0 .13
- Mozilla Thunderbird 2.0 .12
- Mozilla Thunderbird 2.0.0.21
- Mozilla Thunderbird 2.0.0.18
- Mozilla SeaMonkey 1.1.16
- Mozilla SeaMonkey 1.1.15
- Mozilla SeaMonkey 1.1.14
- Mozilla SeaMonkey 1.1.13
- Mozilla SeaMonkey 1.1.12
- Mozilla SeaMonkey 1.1.11
- Mozilla SeaMonkey 1.1.10
- Mozilla SeaMonkey 1.1.9
- Mozilla SeaMonkey 1.1.8
- Mozilla SeaMonkey 1.1.7
- Mozilla SeaMonkey 1.1.6
- Mozilla SeaMonkey 1.1.5
- Mozilla SeaMonkey 1.1.4
- Mozilla SeaMonkey 1.1.3
- Mozilla SeaMonkey 1.1.2
- Mozilla SeaMonkey 1.1.1
- Mozilla SeaMonkey 1.0.99
- Mozilla SeaMonkey 1.0.9
- Mozilla SeaMonkey 1.0.8
- Mozilla SeaMonkey 1.0.7
- Mozilla SeaMonkey 1.0.6
- Mozilla SeaMonkey 1.0.5
- Mozilla SeaMonkey 1.0.3
- Mozilla SeaMonkey 1.0.2
- Mozilla SeaMonkey 1.0.1
- Mozilla SeaMonkey 1.1 beta
- Mozilla SeaMonkey 1.0 dev
- Mozilla SeaMonkey 1.0
- Mozilla Firefox 3.0.8
- Mozilla Firefox 3.0.7 Beta
- Mozilla Firefox 3.0.7
- Mozilla Firefox 3.0.6
- Mozilla Firefox 3.0.5
- Mozilla Firefox 3.0.4
- Mozilla Firefox 3.0.3
- Mozilla Firefox 3.0.2
- Mozilla Firefox 3.0.1
- Mozilla Firefox 3.0 Beta 5
- Mozilla Firefox 3.0

4.0 Recommendation

MyCERT highly recommends that users of these applications upgrade to the latest version of the affected products. The current latest versions are as below:

5.0 References