MA-168.062009: MyCERT Alert - Multiple Vulnerabilities in Mozilla Firefox

1.0 Introduction

Multiple critical vulnerabilities have been identified in Mozilla Firefox. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system. The vulnerabilities are listed below:

- JavaScript chrome privilege escalation
- Arbitrary code execution using event listeners attached to an element whose owner document is null
- Race condition while accessing the private data of a NPObject JS wrapper class object
- Crashes with evidence of memory corruption (rv:1.9.0.11)

Essentially, an attacker can trick unsuspecting users into opening a URL that contains a specially crafted Web page using Mozilla Firefox.

2.0 Impact

An attacker who has successfully exploited these vulnerabilities could execute code remotely and gain the same privileges as the user.

3.0 Affected Products

- Mozilla Firefox 3.0.10 and earlier versions

4.0 Recommendation

Users are recommended to upgrade to Mozilla Firefox 3.0.11. The latest version of Mozilla Firefox can be downloaded from this URL: http://www.mozilla.com/firefox/

Generally, MyCERT advises users of this product to keep themselves updated with the latest security announcements by the vendor.

Users who receive suspicious attachments or URLs can forward them to MyCERT for further analysis. MyCERT can be reached through the following channels:

- E-mail : mycert@mycert.org.my
- Phone : +603 89926969 or 1-300-88-2999 (monitored during business hours)
- Fax : +603 89453442
- Handphone : +60 19 2665850 (24x7 call incident reporting)
- SMS : +60 19 2813801 (24x7 SMS reporting)
- Business Hours : Mon - Fri 08:30 - 17:30 MYT
- Web: http://www.mycert.org.my

5.0 References