Reported September 14, 2004, by
Mozilla Security Group
VERSIONS AFFECTED
- Mozilla 0.x through
Mozilla 1.7.x
Mozilla Firefox 0.x
Mozilla Thunderbird 0.x
|
DESCRIPTION
Multiple vulnerabilities have been discovered in Mozilla, Mozilla Firefox, and Mozilla
Thunderbird, the most severe of which could compromise a system. The
vulnerabilities include the following:
- Various boundary errors in nsMsgCompUtils.cpp
can be exploited to cause heap-based buffer overflows when a specially
crafted email message is forwarded. Successful exploitation can
potentially lead to execution of arbitrary code.
- Insufficient restrictions on
script-generated events on text fields can be exploited to read and write
content from and to the Clipboard.
- Boundary errors in the writeGroup()
function in nsVCardObj.cpp can be exploited to cause stack-based buffer
overflows by sending an email message containing a specially crafted
vcard. Successful exploitation may allow execution of arbitrary code but
requires that the malicious email message is opened in preview.
- Some boundary errors in nsPop3Protocol.cpp,
which handles POP3 mail communications, can be exploited to cause buffer
overflow by a malicious POP3 mail server when sending specially crafted
responses. Successful exploitation may potentially allow execution of
arbitrary code.
- A problem with overly long
links that contain non-ASCII characters can be exploited via a malicious Web
site or an email message to cause a buffer overflow, which potentially can
lead to execution of arbitrary code.
- An integer overflow when
parsing and displaying .bmp files can potentially be exploited to execute
arbitrary code by supplying an overly wide malicious .bmp image via a
malicious Web site or in an email message.
- Mozilla lets you drag links
to another window or frame. This can be exploited by tricking a user on a
malicious Web site to drag a specially crafted JavaScript link to another
window. Successful exploitation can cause script code to execute in the context
of that window. Further exploitation can--in combination with another
unspecified vulnerability--lead to execution of arbitrary code.
- Signed scripts can request
enhanced privileges, which requires that a user accept a security dialog
box. The problem is that a malicious Web site can pass a specially crafted
parameter, thereby making it possible to manipulate information displayed
in the security dialog box. Successful exploitation lets a Web site trick
users into accepting security dialog boxes, which will grant access to run
arbitrary programs.
- Some files installed with the
Linux installer are group- and world-writable. This capability can be
exploited by malicious, local users to replace files, which can lead to
execution of arbitrary code.
- Many files and directories in
the Linux installation .tar.gz archives have the wrong owner and
permissions. This condition can be exploited by malicious, local users to
replace files when the umask utility is set to be ignored when unpacking.
Successful exploitation can lead to execution of arbitrary code.
VENDOR RESPONSE
Mozilla recommends that
affected users immediately upgrade to the latest release of software.
CREDIT
Discovered by Georgi Guninski, Wladimir Palant, Gael Delalleau, Mats Palmgren,
Jesse Ruderman, Daniel Koukola, Andrew Schultz and Harald Milz.
