Hello all, Yesterday, I received a notice from US-CERT regarding Technical Cyber Security Alert TA06-153A -- Mozilla Products Contain Multiple Vulnerabilities, (available at <http://www.us-cert.gov/cas/techalerts/TA06-153A.html>). It mentions a bunch of vulnerabilities (all of which seem to affect Seamonkey, Thunderbird, and Firefox). After looking at each VU#, it appears that none of the announcements mention the Mozilla suite. Also, at least as of last night, none of them mention any CVE #'s. What's going on with this? Are any Mozilla Suite products affected by these vulnerabilities? Some of these sound critical -- and if there are no patches available for mozilla-1.7.13, well, it seems bad! "Several vulnerabilities have been reported in the Mozilla web browser and derived products. More detailed information is available in the individual vulnerability notes, including: "VU#237257 - Mozilla privilege escalation using addSelectionListener A privilege escalation vulnerability exists in the Mozilla addSelectionListener method. This may allow a remote attacker to execute arbitrary code. "VU#421529 - Mozilla contains a buffer overflow vulnerability in crypto.signText() Mozilla products contain a buffer overflow in the crypto.signText() method. This may allow a remote attacker to execute arbitrary code. "VU#575969 - Mozilla may process content-defined setters on object prototypes with elevated privileges Mozilla allows content-defined setters on object prototypes to execute with elevated privileges. This may allow a remote attacker to execute arbitrary code. "VU#243153 - Mozilla may associate persisted XUL attributes with an incorrect URL Mozilla can allow persisted XUL attributes to associate with the wrong URL. This may allow a remote attacker to execute arbitrary code. "VU#466673 - Mozilla contains multiple memory corruption vulnerabilities Mozilla contains several memory corruption vulnerabilities. This may allow a remote attacker to execute arbitrary code." -David
