-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA06-038A Multiple Vulnerabilities in Mozilla Products Original release date: February 7, 2006 Last revised: -- Source: US-CERT Systems Affected Mozilla software, including the following, is affected: * Mozilla web browser, email and newsgroup client * Mozilla SeaMonkey * Firefox web browser * Thunderbird email client Overview Several vulnerabilities exist in the Mozilla web browser and derived products, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system. I. Description Several vulnerabilities have been reported in the Mozilla web browser and derived products. More detailed information is available in the individual vulnerability notes, including: VU#592425 - Mozilla-based products fail to validate user input to the attribute name in "XULDocument.persist" A vulnerability in some Mozilla products that could allow a remote attacker to execute Javascript commands with the permissions of the user running the affected application. (CVE-2006-0296) VU#759273 - Mozilla QueryInterface memory corruption vulnerability Mozilla Firefox web browser and Thunderbird mail client contain a memory corruption vulnerability that may allow a remote attacker to execute arbitrary code. (CVE-2006-0295) II. Impact The most severe impact of these vulnerabilities could allow a remote attacker to execute arbitrary code with the privileges of the user running the affected application. Other impacts include a denial of service or local information disclosure. III. Solution Upgrade Upgrade to Mozilla Firefox 1.5.0.1 or SeaMonkey 1.0. For Mozilla-based products that have no updates available, users are strongly encouraged to disable JavaScript. Appendix A. References * Mozilla Foundation Security Advisories - <http://www.mozilla.org/security/announce/> * Mozilla Foundation Security Advisories - <http://www.mozilla.org/projects/security/known-vulnerabilities.ht ml> * US-CERT Vulnerability Note VU#592425 - <http://www.kb.cert.org/vuls/id/592425> * US-CERT Vulnerability Note VU#759273 - <http://www.kb.cert.org/vuls/id/759273> * US-CERT Vulnerability Notes Related to February Mozilla Security Advisories - <http://www.kb.cert.org/vuls/byid?searchview&query=mozilla_feb_200 6> * US-CERT Vulnerability Note VU#604745 - <http://www.kb.cert.org/vuls/id/604745> * CVE-2006-0296 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0296> * CVE-2006-0295 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0295> * Firefox - Rediscover the Web - <http://www.mozilla.com/firefox/> * The SeaMonkey Project - <http://www.mozilla.org/projects/seamonkey/> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-038A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@xxxxxxxx> with "TA06-038A Feedback VU#592425" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History Feb 7, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBQ+jqRn0pj593lg50AQLZBQf9Hm+BCzOd/iwaoQVyudnE8ut/m+s/xgeG 10b2mpig57dPaSKsq9EpOitFIdHmvFha85OkAz9lfxTprrGm9kjw1lYlSH8idIst Oq4oXwpPOcwVpOY/OoVeAyGSuOdmeGl1CsMSczD10XbmWOyPf6NBnR/e8U0Vebeu GglhyODY/eKjbQ6bvDz19t76F5FwiDYKsMpo6CrEMhJWYwQXw3I4O1c9A2/t4OUP N7+ZShp5/Cql919Nhl3InYMnlNiOeQLxm45PYfXKwW0r4HCM/Rq/SEKsmuDOYtA/ 01gBu67urEw63Z0xbjoVJL/RW+5cavYS+gNbCZmaDNbR9WJP04k2PQ== =snvO -----END PGP SIGNATURE-----