V-001: Mozilla Security vulnerabilities

October 12, 2012 - 6:00am

PROBLEM:

Mozilla Security vulnerabilities

PLATFORM:

Vulnerabilities are reported in Firefox and Thunderbird versions prior to 16.0.1 and SeaMonkey versions prior to 2.13.1.

ABSTRACT:

Mozilla Firefox / Thunderbird / SeaMonkey Multiple Vulnerabilities

REFERENCE LINKS:

Secunia Advisory SA50932
Mozilla Security Blog
Mozilla Foundation Security Advisory 2012-88
Mozilla Foundation Security Advisory 2012-89
SecurityTracker Alert ID: 1027653
SecurityTracker Alert ID: 1027652
SecurityTracker Alert ID: 1027651
CVE-2012-4190
CVE-2012-4191
CVE-2012-4192
CVE-2012-4193

IMPACT ASSESSMENT:

High

DISCUSSION:

1) The protected "location" object is accessible by other domain objects, which can be exploited to bypass the same origin policy and gain access to sensitive information.

2) An unspecified error within the "FT2FontEntry::CreateFontEntry()" function can be exploited to corrupt memory.

3) An unspecified error within the "mozilla::net::FailDelayManager::Lookup()" function when handling certain websockets can be exploited to corrupt memory.

4) An error within security wrappers does not unwrap the "defaultValue" properly and can be exploited to gain access to the "location" object.

IMPACT:

Some vulnerabilities have been reported in Mozilla Firefox, Thunderbird, and SeaMonkey, which can be exploited by malicious people to bypass certain security restrictions and compromise a user's system.

SOLUTION:

Update Firefox and Thunderbird to version 16.0.1 and SeaMonkey to version 2.13.1.
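One way to check a software inventory against the fixed versions given above. This is an added example, not part of the original bulletin; the function names, the status labels and the sample inventory rows are assumptions made for illustration.

```python
import re

# Fixed versions as stated in the SOLUTION section of this bulletin.
FIXED = {
    "firefox": (16, 0, 1),
    "thunderbird": (16, 0, 1),
    "seamonkey": (2, 13, 1),
}

_NUMERIC = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text):
    """Return a tuple of ints, or None if the string is not purely dotted-numeric."""
    text = text.strip()
    if not _NUMERIC.match(text):
        return None
    parts = [int(p) for p in text.split(".")]
    # Pad to three components so "16.0" compares as 16.0.0, below 16.0.1.
    parts += [0] * (3 - len(parts))
    return tuple(parts)


def assess(product, version):
    """Classify one install: 'vulnerable', 'fixed', 'review' or 'not-covered'."""
    fixed = FIXED.get(product.strip().lower())
    if fixed is None:
        return "not-covered"  # product is not named in this bulletin
    parsed = parse_version(version)
    if parsed is None:
        return "review"  # suffixed strings are not guessed at; check by hand
    return "vulnerable" if parsed < fixed else "fixed"


def triage(inventory):
    """Attach a status to each (host, product, version) row."""
    return [(h, p, v, assess(p, v)) for h, p, v in inventory]


# Constructed sample inventory (hosts and versions made up for illustration).
SAMPLE = [
    ("ws-01", "Firefox", "16.0"),
    ("ws-02", "Firefox", "16.0.1"),
    ("ws-03", "Thunderbird", "15.0.1"),
    ("ws-04", "SeaMonkey", "2.13"),
    ("ws-05", "Firefox", "16.0b3"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print("%-6s %-12s %-8s %s" % row)
```

Version strings carrying a non-numeric suffix are returned as "review" because the bulletin only states plain release numbers.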
