Firefox fixes multiple flaws
Mozilla has fixed 13 flaws affecting Firefox, SeaMonkey and
Thunderbird. Attackers could exploit the vulnerabilities to take
complete control of affected systems, bypass security restrictions,
disclose sensitive information and launch arbitrary scripting code,
the French Security Incident Response Team (FrSIRT) said in an
advisory.
The 13 flaws include:
- Memory corruption errors when handling malformed HTML or
JavaScript code, which malicious Web sites could exploit to crash a
vulnerable application or execute arbitrary commands.
- Errors when handling HTTP headers received through certain
proxy servers, which attackers could exploit to conduct HTTP
response smuggling attacks.
- An error when processing broken images accessed via the "View
Image" feature, which malicious Web sites could exploit to conduct
cross-site scripting attacks.
- An error where content-defined setters on an object prototype
are called by privileged UI code, which attackers could exploit to
compromise a vulnerable system.
- An error when handling a specially crafted text input box,
which malicious Web sites could exploit to gain access to arbitrary
files on a vulnerable system.
The flaws affect:
- Firefox versions prior to 1.5.0.4
- Thunderbird versions prior to 1.5.0.4
- SeaMonkey versions prior to 1.0.2
Users are advised to upgrade to Firefox 1.5.0.4, Thunderbird
1.5.0.4, and SeaMonkey 1.0.2.
Microsoft investigates Windows flaw
Attackers could exploit a new flaw in Microsoft Windows to cause a
denial of service, Danish vulnerability clearinghouse Secunia said
in an advisory.
"The vulnerability is caused due to a boundary error in
inetcomm.dll within the processing of URLs with the "mhtml:" URI
handler," Secunia said. "This can be exploited to cause a
stack-based buffer overflow via an overly long URL by tricking a
user into visiting a malicious Web site with Internet Explorer or
opening a specially crafted Internet shortcut."
Secunia said successful exploitation crashes the application
using the vulnerable library. The firm has confirmed the
vulnerability on a fully patched system with Microsoft Windows XP
SP2 and Microsoft Windows 2003 Server.
Secunia said the threat can be mitigated by disabling the
"mhtml:" URI handler, though this may affect functionality.
Microsoft is investigating the flaw, according to published
reports.
Data on 1.3 million people compromised
Student loan company Texas Guaranteed (TG) said personal data on
1.3 million borrowers may have been compromised after an employee
from Hummingbird, a company TG uses to prepare a document
management system, lost a piece of equipment containing the
borrowers' names and Social Security numbers.
In a statement
on its Web site, TG said the employee lost the data May 24, and
that Hummingbird notified TG May 26. The non-profit organization
never states just what type of equipment -- be it a laptop, server,
PDA or other device -- went missing, nor how the loss occurred.
"Even though this information is not easily accessed and used,
and even though the loss appears to be inadvertent, we are issuing
this release out of an abundance of caution, because the piece of
equipment has not been located," Sue McMillin, TG's president and
CEO, said in the statement. "No personally identifiable information
other than names and Social Security numbers were included on the
piece of equipment."
She said letters will be mailed to individuals who were directly
affected, with information about their records and recommendations
on how to protect themselves from identity theft. A toll-free
information call center will also be open Monday through Friday
from 8 a.m. to 7 p.m. CT at (800) 530-0626.
F-Secure fixes buffer overflow flaw
Finnish antivirus firm F-Secure Corp. has fixed
a buffer overflow flaw in the Web console of F-Secure Anti-Virus
for Microsoft Exchange and F-Secure Internet Gatekeeper.
The high-risk buffer overflow occurs in the Web console before
authentication takes place, F-Secure said, adding that the overflow
may crash the Web console process and leave the product running
without console access. By default, the connections are only
allowed from the local host.
"It may be possible to execute arbitrary code with this
vulnerability," F-Secure said in its Web site advisory. "There are
no known exploits for this, currently."
The advisory outlines the appropriate hotfix users can apply to
solve the problem.