The Mozilla Foundation addressed several critical security flaws on 26 July with the release of new versions of its Firefox Web browser, Thunderbird email client and SeaMonkey all-in-one Internet application suite.
Of the 13 flaws addressed, eight have been deemed critical and could be used to conduct cross-site scripting attacks or compromise an end-user's system.
In a posting on its Web site, Danish vulnerability clearinghouse Secunia called the security flaws "highly critical."
Several of the vulnerabilities were reported by H.D. Moore, who has received publicity for his "Month of Vulnerabilities." Moore has published a new browser vulnerability each day this month in an effort to create awareness about the types of bugs that plague modern browsers and the techniques used to discover them.
Mozilla detailed each of the flaws as follows:
A critical memory corruption error in Firefox's handling of simultaneous XPCOM events, which leads to use of a deleted timer object. This generally results in a crash but could potentially be exploited to execute arbitrary code on a user's system when a malicious Web site is visited.
A high-risk issue in which a malicious page can hijack native DOM methods on a document object in another domain, which will run the attacker's script when called by the victim page. This could be used to steal login cookies, passwords or other sensitive data on a target page, or to perform actions on behalf of a logged-in user.
A critical problem in which a VCard attachment with a malformed base64 field, such as a photo, can trigger a heap buffer overwrite. The overwrite is accompanied by an integer underflow that would attempt to copy more data than the typical machine has, leading to a crash.
A moderate problem in which a malicious Proxy AutoConfig (PAC) server could serve a PAC script that can execute code with elevated privileges by setting the required FindProxyForURL function to the eval method on a privileged object that leaked into the PAC sandbox. By redirecting the victim to a specially-crafted URL -- easily done since the PAC script controls which proxy to use -- the URL "hostname" can be executed as privileged script.
A moderate issue in which scripts granted the UniversalBrowserRead privilege can leverage that into the equivalent of the far more powerful UniversalXPConnect, since they are allowed to "read" into a privileged context. This grants an attacker the ability to run scripts with the full privilege of the user running the browser, possibly installing malware or snooping on private data.
A high-risk flaw in which cross-site scripting attacks could be performed using the construct XPCNativeWrapper(window).Function(...), which creates a function that appears to belong to the window in question, even after it has been navigated to the target site.
A critical problem involving crashes with evidence of memory corruption. It is presumed that the memory corruption could be exploited to run arbitrary code with enough effort.
A moderate issue in which chrome URLs could be made to reference remote files, which would run scripts with full privilege. There is no known way for Web content to successfully load a chrome URL, but if a user could be convinced to do so manually (perhaps by copying a link and pasting it into the location bar), this could be exploited.
All the security issues are mitigated when organisations upgrade to Firefox 220.127.116.11, Thunderbird 18.104.22.168 and SeaMonkey 1.0.3, respectively.