Mozilla issues critical security updates

New patches to fix 13 software security flaws, eight of which have been deemed critical.

The Mozilla Foundation addressed several critical security flaws on 26 July with the release of new versions of its Firefox Web browser, Thunderbird email client and SeaMonkey all-in-one Internet application suite.

Of the 13 flaws addressed, eight have been deemed critical and could be used to conduct cross-site scripting attacks or compromise an end-user's system.

In a posting on its Web site, Danish vulnerability clearinghouse Secunia called the security flaws "highly critical."

Several of the vulnerabilities were reported by H.D. Moore, who has received publicity for his "Month of Vulnerabilities." Moore has published a new browser vulnerability each day this month in an effort to create awareness about the types of bugs that plague modern browsers and the techniques used to discover them.

Mozilla detailed each of the flaws as follows:

  • A critical flaw in which a JavaScript reference to a frame or window in certain circumstances is not properly cleared when the referenced content goes away. This pointer to a deleted object could be used to execute native code supplied by the attacker.

  • A critical vulnerability in which Java, when used in a Web page, would reference properties of the window.navigator object as it started up. If the page replaced the navigator object before starting Java, the browser would crash in a way that could be exploited to run native code supplied by an attacker.

  • A critical memory corruption error in Firefox within the handling of simultaneously happening XPCOM events, which leads to use of a deleted timer object. This generally results in a crash but could potentially be exploited to execute arbitrary code on a user's system when a malicious Web site is visited.

  • A high-risk issue in which a malicious page can hijack native DOM methods on a document object in another domain, which will run the attacker's script when called by the victim page. This could be used to steal login cookies, password or other sensitive data on a target page, or to perform actions on behalf of a logged-in user.

  • A critical flaw involving a race condition where JavaScript garbage collection deletes a temporary variable still being used in the creation of a new Function object. The resulting use of a deleted object may be potentially exploitable to run native code provided by an attacker.

  • A critical problem in which a VCard attachment with a malformed base64 field, such as a photo, can trigger a heap buffer overwrite. The overwrite is accompanied by an integer underflow that would attempt to copy more data than the typical machine has, leading to a crash.

  • Critical flaws in the JavaScript engine, including additional places where an untimely garbage collection could delete a temporary object that was in active use. Some of these may allow an attacker to run arbitrary code given the right conditions. There are also potential integer overflow issues with long strings in the toSource() methods of the Object, Array and String objects, as well as in string function arguments.

  • A critical privilege escalation issue in which named JavaScript functions have a parent object created using the standard Object() constructor (ECMA-specified behaviour), and this constructor can be redefined by script (also ECMA-specified behaviour). If the Object() constructor is changed to return a reference to a privileged object with useful properties, it is possible to have attacker-supplied script executed with elevated privileges by calling the function. This could be used to install malware or take other malicious actions.

  • A moderate problem in which a malicious Proxy AutoConfig (PAC) server could serve a PAC script that can execute code with elevated privileges by setting the required FindProxyForURL function to the eval method on a privileged object that leaked into the PAC sandbox. By redirecting the victim to a specially crafted URL (easily done, since the PAC script controls which proxy to use), the URL "hostname" can be executed as privileged script.

  • A moderate issue in which scripts granted the UniversalBrowserRead privilege can leverage that into the equivalent of the far more powerful UniversalXPConnect, since they are allowed to "read" into a privileged context. This grants an attacker the ability to run scripts with the full privilege of the user running the browser, possibly installing malware or snooping on private data.

  • A high-risk flaw in which cross-site scripting attacks could be performed using the construct XPCNativeWrapper(window).Function(...), which creates a function that appears to belong to the window in question, even after it has been navigated to the target site.

  • A critical problem involving crashes with evidence of memory corruption. It is presumed that the memory corruption could be exploited to run arbitrary code with enough effort.

  • A moderate issue in which chrome URLs could be made to reference remote files, which would run scripts with full privilege. There is no known way for Web content to successfully load a chrome URL, but if a user could be convinced to do so manually (perhaps by copying a link and pasting it into the location bar), this could be exploited.

All the security issues are mitigated when organisations upgrade to Firefox 1.5.0.5, Thunderbird 1.5.0.5 and SeaMonkey 1.0.3, respectively.
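As an added example (not from the article or from Mozilla), here is a small Python check that decides whether a reported product version is at or above the fixed releases named above, run over a few constructed User-Agent lines of the kind a proxy log would record; the log lines are assumptions, only the three fixed versions come from the advisory.

```python
import re

# Minimum fixed versions named in the advisory (26 July 2006).
PATCHED = {
    "firefox": (1, 5, 0, 5),
    "thunderbird": (1, 5, 0, 5),
    "seamonkey": (1, 0, 3),
}

def parse_version(text: str) -> tuple:
    """Turn '1.5.0.4' into (1, 5, 0, 4) so comparison is numeric, not lexical.
    A string compare would wrongly rank '1.5.0.10' below '1.5.0.5'."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in parts)

def is_patched(product: str, version: str) -> bool:
    """True if product/version is at or above the fixed release."""
    key = product.lower()
    if key not in PATCHED:
        raise KeyError(f"unknown product {product!r}")
    have, want = parse_version(version), PATCHED[key]
    # Pad the shorter tuple with zeros so '1.5' compares as (1, 5, 0, 0).
    n = max(len(have), len(want))
    have += (0,) * (n - len(have))
    want += (0,) * (n - len(want))
    return have >= want

# Matches the product token a Gecko User-Agent string ends with.
UA_RE = re.compile(r"(Firefox|Thunderbird|SeaMonkey)/(\d+(?:\.\d+)*)")

def audit_user_agents(lines):
    """Return (product, version, patched) for each line naming a Mozilla product."""
    results = []
    for line in lines:
        m = UA_RE.search(line)
        if m:
            product, version = m.group(1), m.group(2)
            results.append((product, version, is_patched(product, version)))
    return results

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4",
    "Mozilla/5.0 (X11; U; Linux i686; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.0.5) Gecko/20060719 SeaMonkey/1.0.3",
    "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; rv:1.8.0.4) Gecko/20060516 SeaMonkey/1.0.2",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
]

if __name__ == "__main__":
    for product, version, ok in audit_user_agents(SAMPLE_LOG):
        print(f"{product} {version}: {'patched' if ok else 'NEEDS UPDATE'}")
```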