ID: 3860
Date: 17/07/2009
Title: 3860 - Update to Firefox 3.5
Platform level affected: Net Application - Client
Hardware components affected: Intel PC
Specific operating systems components affected: 32-bit Windows
Other software: Web Browser
Remediation Summary: Update your copy of the software with the download available from the supplier.
Vendors affected:Mozilla
Applications affected:Firefox 3.5
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Unknown
Warning Status: Active
Potential Damage: Remote execution/modification
Possible Duration: Unknown
Availability of fix: Available
Type of fix: Automated Patch
Source: Mozilla and AusCERT
Reliability of source: Trusted
Source URL: http://www.mozilla.org/firefox/
CVE: CVE-2009-2477
Abstract: Firefox 3.5 has been found to contain a code execution vulnerability. This advisory provides information concerning an update to the product.
Product: Firefox 3.5
Operating System: UNIX variants (UNIX, Linux, OSX), Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution: Mitigation
CVE Names: CVE-2009-2477
Revision History: July 17 2009: Updated patch information
July 16 2009: Initial Release
OVERVIEW
Firefox 3.5 contains a code execution vulnerability. [1,2]
IMPACT
Firefox's Just-in-time (JIT) JavaScript compiler contains a flaw that can be exploited by convincing the victim to view a malicious web page. [1, 2]
MITIGATION
The vendor recommends updating to Firefox 3.5.1, available for download from their website. [3]
REFERENCES
[1] Mozilla Security Blog
http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/
[2] Firefox 3.5 new exploit - confirmed
http://isc.sans.org/diary.html?storyid=6796&rss
[3] Firefox Browser
http://www.mozilla.org/firefox/
AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.
This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.
The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.
CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.
Fri, 17 Jul 2009 10:08:00 GMT
Domain affected: Technical