CPNI - Centre for the Protection of National Infrastructure


April 2005

New version of Firefox and Mozilla fix several vulnerabilities

ID: 00335
Ref: 309/2005
Date: 20 April 2005:17:04:07
Version: 1

Title: New version of Firefox and Mozilla fix several vulnerabilities
Abstract: The Mozilla Organization have released new versions of Firefox and Mozilla
Vendors affected: Mozilla
Applications affected: Mozilla


Title
=====
New version of Firefox and Mozilla fix several vulnerabilities

Detail
======

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2005.0325 -- The Mozilla Organization
New version of Firefox and Mozilla fix several vulnerabilities
20 April 2005

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Firefox 1.0.2 and prior
                   Mozilla 1.7.6 and prior
Publisher:         The Mozilla Organization
Operating System:  Linux variants
                   Mac OS X
                   UNIX variants
                   Windows
Impact:            Execute Arbitrary Code/Commands
                   Access Privileged Data
                   Increased Privileges
Access:            Remote/Unauthenticated
CVE Names:         CAN-2005-0752 CAN-2005-0989

The Mozilla Organization have released new versions of Firefox and Mozilla
which fix the following vulnerabilities:

Mozilla and Firefox:

o MFSA 2005-33 (CAN-2005-0989) "Javascript "lambda" replace exposes memory
contents"
http://www.mozilla.org/security/announce/mfsa2005-33.html

o MFSA 2005-35 "Showing blocked javascript: popup uses wrong privilege
context"
http://www.mozilla.org/security/announce/mfsa2005-35.html

o MFSA 2005-36 "Cross-site scripting through global scope pollution"
http://www.mozilla.org/security/announce/mfsa2005-36.html

o MFSA 2005-37 "Code execution through javascript: favicons"
http://www.mozilla.org/security/announce/mfsa2005-37.html

o MFSA 2005-38 "Search plugin cross-site scripting"
http://www.mozilla.org/security/announce/mfsa2005-38.html

o MFSA 2005-40 "Missing Install object instance checks"
http://www.mozilla.org/security/announce/mfsa2005-40.html

o MFSA 2005-41 "Privilege escalation via DOM property overrides"
http://www.mozilla.org/security/announce/mfsa2005-41.html

Firefox only:

o MFSA 2005-34 (CAN-2005-0752) "javascript: PLUGINSPAGE code execution"
http://www.mozilla.org/security/announce/mfsa2005-34.html

o MFSA 2005-39 "Arbitrary code execution from Firefox sidebar panel II"
http://www.mozilla.org/security/announce/mfsa2005-39.html

The most serious of these flaws could allow a remote malicious user to
execute arbitrary code with the privileges of the user running the
vulnerable software.

Full details of known and fixed vulnerabilities in various Mozilla based
software are available at

http://www.mozilla.org/projects/security/known-vulnerabilities.html


AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================

- -----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQmX4VCh9+71yA2DNAQL4hgP9GqZPqfH0qJceMc6W2smXuXEjo/wyHqjU
z36lfYFhRNxALZCJEByzUMRA33XaKT8T1UF5JjvE6fZs2O+VvgCKbnm5uajbKt6D
7AEnlWlplTverrqBxggc0l/vJC6aBsECFosOqBbWFv3yr1OTuqLgk2pWZAc0mZdS
CO7dDON5Tak=
=Ih3y
- -----END PGP SIGNATURE-----

