June 2007
Mozilla Foundation Security Advisory 2007-12
ID: 139
Ref: 81/2007
Date: 30 June 2007:20:46:27
Version: 1
Title: Mozilla Foundation Security Advisory 2007-12
Abstract: Fixes for various Mozilla products
Vendors affected: Mozilla
Applications affected: Mozilla
Impact: Critical
Products: Firefox, Thunderbird, SeaMonkey
Fixed in:
Firefox 2.0.0.4
Firefox 1.5.0.12
Thunderbird 2.0.0.4
Thunderbird 1.5.0.12
SeaMonkey 1.0.9
SeaMonkey 1.1.2
Description
As part of the Firefox 2.0.0.4 and 1.5.0.12 update releases, Mozilla
developers fixed many bugs to improve the stability of the product. Some
of these crashes showed evidence of memory corruption under certain
circumstances, and we presume that with enough effort at least some of
these could be exploited to run arbitrary code.
Note: Thunderbird shares the browser engine with Firefox and could be
vulnerable if JavaScript were to be enabled in mail. This is not the
default setting and we strongly discourage users from running JavaScript
in mail. Without further investigation we cannot rule out the
possibility that for some of these an attacker might be able to prepare
memory for exploitation through some means other than JavaScript, such
as large images.
Workaround
Upgrade to the fixed versions. Do not enable JavaScript in Thunderbird
or the mail portions of SeaMonkey.
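An added example (not part of the Mozilla or CPNI advisory): a check of installed versions against the "Fixed in" list above, comparing within each maintenance branch so that a 2.0.0.3 build is not passed merely because it sorts above 1.5.0.12. The inventory rows, the branch rule and the handling of builds on branches the advisory does not list are assumptions of this example.

```python
# Fixed releases, copied from the advisory's "Fixed in" list.
FIXED = {
    "firefox": [(2, 0, 0, 4), (1, 5, 0, 12)],
    "thunderbird": [(2, 0, 0, 4), (1, 5, 0, 12)],
    "seamonkey": [(1, 0, 9), (1, 1, 2)],
}

def parse_version(text):
    """Turn '2.0.0.3' into (2, 0, 0, 3); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))

def branch_of(version):
    # Assumption: a maintenance branch is the version without its last
    # component (Firefox 1.5.0.x vs 2.0.0.x, SeaMonkey 1.0.x vs 1.1.x).
    return version[:-1]

def status(product, version_text):
    """Return 'fixed', 'vulnerable' or 'unknown' for one installed build."""
    fixes = FIXED.get(product.lower())
    if fixes is None:
        return "unknown"
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown"
    for fix in fixes:
        if len(version) == len(fix) and branch_of(version) == branch_of(fix):
            # Integer tuples compare numerically, so 1.5.0.9 < 1.5.0.12.
            return "fixed" if version >= fix else "vulnerable"
    # Assumption (conservative): on a branch the advisory does not list, only
    # a build newer than every fixed release is treated as fixed.
    return "fixed" if version > max(fixes) else "vulnerable"

def audit(inventory):
    """Return the rows whose build is not known to contain the fixes."""
    return [row for row in inventory if status(row[1], row[2]) != "fixed"]

# Constructed inventory rows: (host, product, installed version).
SAMPLE_INVENTORY = [
    ("ws-01", "Firefox", "2.0.0.3"),
    ("ws-02", "Firefox", "1.5.0.12"),
    ("ws-03", "Thunderbird", "1.5.0.9"),
    ("ws-04", "SeaMonkey", "1.0.10"),
    ("ws-05", "SeaMonkey", "1.1.1"),
]

if __name__ == "__main__":
    for host, product, version in audit(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} needs upgrading")
```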
References
Boris Zbarsky, Eli Friedman, Georgi Guninski, Jesse Ruderman, Martijn
Wargers and Olli Pettay reported crashes in the layout engine.
CVE-2007-2867
https://bugzilla.mozilla.org/show_bug.cgi?id=377216
https://bugzilla.mozilla.org/show_bug.cgi?id=370360
https://bugzilla.mozilla.org/show_bug.cgi?id=372285
https://bugzilla.mozilla.org/show_bug.cgi?id=306902
https://bugzilla.mozilla.org/show_bug.cgi?id=348492
https://bugzilla.mozilla.org/show_bug.cgi?id=369150
https://bugzilla.mozilla.org/show_bug.cgi?id=369249
https://bugzilla.mozilla.org/show_bug.cgi?id=372237
https://bugzilla.mozilla.org/show_bug.cgi?id=372376
https://bugzilla.mozilla.org/show_bug.cgi?id=376223
https://bugzilla.mozilla.org/show_bug.cgi?id=336574
https://bugzilla.mozilla.org/show_bug.cgi?id=336744
https://bugzilla.mozilla.org/show_bug.cgi?id=336994
https://bugzilla.mozilla.org/show_bug.cgi?id=362708
https://bugzilla.mozilla.org/show_bug.cgi?id=369542
https://bugzilla.mozilla.org/show_bug.cgi?id=371124
https://bugzilla.mozilla.org/show_bug.cgi?id=378273
https://bugzilla.mozilla.org/show_bug.cgi?id=378325
https://bugzilla.mozilla.org/show_bug.cgi?id=374584
https://bugzilla.mozilla.org/show_bug.cgi?id=375196
Brendan Eich, Igor Bukanov, Jesse Ruderman, moz_bug_r_a4 and Wladimir
Palant reported potential memory corruption in the JavaScript engine.
CVE-2007-2868
https://bugzilla.mozilla.org/show_bug.cgi?id=351102
https://bugzilla.mozilla.org/show_bug.cgi?id=369666
https://bugzilla.mozilla.org/show_bug.cgi?id=367561
https://bugzilla.mozilla.org/show_bug.cgi?id=370101
https://bugzilla.mozilla.org/show_bug.cgi?id=370488
https://bugzilla.mozilla.org/show_bug.cgi?id=375183
https://bugzilla.mozilla.org/show_bug.cgi?id=367630
https://bugzilla.mozilla.org/show_bug.cgi?id=375711
https://bugzilla.mozilla.org/show_bug.cgi?id=367121
https://bugzilla.mozilla.org/show_bug.cgi?id=369714
____________________________________________________________________________
CPNI wishes to acknowledge the contributions of Mozilla for the
information contained in this advisory.
______________________________________________________________________________
This advisory contains information released by the original author. Some
of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information
concerning that problem.
Reference to any specific commercial product, process, or service by
trade name, trademark, manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by CPNI. The views and
opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes.
CPNI shall not accept responsibility for any errors or omissions
contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of
information contained within this advisory.
CPNI is a member of the Forum of Incident Response and Security Teams
(FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.
______________________________________________________________________________