
CERT RENATER advisories

By default, this page shows the latest messages sent by CERT RENATER to the community. You can filter by year or by message type. If no criterion is given, only the latest messages are shown.

Date: Fri, 28 Jul 2006 10:31:03 +0200
Type: VULN
Subject: CERT-Renater : 2006/VULN410 (US-CERT: Mozilla Products Contain Multiple Vulnerabilities)
======================================================================
                             CERT-Renater

                   Information Note No. 2006/VULN410
_____________________________________________________________________

DATE                      : 28/07/2006

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Mozilla Products.

======================================================================

                         National Cyber Alert System

                  Technical Cyber Security Alert TA06-208A


Mozilla Products Contain Multiple Vulnerabilities

    Original release date: July 27, 2006
    Last revised: --
    Source: US-CERT


Systems Affected

      * Mozilla SeaMonkey
      * Mozilla Firefox
      * Mozilla Thunderbird

    Any products based on Mozilla components, specifically Gecko, may also
    be affected.


Overview

    The Mozilla web browser and derived products contain several
    vulnerabilities, the most serious of which could allow a remote
    attacker to execute arbitrary code on an affected system.


I. Description

    Several vulnerabilities have been reported in the Mozilla web browser
    and derived products. More detailed information is available in the
    individual vulnerability notes, including the following:


    VU#476724 - Mozilla products fail to properly handle frame references

    Mozilla products fail to properly handle frame or window references.
    This may allow a remote attacker to execute arbitrary code on a
    vulnerable system.
    (CVE-2006-3801)


    VU#670060 - Mozilla fails to properly release JavaScript references

    Mozilla products fail to properly release memory. This vulnerability
    may allow a remote attacker to execute code on a vulnerable system.
    (CVE-2006-3677)


    VU#239124 - Mozilla fails to properly handle simultaneous XPCOM events

    Mozilla products are vulnerable to memory corruption via simultaneous
    XPCOM events. This may allow a remote attacker to execute arbitrary
    code on a vulnerable system.
    (CVE-2006-3113)


    VU#265964 - Mozilla products contain a race condition

    Mozilla products contain a race condition. This vulnerability may
    allow a remote attacker to execute code on a vulnerable system.
    (CVE-2006-3803)


    VU#897540 - Mozilla products VCard attachment buffer overflow

    Mozilla products fail to properly handle malformed VCard attachments,
    allowing a buffer overflow to occur. This vulnerability may allow a
    remote attacker to execute arbitrary code on a vulnerable system.
    (CVE-2006-3804)


    VU#876420 - Mozilla fails to properly handle garbage collection

    The Mozilla JavaScript engine fails to properly perform garbage
    collection, which may allow a remote attacker to execute arbitrary
    code on a vulnerable system.
    (CVE-2006-3805)


    VU#655892 - Mozilla JavaScript engine contains multiple integer
    overflows

    The Mozilla JavaScript engine contains multiple integer overflows.
    This vulnerability may allow a remote attacker to execute arbitrary
    code on a vulnerable system.
    (CVE-2006-3806)


    VU#687396 - Mozilla products fail to properly validate JavaScript
    constructors

    Mozilla products fail to properly validate references returned by
    JavaScript constructors. This vulnerability may allow a remote
    attacker to execute arbitrary code on a vulnerable system.
    (CVE-2006-3807)


    VU#527676 - Mozilla contains multiple memory corruption
    vulnerabilities

    Mozilla products contain multiple vulnerabilities that can cause
    memory corruption. This may allow a remote attacker to execute
    arbitrary code on a vulnerable system.
    (CVE-2006-3811)


II. Impact

    A remote, unauthenticated attacker could execute arbitrary code on a
    vulnerable system. An attacker may also be able to cause the
    vulnerable application to crash.


III. Solution

Upgrade

    Upgrade to Mozilla Firefox 1.5.0.5, Mozilla Thunderbird 1.5.0.5, or
    SeaMonkey 1.0.3.

Disable JavaScript and Java

    These vulnerabilities can be mitigated by disabling JavaScript and
    Java in all affected products. Instructions for disabling Java in
    Firefox can be found in the "Securing Your Web Browser" document.
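As a defender-side check of the "Upgrade" guidance above, here is an added Python example (not part of the US-CERT or CERT-Renater advisory) that scans web-server or proxy access-log lines for Firefox, Thunderbird and SeaMonkey User-Agent tokens and flags clients still below the fixed releases named in Section III; the log lines and IP addresses are constructed for illustration.

```python
import re
# Fixed releases named in Section III ("Upgrade") of TA06-208A.
FIXED_VERSIONS = {
    "Firefox": (1, 5, 0, 5),
    "Thunderbird": (1, 5, 0, 5),
    "SeaMonkey": (1, 0, 3),
}
# Product/version token as it appears in Gecko-based User-Agent strings.
TOKEN_RE = re.compile(r"\b(Firefox|Thunderbird|SeaMonkey)/(\d+(?:\.\d+)*)")

def parse_version(text):
    """'1.5.0.4' -> (1, 5, 0, 4): compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def is_fixed(product, version):
    """True when version is at or above the advisory's fixed release."""
    fixed = FIXED_VERSIONS[product]
    width = max(len(fixed), len(version))
    pad = lambda v: v + (0,) * (width - len(v))  # '1.5' compares as 1.5.0.0
    return pad(version) >= pad(fixed)

def classify_user_agent(ua):
    """(product, version, vulnerable) for a tracked product, else None."""
    match = TOKEN_RE.search(ua)
    if not match:
        return None
    product, version = match.groups()
    return product, version, not is_fixed(product, parse_version(version))

def find_unpatched(log_lines):
    """Collect (product, version) for clients still below the fixed releases."""
    hits = []
    for line in log_lines:
        result = classify_user_agent(line)
        if result is not None and result[2]:
            hits.append(result[:2])
    return hits

# Constructed sample access-log lines (not from the advisory).
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Jul/2006:09:12:01 +0200] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"',
    '10.0.0.6 - - [28/Jul/2006:09:12:07 +0200] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5"',
    '10.0.0.7 - - [28/Jul/2006:09:13:40 +0200] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.8.0.4) Gecko/20060608 SeaMonkey/1.0.2"',
]

if __name__ == "__main__":
    for product, version in find_unpatched(SAMPLE_LOG):
        print(f"unpatched client: {product} {version}")
```

Only the three product tokens named in the advisory are matched; other Gecko-based products, which the advisory says may also be affected, would need their own entries in FIXED_VERSIONS.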


Appendix A. References

      * US-CERT Vulnerability Notes Related to July Mozilla Security
        Advisories -
      * CVE-2006-3081 -
      * CVE-2006-3677 -
      * CVE-2006-3113 -
      * CVE-2006-3803 -
      * CVE-2006-3804 -
      * CVE-2006-3805 -
      * CVE-2006-3806 -
      * CVE-2006-3807 -
      * CVE-2006-3811 -
      * Mozilla Foundation Security Advisories -
      * Known Vulnerabilities in Mozilla Products -
      * Securing Your Web Browser -

  ____________________________________________________________________

    The most recent version of this document can be found at:

      
  ____________________________________________________________________

    Feedback can be directed to US-CERT Technical Staff. Please send
    email to  with "TA06-208A Feedback VU#239124" in the
    subject.
  ____________________________________________________________________

    For instructions on subscribing to or unsubscribing from this
    mailing list, visit .
  ____________________________________________________________________

    Produced 2006 by US-CERT, a government organization.

    Terms of use:

      
  ____________________________________________________________________


Revision History

    Jul 27, 2006: Initial release




======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================