 |
|
|
|
| From: | MOZILLA | | Date: | 03.07.2008 | | Subject: | Mozilla Foundation Security Advisory 2008-28 |
Mozilla Foundation Security Advisory 2008-28
Title: Arbitrary socket connections with Java LiveConnect on Mac OS X
Impact: High
Announced: July 1, 2008
Reporter: Gregory Fleischer
Products: Firefox, SeaMonkey
Fixed in: Firefox 3.0
Firefox 2.0.0.15
SeaMonkey 1.1.10
Description
Security researcher Gregory Fleischer reported a vulnerability in the way Mozilla indicates the origin of a document to the Java Embedding Plugin (JEP) that ships with Firefox on Mac OS X. This vulnerability could allow a malicious Java applet to bypass the same-origin policy and create arbitrary socket connections to other domains.
Workaround
Disable Java on Mac OS X until a version containing these fixes can be installed.
References
* https://bugzilla.mozilla.org/show_bug.cgi?id=408329
* CVE-2008-2806
|
|
|
|
|
|
|
|
