Computer Security
[EN] securityvulns.ru no-pyccku


Mozilla Firefox / Thunderbird / SeaMonkey multiple security vulnerabilities
updated since 19.02.2010
Published:25.02.2010
Source:
SecurityVulns ID:10631
Type:client
Threat Level:
8/10
Description:Multiple memory corruptions, use-after-free, crossite scripting.
Affected:MOZILLA : SeaMonkey 2.0
 MOZILLA : Firefox 3.0
 MOZILLA : Firefox 3.5
 MOZILLA : Firefox 3.6
 MOZILLA : Thunderbird 3.0
CVE:CVE-2010-0162 (Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly support the application/octet-stream content type as a protection mechanism against execution of web script in certain circumstances involving SVG and the EMBED element, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via an embedded SVG document.)
 CVE-2010-0160 (The Web Worker functionality in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly handle array data types for posted messages, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors.)
 CVE-2010-0159 (The browser engine in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, Thunderbird before 3.0.2, and SeaMonkey before 2.0.3 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the nsBlockFrame::StealFrame function in layout/generic/nsBlockFrame.cpp, and unspecified other vectors.)
 CVE-2009-3988 (Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly restrict read access to object properties in showModalDialog, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via crafted dialogArguments values.)
 CVE-2009-1571 (Use-after-free vulnerability in the HTML parser in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, Thunderbird before 3.0.2, and SeaMonkey before 2.0.3 allows remote attackers to execute arbitrary code via unspecified method calls that attempt to access freed objects in low-memory situations.)
Original documentdocumentZDI, ZDI-10-019: Mozilla Firefox showModalDialog Cross-Domain Scripting Vulnerability (25.02.2010)
 documentSECUNIA, Secunia Research: Mozilla Firefox Memory Corruption Vulnerability (19.02.2010)
 documentMOZILLA, Mozilla Foundation Security Advisory 2010-05 (19.02.2010)
 documentMOZILLA, Mozilla Foundation Security Advisory 2010-04 (19.02.2010)
 documentMOZILLA, Mozilla Foundation Security Advisory 2010-03 (19.02.2010)
 documentMOZILLA, Mozilla Foundation Security Advisory 2010-02 (19.02.2010)
 documentMOZILLA, Mozilla Foundation Security Advisory 2010-01 (19.02.2010)

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod