| Beschreibung: | Description:
The remote host is missing an update to mozilla
announced via advisory MDKSA-2005:170.
A number of vulnerabilities have been discovered in Mozilla that have
been corrected in version 1.7.12:
A bug in the way Mozilla processes XBM images could be used to execute
arbitrary code via a specially crafted XBM image file (CVE-2005-2701).
A bug in the way Mozilla handles certain Unicode sequences could be
used to execute arbitrary code via viewing a specially crafted Unicode
sequence (CVE-2005-2702).
A bug in the way Mozilla makes XMLHttp requests could be abused by a
malicious web page to exploit other proxy or server flaws from the
victim's machine
however, the default behaviour of the browser is to
disallow this (CVE-2005-2703).
A bug in the way Mozilla implemented its XBL interface could be abused
by a malicious web page to create an XBL binding in such a way as to
allow arbitrary JavaScript execution with chrome permissions
(CVE-2005-2704).
An integer overflow in Mozilla's JavaScript engine could be manipulated
in certain conditions to allow a malicious web page to execute
arbitrary code (CVE-2005-2705).
A bug in the way Mozilla displays about: pages could be used to execute
JavaScript with chrome privileges (CVE-2005-2706).
A bug in the way Mozilla opens new windows could be used by a malicious
web page to construct a new window without any user interface elements
(such as address bar and status bar) that could be used to potentially
mislead the user (CVE-2005-2707).
The updated packages have been patched to address these issues and all
users are urged to upgrade immediately.
Affected versions: 10.1, Corporate 3.0
Solution:
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
http://www.securityspace.com/smysecure/catid.html?in=MDKSA-2005:170
http://www.mozilla.org/security/announce/mfsa2005-58.html
Risk factor : High
CVSS Score:
7.5
|
