| Description: | Description:
The remote host is missing updates announced in
advisory RHSA-2005:386.
Mozilla is an open source Web browser, advanced email and newsgroup client,
IRC chat client, and HTML editor.
Vladimir V. Perepelitsa discovered a bug in the way Mozilla handles
anonymous functions during regular expression string replacement. It is
possible for a malicious web page to capture a random block of browser
memory. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2005-0989 to this issue.
Doron Rosenberg discovered a bug in the way Mozilla displays pop-up
windows. If a user choses to open a pop-up window whose URL is malicious
javascript, the script will be executed with elevated privileges.
(CVE-2005-1153)
A bug was found in the way Mozilla handles the javascript global scope for
a window. It is possible for a malicious web page to define a global
variable known to be used by a different site, allowing malicious code to
be executed in the context of the site. (CVE-2005-1154)
Michael Krax discovered a bug in the way Mozilla handles favicon links. A
malicious web page can programatically define a favicon link tag as
javascript, executing arbitrary javascript with elevated privileges.
(CVE-2005-1155)
Michael Krax discovered a bug in the way Mozilla installed search plugins.
If a user chooses to install a search plugin from a malicious site, the new
plugin could silently overwrite an existing plugin. This could allow the
malicious plugin to execute arbitrary code and stealm sensitive
information. (CVE-2005-1156 CVE-2005-1157)
A bug was found in the way Mozilla validated several XPInstall related
javascript objects. A malicious web page could pass other objects to the
XPInstall objects, resulting in the javascript interpreter jumping to
arbitrary locations in memory. (CVE-2005-1159)
A bug was found in the way the Mozilla privileged UI code handled DOM nodes
from the content window. A malicious web page could install malicious
javascript code or steal data requiring a user to do commonplace actions
such as clicking a link or opening the context menu. (CVE-2005-1160)
Users of Mozilla are advised to upgrade to this updated package which
contains Mozilla version 1.7.7 to correct these issues.
Solution:
Please note that this update is available via
Red Hat Network. To use Red Hat Network, launch the Red
Hat Update Agent with the following command: up2date
http://rhn.redhat.com/errata/RHSA-2005-386.html
http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.7
Risk factor : High
CVSS Score:
7.5
|
