English | Deutsch | Español
 
Home ▼
Home About Us Contact Us Privacy Partner Programs Testimonials In Press Mailing Lists Abuse Developer APIs
Bookkeeping
Online ▼
Home Free Trial FAQ
Open/Create Company File Accept an Invite Order/Renew
Security
Audits ▼
Home Dedicated audits Advanced audits Standard audits Recurring audits No Risk audits Desktop audits Basic audit Security Seal FAQ Price/Feature Summary Order New Tests All Tests Confidentiality Vulnerability search Run Audit Scheduler IP Permissions Audit Configuration Editor Scan Queue Reminder Notification Schedule Seal Reports Reports Style Editor
Managed
DNS ▼
About Order FAQ Acceptable Use Policy Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password
Network
Monitor ▼
Enterprise Package Advanced Package Standard Package Free Trial FAQ Price/Feature Summary Order/Renew Examples
Configure/Status Alert Profiles
Research
Reports ▼
Home FAQ Glossary Archive
 Login/Register 
 
 Vulnerability   
Search   		     Search 324607 CVE descriptions
and 145615 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.71224
Category:Mandrake Local Security Checks
Title:Mandriva Security Advisory MDVSA-2012:031 (firefox)
Summary:NOSUMMARY
Description:Description:
The remote host is missing an update to firefox
announced via advisory MDVSA-2012:031.

Security issues were identified and fixed in mozilla firefox:

Security researcher regenrecht reported via TippingPoint'
s Zero Day
Initiative that a flaw in the Mozilla SVG implementation could result
in an out-of-bounds memory access if SVG elements were removed during
a DOMAttrModified event handler (CVE-2011-3658).

Firefox prevents the dropping of javascript: links onto a frame
to prevent malicious sites from tricking users into performing
a cross-site scripting (XSS) attacks on themselves. Security
researcher Soroush Dalili reported a way to bypass this protection
(CVE-2012-0455).

Security researcher Atte Kettunen from OUSPG found two issues with
Firefox's handling of SVG using the Address Sanitizer tool. The first
issue, critically rated, is a use-after-free in SVG animation that
could potentially lead to arbitrary code execution. The second issue
is rated moderate and is an out of bounds read in SVG Filters. This
could potentially incorporate data from the user'
s memory, making it
accessible to the page content (CVE-2012-0456, CVE-2012-0457).

Security researcher Mariusz Mlynski reported that an attacker able
to convince a potential victim to set a new home page by dragging a
link to the home button can set that user's home page to a javascript:
URL. Once this is done the attacker's page can cause repeated crashes
of the browser, eventually getting the script URL loaded in the
privileged about:sessionrestore context (CVE-2012-0458).

Mozilla developers identified and fixed several memory safety
bugs in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort
at least some of these could be exploited to run arbitrary code
(CVE-2012-0461, CVE-2012-0464).

The mozilla firefox packages has been upgraded to the latest respective
versions which is not affected by these security flaws.

Additionally the NSS and NSPR packages has been upgraded to the latest
versions. The SQLite packages has been upgraded to the 3.7.7.1 version.

Affected: Enterprise Server 5.0

Solution:
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

http://www.securityspace.com/smysecure/catid.html?in=MDVSA-2012:031
http://www.mozilla.org/security/announce/2011/mfsa2011-55.html
http://www.mozilla.org/security/announce/2012/mfsa2012-13.html
http://www.mozilla.org/security/announce/2012/mfsa2012-14.html
http://www.mozilla.org/security/announce/2012/mfsa2012-16.html
http://www.mozilla.org/security/announce/2012/mfsa2012-19.html

Risk factor : High

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2011-3658
http://www.mandriva.com/security/advisories?name=MDVSA-2011:192
http://www.mandriva.com/security/advisories?name=MDVSA-2012:031
http://osvdb.org/77953
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14664
http://www.securitytracker.com/id?1026445
http://www.securitytracker.com/id?1026446
http://www.securitytracker.com/id?1026447
http://secunia.com/advisories/47302
http://secunia.com/advisories/47334
http://secunia.com/advisories/48495
http://secunia.com/advisories/48553
http://secunia.com/advisories/48823
http://secunia.com/advisories/49055
SuSE Security Announcement: openSUSE-SU-2012:0007 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00001.html
SuSE Security Announcement: openSUSE-SU-2012:0039 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00009.html
SuSE Security Announcement: openSUSE-SU-2012:0417 (Google Search)
http://lists.opensuse.org/opensuse-updates/2012-03/msg00042.html
http://www.ubuntu.com/usn/USN-1401-1
XForce ISS Database: firefox-domattrmodified-code-exec(71910)
https://exchange.xforce.ibmcloud.com/vulnerabilities/71910
Common Vulnerability Exposure (CVE) ID: CVE-2012-0455
BugTraq ID: 52458
http://www.securityfocus.com/bid/52458
Debian Security Information: DSA-2433 (Google Search)
http://www.debian.org/security/2012/dsa-2433
Debian Security Information: DSA-2458 (Google Search)
http://www.debian.org/security/2012/dsa-2458
http://www.mandriva.com/security/advisories?name=MDVSA-2012:032
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14829
RedHat Security Advisories: RHSA-2012:0387
http://rhn.redhat.com/errata/RHSA-2012-0387.html
RedHat Security Advisories: RHSA-2012:0388
http://rhn.redhat.com/errata/RHSA-2012-0388.html
http://www.securitytracker.com/id?1026801
http://www.securitytracker.com/id?1026803
http://www.securitytracker.com/id?1026804
http://secunia.com/advisories/48359
http://secunia.com/advisories/48402
http://secunia.com/advisories/48414
http://secunia.com/advisories/48496
http://secunia.com/advisories/48513
http://secunia.com/advisories/48561
http://secunia.com/advisories/48624
http://secunia.com/advisories/48629
http://secunia.com/advisories/48920
SuSE Security Announcement: SUSE-SU-2012:0424 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00014.html
SuSE Security Announcement: SUSE-SU-2012:0425 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00015.html
http://www.ubuntu.com/usn/USN-1400-1
http://www.ubuntu.com/usn/USN-1400-2
http://www.ubuntu.com/usn/USN-1400-3
http://www.ubuntu.com/usn/USN-1400-4
http://www.ubuntu.com/usn/USN-1400-5
Common Vulnerability Exposure (CVE) ID: CVE-2012-0456
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15007
Common Vulnerability Exposure (CVE) ID: CVE-2012-0457
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14775
Common Vulnerability Exposure (CVE) ID: CVE-2012-0458
BugTraq ID: 52460
http://www.securityfocus.com/bid/52460
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15122
Common Vulnerability Exposure (CVE) ID: CVE-2012-0461
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15009
Common Vulnerability Exposure (CVE) ID: CVE-2012-0464
BugTraq ID: 52465
http://www.securityfocus.com/bid/52465
http://pwn2own.zerodayinitiative.com/status.html
http://www.zdnet.com/blog/security/mozilla-knew-of-pwn2own-bug-before-cansecwest/10757
http://www.zdnet.com/blog/security/researchers-hack-into-newest-firefox-with-zero-day-flaw/10663
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14170
CopyrightCopyright (c) 2012 E-Soft Inc. http://www.securityspace.com

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.



© 1998-2025 E-Soft Inc. All rights reserved.