Description: Summary: Mozilla Firefox/Seamonkey/Thunderbird is prone to multiple vulnerabilities.
Vulnerability Insight: The flaws are due to:
- A wildcard IP address in the subject's Common Name field of an X.509 certificate.
- Not properly setting the minimum key length for 'Diffie-Hellman Ephemeral' (DHE) mode, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.
- Passing an excessively long string to 'document.write', which could cause text rendering routines to end up in an inconsistent state, with sections of stack memory being overwritten with the string data.
- Not properly handling certain modal calls made by 'javascript:' URLs in circumstances related to opening a new window and performing cross-domain navigation.
- An untrusted search path vulnerability.
- A use-after-free vulnerability in the nsBarProp function.
- An error in the 'LookupGetterOrSetter' function, which does not properly support 'window.__lookupGetter__' function calls that lack arguments.
Vulnerability Impact: Successful exploitation will allow attackers to cause a denial of service or execute arbitrary code.
Affected Software/OS: Seamonkey versions prior to 2.0.9
Firefox versions prior to 3.5.14 and 3.6.x before 3.6.11
Thunderbird versions prior to 3.0.9 and 3.1.x before 3.1.5
Solution: Upgrade to Firefox version 3.6.11 or 3.5.14 or later
Upgrade to Seamonkey version 2.0.9 or later
Upgrade to Thunderbird version 3.0.9 or 3.1.5 or later
CVSS Score: 9.3
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C