Thursday, November 13, 2008

Vulnerabilities In Mozilla Firefox, SeaMonkey and Thunderbird

Several vulnerabilities have been found in Mozilla products. The Firefox 2 update fixes a total of eleven vulnerabilities. The new versions of Firefox 3 and SeaMonkey contain fixes for ten vulnerabilities, five of which are critical. Six vulnerabilities were found in Thunderbird, some of which are critical.

The vulnerabilities allow escalation of user privileges and disclosure of sensitive information, and allow a remote attacker to cause a denial of service (crash) and possibly execute arbitrary code on the target system.

Mozilla recommends disabling JavaScript until the updates have been installed. The recommendation applies especially to the Thunderbird email client, for which no update is available yet. In Thunderbird, JavaScript is disabled by default.

Vulnerable software:
- Mozilla Firefox versions prior to 2.0.0.18
- Mozilla Firefox versions prior to 3.0.4
- Mozilla Thunderbird versions prior to 2.0.0.18
- Mozilla SeaMonkey versions prior to 1.1.13

Solution:
Users are instructed to update to the following versions:
- Mozilla Firefox 2.0.0.18
- Mozilla Firefox 3.0.4
- Mozilla Thunderbird 2.0.0.18 (this version has not been released yet)
- Mozilla SeaMonkey 1.1.13

The update can be installed with the automatic update functionality of the respective product or by installing the new versions from http://www.mozilla.com/ and http://www.seamonkey-project.org/.
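To confirm which installations still need the update, the fixed versions listed above can be checked against a software inventory. The script below is an added example, not part of the original post; the inventory rows, host names and function names are constructed for illustration, and the handling of version suffixes is an assumption noted in the code.

```python
import re

# Fixed releases from the advisory, keyed by product and release-branch prefix.
# Firefox has two maintained branches, so one threshold per product is not enough.
FIXED = {
    "firefox": {(2, 0, 0): (2, 0, 0, 18), (3, 0): (3, 0, 4, 0)},
    "thunderbird": {(2, 0, 0): (2, 0, 0, 18)},  # fix not yet released per the advisory
    "seamonkey": {(1, 1): (1, 1, 13, 0)},
}

def parse_version(text):
    """Split '3.0.4pre' into ((3, 0, 4, 0), 'pre'); numeric part padded to 4 fields."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(.*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    return tuple(nums), m.group(2)

def status(product, version):
    """Return 'vulnerable', 'fixed' or 'unlisted' for one installed product."""
    branches = FIXED.get(product.lower())
    if branches is None:
        return "unlisted"
    nums, suffix = parse_version(version)
    for prefix, fixed in branches.items():
        if nums[:len(prefix)] == prefix:
            # Assumption: a suffix such as 'pre' marks a build made before that
            # release, so a suffixed build at the fixed number counts as vulnerable.
            if nums < fixed or (nums == fixed and suffix):
                return "vulnerable"
            return "fixed"
    return "unlisted"  # branch the advisory does not mention

# Constructed inventory rows (host, product, version), for illustration only.
INVENTORY = [
    ("ws-01", "Firefox", "2.0.0.17"),
    ("ws-02", "Firefox", "2.0.0.18"),
    ("ws-03", "Firefox", "3.0.3"),
    ("ws-04", "Thunderbird", "2.0.0.17"),
    ("ws-05", "SeaMonkey", "1.1.13"),
]

def audit(inventory):
    """Attach a status to every inventory row."""
    return [(h, p, v, status(p, v)) for h, p, v in inventory]

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print("%-6s %-12s %-10s %s" % row)
```

Versions on branches the advisory does not list are reported as "unlisted" rather than guessed at.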

More information on vulnerabilities:
- http://www.mozilla.org/security/announce/2008/mfsa2008-47.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-48.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-49.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-50.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-51.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-52.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-53.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-54.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-55.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-56.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-57.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-58.html
- CVE-2008-0017
- CVE-2008-4582
- CVE-2008-5012
- CVE-2008-5013
- CVE-2008-5014
- CVE-2008-5015
- CVE-2008-5016
- CVE-2008-5017
- CVE-2008-5018
- CVE-2008-5019
- CVE-2008-5021
- CVE-2008-5022
- CVE-2008-5023
- CVE-2008-5024
