NASLDB: USN-149-1 : mozilla-firefox vulnerabilities
General
ID: 20544
Name: USN-149-1 : mozilla-firefox vulnerabilities
Summary: Checks dpkg output for updated package(s)
Credits: –
Classification
Risk: –
CVSS: –
CVSS Base Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS Temporal Vector: –
Port: 0
Family: Ubuntu Local Security Checks
Type: Local
Description
Secunia.com reported that one of the recent security patches in
Firefox reintroduced the frame injection patch that was originally
known as CVE-2004-0718. This allowed a malicious web site to spoof
the contents of other web sites. (CVE-2005-1937)
In several places the browser user interface did not correctly
distinguish between true user events, such as mouse clicks or
keystrokes, and synthetic events genenerated by web content. This
could be exploited by malicious web sites to generate e. g. mouse
clicks that install malicious plugins. Synthetic events are now
prevented from reaching the browser UI entirely. (CVE-2005-2260)
Scripts in XBL controls from web content continued to be run even
when Javascript was disabled. This could be combined with most
script-based exploits to attack people running vulnerable versions
who thought disabling Javascript would protect them. (CVE-2005-2261)
Matthew Mastracci discovered a flaw in the addons installation
launcher. By forcing a page navigation immediately after calling the
install method a callback function could end up running in the
context of the new page selected by the attacker. This callback
script could steal data from the new page such as cookies or
passwords, or perform actions on the user’s behalf such as make a
purchase if the user is already logged into the target site. However,
the default settings allow only http://addons.mozilla.org to bring up
this install dialog. This could only be exploited if users have added
untrustworthy sites to the installation whitelist, and if a malicious
site can convince you to install from their site. (CVE-2005-2263)
Kohei Yoshino discovered a Javascript injection vulnerability in the
sidebar. Sites can use the _search target to open links in the
Firefox sidebar. A missing security check allowed the sidebar to
inject ‘data:’ URLs containing scripts into any page open in the
browser. This could be used to steal cookies, passwords or other
sensitive data. (CVE-2005-2264)
The function for version comparison in the addons installer did not
properly verify the type of its argument. By passing specially
crafted Javascript objects to it, a malicious web site could crash
the browser and possibly even execute arbitrary code with the
privilege of the user account Firefox runs in. (CVE-2005-2265)
A child frame can call top.focus() even if the framing page comes
from a different origin and has overridden the focus() routine.
Andreas Sandblad discovered that the call is made in the context of
the child frame. This could be exploited to steal cookies and
passwords from the framed page, or take actions on behalf of a
signed-in user. However, web sites with above properties are not very
common. (CVE-2005-2266)
Several media players, for example Flash and QuickTime, support
scripted content with the ability to open URLs in the default
browser. The default behavior for Firefox was to replace the
currently open browser window’s content with the externally opened
content. Michael Krax discovered that if the external URL was a
javascript: URL it would run as if it came from the site that served
the previous content, which could be used to steal sensitive
information such as login cookies or passwords. If the media player
content first caused a privileged chrome: url to load then the
subsequent javascript: url could execute arbitrary code.
(CVE-2005-2267)
Alerts and prompts created by scripts in web pages were presented
with the generic title [JavaScript Application] which sometimes made
it difficult to know which site created them. A malicious page could
exploit this by causing a prompt to appear in front of a trusted site
in an attempt to extract information such as passwords from the user.
In the fixed version these prompts contain the hostname of the page
which created it. (CVE-2005-2268)
The XHTML DOM node handler did not take namespaces into account when
verifying node types based on their names. For example, an XHTML
document could contain an <IMG> tag with malicious contents, which
would then be processed as the standard trusted HTML <img> tag. By
tricking an user to view malicious web sites, this could be exploited
to execute attacker-specified code with the full privileges of the
user. (CVE-2005-2269)
It was discovered that some objects were not created appropriately.
This allowed malicious web content scripts to trace back the creation
chain until they found a privileged object and execute code with
higher privileges than allowed by the current site. (CVE-2005-2270)
Exploiting
Exploit Available: True
Exploitability Ease: Exploits are available
Sources
CVE: CVE-2004-0718
OSVDB: –
Bugtraq: –
scipID: –
Timeline
Vulnerability Disclosure: –
Patch Release: 2005/07/21
Plugin Release: 2006/01/15
Plugin
Version: 1.11
Filename: ubuntu_USN-149-1.nasl
Filesize: 7811 bytes
MD5 Hash: 5b796e7cb87849a985ca604d377428a4
Identification: Host/local_checks_enabled
Require Keys: Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l
Dependencies: "ssh_get_info.nasl"
Copyright: –
- Latest Plugins
- USN-1611-1 : thunderbird vulnerabilities
- USN-1610-1 : linux vulnerability
- USN-1609-1 : linux-ti-omap4 vulnerability
- SuSE 10 Security Update : PostgreSQL
- RHSA-2012-1364: bind97
- RHSA-2012-1363: bind
- RHSA-2012-1362: thunderbird
- RHSA-2012-1361: xulrunner
- Mandriva Linux Security Advisory : graphicsmagick
- FreeBSD : phpMyAdmin — Multiple XSS due to unescaped HTML output in Trigger, Procedure and Event pages and Fetching the version information from a non-SSL site is vulnerable to a MITM attack