NASLDB: SuSE 11.0 Security Update: MozillaFirefox (2009-04-07)
General
ID: 39888
Name: SuSE 11.0 Security Update: MozillaFirefox (2009-04-07)
Summary: Check for the MozillaFirefox package
Credits: Tenable Network Security, Inc.
Classification
Risk: –
CVSS: –
CVSS Base Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Vector: –
Port: 0
Family: SuSE Local Security Checks
Type: Local
Description
The Mozilla Firefox Browser was updated to the 3.0.8
release. It fixes several security issues:
MFSA 2009-13 / CVE-2009-1044: Security researcher Nils
reported via TippingPoint’s Zero Day Initiative that the
XUL tree method _moveToEdgeShift was in some cases
triggering garbage collection routines on objects which
were still in use. In such cases, the browser would crash
when attempting to access a previously destroyed object and
this crash could be used by an attacker to run arbitrary
code on a victim’s computer. This vulnerability was used by
the reporter to win the 2009 CanSecWest Pwn2Own contest.
This vulnerability does not affect Firefox 2, Thunderbird
2, or released versions of SeaMonkey.
MFSA 2009-12 / CVE-2009-1169: Security researcher Guido
Landi discovered that an XSL stylesheet could be used to
crash the browser during an XSL transformation. An attacker
could potentially use this crash to run arbitrary code on a
victim’s computer. This vulnerability was also previously
reported as a stability problem by Ubuntu community member,
Andre. Ubuntu community member Michael Rooney reported
Andre’s findings to Mozilla, and Mozilla community member
Martin helped reduce Andre’s original testcase and
contributed a patch to fix the vulnerability.
Exploiting
Exploit Available: –
Exploitability Ease: –
Sources
CVE: CVE-2009-1044
OSVDB: –
Bugtraq: –
scipID: –
Timeline
Vulnerability Disclosure: –
Patch Release: –
Plugin Release: 2009/07/21
Plugin
Version: 1.9
Filename: suse_11_0_MozillaFirefox-090407.nasl
Filesize: 4645 bytes
MD5 Hash: 223602f848009de2432dbc3b1b5945a0
Identification: Host/SuSE/rpm-list
Require Keys: Host/SuSE/rpm-list
Dependencies: "ssh_get_info.nasl"
Copyright: This script is Copyright © 2009-2012 Tenable Network Security, Inc.