Multiple Security Vulnerabilities in Mozilla 1.4 and 1.7 for Solaris and for Sun JDS for Linux

---

Multiple Security Vulnerabilities in Mozilla 1.4 and 1.7 for Solaris and for Sun JDS for Linux

1. Impact

Multiple security vulnerabilities are present in Mozilla version 1.4 (Solaris 8 and 9) and Mozilla version 1.7 (Solaris 8, 9 and 10) and under Sun Java Desktop System (JDS) for Linux. (Mozilla can be used as a web browser and editor, an irc client, an email client, and a news client).

These issues may allow a remote unprivileged user who controls a website that is visited by a local user using the Mozilla browser to execute code with elevated privileges, gain unauthorized access to data stored on the local machine, or cause a Denial of Service (DoS) to the Mozilla browser.

Bug 6415128 - For Mozilla 1.4 and 1.7:

Mozilla contains an integer overflow flaw within the CSS letter spacing property. This flaw may result in a remote user executing arbitrary code with the privileges of the local user when an affected site is visited.

This issue is described in the following documents:

http://www.mozilla.org/security/announce/mfsa2006-22.html
http://www.kb.cert.org/vuls/id/179014
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1730

Bug 6415131 - For Mozilla 1.4 and 1.7:

Mozilla contains a flaw within the XBL bindings which may allow a remote user the ability to execute JavaScript code within the XBL bindings with the privileges of the local user when an affected site is visited.

This issue is described in the following documents:

http://www.mozilla.org/security/announce/mfsa2006-16.html
http://www.kb.cert.org/vuls/id/488774
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1733

Bug 6415133 - For Mozilla 1.4 and 1.7:

Mozilla contains a flaw within the "Object.watch" method which may allow a remote user the ability to execute arbitrary JavaScript code with the privileges of the local user when an affected site is visited.

This issue is described in the following documents:

http://www.mozilla.org/security/announce/mfsa2006-15.html
http://www.kb.cert.org/vuls/id/842094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1734

Bug 6415135 - For Mozilla 1.4 and 1.7:

Mozilla contains a flaw within the "eval" method of the XBL bindings which may allow a remote user the ability to execute arbitrary JavaScript code with the privileges of the local user when an affected site is visited.

This issue is described in the following documents:

http://www.mozilla.org/security/announce/mfsa2006-14.html
http://www.kb.cert.org/vuls/id/813230
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1735

Bug 6415138 - For Mozilla 1.4 and 1.7:

Mozilla contains a flaw within the processing of HTML tags that may allow a remote user the ability to execute arbitrary code with the privileges of the local user when an affected site is visited.

This issue is described in the following documents:

http://www.mozilla.org/security/announce/mfsa2006-18.html
http://www.kb.cert.org/vuls/id/736934
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0749

 
Bug 6412730 - For Mozilla 1.4 and 1.7:

Mozilla contains a flaw within the "XULDocument.presist" method which may allow a remote attacker to inject XML into the localstore (localstore.rdf) when an affected site is visited. The injected XML might be acted upon at startup thus executing arbitrary code.

This issue is described in the following documents:

http://www.mozilla.org/security/announce/mfsa2006-05.html
http://www.kb.cert.org/vuls/id/592425
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0296

Bug 6424493 - For Mozilla 1.4 and 1.7:

Mozilla contains a flaw that may allow a remote attacker to execute arbitrary code with the privileges of the local user when a site is viewed with an invalid order for the table related tags.

This issue is described in the following documents:

http://www.mozilla.org/security/announce/mfsa2006-27.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0748

Bug 6424545 - For Mozilla 1.4 and 1.7:

Mozilla contains a flaw that may allow a remote attacker to gain "chrome" privilege when using the print preview feature of the browser.

This issue is described in the following documents:

http://www.mozilla.org/security/announce/mfsa2006-25.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1727

Bug 6424548 - For Mozilla 1.4 and 1.7:

Mozilla contains a flaw that may allow a remote attacker the ability to read any local file when a site is viewed.

This issue is described in the following documents:

http://www.mozilla.org/security/announce/mfsa2006-23.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1729

Bug 6424551 - For Mozilla 1.4 and 1.7:

Mozilla Mail contains a flaw that may allow an attacker to execute arbitrary JavaScript when a mail message is forwarded as embedded text.

This issue is described in the following documents:

http://www.mozilla.org/security/announce/mfsa2006-21.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0884

Bug 6424560 - For Mozilla 1.4 and 1.7:

Mozilla contains a flaw within ".valueOf.call()" and ".valueOf.apply()" that may allow a remote attacker to inject script into another window.

This issue is described in the following documents:

http://www.mozilla.org/security/announce/mfsa2006-19.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1731

Bug 6424563 - For Mozilla 1.4 and 1.7:

Mozilla contains a flaw within the "window.controllers" array that may allow a malicious site to inject script into content from another site.

This issue is described in the following documents:

http://www.mozilla.org/security/announce/mfsa2006-17.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1732

Bug 6424567 - For Mozilla 1.4 and 1.7:

Mozilla contains a flaw with the handling of layered transparent images that may allow a malicious site to convince visitors to save the image and then fool them by uploading an executable instead. Should the user later double-click the saved "image" within a file manager, it would be executing with the privileges of the local user.

This issue is described in the following documents:

http://www.mozilla.org/security/announce/mfsa2006-13.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1736

Bug 6424568 - For Mozilla 1.4 and 1.7:

Mozilla contains a flaw in the browser's secure-site indicators that may allow a malicious site to spoof a local user into thinking they are still at a secure site.

This issue is described in the following documents:

http://www.mozilla.org/security/announce/mfsa2006-12.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1740

Bug 6415143 - For Mozilla 1.4 and 1.7:

Mozilla contains a flaw within DHTML which may allow a remote user the ability to execute arbitrary code with the privileges of the local user when an affected site is visited.

This issue is described in the following documents:

http://www.mozilla.org/security/announce/mfsa2006-20.html
http://www.kb.cert.org/vuls/id/350262
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1724

Bug 6415142 - For Mozilla 1.4 and 1.7:

Mozilla contains several flaws that may allow a remote attacker to execute arbitrary code. There exists a buffer overflow within the CSS border-rendering code that may allow the remote attacker to execute arbitrary code. There exists a 16-bit integer overflow that may allow a remote attacker to execute the supplied data as JavaScript bytecode. When programmatically changing the "-moz-grid" and "-moz-grid-group" display styles, a remote attacker may be able to execute arbitrary code. There exists a buffer overflow within the "InstallTrigger.install()" method that was introduced by the fix for mfsa2005-58.

This issue is described in the following documents:

http://www.mozilla.org/security/announce/mfsa2006-11.html
http://www.kb.cert.org/vuls/id/329500
http://www.kb.cert.org/vuls/id/252324
http://www.kb.cert.org/vuls/id/935556
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1737
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1739
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1790

Bug 6424573 - For Mozilla 1.4 and 1.7:

Mozilla contains a flaw within the JavaScript engine for routines that use temporary variables. This flaw may allow a malicious site to execute arbitrary code including installing software as the local user.

This issue is described in the following documents:

http://www.mozilla.org/security/announce/mfsa2006-10.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1742

Bug 6424574 - For Mozilla 1.4 and 1.7:

Mozilla contains a flaw that may allow a malicious site to inject JavaScript code into a new site using a modal alert. This vulnerability may allow an attacker to steal confidential information that the new site might contain.

This issue is described in the following documents:

http://www.mozilla.org/security/announce/mfsa2006-09.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1741

Bug 6424577 - For Mozilla 1.4 and 1.7:

Mozilla contains a flaw which may allow a Denial of Service (DOS) to occur when the browser displays a very long title.

This issue is described in the following documents:

http://www.mozilla.org/security/announce/mfsa2006-03.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4134

Bug 6424579 - For Mozilla 1.4 and 1.7:

Mozilla contains a flaw within the JavaScript engine which may cause a temporary variable to be freed during garbage collection. This flaw may be used by a remote attacker to execute arbitrary code with the permissions of the local user.

This issue is described in the following documents:

http://www.mozilla.org/security/announce/mfsa2006-01.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0292
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0293

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform

• Mozilla 1.4 (for Solaris 8)
• Mozilla 1.4 (for Solaris 9)
• Mozilla 1.7 (for Solaris 8 and 9) without patch 120671-02
• Mozilla 1.7 (for Solaris 10) without patch 119115-19

x86 Platform

• Mozilla 1.4 (for Solaris 8)
• Mozilla 1.4 (for Solaris 9)
• Mozilla 1.7 (for Solaris 8 and 9) without patch 120672-02
• Mozilla 1.7 (for Solaris 10) without patch 119116-19

Linux Platform

• Sun Java Desktop System (JDS) Release 2 without the updated RPMs

Note: These issues (for Mozilla 1.4) only occur with Mozilla versions "mozilla-1.4.1-224b" or earlier.

To determine the version of Mozilla on a Solaris system, the following command can be run:

    % /usr/sfw/bin/mozilla -version
    Mozilla 1.7, (Sun Java Desktop System), build 2005031721

To determine the release of JDS for Linux installed on a system, the following command can be run:

    % cat /etc/sun-release    
    Sun Java Desktop System, Release 2 -build 10b (GA)
    Assembled 30 March 2004

To determine the version of Mozilla on a Linux system, the following command (on JDS for Linux) can be run:

    % rpm -qf /usr/bin/mozilla 
    mozilla-1.4.1-224b

3. Symptoms

There are no predictable symptoms that would indicate the described issues have been exploited.

4. Workaround

Different issues will require different workarounds, as described in the following options/examples:

A) Disable JavaScript. To do this in Mozilla:

1. Open the Preferences dialog from the Edit menu
2. Select the Advanced tree
3. Select the Scripts & Plug-ins leaf
4. Uncheck the Navigator and Mail & Newsgroups check boxes
5. Click the OK button

Or:

1. Enter "about:config" in the location field
2. Enter "javascript.enabled" in the search field
3. Double click on the value and change it to false
4. Click the OK button

B) Visit only trusted web sites.

C) Use the default mail message embedding when forwarding a mail message. This can be done by setting the forwarding preference:

1. Open the Preferences dialog from the Edit menu
2. Select the Mail & Newsgroups tree
3. Select the Composition leaf
4. Set the Forward messages list to "As Attachment"
5. Click the OK button

D) Only download images from trusted web sites.

E) Turn off the "Entering encrypted site" warning dialog. To do this in Mozilla:

1. Enter "about:config" in the location field
2. Enter "security.warn" in the search field
3. Double click on each "security.warn" and change the value to false
4. click the OK button

F) Turn off the browser history. To do this in Mozilla:

1. Open the Preferences dialog from the Edit menu
2. Select the Navigator tree
3. On the History leaf, set the "remember duration" to 0 days

Or:

1. Enter "about:config" in the location field
2. Enter "browser.history_expires_day" in the search field
3. Double click on the value and change it to 0
4. Click the OK button

G) Remove the "history.dat" file. This can be done by running the following commands:

    % cd $HOME/.mozilla/<profile>/*
    % rm history.dat

All of these issues can be resolved by downloading and installing/upgrading to the latest Mozilla version from the Mozilla community website at http://www.mozilla.org/releases/#1.7.13

Linux Platform

• Sun Java Desktop System (JDS) Release 2 with the updated RPMs available at:

http://download.mozilla.org/?product=firefox-3.0.1&os=linux&lang=en-US

5. Resolution

This issue is addressed in the following releases:

SPARC Platform

• Mozilla 1.7 (for Solaris 8 and 9) with patch 120671-02 or later
• Mozilla 1.7 (for Solaris 10) with patch 119115-19 or later

x86 Platform

• Mozilla 1.7 (for Solaris 8 and 9) with patch 120672-02 or later
• Mozilla 1.7 (for Solaris 10) with patch 119116-19 or later

Systems running Mozilla 1.4 will need to upgrade to Mozilla 1.7 and apply the above patches to resolve this issue. Mozilla 1.7 can be downloaded at http://www.sun.com/download/index.jsp?cat=Desktop&tab=3&subcat=Web%20Browsers

Or from the Mozilla community website at http://www.mozilla.org/releases/#1.7.13

Note: For additional issues regarding patch 119116-19, please see Sun Alert 102612 at http://sunsolve.sun.com/search/document.do?assetkey=1-26-102612-1

Linux Platform

• Sun Java Desktop System (JDS) Release 2 with the updated RPMs (see "Workaround" section)
  

For more information on Security Sun Alerts, see Technical Instruction ID 213557.

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.

Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.

Modification History

26-Oct-2006: Updated Resolution section
07-Dec-2006: Updated Contributing Factors and Resolution sections
04-Jan-2007: Updated Contributing Factors
08-Sep-2008: Updated Workaround section for Linux; republish Resolved

Attachments

This solution has no attachment