Multiple Security Vulnerabilities in Firefox Versions Before 2.0.0.19 May Allow Execution of Arbitrary Code or Access to Unauthorized Data
| Category : | Security |
| Release Phase : | Resolved |
| Bug Id : | 6786624 |
| Product : | Firefox 2.0, Solaris 10 Operating System, OpenSolaris |
| Date of Resolved Release : | 07-Apr-2009 |
1. Impact
Multiple security vulnerabilities in firefox(1) versions prior to 2.0.0.19 shipped with Solaris 10 may allow an unprivileged remote user to execute arbitrary code on the system where firefox(1) is being run, gain unauthorized access to sensitive data, perform Cross-Site Scripting (XSS) attacks to bypass access controls, read or modify data in other web sites, or inject code into web pages to obtain sensitive data from the user or information stored in cookies.
Certain vulnerabilities may also allow a user to crash the firefox(1) application, which is a type of Denial of Service (DoS).
The following URL provides additional details about the vulnerabilities addressed in Firefox versions prior to 2.0.0.19:
http://www.mozilla.org/security/known-vulnerabilities/firefox20.html
The following CVEs correspond to the Mozilla Foundation Security Advisories referenced in the above URL for Firefox versions 2.0.0.15 through 2.0.0.19:
2. Contributing Factors
These issues can occur in the following releases:
SPARC Platform
- Firefox 2.0 for Solaris 10 without patch 125539-06
- OpenSolaris based upon builds snv_89 through snv_94
x86 Platform
- Firefox 2.0 for Solaris 10 without patch 125540-06
- OpenSolaris based upon builds snv_89 through snv_94
Notes:
1. Solaris 8 and Solaris 9 do not ship Firefox and therefore are not affected by these issues.
2. Firefox 2.x is no longer shipped with OpenSolaris starting with snv_95, which includes Firefox 3.x.
3. Symptoms
There are no predictable symptoms that would indicate the described
issues have been exploited.
4. Workaround
For the following Mozilla Foundation Security Advisories there is a workaround of disabling JavaScript:
For Mozilla Foundation Security Advisory MFSA 2008-35, the following is
a workaround:
This attack only works if the user is using another internet-connected
application with Firefox not running. Using Firefox, or making sure it
is at least running, prevents this attack.
For Mozilla Foundation Security Advisory MFSA 2008-40, the following is
a workaround:
1. Open Options/Preferences dialog
2. Go to the "Content" tab
3. Click the "Advanced..." button on the same line as the "Enable JavaScript" checkbox
4. Uncheck the "Move or resize existing windows" box.
5. Resolution
These issues are addressed in the following releases:
SPARC Platform
- Firefox 2.0 for Solaris 10 with patch 125539-06 or later
- OpenSolaris based upon builds snv_95 or later
x86 Platform
- Firefox 2.0 for Solaris 10 with patch 125540-06 or later
- OpenSolaris based upon builds snv_95 or later
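The patch and build criteria in sections 2 and 5 can be checked mechanically. The shell functions below are an added example, not part of the Sun Alert; the function names are hypothetical, the inputs are assumed to be the text of `uname -p`, `showrev -p` and `uname -v`, and the Solaris 10 check assumes Firefox 2.0 is installed.

```shell
#!/bin/sh
# Added example (not from the Sun Alert): classify a host against the alert's criteria.
# Inputs are passed as text so captured command output can be checked offline.

# Patch ID the alert names for a platform string as printed by `uname -p`.
required_patch() {
    case "$1" in
        sparc) echo 125539 ;;
        i386)  echo 125540 ;;
        *)     return 1 ;;
    esac
}

# highest_rev PATCHID SHOWREV_TEXT: highest installed revision of PATCHID, empty if none.
# Only field 2 of each "Patch:" line is read, so IDs under Obsoletes/Requires are ignored.
highest_rev() {
    printf '%s\n' "$2" | awk -v id="$1" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == id && p[2] + 0 >= max) { max = p[2] + 0; found = 1 }
        }
        END { if (found) print max }'
}

# solaris10_status ARCH SHOWREV_TEXT: patched | unpatched | unknown.
# Assumes Firefox 2.0 is installed; a host without it is outside the alert.
solaris10_status() {
    id=$(required_patch "$1") || { echo unknown; return; }
    rev=$(highest_rev "$id" "$2")
    if [ -n "$rev" ] && [ "$rev" -ge 6 ]; then echo patched; else echo unpatched; fi
}

# opensolaris_status BUILD (e.g. from `uname -v`): affected | fixed | not-listed | unknown.
opensolaris_status() {
    case "$1" in snv_[0-9]*) ;; *) echo unknown; return ;; esac
    n=$(printf '%s' "${1#snv_}" | sed 's/[^0-9].*$//')   # snv_111b -> 111
    if [ "$n" -ge 95 ]; then echo fixed
    elif [ "$n" -ge 89 ]; then echo affected
    else echo not-listed            # builds before snv_89 are not covered by the alert
    fi
}

# Constructed sample in `showrev -p` layout, not output captured from a real host.
SAMPLE='Patch: 125539-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWfirefox
Patch: 999999-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample'

echo "Solaris 10 SPARC sample: $(solaris10_status sparc "$SAMPLE")"
echo "OpenSolaris snv_94: $(opensolaris_status snv_94)"
```

On a live host the arguments would come from `"$(uname -p)"`, `"$(showrev -p)"` and `"$(uname -v)"`; a patch that supersedes the listed IDs under a different number is not recognised by this check.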
For more information on Security Sun Alerts, see Technical Instruction ID 213557.
This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This
Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.