Release date:
Updated on: 2012-09-04
Affected Systems:
Mozilla Firefox < 15.0
Mozilla Firefox ESR < 10.0.7
Description:
--------------------------------------------------------------------------------
Bugtraq ID: 55308
CVE ID: CVE-2012-3973
Firefox is a very popular open-source web browser. Thunderbird is a mail client that supports the IMAP and POP protocols and HTML-formatted mail. SeaMonkey is an open-source web browser, mail and newsgroup client, IRC client, and HTML editor.
In versions earlier than Mozilla Firefox 15.0, when remote debugging is disabled, the debugger in the developer-tools subsystem does not properly restrict access to the remote debugging service. When the HTTPMonitor extension is present, attackers can connect to that service through the HTTPMonitor port and execute arbitrary code remotely.
<* Source: Mark Poticha
Link: http://www.mozilla.org/security/announce/2012/mfsa2012-66.html
*>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Mozilla
-------
Mozilla has released a security bulletin (mfsa2012-66) and patches for this issue:
MFSA 2012-66: HTTPMonitor extension allows for remote debugging without explicit activation
Link: http://www.mozilla.org/security/announce/2012/mfsa2012-66.html
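
To check an inventory against the affected versions listed above, the following added example (not part of the advisory or of Mozilla's tooling) compares each build with the fixed version of its own channel. The host names, version strings and the `channel` field are constructed assumptions about what an asset inventory provides.

```python
import re

# Fixed versions, taken from the "Affected Systems" list in the advisory.
RELEASE_FIXED = (15, 0, 0)   # Mozilla Firefox < 15.0 is affected
ESR_FIXED = (10, 0, 7)       # Mozilla Firefox ESR < 10.0.7 is affected

def parse_version(text):
    """Turn '14.0.1' or '10.0.6esr' into a 3-part (or longer) integer tuple."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))   # '15.0' -> (15, 0, 0)

def is_affected(version, channel):
    """Compare against the fixed version of the matching channel.

    The channel matters: a patched ESR 10.0.7 is numerically below 15.0,
    so a single '< 15.0' test would report it as vulnerable.
    """
    v = parse_version(version)
    if channel == "esr":
        return v < ESR_FIXED
    if channel == "release":
        return v < RELEASE_FIXED
    raise ValueError(f"unknown channel: {channel!r}")

def triage(inventory):
    """Return the hosts whose Firefox build falls in an affected range."""
    return [host for host, version, channel in inventory
            if is_affected(version, channel)]

# Constructed sample inventory: (host, version string, channel).
INVENTORY = [
    ("ws-01", "14.0.1", "release"),
    ("ws-02", "15.0", "release"),
    ("ws-03", "10.0.6esr", "esr"),
    ("ws-04", "10.0.7esr", "esr"),
]

if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: affected by CVE-2012-3973, update required")
```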