Mozilla Firefox/Thunderbird/SeaMonkey Memory Corruption Vulnerability

Release date:
Updated on:

Affected Systems:
Mozilla Firefox 3.5.11-3.6.10
Mozilla Thunderbird 3.0-3.1.5
Mozilla SeaMonkey 2.0.1-2.0.10
Unaffected system:
Mozilla Firefox 3.6.13
Mozilla Firefox 3.5.16
Mozilla Thunderbird 3.1.7
Mozilla Thunderbird 3.0.11
Mozilla SeaMonkey 2.0.11
Description:
--------------------------------------------------------------------------------
Bugtraq id: 45348, 45348, 45351
Cve id: CVE-2010-3769, CVE-2010-3766, CVE-2010-3767, CVE-2010-3768, CVE-2010-3769, CVE-2010-3770, CVE-2010-3771, CVE-2010-3772, CVE-2010-3773, CVE-2010-3774, CVE-2010-3775

Firefox is a very popular open-source WEB browser. Thunderbird is a mail client that supports IMAP, POP protocol, and HTML format. SeaMonkey is an open-source Web browser, mail and newsgroup client, IRC session client, and HTML editor.

Mozilla Firefox, Thunderbird, and SeaMonkey vulnerabilities allow attackers to execute cross-site scripting and spoofing attacks in affected applications, bypass certain security restrictions, and control user systems.

This vulnerability originated from
1) multiple errors in the browser engine can cause memory corruption and arbitrary code execution;
2) when processing a line change, the string passed to "document. write ()" is too long, which may cause reading data from the out-of-bounds memory location and executing arbitrary code.
3) an error occurs when you use "window. open ()" to open a new window. As a result, the "<isindex>" element is used to execute arbitrary JavaScript code with chrome permissions.
4) When an error occurs while processing the <treechildren> <div> element nested in the XUL Tree, the memory is corrupted and arbitrary code is executed.
5) when loading through the "data:" URL, an error occurs in Java LiveConnect, resulting in reading arbitrary files, starting arbitrary processes, and establishing network links.
6) An error occurred while handling the "nsDOMAttribute" node, causing memory corruption and arbitrary code execution.
7) the integer overflow vulnerability exists during array creation, causing memory corruption and arbitrary code execution.
8) XMLHttpRequestSpy object errors, resulting in JavaScript code execution.
9) an error occurs when processing documents without a solid Source Association. As a result, the same-origin policy is bypassed, the URL of the trusted site is changed, and the user is deceived to access the open site. The following error occurs: about: config or about: neterror page.
10) when processing Mac character set encoding, an error occurs in the presentation engine, resulting in arbitrary JavaScript code execution on the target website;

<* Source: Dirk Heinrich
Jesee Ruderman
Andreas Gal (http://www.andreasgal.com /)
Nils
Echo
Wooshi@gmail.com (wushi)
Yosuke Hasegawa

Link: http://www.mozilla.org/security/announce/2010/mfsa2010-75.html
Http://www.mozilla.org/security/announce/2010/mfsa2010-74.html
Http://www.mozilla.org/security/announce/2010/mfsa2010-75.html
Http://www.mozilla.org/security/announce/2010/mfsa2010-76.html
Http://www.mozilla.org/security/announce/2010/mfsa2010-77.html
Http://www.mozilla.org/security/announce/2010/mfsa2010-78.html
Http://www.mozilla.org/security/announce/2010/mfsa2010-79.html
Http://www.mozilla.org/security/announce/2010/mfsa2010-80.html
Http://www.mozilla.org/security/announce/2010/mfsa2010-81.html
Http://www.mozilla.org/security/announce/2010/mfsa2010-82.html
Http://www.mozilla.org/security/announce/2010/mfsa2010-83.html
Http://www.mozilla.org/security/announce/2010/mfsa2010-84.html
Http://www.mozilla.org/security/announce/2010/mfsa2010-83.html
*>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Mozilla
-------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://www.mozilla.org/