Login or Register to Ask a Question and Join Our Community


Security Advisories (RSS)

USN-895-1: Firefox 3.0 and Xulrunner 1.9 vulnerabilities

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Special Forums Cybersecurity Security Advisories (RSS) USN-895-1: Firefox 3.0 and Xulrunner 1.9 vulnerabilities
# 1  
Old 02-17-2010
USN-895-1: Firefox 3.0 and Xulrunner 1.9 vulnerabilities
Referenced CVEs:
CVE-2009-1571, CVE-2009-3988, CVE-2010-0159, CVE-2010-0160, CVE-2010-0162


Description:
===========================================================Ubuntu Security Notice USN-895-1 February 17, 2010firefox-3.0, xulrunner-1.9 vulnerabilitiesCVE-2009-1571, CVE-2009-3988, CVE-2010-0159, CVE-2010-0160,CVE-2010-0162===========================================================A security issue affects the following Ubuntu releases:Ubuntu 8.04 LTSUbuntu 8.10Ubuntu 9.04This advisory also applies to the corresponding versions ofKubuntu, Edubuntu, and Xubuntu.The problem can be corrected by upgrading your system to thefollowing package versions:Ubuntu 8.04 LTS: firefox-3.0 3.0.18+build1+nobinonly-0ubuntu0.8.04.1 xulrunner-1.9 1.9.0.18+build1+nobinonly-0ubuntu0.8.04.1Ubuntu 8.10: abrowser 3.0.18+build1+nobinonly-0ubuntu0.8.10.1 firefox-3.0 3.0.18+build1+nobinonly-0ubuntu0.8.10.1 xulrunner-1.9 1.9.0.18+build1+nobinonly-0ubuntu0.8.10.1Ubuntu 9.04: abrowser 3.0.18+build1+nobinonly-0ubuntu0.9.04.1 firefox-3.0 3.0.18+build1+nobinonly-0ubuntu0.9.04.1 xulrunner-1.9 1.9.0.18+build1+nobinonly-0ubuntu0.9.04.1After a standard system upgrade you need to restart Firefox and anyapplications that use xulrunner to effect the necessary changes.Details follow:Several flaws were discovered in the browser engine of Firefox. If a userwere tricked into viewing a malicious website, a remote attacker couldcause a denial of service or possibly execute arbitrary code with theprivileges of the user invoking the program. (CVE-2010-0159)Orlando Barrera II discovered a flaw in the Web Workers implementation ofFirefox. If a user were tricked into posting to a malicious website, anattacker could cause a denial of service or possibly execute arbitrary codewith the privileges of the user invoking the program. (CVE-2010-0160)Alin Rad Pop discovered that Firefox's HTML parser would incorrectly freememory under certain circumstances. If the browser could be made to accessthese freed memory objects, an attacker could exploit this to executearbitrary code with the privileges of the user invoking the program.(CVE-2009-1571)Hidetake Jo discovered that the showModalDialog in Firefox did not alwayshonor the same-origin policy. An attacker could exploit this to rununtrusted JavaScript from other domains. (CVE-2009-3988)Georgi Guninski discovered that the same-origin check in Firefox could bebypassed by utilizing a crafted SVG image. If a user were tricked intoviewing a malicious website, an attacker could exploit this to read datafrom other domains. (CVE-2010-0162)





More...
Login or Register to Ask a Question

Previous Thread | Next Thread
Login or Register to Ask a Question