USN-920-1: Firefox 3.0 and Xulrunner vulnerabilities


 
04-09-2010

Referenced CVEs:
CVE-2010-0174, CVE-2010-0175, CVE-2010-0176, CVE-2010-0177, CVE-2010-0178, CVE-2010-0179


Description:
===========================================================
Ubuntu Security Notice USN-920-1             April 09, 2010
firefox-3.0, xulrunner-1.9 vulnerabilities
CVE-2010-0174, CVE-2010-0175, CVE-2010-0176, CVE-2010-0177,
CVE-2010-0178, CVE-2010-0179
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  firefox-3.0     3.0.19+nobinonly-0ubuntu0.8.04.1
  xulrunner-1.9   1.9.0.19+nobinonly-0ubuntu0.8.04.1

Ubuntu 8.10:
  abrowser        3.0.19+nobinonly-0ubuntu0.8.10.1
  firefox-3.0     3.0.19+nobinonly-0ubuntu0.8.10.1
  xulrunner-1.9   1.9.0.19+nobinonly-0ubuntu0.8.10.1

Ubuntu 9.04:
  abrowser        3.0.19+nobinonly-0ubuntu0.9.04.1
  firefox-3.0     3.0.19+nobinonly-0ubuntu0.9.04.1
  xulrunner-1.9   1.9.0.19+nobinonly-0ubuntu0.9.04.1

After a standard system upgrade you need to restart Firefox and any
applications that use Xulrunner to effect the necessary changes.

Details follow:

Martijn Wargers, Josh Soref, Jesse Ruderman, and Ehsan Akhgari discovered
flaws in the browser engine of Firefox. If a user were tricked into viewing
a malicious website, a remote attacker could cause a denial of service or
possibly execute arbitrary code with the privileges of the user invoking
the program. (CVE-2010-0174)

It was discovered that Firefox could be made to access previously freed
memory. If a user were tricked into viewing a malicious website, a remote
attacker could cause a denial of service or possibly execute arbitrary code
with the privileges of the user invoking the program. (CVE-2010-0175,
CVE-2010-0176, CVE-2010-0177)

Paul Stone discovered that Firefox could be made to change a mouse click
into a drag and drop event. If the user could be tricked into performing
this action twice on a crafted website, an attacker could execute
arbitrary JavaScript with chrome privileges. (CVE-2010-0178)

It was discovered that the XMLHttpRequestSpy module as used by the Firebug
add-on could be used to escalate privileges within the browser. If the user
had the Firebug add-on installed and were tricked into viewing a malicious
website, an attacker could potentially run arbitrary JavaScript.
(CVE-2010-0179)




