Advisories MDVSA-2010:042: firefox

[paul]

Security issues were identified and fixed in firefox 3.0.x and 3.5.x:

 

Mozilla developers identified and fixed several stability bugs in the

browser engine used in Firefox and other Mozilla-based products. Some

of these crashes showed evidence of memory corruption under certain

circumstances and we presume that with enough effort at least some

of these could be exploited to run arbitrary code (CVE-2010-0159).

 

Security researcher Orlando Barrera II reported via TippingPoint's Zero

Day Initiative that Mozilla's implementation of Web Workers contained

an error in its handling of array data types when processing posted

messages. This error could be used by an attacker to corrupt heap

memory and crash the browser, potentially running arbitrary code on

a victim's computer (CVE-2010-0160).

 

Security researcher Alin Rad Pop of Secunia Research reported that

the HTML parser incorrectly freed used memory when insufficient space

was available to process remaining input. Under such circumstances,

memory occupied by in-use objects was freed and could later be filled

with attacker-controlled text. These conditions could result in the

execution or arbitrary code if methods on the freed objects were

subsequently called (CVE-2009-1571).

 

Security researcher Hidetake Jo of Microsoft Vulnerability Research

reported that the properties set on an object passed to showModalDialog

were readable by the document contained in the dialog, even when

the document was from a different domain. This is a violation of the

same-origin policy and could result in a website running untrusted

JavaScript if it assumed the dialogArguments could not be initialized

by another site. An anonymous security researcher, via TippingPoint's

Zero Day Initiative, also independently reported this issue to Mozilla

(CVE-2009-3988).

 

Mozilla security researcher Georgi Guninski reported that when a SVG

document which is served with Content-Type: application/octet-stream

is embedded into another document via an tag with

type=image/svg+xml, the Content-Type is ignored and the SVG document

is processed normally. A website which allows arbitrary binary data to

be uploaded but which relies on Content-Type: application/octet-stream

to prevent script execution could have such protection bypassed. An

attacker could upload a SVG document containing JavaScript as a binary

file to a website, embed the SVG document into a malicous page on

another site, and gain access to the script environment from the

SVG-serving site, bypassing the same-origin policy (CVE-2010-0162).

 

Packages for 2008.0 are provided for Corporate Desktop 2008.0

customers.

 

Additionally, some packages which require so, have been rebuilt and

are being provided as updates.