
CERT-In Advisory CIAD-2006-41
Multiple Vulnerabilities in Mozilla Products

Original issue date: November 13, 2006

Severity Rating: High

Systems Affected

  • Mozilla Firefox version 1.5.0.7 and prior
  • Mozilla Thunderbird version 1.5.0.7 and prior
  • Mozilla SeaMonkey version 1.0.5 and prior

Overview

Multiple vulnerabilities have been reported in Mozilla products which could be exploited by remote attackers to execute arbitrary code on the affected system and bypass certain security restrictions.

Description

1. Mozilla Network Security Services library fails to properly verify RSA signatures (CVE-2006-5462)

A vulnerability has been reported in Mozilla because it fails to properly verify RSA digital signatures: data at the end of a signature is ignored during verification. This could allow remote attackers to forge an RSA signature and bypass security restrictions.

This vulnerability may affect any application that uses the Mozilla NSS library, including SSL/TLS and email certificate verification.
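The check at issue, as an added example that is not part of this advisory or of NSS: a verifier for the PKCS#1 v1.5 encoded message (RFC 3447) that such RSA signatures carry, in two forms. The lenient form parses the DigestInfo from the front and ignores whatever follows it; the strict form rebuilds the expected encoded message and compares it whole. The RSA modular exponentiation is left out, and the input with trailing bytes is constructed here purely as a test case.

```python
import hashlib
import hmac

# DER-encoded DigestInfo prefix for SHA-1, from RFC 3447 section 9.2, note 1.
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def digest_info(msg: bytes) -> bytes:
    """T = DigestInfo prefix || SHA-1(msg)."""
    return SHA1_DIGESTINFO_PREFIX + hashlib.sha1(msg).digest()

def encode_pkcs1v15(msg: bytes, em_len: int, trailing: bytes = b"") -> bytes:
    """EM = 0x00 || 0x01 || PS || 0x00 || T, with PS = 0xFF bytes up to em_len.

    `trailing` is a constructed test hook (not part of the standard): bytes
    appended after T, with PS shortened to compensate, to model a signature
    carrying data past the DigestInfo. A correct encoding has trailing == b"".
    """
    t = digest_info(msg) + trailing
    ps_len = em_len - len(t) - 3
    if ps_len < 8:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t

def verify_lenient(em: bytes, msg: bytes) -> bool:
    """Parses T from the front and never checks that it reaches the end of EM.
    This is the class of defect the advisory describes for CVE-2006-5462."""
    if em[:2] != b"\x00\x01":
        return False
    sep = em.find(b"\x00", 2)
    if sep < 0:
        return False
    t = em[sep + 1:]
    expected_t = digest_info(msg)
    # Anything after the hash bytes is silently ignored.
    return hmac.compare_digest(t[:len(expected_t)], expected_t)

def verify_strict(em: bytes, msg: bytes) -> bool:
    """Rebuilds the expected EM and compares it byte for byte (RFC 3447
    section 8.2.2 step 4), so any extra byte after T fails verification."""
    try:
        expected = encode_pkcs1v15(msg, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)

def demo() -> tuple:
    """Returns (lenient/good, strict/good, lenient/trailing, strict/trailing)."""
    msg = b"constructed sample message"
    good = encode_pkcs1v15(msg, 128)
    # Same length and same hash as `good`, but 16 junk bytes after the DigestInfo.
    padded = encode_pkcs1v15(msg, 128, trailing=b"\x41" * 16)
    return (verify_lenient(good, msg), verify_strict(good, msg),
            verify_lenient(padded, msg), verify_strict(padded, msg))
```

Only the strict verifier rejects the block with trailing bytes; the lenient one accepts it because it stops reading once it has matched the hash.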

2. Mozilla arbitrary JavaScript bytecode execution vulnerability (CVE-2006-5463)

A vulnerability has been reported in Mozilla in the handling of JavaScript objects. This could allow a remote attacker to execute arbitrary JavaScript bytecode by modifying already running script objects.

Exploiting this vulnerability requires JavaScript to be enabled.

3. Multiple memory corruption vulnerabilities (CVE-2006-5464, CVE-2006-5747, CVE-2006-5748)

Multiple vulnerabilities have been reported in Mozilla due to memory corruption errors in the layout engine, the JavaScript engine and XML.prototype.hasOwnProperty while handling simultaneous events. These could be exploited by remote attackers to execute arbitrary commands.

Vendor Information

Mozilla Foundation
http://www.mozilla.org

Solution

Upgrade to Firefox 1.5.0.8, Thunderbird 1.5.0.8, and SeaMonkey 1.0.6.
http://www.mozilla.org/products/


References

Mozilla Foundation Security Advisories
http://www.mozilla.org/security/announce/2006/mfsa2006-65.html
http://www.mozilla.org/security/announce/2006/mfsa2006-66.html
http://www.mozilla.org/security/announce/2006/mfsa2006-67.html

FrSIRT
http://www.frsirt.com/english/advisories/2006/4387

Secunia
http://secunia.com/advisories/22722/

Security Focus
http://www.securityfocus.com/archive/1/451104

US-CERT
http://www.us-cert.gov/cas/techalerts/TA06-312A.html

CVE Names
CVE-2006-5462
CVE-2006-5463
CVE-2006-5464
CVE-2006-5747
CVE-2006-5748

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003