CERT-In Vulnerability Note CIVN-2006-36
Mozilla Firefox Deleted Object Reference Remote Code Execution Vulnerability
Original Issue Date: May 05, 2006
Severity Rating:
High
Systems Affected
Overview
A vulnerability has been reported in Mozilla Firefox which could be exploited by remote attackers to cause a denial of service or execute arbitrary code.
Description
The vulnerability exists in the Mozilla Firefox browser due to a reference to a deleted controller context object when design mode is on. The flaw lies in the implementation of the base command controller functions, where objects are not properly initialized. This vulnerability could be exploited by remote attackers to take complete control of the affected system by tricking a user into visiting a malicious web page.
This bug can be triggered via the iframe.contentWindow.focus() function and potentially other functions.
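Because the only fix is the upgrade named below, a defender's first task is finding clients that still run an older Firefox. The following script is an added example (not part of the CERT-In note) that scans Apache combined-format access log lines, extracts the Firefox version from the User-Agent field, and reports every client older than 1.5.0.3; the log lines are constructed, and the log format and field positions are assumptions.

```python
import re

# Firefox release that fixes CVE-2006-1993, per the advisory.
FIXED_VERSION = (1, 5, 0, 3)

# Firefox user agents end in "Firefox/<version>", e.g. "... Gecko/20060308 Firefox/1.5.0.2".
UA_VERSION_RE = re.compile(r"Firefox/(\d+(?:\.\d+)*)")
# In Apache combined format the User-Agent is the last quoted field on the line (assumption).
LAST_QUOTED_RE = re.compile(r'"([^"]*)"\s*$')

def parse_version(text):
    """Turn '1.5.0.2' (or a short form like '1.5') into a 4-tuple for comparison."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])

def firefox_version(user_agent):
    """Return the Firefox version string from a UA, or None for non-Firefox clients."""
    m = UA_VERSION_RE.search(user_agent)
    return m.group(1) if m else None

def is_vulnerable(version_text):
    """True when the reported Firefox version is older than the fixed release."""
    return parse_version(version_text) < FIXED_VERSION

def find_vulnerable_clients(log_lines):
    """Return (client_ip, firefox_version) for each line from a Firefox older than 1.5.0.3."""
    hits = []
    for line in log_lines:
        ua_match = LAST_QUOTED_RE.search(line)
        if not ua_match:
            continue                      # malformed line: skip rather than guess
        version = firefox_version(ua_match.group(1))
        if version is not None and is_vulnerable(version):
            hits.append((line.split(" ", 1)[0], version))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/May/2006:10:00:00 +0530] "GET /index.html HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2"',
    '192.0.2.11 - - [05/May/2006:10:00:05 +0530] "GET /index.html HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3"',
    '192.0.2.12 - - [05/May/2006:10:00:09 +0530] "GET /index.html HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"',
    '192.0.2.13 - - [05/May/2006:10:00:12 +0530] "GET /index.html HTTP/1.1" 200 512 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
]

if __name__ == "__main__":
    for ip, version in find_vulnerable_clients(SAMPLE_LOG):
        print(f"{ip} still runs Firefox {version} (older than 1.5.0.3)")
```

Short versions such as "1.5" are padded before comparison so they are not missed, and non-Firefox clients are ignored rather than flagged.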
Solution
Upgrade to Mozilla Firefox 1.5.0.3:
http://www.mozilla.com/firefox/all.html
Vendor Information
www.mozilla.org
References
Mozilla
http://www.mozilla.org/security/announce/2006/mfsa2006-30.html
FrSirt
http://www.frsirt.com/english/advisories/2006/1614
NVD
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1993
Security Tracker
http://securitytracker.com/alerts/2006/Apr/1015981.html
Security Focus
http://www.securityfocus.com/bid/17671
Secunia
http://secunia.com/advisories/19802
Other References:
https://bugzilla.mozilla.org/show_bug.cgi?id=334515
CVE Name
CVE-2006-1993
Revisions:
March 24, 2006: Workarounds, Vendor Information and CVE Name.
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91 11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
