Summary
The host is installed with Mozilla firefox/thunderbird/seamonkey and is prone to enter key dialog bypass and use-after-free memory corruption vulnerabilities.
Impact
Successful exploitation will let attackers to, attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code.
Impact Level: System/Application
Solution
Upgrade to Mozilla Firefox version 7.0 or later,
For updates refer to http://www.mozilla.com/en-US/firefox/all.html
Upgrade to SeaMonkey version to 2.4 or later
http://www.mozilla.org/projects/seamonkey/
Upgrade to Thunderbird version to 7.0 or later
http://www.mozilla.org/en-US/thunderbird/
Insight
The flaws are due to
- not preventing manual add-on installation in response to the holding of the Enter key.
- a use-after-free error existing when parsing OGG headers.
Affected
SeaMonkey version prior to 2.4
Thunderbird version prior to 7.0
Mozilla Firefox version 4.x through 6
References
Severity
Classification
-
CVE CVE-2011-3001, CVE-2011-3005 -
CVSS Base Score: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C
Related Vulnerabilities
- Active Perl Locale::Maketext Module Multiple Code Injection Vulnerabilities (Windows)
- Adobe Flash Player Code Execution and DoS Vulnerabilities (Linux)
- Adobe AIR Multiple Vulnerabilities -01 April 13 (Windows)
- Adobe Acrobat Multiple Vulnerabilities April-2012 (Mac OS X)
- Adobe Air Multiple Vulnerabilities -01 May 13 (Mac OS X)