SuSE Update for MozillaFirefox,MozillaThunderbird,Seamonkey SUSE-SA:2007:049

Impact
remote code execution
Solution
Please Install the Updated Packages.
Insight
Various security problems were found and fixed in Mozilla Firefox, Thunderbird and Seamonkey. Some of them received version updates, but the Firefox and Thunderbird 1.5.0.12 versions received backports. The updates have been released over the last 10 days and the last were released today. Following security problems were fixed: - MFSA 2007-18: Crashes with evidence of memory corruption The usual collection of stability fixes for crashes that look suspicious but haven't been proven to be exploitable. 25 were in the browser engine, reported by Mozilla developers and community members Bernd Mielke, Boris Zbarsky, David Baron, Daniel Veditz, Jesse Ruderman, Lukas Loehrer, Martijn Wargers, Mats Palmgren, Olli Pettay, Paul Nickerson,and Vladimir Sukhoy CVE-2007-3734 7 were in the JavaScript engine reported by Asaf Romano, Jesse Ruderman, Igor Bukanov CVE-2007-3735 - CVE-2007-3736: XSS using addEventListener and setTimeout moz_bug_r_a4 reported that scripts could be injected into another site's context by exploiting a timing issue using addEventLstener or setTimeout. - CVE-2007-3089: frame spoofing Ronen Zilberman and Michal Zalewski both reported that it was possible to exploit a timing issue to inject content into about:blank frames in a page. - CVE-2007-3737: Privilege escalation using an event handler attached to an element not in the document Reported by moz_bug_r_a4. - CVE-2007-3285: File type confusion due to %00 in name Ronald van den Heetkamp reported that a filename URL containing %00 (encoded null) can cause Firefox to interpret the file extension differently than the underlying Windows operating system potentially leading to unsafe actions such as running a program. - CVE-2007-3670: Remote code execution by launching Firefox from Internet Explorer Greg MacManus of iDefense and Billy Rios of Verisign independently reported that links containing a quote (&quot ) character could be used in Internet Explorer to launch registered URL Protocol handlers with extra command-line parameters. Firefox and Thunderbird are among those which can be launched, and both support a &quot -chrome&quot option that could be used to run malware. This problem does not affect Linux. - CVE-2007-3656: unauthorized access to wyciwyg:// documents Michal Zalewski reported that it was possible to bypass the same-origin checks and read from cached (wyciwyg) documents Description truncated, for more information please check the Reference URL.
Affected
MozillaFirefox,MozillaThunderbird,Seamonkey on SUSE LINUX 10.1, openSUSE 10.2, SuSE Linux Enterprise Server 8, SUSE SLES 9, Novell Linux Desktop 9, Open Enterprise Server, Novell Linux POS 9, SUSE Linux Enterprise Desktop 10 SP1, SUSE Linux Enterprise Server 10 SP1
References