Impact
remote code execution
Solution
Please install the updated packages.
Insight
This security update updates various Mozilla browsers to their current security release.
- The Mozilla Firefox 3.0.x browser was updated to version 3.0.4.
- The Mozilla Firefox 2.0.0.x browsers were updated to version 2.0.0.18.
- On Novell Linux Desktop 9, the security patches were backported to Mozilla Firefox 1.5.0.14.
- Mozilla Thunderbird was updated to version 2.0.0.18.
- Mozilla Seamonkey was updated to version 1.1.13.
- mozilla-xulrunner190 was updated to version 1.9.0.4.
- mozilla-xulrunner181 and mozilla-xulrunner were updated to include all security fixes.
- On SUSE Linux Enterprise 9, the mozilla suite received backports of all security fixes.
The update fixes the following security issues:
MFSA 2008-48: Mozilla Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 do not properly change the source URI when processing a canvas element and an HTTP redirect, which allows remote attackers to bypass the same origin policy and access arbitrary images that are not directly accessible to the attacker. NOTE: this issue can be leveraged to enumerate software on the client by performing redirections related to moz-icon.
MFSA 2008-49: Mozilla Firefox 2.x before 2.0.0.18 and SeaMonkey 1.x before 1.1.13 do not properly check when the Flash module has been dynamically unloaded properly, which allows remote attackers to execute arbitrary code via a crafted SWF file that "dynamically unloads itself from an outside JavaScript function," which triggers an access of an expired memory address.
MFSA 2008-50: jslock.cpp in Mozilla Firefox 3.x before 3.0.2, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by modifying the window.__proto__.__proto__ object in a way that causes a lock on a non-native object, which triggers an assertion failure related to the OBJ_IS_NATIVE function.
MFSA 2008-51: Mozilla Firefox 3.x before 3.0.4 assigns chrome privileges to a file: URI when it is accessed in the same tab from a chrome or privileged about: page, which makes it easier for user-assisted attackers to execute arbitrar ...
Description truncated, for more information please check the Reference URL
Affected
MozillaFirefox, MozillaThunderbird, seamonkey on openSUSE 10.2, openSUSE 10.3, openSUSE 11.0, SUSE SLES 9, Novell Linux Desktop 9, Open Enterprise Server, Novell Linux POS 9, SUSE Linux Enterprise Desktop 10 SP1, SLE SDK 10 SP1, SLE SDK 10 SP2, SUSE Linux Enterprise Server 10 SP1, SUSE Linux Enterprise Desktop 10 SP2, SUSE Linux Enterprise 10 SP2 DEBUGINFO, SUSE Linux Enterprise Server 10 SP2
References
Updated on 2015-03-25
Severity
Classification
-
CVSS Base Score: 10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C