Security

New security releases for Firefox and Thunderbird

Security vulnerabilities in the Firefox browser and Thunderbird mail client are scary. Both tools are widely used, exposed to arbitrary data from the Internet, and used with important (and confidential) information. A widespread exploit has the potential to affect large numbers of people in highly unfortunate ways. So, whenever the Mozilla Project fixes a set of vulnerabilities, it's worth paying attention.

The recently released Firefox 1.5.0.4 addresses a fairly long list of vulnerabilities. Some of the most significant of those (the ones rated "critical") are:

There are also several vulnerabilities which are not considered to be quite as frightening, but which are still in need of fixing.

Thunderbird 1.5.0.4 is also out, with its own vulnerability list. Only one of these is deemed critical: a double-free error on an invalid VCard which appears to be exploitable. It is worth noting, however, that Thunderbird uses much of the Firefox code base for rendering HTML, so it can also suffer from Firefox's vulnerabilities. So, in particular, if a user allows the execution of JavaScript in incoming mail (an especially bad idea which is not the default behavior), most of the Firefox vulnerabilities listed above are also exploitable in Thunderbird.

There is another common theme found in all of the Firefox vulnerabilities: they can all be mitigated by turning off JavaScript. The sad fact is that executable content seems to be a hard thing to get right; it is an ongoing source of vulnerabilities in almost every context where it can be found. So it is not surprising that many people simply turn off JavaScript entirely. It is unfortunate that so many web sites are inaccessible to browsers running without JavaScript, forcing security-conscious users to enable a problematic feature they might prefer to do without.

(See the LWN vulnerability entry for distributor updates addressing these problems. As of this writing, the list of updates is discouragingly short, with only Slackware and rPath getting fixes out within the first couple of days after disclosure.)

New vulnerabilities

evolution: denial of service

Package(s): evolution
CVE #(s):
Created: June 1, 2006
Updated: June 6, 2006
Description: Evolution is vulnerable to a denial of service attack. The display of maliciously crafted images can crash the application if the "Load images if sender is in address book" option is enabled.
Alerts:
Mandriva MDKSA-2006:094 evolution 2006-06-01

mozilla products have multiple vulnerabilities

Package(s): mozilla seamonkey firefox thunderbird
CVE #(s): CVE-2006-2775 CVE-2006-2776 CVE-2006-2777 CVE-2006-2778 CVE-2006-2779 CVE-2006-2780 CVE-2006-2782 CVE-2006-2783 CVE-2006-2784 CVE-2006-2785 CVE-2006-2786 CVE-2006-2787
Created: June 5, 2006
Updated: August 2, 2006
Description: There are multiple vulnerabilities in products based on Mozilla components, particularly Gecko. This CERT advisory contains details.
Alerts:
Debian DSA-1134-1 mozilla-thunderbird 2006-08-02
Ubuntu USN-297-3 mozilla-thunderbird 2006-07-26
Ubuntu USN-323-1 mozilla 2006-07-25
Ubuntu USN-296-2 firefox, mozilla-firefox 2006-07-25
Debian DSA-1120-1 mozilla-firefox 2006-07-23
Debian DSA-1118-1 mozilla 2006-07-22
Red Hat RHSA-2006:0578-01 seamonkey 2006-07-20
SuSE SUSE-SA:2006:035 MozillaFirefox,MozillaThunderbird,Seamonkey 2006-06-23
Gentoo 200606-21 mozilla-thunderbird 2006-06-19
Fedora FEDORA-2006-717 thunderbird 2006-06-15
Fedora FEDORA-2006-715 firefox 2006-06-15
Ubuntu USN-297-2 thunderbird 2006-06-15
Ubuntu USN-297-1 mozilla-thunderbird 2006-06-13
Gentoo 200606-12 mozilla-firefox 2006-06-11
Slackware SSA:2006-155-02 mozilla 2006-06-05
rPath rPSA-2006-0091-1 firefox 2006-06-02

mysql: SQL injection vulnerability

Package(s): mysql
CVE #(s): CVE-2006-2753
Created: June 2, 2006
Updated: June 16, 2006
Description: This MySQL 4.1.20 release announcement covers an SQL injection vulnerability.
Alerts:
Ubuntu USN-303-1 mysql-dfsg-4.1, mysql-dfsg-5.0 2006-06-16
Fedora FEDORA-2006-702 mysql 2006-06-13
Fedora FEDORA-2006-703 mysql 2006-06-13
Gentoo 200606-13 mysql 2006-06-11
Red Hat RHSA-2006:0544-01 mysql 2006-06-09
Trustix TSLSA-2006-0034 binutils, mysql, spamassassin 2006-06-09
Mandriva MDKSA-2006:097 MySQL 2006-06-07
Debian DSA-1092-1 mysql-dfsg-4.1 2006-06-08
Slackware SSA:2006-155-01 mysql 2006-06-05
rPath rPSA-2006-0089-1 mysql 2006-06-01

rug: remote command execution

Package(s): rug
CVE #(s): CVE-2006-2703
Created: June 1, 2006
Updated: June 6, 2006
Description: The rug tool from the RedCarpet remote administration utility does not verify SSL certificates from the server, leaving it vulnerable to a man-in-the-middle attack. An attacker can read traffic and insert commands.

Also, the /etc/ximian/rcd.conf file permissions are set incorrectly, leaving the rc password exposed.

Alerts:
SuSE SUSE-SA:2006:029 rug 2006-05-31

spamassassin: arbitrary command execution

Package(s): spamassassin
CVE #(s): CVE-2006-2447
Created: June 6, 2006
Updated: June 15, 2006
Description: A vulnerability has been discovered in SpamAssassin, a Perl-based spam filter using text analysis, that can allow remote attackers to execute arbitrary commands. This problem only affects systems where spamd is reachable via the internet and used with vpopmail virtual users, via the "-v" / "--vpopmail" switch, and with the "-P" / "--paranoid" switch.
Alerts:
Mandriva MDKSA-2006:103 spamassassin 2006-06-14
Gentoo 200606-09 spamassassin 2006-06-11
rPath rPSA-2006-0096-1 spamassassin 2006-06-07
Red Hat RHSA-2006:0543-01 spamassassin 2006-06-06
Fedora FEDORA-2006-598 spamassassin 2006-06-06
Fedora FEDORA-2006-658 spamassassin 2006-06-06
Debian DSA-1090-1 spamassassin 2006-06-06

xmcd: insecure file permissions

Package(s): xmcd
CVE #(s): CVE-2006-2542
Created: June 2, 2006
Updated: June 6, 2006
Description: xmcdconfig creates world-writable directories, allowing local users to fill the /usr and /var partitions and hence cause a denial of service. This problem has been half-fixed since version 2.3-1.
Alerts:
Debian DSA-1086-1 xmcd 2006-06-02

Page editor: Jonathan Corbet


Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds