Multiple Vulnerabilities in Mozilla based Web Browsers

Reported September 14, 2004, by Mozilla Security Group

VERSIONS AFFECTED

DESCRIPTION
Multiple vulnerabilities have been discovered in Mozilla, Mozilla Firefox, and Mozilla Thunderbird, the most severe of which could compromise a system. The vulnerabilities include the following:

• Various boundary errors in nsMsgCompUtils.cpp can be exploited to cause heap-based buffer overflows when a specially crafted email message is forwarded. Successful exploitation can potentially lead to execution of arbitrary code.
• Insufficient restrictions on script-generated events on text fields can be exploited to read and write content from and to the Clipboard.
• Boundary errors in the writeGroup() function in nsVCardObj.cpp can be exploited to cause stack-based buffer overflows by sending an email message containing a specially crafted vcard. Successful exploitation may allow execution of arbitrary code but requires that the malicious email message is opened in preview.
• Some boundary errors in nsPop3Protocol.cpp, which handles POP3 mail communications, can be exploited to cause buffer overflow by a malicious POP3 mail server when sending specially crafted responses. Successful exploitation may potentially allow execution of arbitrary code.
• A problem with overly long links that contain non-ASCII characters can be exploited via a malicious Web site or an email message to cause a buffer overflow, which potentially can lead to execution of arbitrary code.
• An integer overflow when parsing and displaying .bmp files can potentially be exploited to execute arbitrary code by supplying an overly wide malicious .bmp image via a malicious Web site or in an email message.
• Mozilla lets you drag links to another window or frame. This can be exploited by tricking a user on a malicious Web site to drag a specially crafted JavaScript link to another window. Successful exploitation can cause script code to execute in the context of that window. Further exploitation can--in combination with another unspecified vulnerability--lead to execution of arbitrary code.
• Signed scripts can request enhanced privileges, which requires that a user accept a security dialog box. The problem is that a malicious Web site can pass a specially crafted parameter, thereby making it possible to manipulate information displayed in the security dialog box. Successful exploitation lets a Web site trick users into accepting security dialog boxes, which will grant access to run arbitrary programs.
• Some files installed with the Linux installer are group- and world-writable. This capability can be exploited by malicious, local users to replace files, which can lead to execution of arbitrary code.
• Many files and directories in the Linux installation .tar.gz archives have the wrong owner and permissions. This condition can be exploited by malicious, local users to replace files when the umask utility is set to be ignored when unpacking. Successful exploitation can lead to execution of arbitrary code.
   

VENDOR RESPONSE
Mozilla recommends that affected users immediately upgrade to the latest release of software.

CREDIT
Discovered by Georgi Guninski, Wladimir Palant, Gael Delalleau, Mats Palmgren, Jesse Ruderman, Daniel Koukola, Andrew Schultz and Harald Milz.