Free Republic

U.S. CERT Cyber Security Alert SA04-261A Multiple vulnerabilities in Mozilla products
United States Computer Emergency Readiness Team | September 17, 2004 | U.S.-CERT (Computer Emergency Readiness Team)

Posted on 09/17/2004 4:02:07 PM PDT by Stoat

US-CERT

National Cyber Alert System
Cyber Security Alert SA04-261A archive

Multiple vulnerabilities in Mozilla products

Original release date: September 17, 2004
Last revised: --
Source: US-CERT


Systems Affected

  • Mozilla Suite (Mozilla web browser, Mozilla Mail)
  • Firefox web browser
  • Thunderbird email client


Overview

By taking advantage of one or more vulnerabilities in Mozilla products, an attacker may be able to take control of your computer.


Solution

Upgrade to the latest version

Mozilla has released updated versions of the affected products. You can download the latest versions:


Description

There are vulnerabilities in various features of Mozilla's web browsers and email clients. Some of the vulnerabilities are connected to the way the application handles URLs or images. In one instance, an attacker could cause an application to crash or could take control of your computer by convincing you to view a malicious web site or email message.

For more technical information, see US-CERT Technical Alert TA04-261A.


References



Feedback can be directed to US-CERT.


Copyright 2004 Carnegie Mellon University. Terms of use

Revision History

September 17, 2004: Initial release

Last updated September 17, 2004



TOPICS: Announcements; Business/Economy; Technical
KEYWORDS: browser; computer; computing; firefox; internet; mozilla; secruity; thunderbird; uscert
Uber-Geeks please see the "technical" version of this alert at:

http://www.us-cert.gov/cas/techalerts/TA04-261A.html

1 posted on 09/17/2004 4:02:09 PM PDT by Stoat

To: Stoat
Quite a few actually

Several vulnerabilities have been reported in the Mozilla web browser and derived products. More detailed information is available in the individual vulnerability notes:

VU#414240 - Mozilla Mail vulnerable to buffer overflow via writeGroup() function in nsVCardObj.cpp

Mozilla Mail contains a stack overflow vulnerability in the display routines for VCards. By sending an email message with a crafted VCard, a remote attacker may be able to execute arbitrary code on the victim's machine with the privileges of the current user. This can be exploited in the preview mode as well.

VU#847200 - Mozilla contains integer overflows in bitmap image decoder

A vulnerability in the way Mozilla and its derived programs handle certain bitmap images could allow a remote attacker to execute arbitrary code on a vulnerable system.

VU#808216 - Mozilla contains heap overflow in UTF8 conversion of hostname portion of URLs

A vulnerability in the way Mozilla and its derived programs handle certain malformed URLs could allow a remote attacker to execute arbitrary code on a vulnerable system.

VU#125776 - Multiple buffer overflows in Mozilla POP3 protocol handler

There are multiple buffer overflow vulnerabilities in the Mozilla POP3 protocol handler that could allow a malicious POP3 server to execute arbitrary code on the affected system.

VU#327560 - Mozilla "send page" feature contains a buffer overflow vulnerability

There is a buffer overflow vulnerability in the Mozilla "send page" feature that could allow a remote attacker to execute arbitrary code.

VU#651928 - Mozilla allows arbitrary code execution via link dragging

A vulnerability affecting Mozilla web browsers may allow violation of cross-domain scripting policies and possibly execute code originating from a remote source.

2 posted on 09/17/2004 4:03:52 PM PDT by Centurion2000 (Truth, Justice and the Texan Way)

To: Stoat
And the beast shall be made legion. Its numbers shall be increased a thousand thousand fold. The din of a million keyboards like unto a great storm shall cover the earth, and the followers of Mammon shall tremble.

from The Book of Mozilla, 3:31

(Red Letter Edition)

3 posted on 09/17/2004 4:04:01 PM PDT by steveo (Member: Fathers Against Rude Television)

To: Stoat

And I thought it was regarded as a more secure alternative to Explorer.


4 posted on 09/17/2004 4:04:42 PM PDT by Buford T. Justice

To: Buford T. Justice

Well, you will notice that the vulnerabilities were fixed almost as soon as they were discovered.

If you have the code, you could fix them yourself if you like.

Mistakes can happen, but at least the architecture is not inherently insecure.


5 posted on 09/17/2004 4:08:59 PM PDT by proxy_user

To: Buford T. Justice

It's more secure because there are far fewer users of it, not to mention it's open source. That being said I have updated it.


6 posted on 09/17/2004 4:10:48 PM PDT by aft_lizard (I actually voted for John Kerry before I voted against him)

To: Stoat

Thanks for the post. Updated.


7 posted on 09/17/2004 4:16:00 PM PDT by Arkinsaw

To: Arkinsaw
"Thanks for the post. Updated." You're welcome; I'm happy if this has been of some help :-)
8 posted on 09/17/2004 4:18:47 PM PDT by Stoat

To: Stoat

Ah, now we know what the geeks in Redmond write in their spare time, now that their stock options are tanking.


9 posted on 09/17/2004 4:21:38 PM PDT by FreedomFarmer (Less carrot, more STICK!)

To: aft_lizard

Aft_lizard said:
"It's more secure because there are far fewer users of it"

Ah, I see you buy into the Microsoft FUD that MS software is only insecure because it's popular.

Would you keep your money in a bank that was robbed daily because they claim they were popular, while they never bother locking the vault door, or even having a vault in the first place?

Where did you get the idea that because something is popular it has to be a security sieve?

I'd really like to know - because that's Bill Gates' favorite excuse. But then, Bill has the honor of having the only browser that the Dept of Homeland Security recommends you NOT use:

http://www.kb.cert.org/vuls/id/713878


10 posted on 09/17/2004 4:30:47 PM PDT by konaice

To: Stoat

My FireFox and Thunderbird are up to date! I'm saved!!!


11 posted on 09/17/2004 4:36:01 PM PDT by Solamente

To: Stoat

BTTT


12 posted on 09/17/2004 4:38:01 PM PDT by Fiddlstix (This Tagline for sale. (Presented by TagLines R US))

To: konaice

Can you disprove it? You like using jingos to make a point too? Sorry but the fact remains that if Mozilla was the number one software we would all be bitching about security problems, popups and other annoyances. Not to mention since Mozilla is open source, it's hard not to argue that since the coding is open that it is easier to crack and infect. So tell me again why it's safer other than it has fewer users?

Seriously you can't buy the anti-argument that it's simply the program and not the amount of users.

Question to you. If you were a hacker looking to cause a great amount of damage to the internet, would you choose Opera? Mozilla or IE?

Eagerly waiting.


13 posted on 09/17/2004 4:38:47 PM PDT by aft_lizard (I actually voted for John Kerry before I voted against him)

To: Stoat

I am using Firebird 0.7. Which do I download? Mozilla, Firefox, or Thunderbird? I don't use the mail utility.


14 posted on 09/17/2004 4:38:52 PM PDT by fritzz (Power tends to corrupt, and absolute power corrupts absolutely - Lord Acton)

To: fritzz

"I am using Firebird 0.7. Which do I download? Mozilla, Firefox, or Thunderbird? I don't use the mail utility."

If you don't use the mail and you want a fast, lean and mean browser, try Firefox; I love it to pieces :-)


15 posted on 09/17/2004 4:41:53 PM PDT by Stoat

To: Stoat

Thanks.


16 posted on 09/17/2004 4:43:27 PM PDT by fritzz (Power tends to corrupt, and absolute power corrupts absolutely - Lord Acton)

To: Stoat

But, but, but ... I thought this was impossible! They said that only Microsoft products have vulnerabilities and that I would become 50 pounds lighter, a foot taller, and my winkie would lengthen by 2 inches if I stopped using them!


17 posted on 09/17/2004 4:43:39 PM PDT by asgardshill (By direct order, I LOVE ALAN KEYES!)

To: fritzz
You're welcome :-)
18 posted on 09/17/2004 4:45:04 PM PDT by Stoat

To: Buford T. Justice
"And I thought it was regarded as a more secure alternative to Explorer."

It is - but there's a difference between more secure and perfect. If and when God starts coding, we'll get some perfect software. Until then, I'd rather be exposed to Mozilla's handful of security flaws per year than Internet Explorer's flood of security flaws per week.
19 posted on 09/17/2004 4:49:07 PM PDT by NJ_gent (Conservatism begins at home. Security begins at the border. Please, someone, secure our borders.)

To: aft_lizard
"It's more secure because there are far fewer users of it"

The security of the code has nothing to do with the number of people using it. Mozilla tends to be far more secure than Internet Explorer because it's been designed with security in mind, and because it's not so tightly integrated into the OS as to bring about the end of the security world for a computer whenever a small security flaw is found.
20 posted on 09/17/2004 4:51:39 PM PDT by NJ_gent (Conservatism begins at home. Security begins at the border. Please, someone, secure our borders.)



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
