Re: UC CERT Warning on Mozilla Products Including SeaMonkey - Mozilla

This is a discussion on Re: UC CERT Warning on Mozilla Products Including SeaMonkey - Mozilla ; Michael wrote: > ************************************************* > > From the US CERT Bulletin: > > http://www.kb.cert.org/vuls/id/592425 > > > Vulnerability Note VU#592425 > > Mozilla-based products fail to validate user input to the attribute name > in "XULDocument.persist" > > Overview > ...

+ Reply to Thread
Results 1 to 8 of 8

Thread: Re: UC CERT Warning on Mozilla Products Including SeaMonkey

  1. Re: UC CERT Warning on Mozilla Products Including SeaMonkey

    Michael wrote:
    > *************************************************
    >
    > From the US CERT Bulletin:
    >
    > http://www.kb.cert.org/vuls/id/592425
    >
    >
    > Vulnerability Note VU#592425
    >
    > Mozilla-based products fail to validate user input to the attribute name
    > in "XULDocument.persist"
    >
    > Overview
    > A vulnerability in some Mozilla products that could allow a remote
    > attacker to execute Javascript commands with the permissions of the user
    > running the affected application.
    > I. Description
    > According to the Mozilla advisory on this issue:
    >
    > XULDocument.persist() did not validate the attribute name,
    > allowing an attacker to inject XML into localstore.rdf that would be
    > read and acted upon at startup. This could include JavaScript commands
    > that would be run with the permissions of the browser.
    >
    > Note: Thunderbird could be vulnerable if JavaScript is enabled.
    > This is not the default setting and we strongly discourage users from
    > turning on JavaScript in mail. Thunderbird is not vulnerable in its
    > default configuration.
    >
    >
    > This vulnerability affects Mozilla Firefox, _*SeaMonkey*_, Thunderbird,
    > and potentially any other Mozilla-based application. The exploit code
    > for this vulnerability could be remotely supplied through a web page or
    > in an email message.
    >
    > ************************************************** ***************
    >
    > Any word on a security update for SM 1.0?
    >
    > Nothing is mentioned on the SeaMonkey web site or Blog.


    http://www.mozilla.org/security/anno...sa2006-05.html

    --
    *Rinaldi*
    As Zeus said to Narcissus, "Watch yourself."

  2. Re: UC CERT Warning on Mozilla Products Including SeaMonkey

    Rinaldi J. Montessi wrote:
    > Michael wrote:
    >> *************************************************
    >>
    >> From the US CERT Bulletin:
    >>
    >> http://www.kb.cert.org/vuls/id/592425
    >>
    >>
    >> Vulnerability Note VU#592425
    >>
    >> Mozilla-based products fail to validate user input to the attribute
    >> name in "XULDocument.persist"
    >>
    >> Overview A vulnerability in some Mozilla products that could allow
    >> a remote attacker to execute Javascript commands with the
    >> permissions of the user running the affected application. I.
    >> Description According to the Mozilla advisory on this issue:
    >>
    >> XULDocument.persist() did not validate the attribute name, allowing
    >> an attacker to inject XML into localstore.rdf that would be read
    >> and acted upon at startup. This could include JavaScript commands
    >> that would be run with the permissions of the browser.
    >>
    >> Note: Thunderbird could be vulnerable if JavaScript is enabled.
    >> This is not the default setting and we strongly discourage users
    >> from turning on JavaScript in mail. Thunderbird is not vulnerable
    >> in its default configuration.
    >>
    >>
    >> This vulnerability affects Mozilla Firefox, _*SeaMonkey*_,
    >> Thunderbird, and potentially any other Mozilla-based application.
    >> The exploit code for this vulnerability could be remotely supplied
    >> through a web page or in an email message.
    >>
    >> ************************************************** ***************
    >>
    >> Any word on a security update for SM 1.0?
    >>
    >> Nothing is mentioned on the SeaMonkey web site or Blog.

    >
    > http://www.mozilla.org/security/anno...sa2006-05.html


    Interesting that the vulnerability was reported by Mozilla Corporation

    --
    *Rinaldi*
    "I'd love to go out with you, but the last time I went out, I never
    came back."

  3. Re: UC CERT Warning on Mozilla Products Including SeaMonkey

    Rinaldi J. Montessi wrote:
    > Rinaldi J. Montessi wrote:
    >> Michael wrote:
    >>> *************************************************
    >>>
    >>> From the US CERT Bulletin:
    >>>
    >>> http://www.kb.cert.org/vuls/id/592425
    >>>
    >>>
    >>> Vulnerability Note VU#592425
    >>>
    >>> Mozilla-based products fail to validate user input to the attribute
    >>> name in "XULDocument.persist"
    >>>
    >>> Overview A vulnerability in some Mozilla products that could allow
    >>> a remote attacker to execute Javascript commands with the
    >>> permissions of the user running the affected application. I.
    >>> Description According to the Mozilla advisory on this issue:
    >>>
    >>> XULDocument.persist() did not validate the attribute name, allowing
    >>> an attacker to inject XML into localstore.rdf that would be read
    >>> and acted upon at startup. This could include JavaScript commands
    >>> that would be run with the permissions of the browser.
    >>>
    >>> Note: Thunderbird could be vulnerable if JavaScript is enabled. This
    >>> is not the default setting and we strongly discourage users
    >>> from turning on JavaScript in mail. Thunderbird is not vulnerable
    >>> in its default configuration.
    >>>
    >>>
    >>> This vulnerability affects Mozilla Firefox, _*SeaMonkey*_,
    >>> Thunderbird, and potentially any other Mozilla-based application.
    >>> The exploit code for this vulnerability could be remotely supplied
    >>> through a web page or in an email message.
    >>>
    >>> ************************************************** ***************
    >>>
    >>> Any word on a security update for SM 1.0?
    >>>
    >>> Nothing is mentioned on the SeaMonkey web site or Blog.

    >>
    >> http://www.mozilla.org/security/anno...sa2006-05.html

    >
    > Interesting that the vulnerability was reported by Mozilla Corporation
    >

    Hello Rinaldi,

    And very interesting that it came from a bug report.

    Since Mozilla found the bug and reported the bug, and fixed the bug, why
    is it so hard for the average user to find any information about the
    fixed but on the Mozilla web site? :-(

    Michael

    --
    Character is doing the right thing...
    Even when no one is watching...
    http://www.armadilloweb.com

    A Proud User of SeaMonkey The Suite
    Get your free copy here:
    http://www.mozilla.org/projects/seamonkey/

  4. Re: UC CERT Warning on Mozilla Products Including SeaMonkey

    _Michael_ spoke thusly on 07/02/2006 11:16 PM:
    > Since Mozilla found the bug and reported the bug, and fixed the bug, why
    > is it so hard for the average user to find any information about the
    > fixed but on the Mozilla web site? :-(



    Under "What's New", click on "Several security enhancements.", which
    will take you to
    ,
    which includes a link to that security advisory.

    In the case of SeaMonkey, 1.0 is the first, and currently the only
    end-user release. The bug does not exist in SM1.0.

    For Mozilla in general, go to . At the bottom
    of the page, click on "Security Updates". The rest is pretty
    self-explanatory.
    --
    Chris Ilias - Mozilla Champion
    mozilla.test.multimedia moderator
    Mozilla links
    (Please do not email me tech support questions)

  5. Re: UC CERT Warning on Mozilla Products Including SeaMonkey

    Michael wrote:

    > Rinaldi J. Montessi wrote:
    >
    >> Rinaldi J. Montessi wrote:
    >>
    >>> Michael wrote:
    >>>
    >>>> *************************************************
    >>>>
    >>>> From the US CERT Bulletin:
    >>>>
    >>>> http://www.kb.cert.org/vuls/id/592425
    >>>>
    >>>>
    >>>> Vulnerability Note VU#592425
    >>>>
    >>>> Mozilla-based products fail to validate user input to the attribute
    >>>> name in "XULDocument.persist"
    >>>>
    >>>> Overview A vulnerability in some Mozilla products that could allow
    >>>> a remote attacker to execute Javascript commands with the
    >>>> permissions of the user running the affected application. I.
    >>>> Description According to the Mozilla advisory on this issue:
    >>>>
    >>>> XULDocument.persist() did not validate the attribute name, allowing
    >>>> an attacker to inject XML into localstore.rdf that would be read
    >>>> and acted upon at startup. This could include JavaScript commands
    >>>> that would be run with the permissions of the browser.
    >>>>
    >>>> Note: Thunderbird could be vulnerable if JavaScript is enabled. This
    >>>> is not the default setting and we strongly discourage users
    >>>> from turning on JavaScript in mail. Thunderbird is not vulnerable
    >>>> in its default configuration.
    >>>>
    >>>>
    >>>> This vulnerability affects Mozilla Firefox, _*SeaMonkey*_,
    >>>> Thunderbird, and potentially any other Mozilla-based application.
    >>>> The exploit code for this vulnerability could be remotely supplied
    >>>> through a web page or in an email message.
    >>>>
    >>>> ************************************************** ***************
    >>>>
    >>>> Any word on a security update for SM 1.0?
    >>>>
    >>>> Nothing is mentioned on the SeaMonkey web site or Blog.
    >>>
    >>>
    >>> http://www.mozilla.org/security/anno...sa2006-05.html

    >>
    >> Interesting that the vulnerability was reported by Mozilla Corporation
    >>

    > And very interesting that it came from a bug report.


    And very interesting that the bug has evidently not been fixed in the
    Mozilla Suite. We knew that the lack of security upgrades and patches
    has pretty much killed Netscape 7.2, but is this the beginning of the
    end of the Mozilla Suite for the same reason?

    Ron

  6. Re: UC CERT Warning on Mozilla Products Including SeaMonkey

    Ron Lopshire wrote:

    > And very interesting that the bug has evidently not been fixed in the
    > Mozilla Suite.


    It (and several other security problems) was already fixed in 1.7.x, but
    they haven't completed the release process.
    P.

  7. Re: UC CERT Warning on Mozilla Products Including SeaMonkey

    Ron Lopshire wrote:
    > Michael wrote:
    >
    >> Rinaldi J. Montessi wrote:
    >>
    >>> Rinaldi J. Montessi wrote:
    >>>
    >>>> Michael wrote:


    /snip/
    >
    > And very interesting that the bug has evidently not been fixed in the
    > Mozilla Suite. We knew that the lack of security upgrades and patches
    > has pretty much killed Netscape 7.2, but is this the beginning of the
    > end of the Mozilla Suite for the same reason?
    >
    > Ron


    There will be a 1.7.13 security release, and this fix will be included.
    However, yes, the day of the mozilla Suite is ended, and the day of
    SeaMonkey has dawned.

    Lee

    --
    Leonidas Jones, Mozilla Champion
    Learn about the Champs! http://mozillachampions.ufaq.org
    The UFAQ'S http://www.ufaq.org/
    http://www.mozilla.org/community/etiquette.html
    http://mozilla.com http://mozilla.org

  8. Re: UC CERT Warning on Mozilla Products Including SeaMonkey

    Leonidas Jones wrote:

    > Ron Lopshire wrote:
    >
    >>Michael wrote:
    >>
    >>
    >>>Rinaldi J. Montessi wrote:
    >>>
    >>>
    >>>>Rinaldi J. Montessi wrote:
    >>>>
    >>>>
    >>>>>Michael wrote:

    >
    >
    > /snip/
    >
    >>And very interesting that the bug has evidently not been fixed in the
    >>Mozilla Suite. We knew that the lack of security upgrades and patches
    >>has pretty much killed Netscape 7.2, but is this the beginning of the
    >>end of the Mozilla Suite for the same reason?
    >>
    >>Ron

    >
    >
    > There will be a 1.7.13 security release, and this fix will be included.
    > However, yes, the day of the mozilla Suite is ended, and the day of
    > SeaMonkey has dawned.
    >
    > Lee
    >

    "This is the dawning of the Angel SeaMonkey, SeaMonkey!!!"

    --
    Time for a change

+ Reply to Thread