Heads up! Firefox & Mozilla
David Eisenstein
deisenst at gtw.net
Mon Apr 17 15:24:33 UTC 2006
Hi Folks,
Over the (HOLIDAY!) weekend, Mozilla released a new Firefox (1.0.8) fixing
a set of critical vulnerabilities. The upstream (mozilla.org) chose
*not*, however, to release the Mozilla code for 1.7.13 yet, but I am told
that the updated Mozilla will be released officially in the near future.
We may, however, be able to get our hands on the sources before then and
get it in the pipeline for QA and such.
Some of the critical issues (potential remotely exploited code execution)
can be mitigated by turning off JavaScript, but not all, as there is one
issue that I am told can be triggered by HTML tags. From MFSA
2006-18 <http://www.mozilla.org/security/announce/2006/mfsa2006-18.html>,
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0749>:
"A particular sequence of HTML tags that reliably crash Mozilla clients
was reported by an anonymous researcher via TippingPoint and the Zero
Day Initiative. The crash is due to memory corruption that can be
exploited to run arbitrary code.
"Mozilla mail clients will crash on the tag sequence, but without the
ability to run scripts to fill memory with the attack code it may not
be possible for an attacker to exploit this crash."
These issues affect Mozilla Firefox and Thunderbird 1.x before 1.5 and
1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0,
according to CVE-2006-0749.
Be careful out there! We'll get these out for Legacy as soon as we can.
Regards,
David Eisenstein