Vigil@nce: Firefox/Seamonkey/Thunderbird: several vulnerabilities
July 2008 by Vigil@nce
SYNTHESIS
Several vulnerabilities were announced in Firefox/Seamonkey/Thunderbird, the worst one leading to code execution.
Gravity: 4/4
Consequences: user access/rights
Provenance: document
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 16/07/2008
Identifier: VIGILANCE-VUL-7948
IMPACTED PRODUCTS
– Mozilla Firefox [confidential versions]
– Mozilla SeaMonkey [confidential versions]
– Mozilla Thunderbird [confidential versions]
DESCRIPTION
Several vulnerabilities were announced in Firefox/Seamonkey/Thunderbird.
An attacker can create a HTML page using several references to a
CSS object, in order to create an overflow leading to code
execution. [grav:4/4; 440230, CVE-2008-2785, MFSA 2008-34]
When Firefox is not running, and when the victim clicks on a
"file:" or "chrome:" uri to launch Firefox, the attacker can
access to a local script or chrome document, which leads to code
execution. [grav:3/4; 441120, 441169, CVE-2008-2933, MFSA 2008-35, VU#130923]
CHARACTERISTICS
Identifiers: 440230, 441120, 441169, CVE-2008-2785, CVE-2008-2933, MFSA 2008-34, MFSA 2008-35, VIGILANCE-VUL-7948, VU#130923