11 giugno 2009 di c.m.g

Mozilla Firefox/Thunderbird/SeaMonkey MFSA 2009-24 through -32 Multiple Remote Vulnerabilities

Security Focus riporta un bollettino di sicurezza (Bugtraq ID 35326) in cui si spiega che Mozilla Foundation ha rilasciato multipli security advisories specifici per varie vulnerabilità riscontrate in Firefox, Thunderbird e SeaMonkey.

Dei malintenzionati possono sfruttare queste falle per compromettere il computer di un utente ignaro ed esporlo ad attacchi di tipo: bypassing di restizioni same-origin, divulgazione non autorizzata di informazioni potenzialmente sensibili e permettere l'esecuzione di codice script arbitrario malevolo con privilegi di livello elevato; altri attacchi potrebbero essere possibili.

Versioni software fallate:
Mozilla Thunderbird 2.0 8
Mozilla Thunderbird 2.0 17
Mozilla Thunderbird 2.0 16
Mozilla Thunderbird 2.0 15
Mozilla Thunderbird 2.0 .9
Mozilla Thunderbird 2.0 .6
Mozilla Thunderbird 2.0 .5
Mozilla Thunderbird 2.0 .4
Mozilla Thunderbird 2.0 .19
Mozilla Thunderbird 2.0 .14
Mozilla Thunderbird 2.0 .13
Mozilla Thunderbird 2.0 .12
Mozilla Thunderbird 1.5 beta 2
Mozilla Thunderbird 1.5 14
Mozilla Thunderbird 1.5 12
Mozilla Thunderbird 1.5 .9
Mozilla Thunderbird 1.5 .13
Mozilla Thunderbird 1.5
Mozilla Thunderbird 1.0.8
Mozilla Thunderbird 1.0.7
Mozilla Thunderbird 1.0.6
Mozilla Thunderbird 1.0.5
Mozilla Thunderbird 1.0.2
Mozilla Thunderbird 1.0.1
Mozilla Thunderbird 1.0
Mozilla Thunderbird 0.9
Mozilla Thunderbird 0.8
Mozilla Thunderbird 0.7.3
Mozilla Thunderbird 0.7.2
Mozilla Thunderbird 0.7.1
Mozilla Thunderbird 0.7
Mozilla Thunderbird 0.6
Mozilla Thunderbird 2.0.0.21
Mozilla Thunderbird 2.0.0.18
Mozilla Thunderbird 1.5.0.8
Mozilla Thunderbird 1.5.0.7
Mozilla Thunderbird 1.5.0.5
Mozilla Thunderbird 1.5.0.4
Mozilla Thunderbird 1.5.0.2
Mozilla Thunderbird 1.5.0.10
Mozilla Thunderbird 1.5.0.1
Mozilla SeaMonkey 1.1.16
Mozilla SeaMonkey 1.1.15
Mozilla SeaMonkey 1.1.15
Mozilla SeaMonkey 1.1.14
Mozilla SeaMonkey 1.1.13
Mozilla SeaMonkey 1.1.12
Mozilla SeaMonkey 1.1.11
Mozilla SeaMonkey 1.1.10
Mozilla SeaMonkey 1.1.9
Mozilla SeaMonkey 1.1.8
Mozilla SeaMonkey 1.1.7
Mozilla SeaMonkey 1.1.6
Mozilla SeaMonkey 1.1.5
Mozilla SeaMonkey 1.1.4
Mozilla SeaMonkey 1.1.3
Mozilla SeaMonkey 1.1.2
Mozilla SeaMonkey 1.1.1
Mozilla SeaMonkey 1.0.99
Mozilla SeaMonkey 1.0.9
Mozilla SeaMonkey 1.0.8
Mozilla SeaMonkey 1.0.7
Mozilla SeaMonkey 1.0.6
Mozilla SeaMonkey 1.0.5
Mozilla SeaMonkey 1.0.3
Mozilla SeaMonkey 1.0.2
Mozilla SeaMonkey 1.0.1
Mozilla SeaMonkey 1.1 beta
Mozilla SeaMonkey 1.0 dev
Mozilla SeaMonkey 1.0
Mozilla Firefox 3.0.10
Mozilla Firefox 3.0.9
Mozilla Firefox 3.0.8
Mozilla Firefox 3.0.7 Beta
Mozilla Firefox 3.0.7
Mozilla Firefox 3.0.6
Mozilla Firefox 3.0.5
Mozilla Firefox 3.0.4
Mozilla Firefox 3.0.3
Mozilla Firefox 3.0.2
Mozilla Firefox 3.0.1
Mozilla Firefox 2.0 8
Mozilla Firefox 2.0 20
Mozilla Firefox 2.0 17
Mozilla Firefox 2.0 16
Mozilla Firefox 2.0 .9
Mozilla Firefox 2.0 .7
Mozilla Firefox 2.0 .6
Mozilla Firefox 2.0 .5
Mozilla Firefox 2.0 .4
Mozilla Firefox 2.0 .3
Mozilla Firefox 2.0 .19
Mozilla Firefox 2.0 .10
Mozilla Firefox 2.0 .1
Mozilla Firefox 1.5 beta 2
Mozilla Firefox 1.5 beta 1
Mozilla Firefox 1.5 12
Mozilla Firefox 1.5 .8
Mozilla Firefox 1.5 .6
Mozilla Firefox 1.5
Mozilla Firefox 1.5
Mozilla Firefox 1.0.8
Mozilla Firefox 1.0.7
Mozilla Firefox 1.0.6
Mozilla Firefox 1.0.5
Mozilla Firefox 1.0.5
Mozilla Firefox 1.0.4
Mozilla Firefox 1.0.3
Mozilla Firefox 1.0.2
+ MandrakeSoft Linux Mandrake 10.2 x86_64
+ MandrakeSoft Linux Mandrake 10.2
+ MandrakeSoft Linux Mandrake 10.2
+ RedHat Desktop 4.0
+ RedHat Desktop 4.0
+ RedHat Enterprise Linux AS 4
+ RedHat Enterprise Linux AS 4
+ RedHat Enterprise Linux ES 4
+ RedHat Enterprise Linux ES 4
+ RedHat Enterprise Linux WS 4
+ RedHat Enterprise Linux WS 4
Mozilla Firefox 1.0.1
Mozilla Firefox 1.0
Mozilla Firefox 0.10.1
Mozilla Firefox 0.10
Mozilla Firefox 0.9.3
Mozilla Firefox 0.9.2
Mozilla Firefox 0.9.1
Mozilla Firefox 0.9 rc
Mozilla Firefox 0.9
Mozilla Firefox 0.8
Mozilla Firefox 3.0 Beta 5
Mozilla Firefox 3.0
Mozilla Firefox 2.0.0.3
Mozilla Firefox 2.0.0.2
Mozilla Firefox 2.0.0.18
Mozilla Firefox 2.0.0.15
Mozilla Firefox 2.0.0.14
Mozilla Firefox 2.0.0.13
Mozilla Firefox 2.0.0.12
Mozilla Firefox 2.0.0.11
Mozilla Firefox 2.0.0.10
Mozilla Firefox 2.0.0.10
Mozilla Firefox 2.0 RC3
Mozilla Firefox 2.0 RC2
Mozilla Firefox 2.0 beta 1
Mozilla Firefox 2.0
Mozilla Firefox 1.5.0.9
Mozilla Firefox 1.5.0.7
Mozilla Firefox 1.5.0.6
Mozilla Firefox 1.5.0.5
Mozilla Firefox 1.5.0.4
Mozilla Firefox 1.5.0.3
Mozilla Firefox 1.5.0.2
Mozilla Firefox 1.5.0.2
Mozilla Firefox 1.5.0.11
Mozilla Firefox 1.5.0.11
Mozilla Firefox 1.5.0.10
Mozilla Firefox 1.5.0.1

Falle scoperte da:
Bob Clary, Jesse Ruderman, Alexander Sack, Bret McMillan, Tomeo Vizoso, Matt McCutchen, Martijn Warger, Jesse Ruderman, Adam Hauner, Igor Bukanov, Pavel Cvrcek, Gregory Fleischer, Microsoft security researchers Shuo Chen, Ziqing Mao, Yi-Min Wang, and Ming

Soluzione:
Sono state rilasciate versioni aggiornate che risolvono i problemi, più nello specifico:

Mozilla Thunderbird 2.0.0.22
Mozilla SeaMonkey 1.1.17
Mozilla Firefox 3.0.11

Sono pronte per il download dal sito ufficiale.



Advisories d'origine:
MFSA 2009-24: Crashes with evidence of memory corruption (rv:1.9.0.11) (Mozilla)
MFSA 2009-25: URL spoofing with invalid unicode characters (Mozilla)
MFSA 2009-26: Arbitrary domain cookie access by local file: resources (Mozilla)
MFSA 2009-27: SSL tampering via non-200 responses to proxy CONNECT requests (Mozilla)
MFSA 2009-28: Race condition while accessing the private data of a NPObject JS w (Mozilla)
MFSA 2009-29: Arbitrary code execution using event listeners attached to an elem (Mozilla)
MFSA 2009-30: Incorrect principal set for file: resources loaded via location ba (Mozilla)
MFSA 2009-31: XUL scripts bypass content-policy checks (Mozilla)
MFSA 2009-32: JavaScript chrome privilege escalation (Mozilla)





Fonte: SecurityFocus