[Volontari] [Fwd: [SA25469] Mozilla Firefox Multiple Vulnerabilities] a curiosity

rey reynor at libero.it
Fri 1 Jun 2007 00:25:12 CEST


I have been subscribed to the http://secunia.com/ mailing list for months.
Is it just a skewed impression of mine, or has a flood of alerts lately
been about OSS and very few about proprietary software?
What do you think it means: that Secunia is biased, or that
OSS is becoming less secure? Does anyone know anything about it?
I must say that, as far as the Mozilla suites are concerned, the alerts may
arrive in the late afternoon and by the evening the update is already there, but still...
An example is below; the updates were available from about 2000.
Bye all,
rinaldo


-------- Original Message --------
Subject: 	[SA25469] Mozilla Firefox Multiple Vulnerabilities
Date: 	31 May 2007 17:33:35 -0000
From: 	Secunia Security Advisories <sec-adv at secunia.com>
To: 	reynor at libero.it



----------------------------------------------------------------------

Try a new way to discover vulnerabilities that ALREADY EXIST in your
IT infrastructure.

The Full Featured Secunia Network Software Inspector (NSI) is now
available:
http://secunia.com/network_software_inspector/

The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT
vulnerabilities in more than 4,000 different Windows applications.

----------------------------------------------------------------------

TITLE:
Mozilla Firefox Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA25469

VERIFY ADVISORY:
http://secunia.com/advisories/25469/

CRITICAL:
Highly critical

IMPACT:
Security Bypass, Spoofing, Exposure of sensitive information, DoS,
System access

WHERE:
From remote

REVISION:
1.1 originally posted 2007-05-31

SOFTWARE:
Mozilla Firefox 1.x
http://secunia.com/product/4227/
Mozilla Firefox 2.0.x
http://secunia.com/product/12434/

DESCRIPTION:
Some vulnerabilities have been reported in Mozilla Firefox, which can
be exploited by malicious people to conduct spoofing attacks, bypass
certain security restrictions, and potentially compromise a user's
system.

1) Errors in the JavaScript engine can be exploited to cause memory
corruption and potentially to execute arbitrary code.

2) An error in the "addEventListener" method can be exploited to
inject script into another site, circumventing the browser's
same-origin policy. This could be used to access or modify sensitive
information from the other site.

3) An error in the handling of XUL popups can be exploited to spoof
parts of the browser such as the location bar.

SOLUTION:
Update to version 2.0.0.4 or 1.5.0.12.

PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Boris Zbarsky, Eli Friedman, Georgi Guninski, Martijn Wargers,
Olli Pettay, Brendan Eich, Igor Bukanov, Jesse Ruderman,
moz_bug_r_a4, and Wladimir Palant
2) moz_bug_r_a4
3) Chris Thomas

CHANGELOG:
2007-05-31: Added link to US-CERT.

ORIGINAL ADVISORY:
1) http://www.mozilla.org/security/announce/2007/mfsa2007-12.html
2) http://www.mozilla.org/security/announce/2007/mfsa2007-16.html
3) http://www.mozilla.org/security/announce/2007/mfsa2007-17.html

OTHER REFERENCES:
US-CERT VU#751636:
http://www.kb.cert.org/vuls/id/751636

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------

Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=reynor%40libero.it

----------------------------------------------------------------------

-- 

written and sent by mozilla thunderbird open source mail client

keep control of your destiny, or someone else will



