Wednesday, February 08, 2006

Security Alert Mozilla Foundation



Security Alert, February 7, 2006
8 Vulnerabilities in Mozilla Suite, SeaMonkey Suite, Firefox, and Thunderbird
The following eight vulnerabilities exist in Mozilla Foundation's Mozilla Suite, SeaMonkey Suite (the code name of a new version of Mozilla Suite), Thunderbird email client, and/or Firefox browser. The first vulnerability is rated critical, the next four are rated moderate, and the final three are rated low in terms of severity. The vulnerabilities are as follows:
- XML could be injected into the browser's localstore.rdf file, which would then be read by the browser at startup. The vulnerability could allow intruders to inject JavaScript code onto a user's system.
- The browser contains integer overflow errors that could allow intruders to execute arbitrary code on an affected system.
- The products' QueryInterface method contains a flaw that causes memory corruption, which could allow intruders to execute arbitrary code on an affected system.
- Dynamic changes to certain style elements could cause the browser to attempt operations on freed memory space, which could allow intruders to execute arbitrary code on an affected system.
- Specially crafted JavaScript objects could trigger "garbage collection," which could cause the browser to attempt operations on freed memory space. The condition could allow intruders to execute arbitrary code on an affected system.
- Web pages with extremely long titles cause the browser to take a long time to start up, or to crash when the computer has insufficient memory available.
- The E4X AnyName object that's used by the products' JavaScript engine is unintentionally exposed to Web content, which could allow scripts to perform unauthorized actions.
- The products' XML parser might read beyond the end of a buffer, which could cause the browser to crash.
Mozilla Foundation released updates to the products to correct these problems. For more information, go to
http://list.windowsitpro.com/t?ctl=20228:43C5FC
