
Secunia Security Advisory 18700
Posted Feb 2, 2006
Authored by Secunia | Site secunia.com

Secunia Security Advisory - Multiple vulnerabilities have been reported in Firefox, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, potentially disclose sensitive information, and potentially compromise a user's system.

tags | advisory, vulnerability, xss
SHA-256 | 3b39cda16049485fa09a5918a6593b0c68455d2ddebcf9b372813d8fe45bf723

TITLE:
Firefox Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA18700

VERIFY ADVISORY:
http://secunia.com/advisories/18700/

CRITICAL:
Highly critical

IMPACT:
Security Bypass, Cross Site Scripting, Exposure of system
information, Exposure of sensitive information, System access

WHERE:
From remote

SOFTWARE:
Mozilla Firefox 0.x
http://secunia.com/product/3256/
Mozilla Firefox 1.x
http://secunia.com/product/4227/

DESCRIPTION:
Multiple vulnerabilities have been reported in Firefox, which can be
exploited by malicious people to bypass certain security
restrictions, conduct cross-site scripting attacks, potentially
disclose sensitive information, and potentially compromise a user's
system.

1) Some errors in the JavaScript engine where certain temporary
variables are not properly protected may be exploited to execute
arbitrary code via a user-defined method triggering garbage
collection.

One of the vulnerabilities affects only version 1.5. The other
affects version 1.5 and prior.

2) An error in the dynamic style handling can be exploited to
reference freed memory by changing the style of an element from
"position:relative" to "position:static".

Successful exploitation may allow execution of arbitrary code.

The vulnerability has been reported in version 1.5.

3) An error in the "QueryInterface" method of the Location and
Navigator objects can be exploited to cause a memory corruption.

Successful exploitation may allow execution of arbitrary code.

The vulnerability has been reported in version 1.5.

4) An input validation error in the processing of the attribute name
when calling "XULDocument.persist()" can be exploited to inject
arbitrary XML and JavaScript code in "localstore.rdf", which will be
executed with the permissions of the browser the next time the
browser starts up again.

5) Some integer overflows in the E4X, SVG, and Canvas functionalities
may be exploited to execute arbitrary code.

The vulnerabilities have been reported in version 1.5.

6) A boundary error in the "nsExpatDriver::ParseBuffer()" function in
the XML parser may be exploited to disclose data on the heap.

The vulnerability does not affect version 1.0.

7) The internal "AnyName" object of the E4X functionality is not
properly protected. This can be exploited to create a communication
channel between two windows or frames having different domains.

This does not pose any direct risks and does not allow bypass of
same-origin restrictions or disclosure of web content from other
domains.

The vulnerability does not affect version 1.0.
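
Added example (not part of the Secunia advisory and not Mozilla's code): item 4 above is an input validation failure on an attribute name that is later written into an XML file. The JavaScript below models that with a constructed one-line record format (an assumption, not the real localstore.rdf schema) and hypothetical function names, placing an unchecked serializer beside one that rejects any name that is not a single XML name token.

```javascript
// Illustrative model only: the record layout and all function names are
// hypothetical and are not taken from Firefox or from the advisory.

// A single XML name token, restricted to ASCII (assumption: persisted
// attribute names in this model are plain ASCII identifiers).
const XML_NAME = /^[A-Za-z_][A-Za-z0-9._-]*$/;

// Escape a string for use inside a double-quoted XML attribute value.
function escapeXmlAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Weak form: the value is escaped, but the attribute NAME is concatenated
// into the markup as-is, so it can close the element and open a new one.
function serializeUnchecked(id, name, value) {
  return `<Description about="#${escapeXmlAttr(id)}" ${name}="${escapeXmlAttr(value)}"/>`;
}

// Hardened form: validate the name before anything is written to the store.
function serializeChecked(id, name, value) {
  if (typeof name !== "string" || !XML_NAME.test(name)) {
    throw new RangeError("attribute name is not a valid XML name; not persisted");
  }
  return serializeUnchecked(id, name, value);
}

// Count element start tags in a serialized record; one record should
// always produce exactly one element.
function countElements(xml) {
  return (xml.match(/<[A-Za-z_]/g) || []).length;
}

// Constructed sample input: a "name" carrying markup of its own.
const HOSTILE_NAME = 'x="1"/><Injected y';

console.log(serializeUnchecked("main-window", HOSTILE_NAME, "800"));
console.log(serializeChecked("main-window", "width", "800"));
```

Escaping the value alone is not sufficient here: the name position has no quoting context to escape into, so the only safe handling is to reject anything outside the name grammar.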

SOLUTION:
Update to version 1.5.0.1.
http://www.mozilla.com/firefox/

PROVIDED AND/OR DISCOVERED BY:
1) Igor Bukanov
2) Martijn Wargers
3) Georgi Guninski
4) moz_bug_r_a4
5) Georgi Guninski
6) Johnny Stenback
7) Brendan Eich

ORIGINAL ADVISORY:
Mozilla:
http://www.mozilla.org/security/announce/mfsa2006-01.html
http://www.mozilla.org/security/announce/mfsa2006-02.html
http://www.mozilla.org/security/announce/mfsa2006-04.html
http://www.mozilla.org/security/announce/mfsa2006-05.html
http://www.mozilla.org/security/announce/mfsa2006-06.html
http://www.mozilla.org/security/announce/mfsa2006-07.html
http://www.mozilla.org/security/announce/mfsa2006-08.html

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------
