VID |
28784 |
Severity |
40 |
Port |
139,445 |
Protocol |
TCP |
Class |
SMB |
Detailed Description |
A version of Mozilla Firefox older than 3.5.4 is installed on the host. Mozilla is an open-source Web browser developed by the Mozilla project. Mozilla Firefox versions 3.5.x prior to 3.5.4 are affected by multiple vulnerabilities:
- It may be possible for a malicious web page to steal form history. (MFSA 2009-52)
- By predicting the filename of an already downloaded file in the downloads directory, a local attacker may be able to trick the browser into opening an incorrect file. (MFSA 2009-53)
- Recursive creation of JavaScript web-workers could crash the browser or allow execution of arbitrary code on the remote system. (MFSA 2009-54)
- Provided the browser is configured to use Proxy Auto-configuration it may be possible for an attacker to crash the browser or execute arbitrary code. (MFSA 2009-55)
- Mozilla's GIF image parser is affected by a heap-based buffer overflow. (MFSA 2009-56)
- A vulnerability in XPCOM utility 'XPCVariant::VariantDataToJS' could allow executing arbitrary JavaScript code with chrome privileges. (MFSA 2009-57)
- A vulnerability in Mozilla's string to floating point number conversion routine could allow arbitrary code execution on the remote system. (MFSA 2009-59)
- It may be possible to read text from a web page in a different domain using the JavaScript function 'document.getSelection()'. (MFSA 2009-61)
- If a file contains a right-to-left override character (RTL) in the filename, it may be possible for an attacker to obfuscate the filename and extension of the file being downloaded. (MFSA 2009-62)
- Multiple memory safety bugs in media libraries could potentially allow arbitrary code execution. (MFSA 2009-63)
- Multiple memory corruption vulnerabilities could potentially allow arbitrary code execution. (MFSA 2009-64)
* Note: This check requires an account with administrative privileges which can log into the host to scan. Absence of this condition will result in the check not being performed and a False Negative for all vulnerable hosts.
* References:
- http://www.mozilla.org/security/announce/2009/mfsa2009-52.html
- http://www.mozilla.org/security/announce/2009/mfsa2009-53.html
- http://www.mozilla.org/security/announce/2009/mfsa2009-54.html
- http://www.mozilla.org/security/announce/2009/mfsa2009-55.html
- http://www.mozilla.org/security/announce/2009/mfsa2009-56.html
- http://www.mozilla.org/security/announce/2009/mfsa2009-57.html
- http://www.mozilla.org/security/announce/2009/mfsa2009-59.html
- http://www.mozilla.org/security/announce/2009/mfsa2009-61.html
- http://www.mozilla.org/security/announce/2009/mfsa2009-62.html
- http://www.mozilla.org/security/announce/2009/mfsa2009-63.html
- http://www.mozilla.org/security/announce/2009/mfsa2009-64.html
* Platforms Affected:
- Mozilla Project, Firefox versions 3.5.x prior to 3.5.4
- Microsoft Windows, Any version
- Linux, Any version |
Recommendation |
Upgrade to the latest version of Firefox (3.5.4 or later), available from the Mozilla Firefox Download Web page at http://www.mozilla.or.kr/ |
Related URL |
CVE-2009-1563,CVE-2009-3274,CVE-2009-3370~3383 (CVE) |
Related URL |
36851,36852,36853,36854,36855,36856,36857,36858,36866,36867,36869,36870,36871,36872,36873,36875 (SecurityFocus) |
Related URL |
(ISS) |
|