Argument injection vulnerability in Microsoft Internet Explorer, when running on systems with Firefox installed and certain URIs registered, allows remote attackers to conduct cross-browser scripting attacks and execute arbitrary commands via shell metacharacters in a (1) FirefoxURL or (2) FirefoxHTML URI, which are inserted into the command line that is created when invoking firefox.exe. NOTE: it has been debated as to whether the issue is in Internet Explorer or Firefox. As of 20070711, it is CVE's opinion that IE appears to be failing to properly delimit the URL argument when invoking Firefox, and this issue could arise with other protocol handlers in IE as well. However, Mozilla has stated that it will address the issue with a "defense in depth" fix that will "prevent IE from sending Firefox malicious data."

The version of Google Chrome installed on the remote host is earlier than 1.0.154.48. Such versions are reportedly affected by a protocol-handler command injection vulnerability that could allow an attacker to carry out cross-browser scripting attacks.

The version of Google Chrome installed on the remote host is earlier than 1.0.154.48.  Such versions are reportedly affected by a protocol- handler command-injection vulnerability that could allow an attacker to carry out cross-browser scripting attacks.

This update brings Mozilla Firefox to security update version 2.0.0.5

Following security problems were fixed :

  - Crashes with evidence of memory corruption The usual     collection of stability fixes for crashes that look     suspicious but haven't been proven to be exploitable.
    (MFSA 2007-18)

    25 were in the browser engine, reported by Mozilla     developers and community members Bernd Mielke, Boris     Zbarsky, David Baron, Daniel Veditz, Jesse Ruderman,     Lukas Loehrer, Martijn Wargers, Mats Palmgren, Olli     Pettay, Paul Nickerson,and Vladimir Sukhoy.
    (CVE-2007-3734)

    7 were in the JavaScript engine reported by Asaf Romano,     Jesse Ruderman, Igor Bukanov. (CVE-2007-3735)

  - XSS using addEventListener and setTimeout. (MFSA 2007-19     / CVE-2007-3736)

    moz_bug_r_a4 reported that scripts could be injected     into another site's context by exploiting a timing issue     using addEventLstener or setTimeout.

  - frame spoofing Ronen Zilberman and Michal Zalewski both     reported that it was possible to exploit a timing issue     to inject content into about:blank frames in a page.
    (MFSA 2007-20 / CVE-2007-3089)

  - Privilege escallation using an event handler attached to     an element not in the document. (MFSA 2007-21 /     CVE-2007-3737)

    Reported by moz_bug_r_a4.

  - File type confusion due to %00 in name. (MFSA 2007-22 /     CVE-2007-3285)

    Ronald van den Heetkamp reported that a filename URL     containing %00 (encoded null) can cause Firefox to     interpret the file extension differently than the     underlying Windows operating system potentially leading     to unsafe actions such as running a program.

  - Remote code execution by launching Firefox from Internet     Explorer. (MFSA 2007-23 / CVE-2007-3670)

    Greg MacManus of iDefense and Billy Rios of Verisign     independently reported that links containing a quote (')     character could be used in Internet Explorer to launch     registered URL Protocol handlers with extra command-line     parameters. Firefox and Thunderbird are among those     which can be launched, and both support a '-chrome'     option that could be used to run malware.

    This problem does not affect Linux.

  - unauthorized access to wyciwyg:// documents. (MFSA     2007-24 / CVE-2007-3656)

    Michal Zalewski reported that it was possible to bypass     the same-origin checks and read from cached (wyciwyg)     documents

  - XPCNativeWrapper pollution shutdown and moz_bug_r_a4     reported two separate ways to modify an XPCNativeWrapper     such that subsequent access by the browser would result     in executing user-supplied code. (MFSA 2007-25 /     CVE-2007-3738)

Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a malicious email, an attacker could execute arbitrary code with the user's privileges. Please note that JavaScript is disabled by default for emails, and it is not recommended to enable it. (CVE-2007-3734, CVE-2007-3735, CVE-2007-3844)

Jesper Johansson discovered that spaces and double-quotes were not correctly handled when launching external programs. In rare configurations, after tricking a user into opening a malicious email, an attacker could execute helpers with arbitrary arguments with the user's privileges. (CVE-2007-3670, CVE-2007-3845).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update fixes several security issues in Mozilla SeaMonkey 1.0.9.

Following security problems were fixed :

  - MFSA 2007-18: Crashes with evidence of memory corruption

    The usual collection of stability fixes for crashes that     look suspicious but haven't been proven to be     exploitable.

    25 were in the browser engine, reported by Mozilla     developers and community members Bernd Mielke, Boris     Zbarsky, David Baron, Daniel Veditz, Jesse Ruderman,     Lukas Loehrer, Martijn Wargers, Mats Palmgren, Olli     Pettay, Paul Nickerson,and Vladimir Sukhoy     (CVE-2007-3734)

    7 were in the JavaScript engine reported by Asaf Romano,     Jesse Ruderman, Igor Bukanov (CVE-2007-3735)

  - MFSA 2007-19 / CVE-2007-3736: XSS using addEventListener     and setTimeout

    moz_bug_r_a4 reported that scripts could be injected     into another site's context by exploiting a timing issue     using addEventLstener or setTimeout.

  - MFSA 2007-20 / CVE-2007-3089: frame spoofing

    Ronen Zilberman and Michal Zalewski both reported that     it was possible to exploit a timing issue to inject     content into about:blank frames in a page.

  - MFSA 2007-21 / CVE-2007-3737: Privilege escalation using     an event handler attached to an element not in the     document

    Reported by moz_bug_r_a4.

  - MFSA 2007-22 / CVE-2007-3285: File type confusion due to     %00 in name

    Ronald van den Heetkamp reported that a filename URL     containing %00 (encoded null) can cause Firefox to     interpret the file extension differently than the     underlying Windows operating system potentially leading     to unsafe actions such as running a program.

  - MFSA 2007-23 / CVE-2007-3670: Remote code execution by     launching Firefox from Internet Explorer

    Greg MacManus of iDefense and Billy Rios of Verisign     independently reported that links containing a quote (')     character could be used in Internet Explorer to launch     registered URL Protocol handlers with extra command-line     parameters. Firefox and Thunderbird are among those     which can be launched, and both support a '-chrome'     option that could be used to run malware.

    This problem does not affect Linux.

  - MFSA 2007-24 / CVE-2007-3656: unauthorized access to     wyciwyg:// documents

    Michal Zalewski reported that it was possible to bypass     the same-origin checks and read from cached (wyciwyg)     documents

  - MFSA 2007-25 / CVE-2007-3738: XPCNativeWrapper pollution

    shutdown and moz_bug_r_a4 reported two separate ways to     modify an XPCNativeWrapper such that subsequent access     by the browser would result in executing user-supplied     code.

This update fixes several security issues in Mozilla SeaMonkey 1.1.3.

Following security problems were fixed :

  - MFSA 2007-18: Crashes with evidence of memory corruption

    The usual collection of stability fixes for crashes that     look suspicious but haven't been proven to be     exploitable.

    25 were in the browser engine, reported by Mozilla     developers and community members Bernd Mielke, Boris     Zbarsky, David Baron, Daniel Veditz, Jesse Ruderman,     Lukas Loehrer, Martijn Wargers, Mats Palmgren, Olli     Pettay, Paul Nickerson,and Vladimir Sukhoy     (CVE-2007-3734)

    7 were in the JavaScript engine reported by Asaf Romano,     Jesse Ruderman, Igor Bukanov (CVE-2007-3735)

  - MFSA 2007-19 / CVE-2007-3736: XSS using addEventListener     and setTimeout

    moz_bug_r_a4 reported that scripts could be injected     into another site's context by exploiting a timing issue     using addEventLstener or setTimeout.

  - MFSA 2007-20 / CVE-2007-3089: frame spoofing

    Ronen Zilberman and Michal Zalewski both reported that     it was possible to exploit a timing issue to inject     content into about:blank frames in a page.

  - MFSA 2007-21 / CVE-2007-3737: Privilege escalation using     an event handler attached to an element not in the     document

    Reported by moz_bug_r_a4.

  - MFSA 2007-22 / CVE-2007-3285: File type confusion due to     %00 in name

    Ronald van den Heetkamp reported that a filename URL     containing %00 (encoded null) can cause Firefox to     interpret the file extension differently than the     underlying Windows operating system potentially leading     to unsafe actions such as running a program.

  - MFSA 2007-23 / CVE-2007-3670: Remote code execution by     launching Firefox from Internet Explorer

    Greg MacManus of iDefense and Billy Rios of Verisign     independently reported that links containing a quote (')     character could be used in Internet Explorer to launch     registered URL Protocol handlers with extra command-line     parameters. Firefox and Thunderbird are among those     which can be launched, and both support a '-chrome'     option that could be used to run malware.

    This problem does not affect Linux.

  - MFSA 2007-24 / CVE-2007-3656: unauthorized access to     wyciwyg:// documents

    Michal Zalewski reported that it was possible to bypass     the same-origin checks and read from cached (wyciwyg)     documents

  - MFSA 2007-25 / CVE-2007-3738: XPCNativeWrapper pollution

    shutdown and moz_bug_r_a4 reported two separate ways to     modify an XPCNativeWrapper such that subsequent access     by the browser would result in executing user-supplied     code.

This update fixes several security problems in Mozilla Thunderbird 1.5.0.12.

Following security problems were fixed :

  - MFSA 2007-18: Crashes with evidence of memory corruption

    The usual collection of stability fixes for crashes that     look suspicious but haven't been proven to be     exploitable.

    25 were in the browser engine, reported by Mozilla     developers and community members Bernd Mielke, Boris     Zbarsky, David Baron, Daniel Veditz, Jesse Ruderman,     Lukas Loehrer, Martijn Wargers, Mats Palmgren, Olli     Pettay, Paul Nickerson,and Vladimir Sukhoy     (CVE-2007-3734)

    7 were in the JavaScript engine reported by Asaf Romano,     Jesse Ruderman, Igor Bukanov (CVE-2007-3735)

  - MFSA 2007-19 / CVE-2007-3736: XSS using addEventListener     and setTimeout

    moz_bug_r_a4 reported that scripts could be injected     into another site's context by exploiting a timing issue     using addEventLstener or setTimeout.

  - MFSA 2007-20 / CVE-2007-3089: frame spoofing

    Ronen Zilberman and Michal Zalewski both reported that     it was possible to exploit a timing issue to inject     content into about:blank frames in a page.

  - MFSA 2007-21 / CVE-2007-3737: Privilege escalation using     an event handler attached to an element not in the     document

    Reported by moz_bug_r_a4.

  - MFSA 2007-22 / CVE-2007-3285: File type confusion due to     %00 in name

    Ronald van den Heetkamp reported that a filename URL     containing %00 (encoded null) can cause Firefox to     interpret the file extension differently than the     underlying Windows operating system potentially leading     to unsafe actions such as running a program.

  - MFSA 2007-23 / CVE-2007-3670: Remote code execution by     launching Firefox from Internet Explorer

    Greg MacManus of iDefense and Billy Rios of Verisign     independently reported that links containing a quote (')     character could be used in Internet Explorer to launch     registered URL Protocol handlers with extra command-line     parameters. Firefox and Thunderbird are among those     which can be launched, and both support a '-chrome'     option that could be used to run malware.

    This problem does not affect Linux.

  - MFSA 2007-24 / CVE-2007-3656: unauthorized access to     wyciwyg:// documents

    Michal Zalewski reported that it was possible to bypass     the same-origin checks and read from cached (wyciwyg)     documents

  - MFSA 2007-25 / CVE-2007-3738: XPCNativeWrapper pollution

    shutdown and moz_bug_r_a4 reported two separate ways to     modify an XPCNativeWrapper such that subsequent access     by the browser would result in executing user-supplied     code.

This update brings Mozilla Firefox to security update version 2.0.0.5

Following security problems were fixed :

  - MFSA 2007-18: Crashes with evidence of memory corruption

    The usual collection of stability fixes for crashes that     look suspicious but haven't been proven to be     exploitable.

    25 were in the browser engine, reported by Mozilla     developers and community members Bernd Mielke, Boris     Zbarsky, David Baron, Daniel Veditz, Jesse Ruderman,     Lukas Loehrer, Martijn Wargers, Mats Palmgren, Olli     Pettay, Paul Nickerson,and Vladimir Sukhoy     (CVE-2007-3734)

    7 were in the JavaScript engine reported by Asaf Romano,     Jesse Ruderman, Igor Bukanov (CVE-2007-3735)

  - MFSA 2007-19 / CVE-2007-3736: XSS using addEventListener     and setTimeout

    moz_bug_r_a4 reported that scripts could be injected     into another site's context by exploiting a timing issue     using addEventLstener or setTimeout.

  - MFSA 2007-20 / CVE-2007-3089: frame spoofing

    Ronen Zilberman and Michal Zalewski both reported that     it was possible to exploit a timing issue to inject     content into about:blank frames in a page.

  - MFSA 2007-21 / CVE-2007-3737: Privilege escalation using     an event handler attached to an element not in the     document

    Reported by moz_bug_r_a4.

  - MFSA 2007-22 / CVE-2007-3285: File type confusion due to     %00 in name

    Ronald van den Heetkamp reported that a filename URL     containing %00 (encoded null) can cause Firefox to     interpret the file extension differently than the     underlying Windows operating system potentially leading     to unsafe actions such as running a program.

  - MFSA 2007-23 / CVE-2007-3670: Remote code execution by     launching Firefox from Internet Explorer

    Greg MacManus of iDefense and Billy Rios of Verisign     independently reported that links containing a quote (')     character could be used in Internet Explorer to launch     registered URL Protocol handlers with extra command-line     parameters. Firefox and Thunderbird are among those     which can be launched, and both support a '-chrome'     option that could be used to run malware.

    This problem does not affect Linux.

  - MFSA 2007-24 / CVE-2007-3656: unauthorized access to     wyciwyg:// documents

    Michal Zalewski reported that it was possible to bypass     the same-origin checks and read from cached (wyciwyg)     documents

  - MFSA 2007-25 / CVE-2007-3738: XPCNativeWrapper pollution

    shutdown and moz_bug_r_a4 reported two separate ways to     modify an XPCNativeWrapper such that subsequent access     by the browser would result in executing user-supplied     code.

A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox program, version 2.0.0.6.

This update provides the latest Firefox to correct these issues. As well, it provides Firefox 2.0.0.6 for older products.

ID	Name	Product	Family	Severity
4935	Google Chrome < 1.0.154.48 Cross-browser Command Injection	Nessus Network Monitor	Web Clients	medium
35689	Google Chrome < 1.0.154.48 Cross-browser Command Execution	Nessus	Windows	medium
29361	SuSE 10 Security Update : MozillaFirefox (ZYPP Patch Number 3932)	Nessus	SuSE Local Security Checks	high
28107	Ubuntu 6.06 LTS / 6.10 / 7.04 : mozilla-thunderbird vulnerabilities (USN-503-1)	Nessus	Ubuntu Local Security Checks	high
27444	openSUSE 10 Security Update : seamonkey (seamonkey-3986)	Nessus	SuSE Local Security Checks	high
27443	openSUSE 10 Security Update : seamonkey (seamonkey-3984)	Nessus	SuSE Local Security Checks	high
27132	openSUSE 10 Security Update : MozillaThunderbird (MozillaThunderbird-3973)	Nessus	SuSE Local Security Checks	high
27123	openSUSE 10 Security Update : MozillaFirefox (MozillaFirefox-3935)	Nessus	SuSE Local Security Checks	high
27122	openSUSE 10 Security Update : MozillaFirefox (MozillaFirefox-3933)	Nessus	SuSE Local Security Checks	high
25836	Mandrake Linux Security Advisory : mozilla-firefox (MDKSA-2007:152)	Nessus	Mandriva Local Security Checks	high
800950	Google Chrome < 1.0.154.48 Cross-browser Command Injection	Log Correlation Engine	Web Clients	medium

Detections

Analytics

CVE-2007-3670

high

Tenable Plugins

medium

medium

high

high

high

high

high

high

high

high

medium