The nsDocument::SetScriptGlobalObject function in content/base/src/nsDocument.cpp in Mozilla Firefox 3.5.x before 3.5.2, when certain add-ons are enabled, does not properly handle a Link HTTP header, which allows remote attackers to execute arbitrary JavaScript with chrome privileges via a crafted web page, related to an incorrect security wrapper.

The remote host is affected by the vulnerability described in GLSA-201301-01 (Mozilla Products: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Mozilla Firefox,       Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner. Please review the       CVE identifiers referenced below for details.
  Impact :

    A remote attacker could entice a user to view a specially crafted web       page or email, possibly resulting in execution of arbitrary code or a       Denial of Service condition. Furthermore, a remote attacker may be able       to perform Man-in-the-Middle attacks, obtain sensitive information,       bypass restrictions and protection mechanisms, force file downloads,       conduct XML injection attacks, conduct XSS attacks, bypass the Same       Origin Policy, spoof URL&rsquo;s for phishing attacks, trigger a vertical       scroll, spoof the location bar, spoof an SSL indicator, modify the       browser&rsquo;s font, conduct clickjacking attacks, or have other unspecified       impact.
    A local attacker could gain escalated privileges, obtain sensitive       information, or replace an arbitrary downloaded file.
  Workaround :

    There is no known workaround at this time.

Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. nspr provides the Netscape Portable Runtime (NSPR).

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3070, CVE-2009-3071, CVE-2009-3072, CVE-2009-3074, CVE-2009-3075)

A use-after-free flaw was found in Firefox. An attacker could use this flaw to crash Firefox or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3077)

A flaw was found in the way Firefox handles malformed JavaScript. A website with an object containing malicious JavaScript could execute that JavaScript with the privileges of the user running Firefox.
(CVE-2009-3079)

Descriptions in the dialogs when adding and removing PKCS #11 modules were not informative. An attacker able to trick a user into installing a malicious PKCS #11 module could use this flaw to install their own Certificate Authority certificates on a user's machine, making it possible to trick the user into believing they are viewing a trusted site or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3076)

A flaw was found in the way Firefox displays the address bar when window.open() is called in a certain way. An attacker could use this flaw to conceal a malicious URL, possibly tricking a user into believing they are viewing a trusted site. (CVE-2009-2654)

A flaw was found in the way Firefox displays certain Unicode characters. An attacker could use this flaw to conceal a malicious URL, possibly tricking a user into believing they are viewing a trusted site. (CVE-2009-3078)

For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.14. You can find a link to the Mozilla advisories in the References section of this errata.

All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.14, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

Update to new upstream Firefox version 3.0.13, fixing multiple security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#f irefox3.0.13 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. Note: Issues described in MFSA 2009-42 and MFSA 2009-43 were previously addressed via rebase of the NSS packages.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to new upstream Firefox version 3.5.2, fixing multiple security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.2 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The installed version of Mozilla Firefox 3.5 is earlier than 3.5.2. Such versions are potentially affected by a privilege-escalation vulnerability. The issues exists when the browser with an add-on implementing a Content Policy opens pages that have a 'Link:' HTTP header. An attacker can exploit this issue to execute arbitrary JavaScript code with chrome privileges.

Versions of Mozilla Firefox 3.5.x prior to 3.5.2 are affected by a privilege-escalation vulnerability. The issues exists when the browser with an add-on implementing a Content Policy opens pages that have a 'Link:' HTTP header. An attacker can exploit this issue to execute arbitrary JavaScript code with chrome privileges.

The installed version of Firefox 3.5 is earlier than 3.5.2.  Such versions are potentially affected by the following security issues :

  - A SOCKS5 proxy that replies with a hostname containing     more than 15 characters can corrupt the subsequent     data stream.  This can lead to a denial of service,     though there is reportedly no memory corruption.
    (MFSA 2009-38)

  - The location bar and SSL indicators can be spoofed     by calling window.open() on an invalid URL. A remote     attacker could use this to perform a phishing attack.
    (MFSA 2009-44)

  - Unspecified JavaScript-related vulnerabilities can lead     to memory corruption, and possibly arbitrary execution     of code. (MFSA 2009-45, MFSA 2009-47)

  - If an add-on has a 'Link:' HTTP header when it is installed,     the window's global object receives an incorrect security     wrapper, which could lead to arbitrary JavaScript being     executed with chrome privileges. (MFSA 2009-46)

ID	Name	Product	Family	Severity
63402	GLSA-201301-01 : Mozilla Products: Multiple vulnerabilities (BEAST)	Nessus	Gentoo Local Security Checks	critical
40932	CentOS 4 / 5 : firefox / seamonkey (CESA-2009:1430)	Nessus	CentOS Local Security Checks	critical
40921	RHEL 4 / 5 : firefox (RHSA-2009:1430)	Nessus	Red Hat Local Security Checks	critical
40484	Fedora 10 : Miro-2.0.5-3.fc10 / blam-1.8.5-13.fc10 / epiphany-2.24.3-9.fc10 / etc (2009-8288)	Nessus	Fedora Local Security Checks	critical
40483	Fedora 11 : kazehakase-0.5.6-11.svn3771_trunk.fc11.4 / Miro-2.0.5-3.fc11 / blam-1.8.5-13.fc11 / etc (2009-8279)	Nessus	Fedora Local Security Checks	critical
801244	Mozilla Firefox 3.5 < 3.5.2 Proxy Response DoS	Log Correlation Engine	Web Clients	high
5116	Mozilla Firefox 3.5.x < 3.5.2 Privilege Escalation	Nessus Network Monitor	Web Clients	medium
40479	Firefox 3.5.x < 3.5.2 Multiple Vulnerabilities	Nessus	Windows	high

Detections

Analytics

CVE-2009-2665

high

Tenable Plugins

critical

critical

critical

critical

critical

high

medium

high