The CSSLoaderImpl::DoSheetComplete function in layout/style/nsCSSLoader.cpp in Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3 changes the case of certain strings in a stylesheet before adding this stylesheet to the XUL cache, which might allow remote attackers to modify the browser's font and other CSS attributes, and potentially disrupt rendering of a web page, by forcing the browser to perform this erroneous stylesheet caching.

From Red Hat Security Advisory 2010:0154 :

An updated thunderbird package that fixes several security issues is now available for Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed HTML mail content. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2009-2462, CVE-2009-2463, CVE-2009-2466, CVE-2009-3072, CVE-2009-3075, CVE-2009-3380, CVE-2009-3979, CVE-2010-0159)

A use-after-free flaw was found in Thunderbird. An attacker could use this flaw to crash Thunderbird or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2009-3077)

A heap-based buffer overflow flaw was found in the Thunderbird string to floating point conversion routines. An HTML mail message containing malicious JavaScript could crash Thunderbird or, potentially, execute arbitrary code with the privileges of the user running Thunderbird.
(CVE-2009-0689)

A use-after-free flaw was found in Thunderbird. Under low memory conditions, viewing an HTML mail message containing malicious content could result in Thunderbird executing arbitrary code with the privileges of the user running Thunderbird. (CVE-2009-1571)

A flaw was found in the way Thunderbird created temporary file names for downloaded files. If a local attacker knows the name of a file Thunderbird is going to download, they can replace the contents of that file with arbitrary contents. (CVE-2009-3274)

A flaw was found in the way Thunderbird displayed a right-to-left override character when downloading a file. In these cases, the name displayed in the title bar differed from the name displayed in the dialog body. An attacker could use this flaw to trick a user into downloading a file that has a file name or extension that is different from what the user expected. (CVE-2009-3376)

A flaw was found in the way Thunderbird processed SOCKS5 proxy replies. A malicious SOCKS5 server could send a specially crafted reply that would cause Thunderbird to crash. (CVE-2009-2470)

Descriptions in the dialogs when adding and removing PKCS #11 modules were not informative. An attacker able to trick a user into installing a malicious PKCS #11 module could use this flaw to install their own Certificate Authority certificates on a user's machine, making it possible to trick the user into believing they are viewing trusted content or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2009-3076)

All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect.

From Red Hat Security Advisory 2010:0113 :

Updated SeaMonkey packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor.

A use-after-free flaw was found in SeaMonkey. Under low memory conditions, visiting a web page containing malicious content could result in SeaMonkey executing arbitrary code with the privileges of the user running SeaMonkey. (CVE-2009-1571)

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2010-0159)

All SeaMonkey users should upgrade to these updated packages, which correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect.

From Red Hat Security Advisory 2010:0112 :

Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

A use-after-free flaw was found in Firefox. Under low memory conditions, visiting a web page containing malicious content could result in Firefox executing arbitrary code with the privileges of the user running Firefox. (CVE-2009-1571)

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-0159, CVE-2010-0160)

Two flaws were found in the way certain content was processed. An attacker could use these flaws to create a malicious web page that could bypass the same-origin policy, or possibly run untrusted JavaScript. (CVE-2009-3988, CVE-2010-0162)

For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.18. You can find a link to the Mozilla advisories in the References section of this errata.

All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.18, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

An updated thunderbird package that fixes several security issues is now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed HTML mail content. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2009-2462, CVE-2009-2463, CVE-2009-2466, CVE-2009-3072, CVE-2009-3075, CVE-2009-3380, CVE-2009-3979, CVE-2010-0159)

A use-after-free flaw was found in Thunderbird. An attacker could use this flaw to crash Thunderbird or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2009-3077)

A heap-based buffer overflow flaw was found in the Thunderbird string to floating point conversion routines. An HTML mail message containing malicious JavaScript could crash Thunderbird or, potentially, execute arbitrary code with the privileges of the user running Thunderbird.
(CVE-2009-0689)

A use-after-free flaw was found in Thunderbird. Under low memory conditions, viewing an HTML mail message containing malicious content could result in Thunderbird executing arbitrary code with the privileges of the user running Thunderbird. (CVE-2009-1571)

A flaw was found in the way Thunderbird created temporary file names for downloaded files. If a local attacker knows the name of a file Thunderbird is going to download, they can replace the contents of that file with arbitrary contents. (CVE-2009-3274)

A flaw was found in the way Thunderbird displayed a right-to-left override character when downloading a file. In these cases, the name displayed in the title bar differed from the name displayed in the dialog body. An attacker could use this flaw to trick a user into downloading a file that has a file name or extension that is different from what the user expected. (CVE-2009-3376)

A flaw was found in the way Thunderbird processed SOCKS5 proxy replies. A malicious SOCKS5 server could send a specially crafted reply that would cause Thunderbird to crash. (CVE-2009-2470)

Descriptions in the dialogs when adding and removing PKCS #11 modules were not informative. An attacker able to trick a user into installing a malicious PKCS #11 module could use this flaw to install their own Certificate Authority certificates on a user's machine, making it possible to trick the user into believing they are viewing trusted content or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2009-3076)

All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect.

The remote host is affected by the vulnerability described in GLSA-201301-01 (Mozilla Products: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Mozilla Firefox,       Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner. Please review the       CVE identifiers referenced below for details.
  Impact :

    A remote attacker could entice a user to view a specially crafted web       page or email, possibly resulting in execution of arbitrary code or a       Denial of Service condition. Furthermore, a remote attacker may be able       to perform Man-in-the-Middle attacks, obtain sensitive information,       bypass restrictions and protection mechanisms, force file downloads,       conduct XML injection attacks, conduct XSS attacks, bypass the Same       Origin Policy, spoof URL&rsquo;s for phishing attacks, trigger a vertical       scroll, spoof the location bar, spoof an SSL indicator, modify the       browser&rsquo;s font, conduct clickjacking attacks, or have other unspecified       impact.
    A local attacker could gain escalated privileges, obtain sensitive       information, or replace an arbitrary downloaded file.
  Workaround :

    There is no known workaround at this time.

The remote Redhat Enterprise Linux 4 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2010:0154 advisory.

    Mozilla Thunderbird is a standalone mail and newsgroup client.

    Several flaws were found in the processing of malformed HTML mail content.
    An HTML mail message containing malicious content could cause Thunderbird     to crash or, potentially, execute arbitrary code with the privileges of the     user running Thunderbird. (CVE-2009-2462, CVE-2009-2463, CVE-2009-2466,     CVE-2009-3072, CVE-2009-3075, CVE-2009-3380, CVE-2009-3979, CVE-2010-0159)

    A use-after-free flaw was found in Thunderbird. An attacker could use this     flaw to crash Thunderbird or, potentially, execute arbitrary code with the     privileges of the user running Thunderbird. (CVE-2009-3077)

    A heap-based buffer overflow flaw was found in the Thunderbird string to     floating point conversion routines. An HTML mail message containing     malicious JavaScript could crash Thunderbird or, potentially, execute     arbitrary code with the privileges of the user running Thunderbird.
    (CVE-2009-0689)

    A use-after-free flaw was found in Thunderbird. Under low memory     conditions, viewing an HTML mail message containing malicious content could     result in Thunderbird executing arbitrary code with the privileges of the     user running Thunderbird. (CVE-2009-1571)

    A flaw was found in the way Thunderbird created temporary file names for     downloaded files. If a local attacker knows the name of a file Thunderbird     is going to download, they can replace the contents of that file with     arbitrary contents. (CVE-2009-3274)

    A flaw was found in the way Thunderbird displayed a right-to-left override     character when downloading a file. In these cases, the name displayed in     the title bar differed from the name displayed in the dialog body. An     attacker could use this flaw to trick a user into downloading a file that     has a file name or extension that is different from what the user expected.
    (CVE-2009-3376)

    A flaw was found in the way Thunderbird processed SOCKS5 proxy replies. A     malicious SOCKS5 server could send a specially-crafted reply that would     cause Thunderbird to crash. (CVE-2009-2470)

    Descriptions in the dialogs when adding and removing PKCS #11 modules were     not informative. An attacker able to trick a user into installing a     malicious PKCS #11 module could use this flaw to install their own     Certificate Authority certificates on a user's machine, making it possible     to trick the user into believing they are viewing trusted content or,     potentially, execute arbitrary code with the privileges of the user running     Thunderbird. (CVE-2009-3076)

    All Thunderbird users should upgrade to this updated package, which     resolves these issues. All running instances of Thunderbird must be     restarted for the update to take effect.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Multiple vulnerabilities has been found and corrected in mozilla-thunderbird :

Mozilla Thunderbird before 2.0.0.24 and SeaMonkey before 1.1.19 process e-mail attachments with a parser that performs casts and line termination incorrectly, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted message, related to message indexing (CVE-2009-0689).

Integer overflow in a base64 decoding function in Mozilla Firefox before 3.0.12 and Thunderbird allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors (CVE-2009-2463).

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.3, allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2009-3072).

Multiple unspecified vulnerabilities in the JavaScript engine in Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.2, allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2009-3075).

Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.3, does not properly manage pointers for the columns (aka TreeColumns) of a XUL tree element, which allows remote attackers to execute arbitrary code via a crafted HTML document, related to a dangling pointer vulnerability. (CVE-2009-3077)

Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey before 2.0, does not properly handle a right-to-left override (aka RLO or U+202E) Unicode character in a download filename, which allows remote attackers to spoof file extensions via a crafted filename, as demonstrated by displaying a non-executable extension for an executable file (CVE-2009-3376).

Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to send authenticated requests to arbitrary applications by replaying the NTLM credentials of a browser user (CVE-2009-3983).

Mozilla Thunderbird before 2.0.0.24 and SeaMonkey before 1.1.19 process e-mail attachments with a parser that performs casts and line termination incorrectly, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted message, related to message indexing (CVE-2010-0163).

This update provides the latest version of Thunderbird which are not vulnerable to these issues.

Packages for 2008.0 and 2009.0 are provided due to the Extended Maintenance Program for those products.

Additionally, some packages which require so, have been rebuilt and are being provided as updates.

The remote host is running a version of Mozilla Firefox 3.6.x prior to 3.6.2. Such versions are potentially affected by multiple security issues :

 - The WOFF decoder contains an integer overflow in a font decrompression routine. (MFSA 2010-08)
 - Deleted image frames are reused when handling 'multipart/x-mixed-replace' images. (MFSA 2010-09)
 - The 'window.location' object is made a normal overridable object. (MFSA 2010-10)
 - Multiple crashes can result in arbitrary code execution. (MFSA 2010-11)
 - A cross-site scripting issue when using 'addEventListener' and 'setTimeout' on a wrapped object. (MFSA 2010-12)
 - Documents fail to call certain security checks when attempting to preload images. (MFSA 2010-13)
 - It is possible to corrupt a user's XUL cache. (MFSA 2010-14)
 - The asynchronous Authorization Prompt is not always attached to the correct window. (MFSA 2010-15)
 - Multiple crashes cna result in arbitrary code execution. (MFSA 2010-16)
 - An error exists in the way '<option>' elements are inserted into a XUL tree '<optgroup>'. (MFSA 2010-18)
 - An error exists in the implementation of the 'windows.navigator.plugins' object. (MFSA 2010-19)
 - A browser applet can be used to turn a simple mouse click into a drag-and-drop action, potentially resulting in the unintended loading of resources in a user's browser. (MFSA 2010-20)
 - Session renegotiations are not handled properly, which can be exploited to insert arbitrary plaintext by a man-in-the-middle. (MFSA 2010-22)
 - When an image points to a resource that redirects to a 'mailto: ' URL, the external mail handler application is launched. (MFSA 2010-23)
 - XML documents fail to call certain security checks when loading new content. (MFSA 2010-24)

The installed version of Firefox 3.6.x is earlier than 3.6.2.  Such versions are potentially affected by multiple security issues :
 
  - The WOFF decoder contains an integer overflow in a font     decompression routine. (MFSA 2010-08)

  - Deleted image frames are reused when handling     'multipart/x-mixed-replace' images. (MFSA 2010-09)

  - The 'window.location' object is made a normal     overridable object. (MFSA 2010-10)

  - Multiple crashes can result in arbitrary code execution.
    (MFSA 2010-11)

  - A cross-site scripting issue when using     'addEventListener' and 'setTimeout' on a wrapped object.     (MFSA 2010-12)

  - Documents fail to call certain security checks when     attempting to preload images. (MFSA 2010-13)

  - It is possible to corrupt a user's XUL cache.     (MFSA 2010-14)

  - The asynchronous Authorization Prompt is not always     attached to the correct window. (MFSA 2010-15)   
  - Multiple crashes can result in arbitrary code execution.
    (MFSA 2010-16)

  - An error exists in the way '<option>' elements are     inserted into a XUL tree '<optgroup>' (MFSA 2010-18)

  - An error exists in the implementation of the     'windows.navigator.plugins' object. (MFSA 2010-19)

  - A browser applet can be used to turn a simple mouse     click into a drag-and-drop action, potentially resulting     in the unintended loading of resources in a user's     browser. (MFSA 2010-20)

  - Session renegotiations are not handled properly, which     can be exploited to insert arbitrary plaintext by a     man-in-the-middle. (MFSA 2010-22)

  - When an image points to a resource that redirects to a     'mailto:' URL, the external mail handler application is     launched. (MFSA 2010-23)     
  - XML documents fail to call certain security checks when     loading new content. (MFSA 2010-024)

An updated thunderbird package that fixes several security issues is now available for Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed HTML mail content. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2009-2462, CVE-2009-2463, CVE-2009-2466, CVE-2009-3072, CVE-2009-3075, CVE-2009-3380, CVE-2009-3979, CVE-2010-0159)

A use-after-free flaw was found in Thunderbird. An attacker could use this flaw to crash Thunderbird or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2009-3077)

A heap-based buffer overflow flaw was found in the Thunderbird string to floating point conversion routines. An HTML mail message containing malicious JavaScript could crash Thunderbird or, potentially, execute arbitrary code with the privileges of the user running Thunderbird.
(CVE-2009-0689)

A use-after-free flaw was found in Thunderbird. Under low memory conditions, viewing an HTML mail message containing malicious content could result in Thunderbird executing arbitrary code with the privileges of the user running Thunderbird. (CVE-2009-1571)

A flaw was found in the way Thunderbird created temporary file names for downloaded files. If a local attacker knows the name of a file Thunderbird is going to download, they can replace the contents of that file with arbitrary contents. (CVE-2009-3274)

A flaw was found in the way Thunderbird displayed a right-to-left override character when downloading a file. In these cases, the name displayed in the title bar differed from the name displayed in the dialog body. An attacker could use this flaw to trick a user into downloading a file that has a file name or extension that is different from what the user expected. (CVE-2009-3376)

A flaw was found in the way Thunderbird processed SOCKS5 proxy replies. A malicious SOCKS5 server could send a specially crafted reply that would cause Thunderbird to crash. (CVE-2009-2470)

Descriptions in the dialogs when adding and removing PKCS #11 modules were not informative. An attacker able to trick a user into installing a malicious PKCS #11 module could use this flaw to install their own Certificate Authority certificates on a user's machine, making it possible to trick the user into believing they are viewing trusted content or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2009-3076)

All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect.

The installed version of Mozilla Thunderbird is earlier than 3.0.2.  Such versions are potentially affected by the following security issues : 

  - Multiple crashes can result in arbitrary code execution. (MFSA 2010-01)

  - The HTML parser incorrectly frees used memory when insufficient space is available to process remaining input. (MFSA 2010-03)

  - Multiple crashes can result in arbitrary code execution. (MFSA 2010-11)

  - A cross-site scripting issue when using 'addEventListener' and 'setTimeout' on a wrapped object. (MFSA 2010-12)

  - It is possible to corrupt a user's XUL cache. (MFSA 2010-14)

Versions of Mozilla Thunderbird prior to 3.0.2 are affected by the following vulnerabilities :

 - Multiple crashes can result in arbitrary code execution. (MFSA 2010-01)
 - The HTML parser incorrectly frees used memory when insufficient space is available to process remaining input. (MFSA 2010-03)
 - Multiple crashes can result in arbitrary code execution. (MFSA 2010-11)
 - A cross-site scripting issue when using 'addEventListener' and 'setTimeout' on a wrapped object. (MFSA 2010-12)
 - It is possible to corrupt a user's XUL cache. (MFSA 2010-14)

The installed version of Thunderbird is earlier than 3.0.2.  Such versions are potentially affected by the following security issues :

  - Multiple crashes can result in arbitrary code execution.
    (MFSA 2010-01)

  - The HTML parser incorrectly frees used memory when     insufficient space is available to process remaining     input. (MFSA 2010-03)

  - Multiple crashes can result in arbitrary code execution.
    (MFSA 2010-11)

  - A cross-site scripting issue when using     'addEventListener' and 'setTimeout' on a wrapped object.
    (MFSA 2010-12)

  - It is possible to corrupt a user's XUL cache.
    (MFSA 2010-14)

Security issues were identified and fixed in firefox 3.0.x and 3.5.x :

Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code (CVE-2010-0159).

Security researcher Orlando Barrera II reported via TippingPoint's Zero Day Initiative that Mozilla's implementation of Web Workers contained an error in its handling of array data types when processing posted messages. This error could be used by an attacker to corrupt heap memory and crash the browser, potentially running arbitrary code on a victim's computer (CVE-2010-0160).

Security researcher Alin Rad Pop of Secunia Research reported that the HTML parser incorrectly freed used memory when insufficient space was available to process remaining input. Under such circumstances, memory occupied by in-use objects was freed and could later be filled with attacker-controlled text. These conditions could result in the execution or arbitrary code if methods on the freed objects were subsequently called (CVE-2009-1571).

Security researcher Hidetake Jo of Microsoft Vulnerability Research reported that the properties set on an object passed to showModalDialog were readable by the document contained in the dialog, even when the document was from a different domain. This is a violation of the same-origin policy and could result in a website running untrusted JavaScript if it assumed the dialogArguments could not be initialized by another site. An anonymous security researcher, via TippingPoint's Zero Day Initiative, also independently reported this issue to Mozilla (CVE-2009-3988).

Mozilla security researcher Georgi Guninski reported that when a SVG document which is served with Content-Type: application/octet-stream is embedded into another document via an <embed> tag with type=image/svg+xml, the Content-Type is ignored and the SVG document is processed normally. A website which allows arbitrary binary data to be uploaded but which relies on Content-Type: application/octet-stream to prevent script execution could have such protection bypassed. An attacker could upload a SVG document containing JavaScript as a binary file to a website, embed the SVG document into a malicous page on another site, and gain access to the script environment from the SVG-serving site, bypassing the same-origin policy (CVE-2010-0162).

The CSSLoaderImpl::DoSheetComplete function in layout/style/nsCSSLoader.cpp in Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2;
and SeaMonkey before 2.0.3 changes the case of certain strings in a stylesheet before adding this stylesheet to the XUL cache, which might allow remote attackers to modify the browser's font and other CSS attributes, and potentially disrupt rendering of a web page, by forcing the browser to perform this erroneous stylesheet caching (CVE-2010-0169).

Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3 allow remote attackers to perform cross-origin keystroke capture, and possibly conduct cross-site scripting (XSS) attacks, by using the addEventListener and setTimeout functions in conjunction with a wrapped object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2007-3736 (CVE-2010-0171).

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.

Additionally, some packages which require so, have been rebuilt and are being provided as updates.

The remote host is running a version of Mozilla Firefox earlier than 3.0.18, 3.5.8, 3.6.  Such versions are potentially affected by multiple vulnerabilities : 

  - Several crashes can result in arbitrary code execution. (MFSA 2010-01)

  - The implementation of 'Web Workers' contains an error in its handling of array data types when processing posted messages. (MFSA 2010-02)

  - The HTML parser incorrectly frees used memory when insufficient space is available to process remaining input. (MFSA 2010-03)

  - A cross-site scripting issue due to 'window.dialogArguments' being readable cross-domain. (CVE-2010-04)

  - A cross-site scripting issue when using SVG documents and binary Content-Type. (MFSA 2010-05)

  - Multiple crashes can result in arbitrary code execution. (MFSA 2010-011)

  - A cross-site scripting issue when using 'addEventListener' and 'setTimeout' on a wrapped object. (MFSA 2010-12)

  - It is possible to corrupt a user's XUL cache. (MFSA 2010-14)

The remote host is running a version of Mozilla SeaMonkey earlier than 2.0.3.  Such versions are potentially affected by multiple vulnerabilities : 

  - Several crashes can result in arbitrary code execution. (MFSA 2010-01)

  - The implementation of 'Web Workers' contains an error in its handling of array data types when processing posted messages. (MFSA 2010-02)

  - The HTML parser incorrectly frees used memory when insufficient space is available to process remaining input. (MFSA 2010-03)

  - A cross-site scripting issue due to 'window.dialogArguments' being readable cross-domain. (CVE-2010-04)

  - A cross-site scripting issue when using SVG documents and binary Content-Type. (MFSA 2010-05)

  - Multiple crashes can result in arbitrary code execution. (MFSA 2010-11)

  - A cross-site scripting issue when using 'addEventListener' and 'setTimeout' on a wrapped object. (MFSA 2010-12)

The remote host is running a version of SeaMonkey earlier than 2.0.3.  Such versions are potentially affected by multiple vulnerabilities : 

  - Several crashes can result in arbitrary code execution. (MFSA 2010-01)

  - The implementation of 'Web Workers' contains an error in its handling of array data types when processing posted messages. (MFSA 2010-02)

  - The HTML parser incorrectly frees used memory when insufficient space is available to process remaining input. (MFSA 2010-03)

  - A cross-site scripting issue due to 'window.dialogArguments' being readable cross-domain. (CVE-2010-04)

  - A cross-site scripting issue when using SVG documents and binary Content-Type. (MFSA 2010-05)

  - Multiple crashes can result in arbitrary code execution. (MFSA 2010-11)

  - A cross-site scripting issue when using 'addEventListener' and 'setTimeout' on a wrapped object. (MFSA 2010-12)

The remote host is running a version of Mozilla Firefox earlier than 3.0.18, 3.5.8, 3.6.  Such versions are potentially affected by multiple vulnerabilities : 

 - Several crashes can result in arbitrary code execution. (MFSA 2010-01)
 - The implementation of 'Web Workers' contains an error in its handling of array data types when processing posted messages. (MFSA 2010-02)
 - The HTML parser incorrectly frees used memory when insufficient space is available to process remaining input. (MFSA 2010-03)
 - A cross-site scripting issue due to 'window.dialogArguments' being readable cross-domain. (CVE-2010-04)
 - A cross-site scripting issue when using SVG documents and binary Content-Type. (MFSA 2010-05)
 - Multiple crashes can result in arbitrary code execution. (MFSA 2010-011)
 - A cross-site scripting issue when using 'addEventListener' and 'setTimeout' on a wrapped object. (MFSA 2010-12)
 - It is possible to corrupt a user's XUL cache. (MFSA 2010-14)

The installed version of SeaMonkey is earlier than 2.0.3.  Such versions are potentially affected by the following security issues :

  - Multiple crashes can result in arbitrary code execution.
    (MFSA 2010-01)

  - The implementation of 'Web Workers' contained an error     in its handling of array data types when processing     posted messages. (MFSA 2010-02)

  - The HTML parser incorrectly frees used memory when     insufficient space is available to process remaining     input. (MFSA 2010-03)

  - A cross-site scripting issue exists due to     'window.dialogArguments' being readable cross-domain.
    (MFSA 2010-04)

  - A cross-site scripting issue exists when using SVG     documents and binary Content-Type. (MFSA 2010-05)

  - Multiple crashes can result in arbitrary code execution.
    (MFSA 2010-11)

  - A cross-site scripting issue when using     'addEventListener' and 'setTimeout' on a wrapped object.
    (MFSA 2010-12)

  - It is possible to corrupt a user's XUL cache.     (MFSA 2010-14)     
  - The XMLHttpRequestSpy module in the Firebug add-on     exposes an underlying chrome privilege escalation     vulnerability. (MFSA 2010-21)

The installed version of Firefox is 3.5.x earlier than 3.5.8.  Such versions are potentially affected by the following security issues :

  - Multiple crashes can result in arbitrary code execution.
    (MFSA 2010-01)

  - The implementation of 'Web Workers' contained an error     in its handling of array data types when processing     posted messages. (MFSA 2010-02)

  - The HTML parser incorrectly frees used memory when     insufficient space is available to process remaining     input. (MFSA 2010-03)

  - A cross-site scripting issue exists due to     'window.dialogArguments' being readable cross-domain.
    (MFSA 2010-04)

  - A cross-site scripting issue exists when using SVG     documents and binary Content-Type. (MFSA 2010-05)     
  - Multiple crashes can result in arbitrary code execution.
    (MFSA 2010-11)

  - A cross-site scripting issue when using     'addEventListener' and 'setTimeout' on a wrapped object.
    (MFSA 2010-12)

  - It is possible to corrupt a user's XUL cache.     (MFSA 2010-14)

  - The XMLHttpRequestSpy module in the Firebug add-on     exposes an underlying chrome privilege escalation     vulnerability. (MFSA 2010-21)

The installed version of Firefox is earlier than 3.0.18.  Such versions are potentially affected by the following security issues :

  - Multiple crashes can result in arbitrary code execution.
    (MFSA 2010-01)

  - The implementation of 'Web Workers' contained an error     in its handling of array data types when processing     posted messages. (MFSA 2010-02)

  - The HTML parser incorrectly frees used memory when     insufficient space is available to process remaining     input. (MFSA 2010-03)

  - A cross-site scripting exists issue due to     'window.dialogArguments' being readable cross-domain.
    (MFSA 2010-04)

  - A cross-site scripting issue exists when using SVG     documents and binary Content-Type. (MFSA 2010-05)

  - Multiple crashes can result in arbitrary code execution.
    (MFSA 2010-11)

  - A cross-site scripting issue when using     'addEventListener' and 'setTimeout' on a wrapped object.
    (MFSA 2010-12)

  - It is possible to corrupt a user's XUL cache.     (MFSA 2010-14)

Updated SeaMonkey packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor.

A use-after-free flaw was found in SeaMonkey. Under low memory conditions, visiting a web page containing malicious content could result in SeaMonkey executing arbitrary code with the privileges of the user running SeaMonkey. (CVE-2009-1571)

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2010-0159)

All SeaMonkey users should upgrade to these updated packages, which correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect.

The remote Redhat Enterprise Linux 4 / 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2010:0112 advisory.

  - Mozilla incorrectly frees used memory (MFSA 2010-03) (CVE-2009-1571)

  - Mozilla violation of same-origin policy due to properties set on objects passed to showModalDialog (MFSA     2010-04) (CVE-2009-3988)

  - Mozilla crashes with evidence of memory corruption (MFSA 2010-01) (CVE-2010-0159)

  - Mozilla implementation of Web Workers can lead to crash with evidence of memory corruption (MFSA 2010-02)     (CVE-2010-0160)

  - Mozilla bypass of same-origin policy due to improper SVG document processing (MFSA 2010-05)     (CVE-2010-0162)

  - firefox/thunderbird/seamonkey: crashes with evidence of memory corruption (MFSA 2010-11) (CVE-2010-0167)

  - firefox/thunderbird/seamonkey: browser chrome defacement via cached XUL stylesheets (MFSA 2010-14)     (CVE-2010-0169)

  - firefox/thunderbird/seamonkey: XSS using addEventListener and setTimeout on a wrapped object (MFSA     2010-12) (CVE-2010-0171)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

A use-after-free flaw was found in Firefox. Under low memory conditions, visiting a web page containing malicious content could result in Firefox executing arbitrary code with the privileges of the user running Firefox. (CVE-2009-1571)

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-0159, CVE-2010-0160)

Two flaws were found in the way certain content was processed. An attacker could use these flaws to create a malicious web page that could bypass the same-origin policy, or possibly run untrusted JavaScript. (CVE-2009-3988, CVE-2010-0162)

For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.18. You can find a link to the Mozilla advisories in the References section of this errata.

All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.18, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

ID	Name	Product	Family	Severity
68015	Oracle Linux 4 : thunderbird (ELSA-2010-0154)	Nessus	Oracle Linux Local Security Checks	critical
68000	Oracle Linux 3 / 4 : seamonkey (ELSA-2010-0113)	Nessus	Oracle Linux Local Security Checks	critical
67999	Oracle Linux 4 / 5 : firefox (ELSA-2010-0112)	Nessus	Oracle Linux Local Security Checks	critical
63923	RHEL 5 : thunderbird (RHSA-2010:0153)	Nessus	Red Hat Local Security Checks	critical
63402	GLSA-201301-01 : Mozilla Products: Multiple vulnerabilities (BEAST)	Nessus	Gentoo Local Security Checks	critical
46271	RHEL 4 : thunderbird (RHSA-2010:0154)	Nessus	Red Hat Local Security Checks	medium
45521	Mandriva Linux Security Advisory : mozilla-thunderbird (MDVSA-2010:071)	Nessus	Mandriva Local Security Checks	critical
45361	CentOS 5 : thunderbird (CESA-2010:0153)	Nessus	CentOS Local Security Checks	critical
5485	Mozilla Firefox 3.6.x < 3.6.2 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	medium
45133	Firefox 3.6.x < 3.6.2 Multiple Vulnerabilities	Nessus	Windows	high
45093	CentOS 4 : thunderbird (CESA-2010:0154)	Nessus	CentOS Local Security Checks	critical
801210	Mozilla Thunderbird < 3.0.2 Multiple Vulnerabilities	Log Correlation Engine	SMTP Clients	high
5355	Mozilla Thunderbird < 3.0.2 Multiple Vulnerabilities	Nessus Network Monitor	SMTP Clients	medium
44961	Mozilla Thunderbird < 3.0.2 Multiple Vulnerabilities	Nessus	Windows	high
44672	Mandriva Linux Security Advisory : firefox (MDVSA-2010:042)	Nessus	Mandriva Local Security Checks	critical
801279	Mozilla Firefox < 3.0.18 / 3.5.8 / 3.6 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	high
801219	Mozilla SeaMonkey < 2.0.3 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	high
5343	SeaMonkey < 2.0.3 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	medium
5342	Mozilla Firefox < 3.0.18 / 3.5.8 / 3.6 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	medium
44660	SeaMonkey < 2.0.3 Multiple Vulnerabilities	Nessus	Windows	high
44659	Firefox 3.5 < 3.5.8 Multiple Vulnerabilities	Nessus	Windows	high
44658	Firefox < 3.0.18 Multiple Vulnerabilities	Nessus	Windows	high
44652	RHEL 3 / 4 : seamonkey (RHSA-2010:0113)	Nessus	Red Hat Local Security Checks	critical
44651	RHEL 4 / 5 : firefox (RHSA-2010:0112)	Nessus	Red Hat Local Security Checks	medium
44649	CentOS 3 / 4 : seamonkey (CESA-2010:0113)	Nessus	CentOS Local Security Checks	critical
44648	CentOS 4 / 5 : firefox (CESA-2010:0112)	Nessus	CentOS Local Security Checks	critical

Detections

Analytics

CVE-2010-0169

medium

Tenable Plugins

critical

critical

critical

critical

critical

medium

critical

critical

medium

high

critical

high

medium

high

critical

high

high

medium

medium

high

high

high

critical

medium

critical

critical