Firefox < 3.0.2 Multiple Vulnerabilities

high Log Correlation Engine Plugin ID 800756

Synopsis

The remote Windows host contains a web browser that is affected by multiple vulnerabilities.

Description

The installed version of Firefox is affected by various security issues :

- An attacker can cause the content window to move while the mouse is being clicked, causing an item to be dragged rather than clicked-on (MFSA 2008-40).
- Privilege escalation is possible via 'XPCnativeWrapper' pollution (MFSA 2008-41).
- There are several stability bugs in the browser engine that may lead to crashes with evidence of memory corruption (MFSA 2008-42).
- Certain BOM characters and low surrogate characters, if HTML-escaped, are stripped from JavaScript code before it is executed, which could allow for cross-site scripting attacks (MFSA 2008-43).
- The 'resource: ' protocol allows directory traversal on Linux when using URL-encoded slashes, and it can by used to bypass restrictions on local HTML files (MFSA 2008-44).

Solution

Upgrade to version 3.0.2 or higher.

See Also

http://www.mozilla.org/security/announce/2008/mfsa2008-40.html

http://www.mozilla.org/security/announce/2008/mfsa2008-41.html

http://www.mozilla.org/security/announce/2008/mfsa2008-42.html

http://www.mozilla.org/security/announce/2008/mfsa2008-43.html

http://www.mozilla.org/security/announce/2008/mfsa2008-44.html

http://www.mozilla.org/security/announce/2008/mfsa2008-50.html

http://www.securityfocus.com/bid/31346