Rapid7 Vulnerability & Exploit Database

RHSA-2011:0310: firefox security and bug fix update


Severity: 10
CVSS (v2 base vector): (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 03/02/2011
Created: 07/25/2018
Added: 03/16/2011
Modified: 07/04/2017

Description

Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

A flaw was found in the way Firefox sanitized HTML content in extensions. If an extension loaded or rendered malicious content using the ParanoidFragmentSink class, it could fail to safely display the content, causing Firefox to execute arbitrary JavaScript with the privileges of the user running Firefox. (CVE-2010-1585)

A flaw was found in the way Firefox handled dialog boxes. An attacker could use this flaw to create a malicious web page that would present a blank dialog box that has non-functioning buttons. If a user closes the dialog box window, it could unexpectedly grant the malicious web page elevated privileges. (CVE-2011-0051)

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-0053, CVE-2011-0055, CVE-2011-0058, CVE-2011-0062)

Several flaws were found in the way Firefox handled malformed JavaScript. A website containing malicious JavaScript could cause Firefox to execute that JavaScript with the privileges of the user running Firefox. (CVE-2011-0054, CVE-2011-0056, CVE-2011-0057)

A flaw was found in the way Firefox handled malformed JPEG images. A website containing a malicious JPEG image could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-0061)

A flaw was found in the way Firefox handled plug-ins that perform HTTP requests. If a plug-in performed an HTTP request, and the server sent a 307 redirect response, the plug-in was not notified, and the HTTP request was forwarded. The forwarded request could contain custom headers, which could result in a Cross Site Request Forgery attack. (CVE-2011-0059)

For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.6.14. You can find a link to the Mozilla advisories in the References section of this erratum.

This update also fixes the following bug:

libgnomevfs-WARNING **: Deprecated function. User modifications to the MIME database are no longer supported.

This update disables the "setDefaultBrowser" option. Red Hat Enterprise Linux 4 users wishing to set a default web browser can use Applications -> Preferences -> More Preferences -> Preferred Applications. Red Hat Enterprise Linux 5 users can use System -> Preferences -> Preferred Applications. (BZ#463131, BZ#665031)

All Firefox users should upgrade to these updated packages, which contain Firefox version 3.6.14, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.
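The CVE-2011-0059 pattern described above, re-created locally as an added example (this is not Red Hat's, Mozilla's or the plug-in API's code). Two HTTP servers on 127.0.0.1 with different ports stand in for two origins. A "plug-in" sends a POST carrying a custom header to origin A, which answers 307 with a Location on origin B. A client that follows the 307 without telling its caller replays the method, body and custom header at B, which is exactly what lets a site that trusts a custom header as a same-origin signal be forged. The hardened client shown is an assumed behaviour, not a description of Mozilla's actual patch: it stops at the 307 and returns the redirect to the caller, flagging whether it crosses an origin. Header names, ports, paths and the sample body are constructed for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed sample: headers a plug-in attaches to its own requests. A site that
# treats the custom header as proof of a same-origin caller is the CSRF victim.
PLUGIN_HEADERS = {"X-Plugin-Token": "secret-abc123", "X-Requested-With": "Plugin"}


class RedirectingOrigin(BaseHTTPRequestHandler):
    """Origin A (attacker-controlled): answers every request with a 307."""
    victim_url = None  # set by demo() once origin B has a port

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.send_response(307)
        self.send_header("Location", self.victim_url)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST

    def log_message(self, *args):  # keep the demo quiet
        pass


class VictimOrigin(BaseHTTPRequestHandler):
    """Origin B (victim): records every request it receives, headers included."""
    received = []

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        headers = {k.lower(): v for k, v in self.headers.items()}
        self.received.append({"headers": headers, "body": body})
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    do_GET = do_POST

    def log_message(self, *args):
        pass


def start_server(handler):
    """Bind to an ephemeral port and serve from a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def send_once(url, method, headers, body):
    """One HTTP exchange with no redirect handling: (status, location, body)."""
    u = urlsplit(url)
    conn = http.client.HTTPConnection(u.hostname, u.port, timeout=5)
    conn.request(method, u.path or "/", body=body, headers=headers)
    resp = conn.getresponse()
    data = resp.read()
    location = resp.getheader("Location")
    conn.close()
    return resp.status, location, data


def same_origin(a, b):
    ua, ub = urlsplit(a), urlsplit(b)
    return (ua.scheme, ua.hostname, ua.port) == (ub.scheme, ub.hostname, ub.port)


def vulnerable_request(url, method, headers, body, max_hops=5):
    """The advisory's bug: a 307 is followed without telling the caller, and the
    original method, body and custom headers are replayed at the new origin."""
    for _ in range(max_hops):
        status, location, data = send_once(url, method, headers, body)
        if status == 307 and location:
            url = location
            continue
        return status, url, data
    raise RuntimeError("too many redirects")


def hardened_request(url, method, headers, body):
    """Assumed fix (not Mozilla's patch): a 307 is never followed automatically.
    The redirect goes back to the caller with a cross-origin flag, so the caller
    can decide and drop its custom headers before following."""
    status, location, data = send_once(url, method, headers, body)
    if status == 307 and location:
        return {"followed": False, "status": status, "redirect_to": location,
                "cross_origin": not same_origin(url, location)}
    return {"followed": True, "status": status, "body": data}


def demo():
    """Run both clients against the two local origins and report what B saw."""
    VictimOrigin.received.clear()
    victim = start_server(VictimOrigin)
    RedirectingOrigin.victim_url = "http://127.0.0.1:%d/transfer" % victim.server_port
    attacker = start_server(RedirectingOrigin)
    attacker_url = "http://127.0.0.1:%d/api" % attacker.server_port
    body = b"amount=1000&to=attacker"  # constructed sample body
    try:
        vulnerable_request(attacker_url, "POST", PLUGIN_HEADERS, body)
        leaked = VictimOrigin.received[-1]["headers"].get("x-plugin-token")
        hardened = hardened_request(attacker_url, "POST", PLUGIN_HEADERS, body)
    finally:
        for srv in (victim, attacker):
            srv.shutdown()
            srv.server_close()
    return {"leaked_token": leaked, "victim_hits": len(VictimOrigin.received),
            "hardened": hardened}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows origin B receiving the plug-in's X-Plugin-Token and the POST body from the vulnerable client, while the hardened client never reaches B and reports the redirect as cross-origin. The origin check deliberately compares scheme, host and port, since two ports on the same host are distinct origins.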

Solution(s)

  • redhat-upgrade-firefox
  • redhat-upgrade-firefox-debuginfo
  • redhat-upgrade-xulrunner
  • redhat-upgrade-xulrunner-debuginfo
  • redhat-upgrade-xulrunner-devel
