Rapid7 Vulnerability & Exploit Database

RHSA-2012:1210: firefox security update


Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 08/29/2012
Created: 07/25/2018
Added: 08/30/2012
Modified: 07/04/2017

Description

Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-1970, CVE-2012-1972, CVE-2012-1973, CVE-2012-1974, CVE-2012-1975, CVE-2012-1976, CVE-2012-3956, CVE-2012-3957, CVE-2012-3958, CVE-2012-3959, CVE-2012-3960, CVE-2012-3961, CVE-2012-3962, CVE-2012-3963, CVE-2012-3964)

A web page containing a malicious Scalable Vector Graphics (SVG) image file could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-3969, CVE-2012-3970)

Two flaws were found in the way Firefox rendered certain images using WebGL. A web page containing malicious content could cause Firefox to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-3967, CVE-2012-3968)

A flaw was found in the way Firefox decoded embedded bitmap images in Icon Format (ICO) files. A web page containing a malicious ICO file could cause Firefox to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-3966)

A flaw was found in the way the "eval" command was handled by the Firefox Web Console. Running "eval" in the Web Console while viewing a web page containing malicious content could possibly cause Firefox to execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-3980)

An out-of-bounds memory read flaw was found in the way Firefox used the format-number feature of XSLT (Extensible Stylesheet Language Transformations). A web page containing malicious content could possibly cause an information leak, or cause Firefox to crash. (CVE-2012-3972)

It was found that the SSL certificate information for a previously visited site could be displayed in the address bar while the main window displayed a new page. This could lead to phishing attacks as attackers could use this flaw to trick users into believing they are viewing a trusted site. (CVE-2012-3976)

A flaw was found in the location object implementation in Firefox. Malicious content could use this flaw to possibly allow restricted content to be loaded. (CVE-2012-3978)

For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 10.0.7 ESR. You can find a link to the Mozilla advisories in the References section of this erratum.

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Gary Kwong, Christian Holler, Jesse Ruderman, John Schoenick, Vladimir Vukicevic, Daniel Holbert, Abhishek Arya, Frédéric Hoguin, miaubiz, Arthur Gerkis, Nicolas Grégoire, Mark Poticha, moz_bug_r_a4, and Colby Russell as the original reporters of these issues.

All Firefox users should upgrade to these updated packages, which contain Firefox version 10.0.7 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

Solution(s)

  • redhat-upgrade-firefox
  • redhat-upgrade-firefox-debuginfo
  • redhat-upgrade-xulrunner
  • redhat-upgrade-xulrunner-debuginfo
  • redhat-upgrade-xulrunner-devel
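An added example (not part of the Rapid7 entry or the Red Hat erratum) of verifying that the packages listed above are at or past the fixed level on a host: it parses `rpm -q` query output for the five package names and compares the upstream version with an rpmvercmp-style comparison. It assumes all five packages carry upstream version 10.0.7 (the page states this only for Firefox); the sample rpm lines are constructed.

```python
import re

# Packages updated by this erratum (the Solution(s) list above) and the upstream
# version that carries the fix. The page states 10.0.7 ESR for Firefox; assuming
# the xulrunner packages carry the same upstream version (assumption).
AFFECTED_PACKAGES = ("firefox", "firefox-debuginfo", "xulrunner",
                     "xulrunner-debuginfo", "xulrunner-devel")
FIXED_VERSION = "10.0.7"
_SEGMENT = re.compile(r"\d+|[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version strings like rpm's rpmvercmp (tilde rule omitted):
    numeric segments compare numerically, alphabetic ones lexically, a numeric
    segment beats an alphabetic one, and leftover segments win. Returns -1/0/1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)          # leading zeros are not significant
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def audit(rpm_output: str) -> dict:
    """Classify each affected package in the output of
    rpm -q <names> --qf '%{NAME} %{VERSION} %{RELEASE}\\n'
    as 'vulnerable' (below the fixed upstream version) or 'patched'.
    'package X is not installed' lines have a different shape and are skipped."""
    status = {}
    for line in rpm_output.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] not in AFFECTED_PACKAGES:
            continue
        name, version, _release = parts
        status[name] = "vulnerable" if rpmvercmp(version, FIXED_VERSION) < 0 else "patched"
    return status

# Constructed sample output (not from a real host): an unpatched Firefox beside
# an already-updated XULRunner; feed real rpm output here when auditing a host.
SAMPLE_RPM_OUTPUT = """\
firefox 10.0.6 1.el6_3
xulrunner 10.0.7 1.el6_3
package xulrunner-devel is not installed
"""

if __name__ == "__main__":
    for name, state in sorted(audit(SAMPLE_RPM_OUTPUT).items()):
        print(f"{name}: {state}")
```

A package reported as patched still needs the running Firefox restarted, as the erratum notes, before the fix is in effect.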

