The URL parsing implementation contains a stack-based buffer overflow that could allow remote attackers to execute arbitrary code via a specially crafted URL in a link. (CVE-2008-0016)
The nsXMLDocument::OnChannelRedirect function could allow remote attackers to bypass the same-origin policy and execute arbitrary JavaScript. (CVE-2008-3835)
Certain versions of Mozilla Firefox ship with a flawed version of feedWriter. This could allow remote attackers to execute scripts with chrome privileges via multiple vectors related to feed preview. (CVE-2008-3836)
Certain versions of Mozilla Firefox could allow remote attackers to possibly force a file-download or other drag-and-drop action via a crafted onmousedown action. (CVE-2008-3837)
The XPConnect component could allow remote attackers to execute arbitrary code with chrome privileges via multiple vectors. (CVE-2008-4058, CVE-2008-4059)
Vectors related to the document.loadBindingDocument function and XSLT could allow remote attackers to execute arbitrary code with chrome privileges. (CVE-2008-4060)
The MathML component could allow remote attackers to cause a denial of service or execute arbitrary code. (CVE-2008-4061)
Multiple unspecified vulnerabilities could allow remote attackers to cause a denial of service or possibly execute arbitrary code via vectors related to the JavaScript engine. (CVE-2008-4062)
Multiple unspecified vulnerabilities could allow remote attackers to cause a denial of service or possibly execute arbitrary code via vectors related to the layout engine. (CVE-2008-4063)
Multiple unspecified vulnerabilities could allow remote attackers to cause a denial of service or possibly execute arbitrary code via vectors related to graphics rendering. (CVE-2008-4064)
Certain versions of Mozilla Firefox could allow remote attackers to bypass cross-site scripting protection mechanisms and conduct XSS attacks via the "Stripped BOM characters bug". (CVE-2008-4065)
Certain versions of Mozilla Firefox could allow remote attackers to bypass cross-site scripting protection mechanisms and conduct XSS attacks via the "HTML escaped low surrogates bug". (CVE-2008-4066)
A directory traversal vulnerability could allow remote attackers to read arbitrary files via a specially crafted URI. (CVE-2008-4067)
A directory traversal vulnerability could allow remote attackers to bypass restrictions imposed on local HTML files, and obtain sensitive information. (CVE-2008-4068)
The XBM decoder could allow remote attackers to read uninitialized memory, and possibly obtain sensitive information. (CVE-2008-4069)