Security Vulnerability in Mozilla 1.7 May Allow Arbitrary JavaScript Commands to be Run

Category: Security
Release Phase: Resolved
Product: Mozilla v1.7
Bug Id: 6499437
Date of Workaround Release: 24-JUL-2007
Date of Resolved Release: 08-OCT-2007
Impact
A remote code execution vulnerability in Mozilla 1.7 may allow a remote user to execute arbitrary JavaScript commands with the privileges of a local user who, using Mozilla, visits a web page created by the remote user or reads a specially crafted e-mail sent by the remote user.
This vulnerability is described in the following Mozilla advisory:
http://www.mozilla.org/security/announce/2006/mfsa2006-67.html
This issue is also described in the following documents:
CVE-2006-5463 at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5463
CERT VU#714496 at http://www.kb.cert.org/vuls/id/714496
CERT Technical Cyber Security Alert TA06-312A at http://www.us-cert.gov/cas/techalerts/TA06-312A.html
Contributing Factors
This issue can occur in the following releases:
SPARC Platform
- Mozilla 1.7 for Solaris 8 and 9 without patch 120671-07
- Mozilla 1.7 for Solaris 10 without patch 119115-31
x86 Platform
- Mozilla 1.7 for Solaris 8 and 9 without patch 120672-07
- Mozilla 1.7 for Solaris 10 without patch 119116-31
Note: Mozilla 1.4 may be vulnerable to this issue. Customers are advised to upgrade to Mozilla 1.7 to get the security fix once it is available.
To determine the version of Mozilla on a Solaris system, the following command can be run:
% /usr/sfw/bin/mozilla -version
Mozilla 1.7, (Sun Java Desktop System), build 2005031721
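Whether one of the patches listed under Contributing Factors is installed can be read from "showrev -p", the Solaris command that lists installed patches. The script below is an added example and not part of this Sun Alert: it maps the platform ("uname -p") and release ("uname -r") to the patch ID given above and then compares the installed revision, treating a later revision of the same patch base as satisfying the requirement. The showrev output in the demo is constructed; only the patch IDs come from the alert.

```shell
#!/bin/sh
# Added example (not part of the Sun Alert): decide whether a Solaris host
# running Mozilla 1.7 still needs one of the patches listed above. Patch IDs
# come from the alert; the showrev output used in the demo is constructed.

# Print the patch ID the alert requires for a platform/release pair, as
# reported by "uname -p" (sparc or i386) and "uname -r" (5.8, 5.9, 5.10).
required_patch() {
    case "$1:$2" in
        sparc:5.8|sparc:5.9) echo 120671-07 ;;
        sparc:5.10)          echo 119115-31 ;;
        i386:5.8|i386:5.9)   echo 120672-07 ;;
        i386:5.10)           echo 119116-31 ;;
        *)                   return 1 ;;
    esac
}

# Return 0 when the "showrev -p" output given in $1 contains the base patch
# of $2 at the required revision or later. A Sun patch ID is base-revision;
# a higher revision of the same base supersedes lower ones, so the newest
# installed revision is what counts. Revisions are compared numerically in
# awk so that leading zeros (e.g. -08) are not read as octal by the shell.
patch_satisfied() {
    printf '%s\n' "$1" | awk -v id="$2" '
        BEGIN { split(id, r, "-"); base = r[1]; need = r[2] + 0; max = -1 }
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && p[2] + 0 > max) max = p[2] + 0
        }
        END { exit !(max >= need) }'
}

# Check the local host: returns 0 if patched, 1 if the patch is missing or
# too old, 2 if the platform/release is not covered by the alert.
check_local_host() {
    arch=$(uname -p)
    rel=$(uname -r)
    want=$(required_patch "$arch" "$rel") || return 2
    patch_satisfied "$(showrev -p)" "$want"
}

# Constructed showrev -p excerpt: rev 05 and rev 07 of the SPARC Solaris 8/9
# Mozilla patch are both recorded, so 120671-07 is satisfied.
SAMPLE_SHOWREV='Patch: 120671-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWmozilla
Patch: 120671-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWmozilla'

if patch_satisfied "$SAMPLE_SHOWREV" 120671-07; then
    echo "sample host: patch 120671-07 or later present"
else
    echo "sample host: patch 120671-07 missing, still exposed to this issue"
fi
```

On a real host, call check_local_host after sourcing the script; the exit code distinguishes "patched", "exposed" and "not a release this alert covers", which is the distinction an inventory sweep needs. Only the Mozilla patches named in this alert are checked; the script says nothing about other Mozilla or Solaris patches.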
Symptoms
There are no predictable symptoms that would indicate the described issue has been exploited.
Workaround
To avoid this issue until patches can be applied, JavaScript may be disabled with the following steps:
- Open the "Preferences" dialog box from the "Edit" menu in the Mozilla browser
- Select the "Advanced" tree
- Select the "Scripts & Plug-ins" leaf
- Uncheck the "Navigator" and "Mail & Newsgroups" check boxes
- Click the OK button
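Because the workaround is applied per user profile, an administrator of a shared Solaris workstation may want to confirm it rather than trust that each user clicked through the dialog. The script below is an added example, not part of this Sun Alert. It assumes that the two check boxes are stored in the profile's prefs.js as the preferences javascript.enabled ("Navigator") and javascript.allow.mailnews ("Mail & Newsgroups"); that mapping for Mozilla 1.7 is an assumption of the example, and the prefs.js excerpts used in the demo are constructed.

```shell
#!/bin/sh
# Added example (not part of the Sun Alert): confirm that the JavaScript
# workaround above is in effect by inspecting a Mozilla profile's prefs.js.
# The pref names javascript.enabled and javascript.allow.mailnews are
# assumed to be what the two check boxes write; the prefs.js excerpts
# below are constructed for the demo.

# Print the last value assigned to pref $2 in the prefs.js text $1, or
# nothing if the file never sets it. A pref that is absent falls back to
# Mozilla's built-in default, which enables JavaScript, so "missing" must
# be treated as not disabled.
pref_value() {
    printf '%s\n' "$1" | awk -v name="$2" -F'[(),]' '
        $1 == "user_pref" && $2 == "\"" name "\"" {
            v = $3; gsub(/^[ \t]+|[ \t]+$/, "", v)
        }
        END { print v }'
}

# Return 0 only when both prefs are explicitly false.
workaround_applied() {
    [ "$(pref_value "$1" javascript.enabled)" = false ] &&
    [ "$(pref_value "$1" javascript.allow.mailnews)" = false ]
}

# Walk a home directory tree (e.g. /export/home) and report every Mozilla
# profile that still has JavaScript enabled for the browser or for mail.
audit_profiles() {
    find "$1" -path '*/.mozilla/*' -name prefs.js 2>/dev/null | while read -r f; do
        if workaround_applied "$(cat "$f")"; then
            echo "ok       $f"
        else
            echo "EXPOSED  $f"
        fi
    done
}

# Constructed prefs.js excerpts: the first reflects the full workaround, the
# second a profile where only the "Navigator" check box was cleared.
PREFS_OK='user_pref("browser.startup.homepage", "http://www.example.com/");
user_pref("javascript.enabled", false);
user_pref("javascript.allow.mailnews", false);'
PREFS_PARTIAL='user_pref("javascript.enabled", false);'

for p in "$PREFS_OK" "$PREFS_PARTIAL"; do
    if workaround_applied "$p"; then
        echo "workaround applied"
    else
        echo "still exposed"
    fi
done
```

Run audit_profiles against the directory that holds the users' home directories; the "EXPOSED" lines are the profiles that still need the dialog steps above (or the patch from the Resolution section). The parser keeps only the last assignment of a pref, which matches how Mozilla reads prefs.js when the same line appears twice.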
Resolution
This issue is addressed in the following releases:
SPARC Platform
- Mozilla 1.7 for Solaris 8 and 9 with patch 120671-07 or later
- Mozilla 1.7 for Solaris 10 with patch 119115-31 or later
x86 Platform
- Mozilla 1.7 for Solaris 8 and 9 with patch 120672-07 or later
- Mozilla 1.7 for Solaris 10 with patch 119116-31 or later
A final resolution is pending completion.
Modification History
Date: 21-SEP-2007
- Updated Contributing Factors and Resolution sections
Date: 08-OCT-2007
- Updated Contributing Factors and Resolution sections
- State: Resolved
Date: 22-OCT-2007
- Updated Impact section for clarification
Attachments
This solution has no attachment