tcnj logo

Budget

Planning

Procedures

Security

IT Administration

Enterprise Applications

Networking & Technical Services

User Support Services

  Computer Service Center

  Help Desk

  Instructional Technology

  Media & Technology

  Residential Computing

  Telecommunications

  Web Development Group
textsizemediumlargelarger

Multiple Vulnerabilities in Mozilla Products - June 6, 2012

Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, and SeaMonkey applications, which could allow remote code execution. Successful exploitation of these vulnerabilities could result in either an attacker gaining the same privileges as the logged on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

Version 13 of Firefox and Thunderbird and version 2.10 of SeaMonkey have been released in the last 24 hours.  While there are no reports of exploitation at this time, please upgrade ASAP.

http://www.mozilla.org/security/announce/2012/mfsa2012-40.html

Heap Buffer Overflow Vulnerability

A heap based buffer overflow vulnerability has been discovered which can be triggered when converting from Unicode to native character sets using the function 'utf16_to_osilatin1'. Successful exploitation could result in remote code execution. Failed attacks may result in a denial of service condition. (CVE-2012-1947)

Heap Buffer Overflow Vulnerability

A heap based buffer overflow vulnerability has been discovered in 'nsHTMLReflowState::CalculateHypotheticalBox' which occurs when a window is resized on a page with nested columns.  Successful exploitation could result in remote code execution. Failed attacks may result in a denial of service condition. (CVE-2012-1941)

These vulnerabilities may be exploited if a user visits a maliciously crafted web page. The page will consist of excessive data, memory addresses, machine code, and possibly NOP instructions. Successful exploitation could result in an attacker executing arbitrary code in the context of the user running the affected application. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Upgrade vulnerable Mozilla products immediately after appropriate testing.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Do not open email attachments or click on URLs from unknown or untrusted sources.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

 

 

it home photo

Information Technology

Green Hall

The College of New Jersey

2000 Pennington Road

P. O. Box 7718

Ewing, NJ 08628

Staff Directory

Support Specialists
IT Home | IT Administration | Enterprise Applications | Networking & Technical Services | User Support Services
tcnj logo © All Rights Reserved.  WWW Disclaimer