
SANS ISC: Firefox and Seamonkey Vulnerabilities - Internet Security | DShield SANS ISC InfoSec Forums


Firefox and Seamonkey Vulnerabilities

In addition to the "pwn2own" vulnerability used at CanSecWest last week to compromise a system through the Firefox web browser, a new vulnerability involving XSL Transforms has been published.  This vulnerability impacts both the latest Firefox 3.0.7 and Seamonkey 1.1.15 browsers.

Mozilla is working on updates for both packages and expects the updated versions to be released by April 1 (and no, this is not an early April Fools' joke).

A proof-of-concept exploit for the XSL Transform vulnerability has been released.  If the attack succeeds, arbitrary code can be run in the context of the browser.  If the attack fails, a DoS condition is likely for the browser.

For more information about the XSL Transform issue, see:

  BugTraq
  Secunia Advisory
  VUPEN Advisory

  Bugzilla Entry
  Mozilla Security Blog
 

David
