Note: This is an archival copy of Security Sun Alert 256408 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1020330.1.
Solaris 10 Operating System
Date of Resolved Release
Multiple Security Vulnerabilities in Firefox Versions Before 184.108.40.206 May Allow Execution of Arbitrary Code or Access to Unauthorized Data
Multiple security vulnerabilities in firefox(1) versions prior to 220.127.116.11 shipped with Solaris 10 may allow an unprivileged remote user to execute arbitrary code on the system where firefox(1) is being run, gain unauthorized access to sensitive data, perform Cross-Site Scripting (XSS) attacks to bypass access controls, read or modify data in other web sites, or inject code into web pages to obtain sensitive data from the user or information stored in cookies
Certain vulnerabilities may also allow a user to crash the firefox(1) application which is a type of Denial of Service (DoS).
The following URL provides additional details about the vulnerabilities addressed in Firefox versions prior to 18.104.22.168:
The following CVEs correspond to the Mozilla Foundation Security Advisories referenced in the above URL for Firefox versions 22.214.171.124 through 126.96.36.199:
CVE-2008-2800 CVE-2008-2801 CVE-2008-2802 CVE-2008-2803 CVE-2008-2805
CVE-2008-2807 CVE-2008-2808 CVE-2008-2809 CVE-2008-2811 CVE-2008-2785
CVE-2008-2933 CVE-2008-2934 CVE-2008-0016 CVE-2008-3835 CVE-2008-3836
CVE-2008-3837 CVE-2008-4058 CVE-2008-4059 CVE-2008-4060 CVE-2008-4061
CVE-2008-4062 CVE-2008-4063 CVE-2008-4064 CVE-2008-4065 CVE-2008-4066
CVE-2008-4067 CVE-2008-4068 CVE-2008-4069 CVE-2008-4070 CVE-2008-4582
CVE-2008-5012 CVE-2008-5013 CVE-2008-5014 CVE-2008-5015 CVE-2008-5016
CVE-2008-5017 CVE-2008-5018 CVE-2008-5019 CVE-2008-0017 CVE-2008-5021
CVE-2008-5022 CVE-2008-5023 CVE-2008-5024 CVE-2008-5500 CVE-2008-5501
CVE-2008-5502 CVE-2008-5503 CVE-2008-5504 CVE-2008-5505 CVE-2008-5506
CVE-2008-5507 CVE-2008-5508 CVE-2008-5510 CVE-2008-5511 CVE-2008-5512
2. Contributing Factors
These issues can occur in the following releases:
1. Solaris 8 and Solaris 9 do not ship Firefox and therefore are not affected by these issues.
2. Firefox 2.x is no longer shipped with OpenSolaris starting with snv_95 which includes Firefox 3.x.
There are no predictable symptoms that would indicate the described issues have been exploited.
For the following Mozilla Foundation Security Advisories there is a workaround of disabling Java Script:
MFSA 2008-22 MFSA 2008-24 MFSA 2008-25 MFSA 2008-27 MFSA 2008-33
MFSA 2008-34 MFSA 2008-38 MFSA 2008-39 MFSA 2008-41 MFSA 2008-42
MFSA 2008-43 MFSA 2008-47 MFSA 2008-49 MFSA 2008-50 MFSA 2008-52
MFSA 2008-53 MFSA 2008-55 MFSA 2008-56 MFSA 2008-57 MFSA 2008-59
MFSA 2008-60 MFSA 2008-61 MFSA 2008-62 MFSA 2008-64 MFSA 2008-65
MFSA 2008-68 MFSA 2008-69
For Mozilla Foundation Security Advisory MFSA 2008-35, the following is a workaround:
This attack only works if the user is using another internet-connected application with Firefox not running. Using Firefox, or making sure it is at least running, prevents this attack.
For Mozilla Foundation Security Advisory MFSA 2008-40, the following is a workaround:
1. Open Options/Preferences dialog
2. Go to the "Content" tab
4. UN-check the "Move or resize existing windows" box.
These issues are addressed in the following releases:
Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
This solution has no attachment