Note: This is an archival copy of Security Sun Alert 201386 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001059.1.
Article ID : 1001059.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-04-12
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerabilities in Mozilla 1.7 for Solaris 8, 9 and 10



Category
Security

Release Phase
Resolved

Product
Mozilla v1.7
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System

Bug Id
6447022, 6508400

Date of Workaround Release
12-FEB-2007

Date of Resolved Release
10-APR-2007

Impact

Security vulnerabilities are present in the mail client and the browser components of Mozilla 1.7 (for Solaris 8, 9 and 10). (Mozilla can be used as a web browser and editor, an IRC client, an email client and a news client)

These vulnerabilities may allow a remote unprivileged user who either controls a website that is visited by a local user using the Mozilla browser or sends an email that is read by a local user using Mozilla to execute arbitrary code with the privileges of the user running Mozilla.

BugID 6447022 - For Mozilla 1.7:

This issue is described in the following documents:

BugID 6508400 - For Mozilla 1.7:

This issue is described in the following documents:


Contributing Factors

These issues can occur in the following releases:

SPARC Platform

  • Mozilla 1.7 (for Solaris 8 and 9) without patch 120671-05
  • Mozilla 1.7 (for Solaris 10) without patch 119115-23

x86 Platform

  • Mozilla 1.7 (for Solaris 8 and 9) without patch 120672-04
  • Mozilla 1.7 (for Solaris 10) without patch 119116-23

Note: Mozilla 1.4 may be vulnerable to one or more of these security issues. Customers are advised to upgrade to Mozilla 1.7 to get these security fixes.

To determine the version of Mozilla on a Solaris system, the following command can be run:

    % /usr/sfw/bin/mozilla -version
Mozilla 1.7, (Sun Java Desktop System), build 2005031721

 


Symptoms

There are no predictable symptoms that would indicate the described issues have been exploited.


Workaround

BugID 6508400:

There is no workaround for this issue.

BugID 6447022:

To work around this issue, disable Javascript in Mozilla mail by doing the following:

  1. Open the Preferences dialog from the Edit menu
  2. Select the Advanced tree
  3. Select the Scripts & Plug-ins leaf
  4. Uncheck the Navigator and Mail & Newsgroups check boxes
  5. Click the OK button

Resolution

These issues are addressed in the following releases:

SPARC Platform

  • Mozilla 1.7 (for Solaris 8 and 9) with patch 120671-05 or later
  • Mozilla 1.7 (for Solaris 10) with patch 119115-23 or later

x86 Platform

  • Mozilla 1.7 (for Solaris 8 and 9) with patch 120672-04 or later
  • Mozilla 1.7 (for Solaris 10) with patch 119116-23 or later


Modification History
Date: 23-FEB-2007
  • Updated Contributing Factors and Relief/Workaround sections

Date: 10-APR-2007
  • State: Resolved
  • Updated Contributing Factors and Resolution sections

Date: 13-APR-2007
  • Updated Contributing Factors and Resolution sections


References

119116-23
119115-23
120671-05
120672-04




Attachments
This solution has no attachment