int(1522)

Vulnerability Bulletins


Vulnerabilidad en el manejo de popups con URL javascript: bloqueados en Firefox

Vulnerability classification

Property Value
Confidence level Oficial
Impact Obtener acceso
Dificulty Experto
Required attacker level Acceso remoto sin cuenta a un servicio estandar

System information

Property Value
Affected manufacturer GNU/Linux
Affected software Firefox <1.0.3
Mozilla Suite <1.7.7

Description

Se ha descubierto una vulnerabilidad en las versiones anteriores a la 1.0.3 de Mozilla Firefox y en las versiones anteriores a la 1.7.7 de Mozilla Suite.

La vulnerabilidad reside en la propiedad "Mostrar javascript…" del icono de bloqueo de popups situada en la barra de estado que ejecuta el código javascript de una URL javascript: con privilegios elevados.

La explotación de esta vulnerabilidad podría permitir a un atacante remoto instalar software malicioso mediante una página Web especialmente diseñada.

Solution



Actualización de software

Mozilla
Firefox 1.0.3
http://www.mozilla.org/products/firefox/all.html
Mozilla Suite 1.7.7
http://www.mozilla.org/releases/#1.7.7

Red Hat Linux (Firefox, Mozilla)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 4)
https://rhn.redhat.com/

SUSE Linux

SUSE Linux 9.3
x86
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/MozillaFirefox-1.0.3-1.1.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/MozillaFirefox-translations-1.0.3-1.1.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mozilla-1.7.5-17.2.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mozilla-calendar-1.7.5-17.2.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mozilla-devel-1.7.5-17.2.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mozilla-dom-inspector-1.7.5-17.2.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mozilla-irc-1.7.5-17.2.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mozilla-mail-1.7.5-17.2.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mozilla-spellchecker-1.7.5-17.2.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mozilla-venkman-1.7.5-17.2.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mozilla-32bit-9.3-7.1.x86_64.rpm
x86-64
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mozilla-1.7.5-17.2.x86_64.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mozilla-calendar-1.7.5-17.2.x86_64.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mozilla-devel-1.7.5-17.2.x86_64.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mozilla-dom-inspector-1.7.5-17.2.x86_64.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mozilla-irc-1.7.5-17.2.x86_64.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mozilla-mail-1.7.5-17.2.x86_64.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mozilla-spellchecker-1.7.5-17.2.x86_64.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mozilla-venkman-1.7.5-17.2.x86_64.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/mozilla-1.7.5-17.2.src.rpm

SUSE Linux 9.2
x86
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/MozillaFirefox-1.0.3-1.1.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/mozilla-1.7.2-17.9.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/mozilla-calendar-1.7.2-17.9.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/mozilla-devel-1.7.2-17.9.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/mozilla-dom-inspector-1.7.2-17.9.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/mozilla-irc-1.7.2-17.9.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/mozilla-mail-1.7.2-17.9.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/mozilla-spellchecker-1.7.2-17.9.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/mozilla-venkman-1.7.2-17.9.i586.rpm
x86-64
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/MozillaFirefox-1.0.3-1.1.x86_64.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/mozilla-1.7.2-17.9.x86_64.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/mozilla-calendar-1.7.2-17.9.x86_64.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/mozilla-devel-1.7.2-17.9.x86_64.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/mozilla-dom-inspector-1.7.2-17.9.x86_64.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/mozilla-irc-1.7.2-17.9.x86_64.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/mozilla-mail-1.7.2-17.9.x86_64.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/mozilla-spellchecker-1.7.2-17.9.x86_64.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/mozilla-venkman-1.7.2-17.9.x86_64.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/MozillaFirefox-1.0.3-1.1.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/mozilla-1.7.2-17.9.src.rpm

SUSE Linux 9.1
x86
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/MozillaFirefox-1.0.3-0.5.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/MozillaFirefox-1.0.3-0.5.src.rpm
x86-64
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/MozillaFirefox-1.0.3-0.5.x86_64.rpm
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/MozillaFirefox-1.0.3-0.5.src.rpm

SUSE Linux 9.0
x86
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/MozillaFirebird-1.0.3-3.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/MozillaFirebird-1.0.3-3.src.rpm
x86-64
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/MozillaFirebird-1.0.3-3.x86_64.rpm
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/MozillaFirebird-1.0.3-3.src.rpm

Red Hat Linux (Mozilla)
Red Hat Desktop (v. 3)
Red Hat Enterprise Linux AS (v. 2.1)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux ES (v. 2.1)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux WS (v. 2.1)
Red Hat Enterprise Linux WS (v. 3)
Red Hat Linux Advanced Workstation 2.1 Itanium Processor
https://rhn.redhat.com/

SCO
UnixWare 7.1.4
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.29/mozilla.image
OpenServer 5.0.7
ftp://ftp.sco.com/pub/openserver5/507/mp/osr507mp4/osr507mp4_vol.tar

Standar resources

Property Value
CVE CAN-2005-1153
BID

Other resources

Mozilla Foundation Security Advisory 2005-35
http://www.mozilla.org/security/announce/mfsa2005-35.html

Red Hat Security Advisory RHSA-2005:383-07
https://rhn.redhat.com/errata/RHSA-2005-383.html

Red Hat Security Advisory RHSA-2005:386-08
https://rhn.redhat.com/errata/RHSA-2005-386.html

SUSE Security Announcement SUSE-SA:2005:028
http://www.novell.com/linux/security/advisories/2005_28_mozilla_firefox.html

Red Hat Security Advisory RHSA-2005:384-11
https://rhn.redhat.com/errata/RHSA-2005-384.html

SCO Security Advisory SCOSA-2005.29
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.29/SCOSA-2005.29.txt

SCO Security Advisory (SCOSA-2005.49)
ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.49/SCOSA-2005.49.txt

Version history

Version Comments Date
1.0 Aviso emitido 2005-04-18
1.1 Aviso emitido por Red Hat (RHSA-2005:383-07). CAN añadido. 2005-04-22
1.2 Aviso emitido por Red Hat (RHSA-2005:386-08) 2005-04-27
1.3 Aviso emitido por SUSE (SUSE-SA:2005:028) 2005-04-28
1.4 Aviso emitido por Red Hat (RHSA-2005-384-11) 2005-04-29
1.5 Aviso emitido por SCO (SCOSA-2005.29) 2005-07-04
1.6 Aviso emitido por SCO (SCOSA-2005.49) 2005-11-28
Ministerio de Defensa
CNI
CCN
CCN-CERT