SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips
 

Vulnerability Note VU#428500

Mozilla LiveConnect vulnerable to crash finalizing JS objects

Overview

A vulnerability exists in the Mozilla LiveConnect that may allow a remote attacker to cause a denial of service.

I. Description

Mozilla LiveConnect, which allows communication between Java applets and web JavaScript, contains a vulnerability in the way freed objects are re-used that may result in a denial of service. According to the Mozilla Foundation Security Advisory 2006-71:

    The crash is due to re-use of an already-freed object and we presume this could be exploited with enough effort.

II. Impact

A remote, unathenticated attacker may be able to cause a denial of service.

III. Solution

Apply an update

According to the Mozilla Foundation Security Advisory 2006-71, this vulnerability is addressed in Firefox 2.0.0.1, Firefox 1.5.0.9, Thunderbird 1.5.0.9, and SeaMonkey 1.0.7.

Disable Java

For instructions on how to disable Java in Firefox, please refer to the Firefox section of the Securing Your Web Browser document.

Systems Affected

VendorStatusDate Updated
Debian GNU/LinuxVulnerable5-Apr-2007
Fedora ProjectVulnerable18-Jan-2007
Gentoo LinuxVulnerable18-Jan-2007
Mandriva, Inc.Vulnerable18-Jan-2007
MozillaVulnerable21-Dec-2006
Red Hat, Inc.Vulnerable18-Jan-2007
rPathVulnerable18-Jan-2007
Slackware Linux Inc.Vulnerable18-Jan-2007
SUSE LinuxVulnerable18-Jan-2007
UbuntuVulnerable18-Jan-2007

References


http://www.mozilla.org/security/announce/2006/mfsa2006-71.html
http://secunia.com/advisories/23591/
http://secunia.com/advisories/23598/
http://secunia.com/advisories/23439/
http://secunia.com/advisories/23514/
http://secunia.com/advisories/23545/
http://secunia.com/advisories/23601/
http://secunia.com/advisories/23614/
http://secunia.com/advisories/23618/
http://secunia.com/advisories/23692/
http://www.securityfocus.com/bid/21668
http://secunia.com/advisories/23988/
http://www.auscert.org.au/7372
http://secunia.com/advisories/24390/

Credit

This vulnerability was reported in Mozilla Foundation Security Advisory 2006-71. Mozilla credits Steven Michaud with providing information about this issue.

This document was written by Chris Taschner.

Other Information

Date Public12/19/2006
Date First Published01/18/2007 10:52:39 AM
Date Last Updated04/05/2007
CERT Advisory 
CVE NameCVE-2006-6502
US-CERT Technical Alerts 
Metric3.64
Document Revision25

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Produced 2007 by US-CERT, a government organization
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader