SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#755513

Mozilla products vulnerable to memory corruption in the JavaScript engine

Overview

A number of vulnerabilities in the Mozilla JavaScript engine may allow the execution of arbitrary code or denial of service.

I. Description

The Mozilla JavaScript engine contains several vulnerabilities that may result in memory corruption. The impact of this memory corruption in specific cases is unclear. According to Mozilla Foundation Security Advisory MFSA 2007-29:

    As part of the Firefox 2.0.0.8 update releases Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

Information about the individual flaws causing the vulnerabilities addressed in this update can be found in the references section of this document.
Note that the Thunderbird email client also uses the Mozilla JavaScript engine and could be affected by these vulnerabilities if JavaScript is enabled (it is disabled by default).

II. Impact

Potential impacts of these vulnerabilities include remote execution of arbitrary code and denial of service.

III. Solution

Upgrade

These vulnerabilities are addressed in Firefox 2.0.0.8, Thunderbird 2.0.0.8, and SeaMonkey 1.1.5.

Users that are unable to update should consider the following workaround:

Disable JavaScript

For instructions on how to disable JavaScript in Firefox, please refer to the Firefox section of the Securing Your Web Browser document.

Systems Affected

VendorStatusDate NotifiedDate Updated
MozillaVulnerable19-Oct-2007

References


http://www.mozilla.org/security/announce/2007/mfsa2007-29.html
https://bugzilla.mozilla.org/buglist.cgi?bug_id=372309
https://bugzilla.mozilla.org/buglist.cgi?bug_id=387955
https://bugzilla.mozilla.org/buglist.cgi?bug_id=390078
https://bugzilla.mozilla.org/buglist.cgi?bug_id=393537

Credit

Thanks to Mozilla for reporting this vulnerability. Mozilla credits Igor Bukanov, Eli Friedman, and Jesse Ruderman with reporting these issues to them.

This document was written by Chad R Dougherty.

Other Information

Date Public:2007-10-19
Date First Published:2007-10-19
Date Last Updated:2007-10-19
CERT Advisory: 
CVE-ID(s):CVE-2007-5340
NVD-ID(s):CVE-2007-5340
US-CERT Technical Alerts: 
Metric:10.13
Document Revision:9

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Produced 2007 by US-CERT, a government organization
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader