Vulnerability Note VU#815432

Mozilla XML.prototype.hasOwnProperty() method memory corruption vulnerability

Overview

Mozilla products fail to properly handle the XML.prototype.hasOwnProperty() method. This vulnerability may allow a remote attacker execute arbitrary code.

I. Description

The ECMAScript for XML (E4X) Specification defines the XML.prototype.hasOwnProperty() as a JavaScript method used to determine if an object contains a specific property. Mozilla products fail to properly handle the XML.prototype.hasOwnProperty() method, which can lead to memory corruption.

For more information refer to Mozilla Foundation Security Advisory 2006-65.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. The attacker could also cause the vulnerable application to crash.

III. Solution

Apply an update

According to the Mozilla Foundation Security Update 2006-65, this vulnerability is addressed in Firefox 1.5.0.8, Thunderbird 1.5.0.8, and SeaMonkey 1.0.6.

Note that according to Mozilla:

Firefox 1.5.0.x will be maintained with security and stability updates until April 24, 2007. All users are strongly encouraged to upgrade to

Firefox 2

Disable JavaScript

This vulnerability can be mitigated by disabling JavaScript.

Systems Affected

Vendor	Status	Date Updated
Mozilla	Vulnerable	8-Nov-2006

References

Credit

This vulnerability was reported in Mozilla Foundation Security Advisory 2006-65. Mozilla credits shutdown for providing information concerning this issue.

This document was written by Jeff Gennari.

Other Information

Date Public	11/08/2006
Date First Published	11/08/2006 09:51:02 AM
Date Last Updated	12/21/2006
CERT Advisory
CVE Name	CVE-2006-5747
US-CERT Technical Alerts
Metric	14.45
Document Revision	36

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Produced 2006 by US-CERT, a government organization
Disclaimers and copyright information

Get Adobe Reader