
SANS ISC: InfoSec Handlers Diary Blog - Firefox and Seamonkey Vulnerabilities



Firefox and Seamonkey Vulnerabilities

Published: 2009-03-27
Last Updated: 2009-03-27 13:38:31 UTC
by David Goldsmith (Version: 1)

In addition to the "pwn2own" vulnerability used at CanSecWest last week to compromise a system running the Firefox web browser, a new vulnerability has been published which involves XSL Transforms. This vulnerability impacts both the latest Firefox 3.0.7 and Seamonkey 1.1.15 browsers.

Mozilla is working on updates for both packages and expects the updated versions to be released by April 1 (and no, this is not an early April Fools' joke).

A proof-of-concept exploit for the XSL Transform vulnerability has been released.  If the attack succeeds, arbitrary code can be run in the context of the browser.  If the attack fails, a DoS condition is likely for the browser.

For more information about the XSL Transform issue, see:

  BugTraq
  Secunia Advisory
  VUPEN Advisory

  Bugzilla Entry
  Mozilla Security Blog
 
