(Mozilla Issues Fix for Thunderbird) Mozilla Firefox __proto__ Object Tampering May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1021249
SecurityTracker URL: http://securitytracker.com/id/1021249
CVE Reference: CVE-2008-5014
Date: Nov 20 2008
Impact: Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 2.0.0.18
Description:
A vulnerability was reported in Mozilla Firefox. A remote user may be able to cause arbitrary code to be executed on the target user's system. Mozilla Thunderbird is affected.
A remote user can create HTML that, when loaded by the target user, will modify a window.__proto__.__proto__ object to place a lock on a non-native object and crash the target user's browser. It may be possible to execute arbitrary code on the target system. However, code execution was not confirmed in the report.
SeaMonkey and Thunderbird are also affected.
Jesse Ruderman reported this vulnerability.
Impact:
A remote user can create HTML that, when loaded by the target user, will cause the target user's browser to crash or potentially execute arbitrary code.
Solution:
Mozilla has issued a fix for Thunderbird, which is affected by this vulnerability.
The Mozilla advisory is available at:
http://www.mozilla.org/security/announce/2008/mfsa2008-50.html
Vendor URL: www.mozilla.org/security/announce/2008/mfsa2008-50.html
Cause: State error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Wed, 19 Nov 2008 23:36:01 -0500
Subject: Mozilla Thunderbird 2.0.0.18
CVE-2008-5014