National Cyber Alert #TA07-151A was issued today, covering multiple vulnerabilities in Mozilla software. The applications affected:

  • Mozilla Firefox
    See:

    • MFSA #2007-12 (CRITICAL), crashes with memory corruption leading to possible execution of malicious code

    • MFSA #2007-13, denial-of-service through form autocompletion

    • MFSA #2007-14, browser cookie validity checks

    • MFSA #2007-16 (HIGH), script injection to access or modify private or valuable information

    • MFSA #2007-17, pop-up spoofing

  • Mozilla Thunderbird
    See:

    • MFSA #2007-12 (CRITICAL), crashes with memory corruption leading to possible execution of malicious code

    • MFSA #2007-15, email password harvesting

  • Mozilla SeaMonkey
    See:

  • Netscape Browser

For more information, check Known Vulnerabilities in Mozilla Products. For a list of products that depend on Mozilla applications, check Mozilla Hall of Fame.

In other browser-security-related news, Ryan Paul at Ars Technica reports on a wi-fi-related browser plug-in security concern:

Indiana University researcher Christopher Soghoian has discovered an unusual vulnerability that affects several widely-used Firefox extensions including the Google Toolbar, Facebook Toolbar, and Anti-Phishing Toolbar. According to Soghoian, a man-in-the-middle attack can be used on a public wireless network to trick browser extensions into downloading malicious code instead of legitimate updates. The solution to this problem, says Soghoian, is to use SSL to deploy extension updates. Since the official addons.mozilla.org server uses SSL, extensions that update from that location aren’t affected.

[cehwiedel also writes at cehwiedel.com]
