Highly critical

Mozilla Firefox Multiple Vulnerabilities

Release Date:  2010-08-31    Last Update:  2010-10-20    Views:  26,416

Secunia Advisory SA41244

Description


Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to conduct spoofing attacks, bypass certain security restrictions, conduct cross-site scripting attacks, and potentially compromise a user's system.


Subject: Mozilla Firefox Multiple Vulnerabilities

Anthony Wells RE: Mozilla Firefox NSS Certificate IP Address Wildcard Matching Vulnerability
Expert Contributor 26th Sep, 2010 12:20

This vulnerability is not patched by version 3.6.10, which was/is only a stability/bug fix for version 3.6.9.

Anthony

--


It always seems impossible until its done.
Nelson Mandela

palisade RE: Mozilla Firefox NSS Certificate IP Address Wildcard Matching Vulnerability
Member 4th Oct, 2010 18:57
Confirmed that this was not fixed in 3.6.10; it only contained a blocklist update and a startup crash fix:

https://bugzilla.mozilla.org/buglist.cgi?quicksear...

---snip---

The Mozilla team has a fix for it already completed though:
https://bugzilla.mozilla.org/show_bug.cgi?id=59530...

Wan-Teh Chang 2010-09-10 12:53:15 PDT
mozilla-central is using NSS_3_12_8_BETA2. I'd like to
update to NSS_3_12_8_BETA3. I summarize the changes between
Beta 2 and Beta 3 below for Mozilla drivers.

Bug fixes of interest to Mozilla:
- Bug 578697: (CVE-2010-3170) Browser Wildcard Certificate Validation Issue
...[truncated the remaining bug fixes for readability]...

---snip---

I have confirmed with the developers via Mozilla's IRC server that 3.6.11 will contain a patch to solve this particular vulnerability.

Hope this helps someone.
flashbacknl RE: Mozilla Firefox NSS Certificate IP Address Wildcard Matching Vulnerability
Member 20th Oct, 2010 02:38
Firefox 3.6.11 got released; advisory can be changed to patched.
DHC-22 RE: Mozilla Firefox NSS Certificate IP Address Wildcard Matching Vulnerability
Member 21st Oct, 2010 18:21
The Firefox add-on, Verify Redirect: will this help combat the cross-scripting?
And having Java uninstalled? And Flash turned off?

- David