Reference: CERT-EU Security Advisory 2012-0038

Title: Mozilla Firefox/Thunderbird/Seamonkey are prone to a Memory Corruption Vulnerability [1]

Version history:
16.03.2012 Initial publication

Summary
=======
Successful exploits may allow an attacker to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will result in a denial-of-service condition.

Multiple unspecified vulnerabilities in the browser engine allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. [2]

CVE-2012-0461
CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) [4]

Vulnerable systems
==================
Mozilla Firefox before 3.6.28 and 4.x through 10.0
Firefox ESR 10.x before 10.0.3
Thunderbird before 3.1.20 and 5.0 through 10.0
Thunderbird ESR 10.x before 10.0.3
SeaMonkey before 2.8

Original Details
================
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products. [3]

What can you do?
================
Updates are available from the vendor [3]

What to tell your users?
========================
N/A

More information
================
[1] http://www.securityfocus.com/bid/52464/discuss
[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0461
[3] http://www.mozilla.org/security/announce/2012/mfsa2012-19.html
[4] Information about CVSS: http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

(DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012. Services are provided in a pilot fashion, and are not yet fully functional. Announcements, alerts and warnings are sent out in best effort manner, and to contact information currently known to us. We apologise if you are not the correct recipient, or if you had already been warned about this issue from another source. Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.)
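
A check of installed versions against the ranges in the "Vulnerable systems" list above, as an added example that is not part of the CERT-EU advisory. It assumes the inventory marks ESR builds with an "esr" suffix and reads "through 10.0" as covering every 10.0.z release-channel build; the host names and inventory rows are constructed.

```python
import re

# Ranges transcribed from the advisory's "Vulnerable systems" list, as
# (low, high, inclusive): low <= v, then v < high, or v <= high if inclusive.
# Assumption: "through 10.0" covers every 10.0.z build on the release channel.
VULNERABLE = {
    ("firefox", "release"): [(None, (3, 6, 28), False), ((4,), (10, 0), True)],
    ("firefox", "esr"): [((10,), (10, 0, 3), False)],
    ("thunderbird", "release"): [(None, (3, 1, 20), False), ((5, 0), (10, 0), True)],
    ("thunderbird", "esr"): [((10,), (10, 0, 3), False)],
    ("seamonkey", "release"): [(None, (2, 8), False)],
}

def parse_version(text):
    """Split '10.0.2esr' into ((10, 0, 2), True); reject anything non-numeric."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*(esr)?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), bool(m.group(2))

def _pad(v, n=4):
    # Pad with zeros so that 10.0 and 10.0.0 compare equal.
    return tuple(v) + (0,) * (n - len(v))

def is_vulnerable(product, version):
    nums, esr = parse_version(version)
    key = (product.lower(), "esr" if esr else "release")
    if key not in VULNERABLE:
        raise ValueError(f"product/channel not covered by the advisory: {key}")
    for low, high, inclusive in VULNERABLE[key]:
        if low is not None and _pad(nums) < _pad(low):
            continue  # below this range; a later range may still match
        if inclusive and _pad(nums)[:len(high)] <= high:
            return True
        if not inclusive and _pad(nums) < _pad(high):
            return True
    return False

# Constructed inventory rows (host, product, version) for illustration.
INVENTORY = [
    ("ws-01", "Firefox", "3.6.27"),
    ("ws-02", "Firefox", "10.0.2esr"),
    ("ws-03", "Firefox", "10.0.3esr"),
    ("ws-04", "Thunderbird", "3.1.20"),
    ("ws-05", "SeaMonkey", "2.7.2"),
]

def audit(inventory):
    """Return the hosts whose installed version falls in a vulnerable range."""
    return [host for host, product, version in inventory if is_vulnerable(product, version)]

if __name__ == "__main__":
    for host in audit(INVENTORY):
        print(host, "needs the vendor update")
```

Version strings the parser cannot read, such as pre-release builds, raise an error so they are reviewed by hand instead of being silently passed.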