Reference: CERT-EU Security Advisory 2011-0029

Title: Mozilla Firefox/Thunderbird/SeaMonkey information disclosure vulnerability

Version history:
13.12.2011 Initial publication

Summary
=======

Mozilla Firefox before 4.0, Thunderbird before 3.3, and SeaMonkey before 2.1 are prone to an information disclosure vulnerability that a remote attacker can exploit to obtain information from the browser history.[1]

Updated versions are available.[3]

CVE-2002-2437[2]

Remote       Yes
Credibility  Vendor Confirmed
Ease         Exploit Available
CVSS[4] Base Score 1.9
CVSS[4] v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Technical description
=====================

The JavaScript implementation in Mozilla Firefox before 4.0, Thunderbird before 3.3, and SeaMonkey before 2.1 does not properly restrict the set of values contained in the object returned by the getComputedStyle method, which allows remote attackers to obtain sensitive information about visited web pages by calling this method.[2]

Vulnerable systems
==================

Mozilla Firefox before version 4
Mozilla Thunderbird before version 3.3
Mozilla SeaMonkey before version 2.1

What can you do?
================

Update vulnerable software.

What to tell your users?
========================

Normal security best practices apply. In particular, tell your web users to be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Users should not click on links in suspicious emails and should immediately forward such emails to the respective IT security officer / contact in your institution.

More information
================

[1] NVD http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-2437
[2] CVE http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2437
[3] Vendor www.mozilla.org/ https://bugzilla.mozilla.org/show_bug.cgi?id=147777
[4] Information about CVSS: http://www.first.org/cvss/cvss-guide.html