Multiple Mozilla products js_ValueToFunctionObject() security bypass

mozilla-valuetofunctionobject-sec-bypass (25825) The risk level is classified as HighHigh Risk

Description:

Multiple Mozilla products, including Firefox, Thunderbird and SeaMonkey, could allow a remote attacker to bypass security restrictions in js_ValueToFunctionObject(), caused by an unspecified vulnerability related to the setTimeout() and ForEach functions. An attacker could exploit this vulnerability using a malicious Web site to execute arbitrary code on a victim's system.

Platforms Affected:

  • Debian, Debian Linux 3.1
  • Mozilla, Firefox 1.0
  • Mozilla, Firefox 1.0.1
  • Mozilla, Firefox 1.0.2
  • Mozilla, Firefox 1.0.3
  • Mozilla, Firefox 1.0.4
  • Mozilla, Firefox 1.0.5
  • Mozilla, Firefox 1.0.6
  • Mozilla, Firefox 1.0.7
  • Mozilla, Firefox 1.5 Beta1
  • Mozilla, Firefox 1.5
  • Mozilla, Firefox 1.5 Beta2
  • Mozilla, Firefox 1.5.0.1
  • Mozilla, SeaMonkey 1.0 Alpha
  • Mozilla, SeaMonkey 1.0 Beta
  • Mozilla, Thunderbird 1.0
  • Mozilla, Thunderbird 1.0.1
  • Mozilla, Thunderbird 1.0.2
  • Mozilla, Thunderbird 1.0.3
  • Mozilla, Thunderbird 1.0.4
  • Mozilla, Thunderbird 1.0.5
  • Mozilla, Thunderbird 1.0.5 Beta
  • Mozilla, Thunderbird 1.0.6
  • Mozilla, Thunderbird 1.0.7
  • Mozilla, Thunderbird 1.5 Beta2
  • Mozilla, Thunderbird 1.5

Remedy:

Refer to Mozilla Foundation Security Advisory 2006-28 for upgrade or suggested workaround information. See References.

Consequences:

Gain Access

References:

  • MFSA 2006-28, Security check of js_ValueToFunctionObject() can be circumvented at http://www.mozilla.org/security/announce/2006/mfsa2006-28.html.
  • Mozilla Web site, The SeaMonkey Project at http://www.mozilla.org/projects/seamonkey/.
  • Mozilla Web site, Thunderbird at http://www.mozilla.com/thunderbird/.
  • Mozilla Web site, Firefox - Rediscover the Web at http://www.mozilla.com/firefox/.
  • ASA-2006-259: HP-UX Firefox Vulnerabilities
  • ASA-2007-097: HP-UX Running Firefox Remote Unauthorized Access or Elevation of Privileges or Denial of Service (DoS) (HPSBUX02153)
  • ASA-2007-135: HP-UX Running Thunderbird Remote Unauthorized Access or Elevation of Privileges or Denial of Service (HPSBUX02156)
  • BID-17516: Mozilla Suite, Firefox, SeaMonkey, and Thunderbird Multiple Remote Vulnerabilities
  • CVE-2006-1726: Unspecified vulnerability in Firefox and Thunderbird 1.5 before 1.5.0.2, and SeaMonkey before 1.0.1, allows remote attackers to bypass the js_ValueToFunctionObject check and execute arbitrary code via unknown vectors involving setTimeout and Firefox' ForEach method.
  • DSA-1046: mozilla -- several vulnerabilities
  • FrSIRT/ADV-2006-1356: Mozilla Products Memory Corruption and Information Disclosure Vulnerabilities
  • FrSIRT/ADV-2006-3748: HP-UX Security Update Fixes Mozilla Firefox Command Execution Vulnerabilities
  • FrSIRT/ADV-2006-3749: HP-UX Security Update Fixes Mozilla Thunderbird Code Execution Vulnerabilities
  • FrSIRT/ADV-2008-0083: HP-UX Security Update Fixes Firefox Command Execution Vulnerabilities
  • SA19631: Firefox Multiple Vulnerabilities
  • SA19649: Mozilla SeaMonkey Multiple Vulnerabilities
  • SECTRACK ID: 1015931: Mozilla Seamonkey js_ValueToFunctionObject() Security Check Can Be Bypassed by Remote Users to Execute Arbitrary Code
  • SECTRACK ID: 1015932: Mozilla Thunderbird js_ValueToFunctionObject() Security Check Can Be Bypassed by Remote Users to Execute Arbitrary Code
  • SECTRACK ID: 1015933: Mozilla Firefox js_ValueToFunctionObject() Security Check Can Be Bypassed by Remote Users to Execute Arbitrary Code
  • US-CERT VU#968814: Mozilla JavaScript security bypass vulnerability

Reported:

Apr 13, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page