Mozilla Firefox contentWindow.focus() designMode code execution
| firefox-iframe-contentwindowfocus-bo (25994) |  High Risk |
Description:
Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a memory corruption vulnerability that can occur when "designMode" is set to "on". A remote attacker could exploit this vulnerability to execute arbitrary code or cause a victim's browser to crash by creating a malicious Web page that uses the contentWindows.focus() JavaScript control to reference a deleted object.
Consequences:
Gain Access
Remedy:
Upgrade to the latest version of Firefox (1.5.0.3 or later), as listed in Mozilla Foundation Security Advisory 2006-30. See References.
For Debian GNU/Linux (Mozilla):
Refer to DSA-1053-1 for patch, upgrade, or suggested workaround information. See References.
For Debian GNU/Linux (Firefox):
Refer to DSA-1055-1 for patch, upgrade, or suggested workaround information. See References.
For HP Tru64 UNIX:
Refer to Hewlett-Packard Company Security Bulletin HPSBTU02118 SSRT061145 for patch, upgrade, or suggested workaround information. See References.
References:
- Browser Fun Blog Monday, July 03, 2006: MoBB #4: Mozilla Firefox DesignMode.
- BugTraq Mailing List, Fri May 19 2006 - 08:05:21 CDT: [security bulletin] HPSBTU02118 SSRT061145 rev.1 - HP Tru64 UNIX Running Firefox or Mozilla Application Suite, Remote Execution of Arbitrary Code or Denial of Service (DoS).
- BugTraq Mailing List, Sun Apr 23 2006 - 20:26:37 CDT: Firefox Remote Code Execution and DoS 1.5.0.2.
- Hewlett-Packard Company Security Bulletin HPSBTU02118 SSRT061145: HP Tru64 UNIX Running Firefox or Mozilla Application Suite, Remote Execution of Arbitrary Code or Denial of Service (DoS).
- MFSA 2006-30: Deleted object reference when designMode="on".
- ASA-2006-259: HP-UX Firefox Vulnerabilities
- ASA-2007-097: HP-UX Running Firefox Remote Unauthorized Access or Elevation of Privileges or Denial of Service (DoS) (HPSBUX02153)
- BID-17671: Mozilla Firefox iframe.contentWindow.focus Deleted Object Reference Vulnerability
- CVE-2006-1993: Mozilla Firefox 1.5.0.2, when designMode is enabled, allows remote attackers to cause a denial of service and possibly execute arbitrary code via certain Javascript that is not properly handled by the contentWindow.focus method in an iframe, which causes a reference to a deleted controller context object. NOTE: this was originally claimed to be a buffer overflow in (1) js320.dll and (2) xpcom_core.dll, but the vendor disputes this claim.
- DSA-1053: mozilla -- programming error
- DSA-1055: mozilla-firefox -- programming error
- GLSA-200605-06: Mozilla Firefox: Potential remote code execution
- SA19802: Firefox "contentWindow.focus()" Deleted Object Reference Vulnerability
- SA20214: HP Tru64 UNIX Firefox/Mozilla Application Suite Vulnerability
- SECTRACK ID: 1015981: Firefox IFRAME Initialization Function Lets Remote Users Execute Arbitrary Code
- US-CERT VU#866300: Mozilla Firefox designMode deleted object reference
- VUPEN/ADV-2006-1614: Mozilla Firefox Deleted Object Reference Remote Code Execution Vulnerability
- VUPEN/ADV-2006-1922: HP Tru64 UNIX Security Update Fixes Mozilla Code Execution Vulnerability
- VUPEN/ADV-2006-3748: HP-UX Security Update Fixes Mozilla Firefox Command Execution Vulnerabilities
- VUPEN/ADV-2008-0083: HP-UX Security Update Fixes Firefox Command Execution Vulnerabilities
Platforms Affected:
- Debian Debian Linux 3.1
- Gentoo Linux
- Mozilla Firefox 1.5.0.2
Reported:
Apr 23, 2006
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net