ISS X-Force Database: mozilla-xul-page-spoofing(37286): Mozilla Firefox and SeaMonkey XUL Web page spoofing

Mozilla Firefox and SeaMonkey XUL Web page spoofing

mozilla-xul-page-spoofing (37286)

Low Risk

Description:

Mozilla Firefox and SeaMonkey could provide weaker than expected security when rendering Web pages written in the XUL markup language. A remote attacker could exploit this vulnerability to more easily hide the title bar on a malicious Web page, which could be used to conduct Web spoofing and phishing attacks.

Platforms Affected:

Canonical, Ubuntu 6.06 LTS
Canonical, Ubuntu 6.10
Canonical, Ubuntu 7.04
Canonical, Ubuntu 7.10
Debian, Debian Linux 4.0
Gentoo, Linux
Mandriva, Corporate Server 3.0 X86_64
Mandriva, Corporate Server 3.0
Mandriva, Corporate Server 4.0
Mandriva, Corporate Server 4.0 X86_64
Mandriva, Linux 2007.1 X86_64
Mandriva, Linux 2007.1
Mandriva, Linux 2008.0
Mandriva, Linux 2008.0 X86_64
Mozilla, Firefox 2.0
Mozilla, Firefox 2.0 Beta1
Mozilla, Firefox 2.0 rc2
Mozilla, Firefox 2.0 rc3
Mozilla, Firefox 2.0 Beta2
Mozilla, Firefox 2.0 rc1
Mozilla, Firefox 2.0.0.1
Mozilla, Firefox 2.0.0.2
Mozilla, Firefox 2.0.0.3
Mozilla, Firefox 2.0.0.4
Mozilla, Firefox 2.0.0.5
Mozilla, Firefox 2.0.0.6
Mozilla, Firefox 2.0.0.7
Mozilla, SeaMonkey 1.1 Beta
Mozilla, SeaMonkey 1.1
Mozilla, SeaMonkey 1.1.0
Mozilla, SeaMonkey 1.1.1
Mozilla, SeaMonkey 1.1.2
Mozilla, SeaMonkey 1.1.3
Mozilla, SeaMonkey 1.1.4
Netscape, Navigator prior to 9.0.0.1
Novell, Linux Desktop 9
Novell, Linux POS 9
Novell, Open Enterprise Server
Novell, Open Enterprise Server
Novell, OpenSUSE 10.2
Novell, OpenSUSE 10.3
Novell, SUSE Linux Enterprise Desktop 10 SP1
Novell, SUSE Linux Enterprise Server 10
Novell, SUSE Linux Enterprise Server 10 SP1
Novell, UnitedLinux 1.0
RedHat, Enterprise Linux 2.1 AS
RedHat, Enterprise Linux 2.1 ES
RedHat, Enterprise Linux 2.1 WS
RedHat, Enterprise Linux 3 ES
RedHat, Enterprise Linux 3 Desktop
RedHat, Enterprise Linux 3 WS
RedHat, Enterprise Linux 3 AS
RedHat, Enterprise Linux 4 WS
RedHat, Enterprise Linux 4 AS
RedHat, Enterprise Linux 4 Desktop
RedHat, Enterprise Linux 4 ES
RedHat, Enterprise Linux 5 Client Workstation
RedHat, Enterprise Linux 5 Client
RedHat, Enterprise Linux 5
RedHat, Enterprise Linux Optional Productivity Applications 5 Server
RedHat, Linux Advanced Workstation 2.1 Itanium
SuSE, OpenSuSE 10.2
SuSE, OpenSuSE 10.3
SuSE, SuSE Linux 10.0
SuSE, SuSE Linux 10.1
SuSE, SuSE Linux Enterprise Server 8.0
SuSE, SuSE Linux OpenExchange Server 4
SuSE, SuSE Linux Retail Solution 8
SuSE, SuSE Linux School Server
SuSE, SuSE Linux Standard Server 8
SuSE, SuSE SLES 9
Turbolinux, Turbolinux 10 Server
Turbolinux, Turbolinux 10 Server x64 Ed
Turbolinux, Turbolinux FUJI
Warpzilla Enhanced Gecko, Warpzilla Enhanced Gecko prior to 1.8.1.8

Remedy:

Refer to MFSA 2007-33 for patch, upgrade, or suggested workaround information. See References.

For Netscape:
Upgrade to the latest version of Netscape (9.0.0.1 or later), available from the Netscape Web site. See References.

For Warpzilla Enhanced Gecko:
Upgrade to the latest version of Gecko (1.8.1.8 or later), available from SourceForge.net: Files. See References.

For other distributions:
Apply the appropriate update for your system. See References.

Consequences:

Bypass Security

References:

Bugzilla@Mozilla � Bug 391043, (CVE-2007-5334) � Content can hide the window's titlebar at https://bugzilla.mozilla.org/show_bug.cgi?id=391043.
Full-Disclosure Mailing List, Mon Oct 22 2007 - 15:14:34 CDT, Camino release 1.5.2 fixes several vulnerabilities at http://archives.neohapsis.com/archives/fulldisclosure/2007-10/0686.html.
MFSA 2007-33, XUL pages can hide the window titlebar at http://www.mozilla.org/security/announce/2007/mfsa2007-33.html.
SourceForge.net: Files, Warpzilla Enhanced - File Release Notes and Changelog - Release Name: Gecko 1.8.1.8 at http://sourceforge.net/project/shownotes.php?release_id=548270.
ASA-2007-447: Firefox security update (RHSA-2007-0979)
ASA-2007-459: seamonkey security update (RHSA-2007-0980)
ASA-2007-461: thunderbird security update (RHSA-2007-0981)
ASA-2008-008: Multiple Security Vulnerabilities in Firefox and Thunderbird for Solaris 10 May Allow Execution of Arbitrary Code and Access to Unauthorized Data (Sun 103177)
BID-26132: Mozilla Firefox 2.0.0.7 Multiple Remote Vulnerabilities
CVE-2007-5334: Mozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5 can hide the window's titlebar when displaying XUL markup language documents, which makes it easier for remote attackers to conduct phishing and spoofing attacks by setting the hidechrome attribute.
DSA-1392: xulrunner -- several vulnerabilities
DSA-1396: iceweasel -- several vulnerabilities
DSA-1401: iceape -- several vulnerabilities
FrSIRT/ADV-2007-3544: Mozilla Firefox/SeaMonkey Code Execution and Information Disclosure
FrSIRT/ADV-2007-3587: Netscape Security Update Fixes Multiple Code Execution Vulnerabilities
FrSIRT/ADV-2008-0083: HP-UX Security Update Fixes Firefox Command Execution Vulnerabilities
GLSA-200711-14: Mozilla Firefox, SeaMonkey, XULRunner: Multiple vulnerabilities
MDKSA-2007:202: Updated Firefox packages fix multiple vulnerabilities
RHSA-2007-0979: Critical: firefox security update
RHSA-2007-0980: Critical: seamonkey security update
RHSA-2007-0981: Moderate: thunderbird security update
SA27311: Mozilla Firefox Multiple Vulnerabilities
SA27315: Mozilla SeaMonkey Multiple Vulnerabilities
SA27333: Warpzilla Enhanced Multiple Vulnerabilities
SA27360: Netscape Multiple Vulnerabilities
SECTRACK ID: 1018837: Mozilla Firefox May Discloses Files or Information to Remote Users
SUSE-SA:2007:057: Mozilla Security Update
US-CERT VU#349217: Mozilla XUL web applications may hide the titlebar
USN-535-1: Firefox vulnerabilities
USN-536-1: Thunderbird vulnerabilities

Reported:

Oct 18, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page