__________________________________________________________
	
						   The U.S. Department of Energy
					   Computer Incident Advisory Capability
							   ___  __ __    _     ___
							  /       |     /_\   /
							  \___  __|__  /   \  \___
				 __________________________________________________________
	
								 INFORMATION BULLETIN
	
				   Mozilla Crashes with Evidence of Memory Corruption
					 [Mozilla Foundation Security Advisory 2007-01]
	
	February 26, 2007 18:00 GMT                                       Number R-163
	______________________________________________________________________________
	PROBLEM:       The Mozilla JavaScript engine contains multiple memory 
				   corruption vulnerabilities. 
	PLATFORM:      Firefox 2.0.0, 1.5.0.9 
				   Thunderbird 1.5.0.9 
				   SeaMonkey 1.0.7 
	DAMAGE:        Memory corruption that could allow arbitrary code to run. 
	SOLUTION:      Upgrade to the appropriate version. 
	______________________________________________________________________________
	VULNERABILITY  The risk is MEDIUM. Memory corruption could allow arbitrary 
	ASSESSMENT:    code to run. 
	______________________________________________________________________________
	LINKS: 
	 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/r-163.shtml 
	 ORIGINAL BULLETIN:  http://www.mozilla.org/security/announce/2007/mfsa2007-01.html 
	 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0775 
	______________________________________________________________________________
	[***** Start Mozilla Foundation Security Advisory 2007-01 *****]
	
	Mozilla Foundation Security Advisory 2007-01
	Title: Crashes with evidence of memory corruption (rv:1.8.0.10/1.8.1.2)
	Impact: Critical
	Announced: February 23, 2007
	Reporter: Mozilla developers and community
	Products: Firefox, Thunderbird, SeaMonkey
	
	Fixed in: Firefox 2.0.0.2
	  Firefox 1.5.0.10
	  Thunderbird 1.5.0.10
	  SeaMonkey 1.0.8
	
	Description
	As part of the Firefox 2.0.0.2 and 1.5.0.10 update releases we fixed several 
	bugs to improve the stability of the product. Some of these were crashes that 
	showed evidence of memory corruption and we presume that with enough effort 
	at least some of these could be exploited to run arbitrary code. 
	
	Note: Thunderbird shares the browser engine with Firefox and could be 
	vulnerable if JavaScript were to be enabled in mail. This is not the default 
	setting and we strongly discourage users from running JavaScript in mail. 
	Without further investigation we cannot rule out the possibility that for some 
	of these an attacker might be able to prepare memory for exploitation through 
	some means other than JavaScript, such as large images. 
	
	Workaround
	Upgrade to the fixed versions. Do not enable JavaScript in Thunderbird or the 
	mail portions of SeaMonkey. 
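
	To act on the "Fixed in" list, the sketch below triages an inventory of installed versions. It is an added example, not code from Mozilla or CIAC. The host names, the function names and the rule that the first two version fields identify a release branch are assumptions. Versions are compared as numbers because a string comparison ranks 1.5.0.10 below 1.5.0.9.

```python
# Added example (not Mozilla or CIAC code). Fixed releases come from the
# advisory's "Fixed in" list; the host names below are constructed.
FIXED = {
    "firefox": [(2, 0, 0, 2), (1, 5, 0, 10)],
    "thunderbird": [(1, 5, 0, 10)],
    "seamonkey": [(1, 0, 8, 0)],
}

def parse_version(text):
    """'1.5.0.10' -> (1, 5, 0, 10), padded to four numeric fields.
    Raises ValueError on non-numeric parts such as '2.0b1'."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))

def needs_upgrade(product, version):
    """True/False if the version is on a branch the advisory lists,
    None if the advisory says nothing about that product or branch."""
    installed = parse_version(version)
    for fixed in FIXED.get(product.lower(), []):
        # Assumption: the first two fields identify the release branch.
        if installed[:2] == fixed[:2]:
            return installed < fixed
    return None

def triage(inventory):
    """Split (host, product, version) rows into upgrade / review lists."""
    upgrade, review = [], []
    for host, product, version in inventory:
        verdict = needs_upgrade(product, version)
        if verdict is True:
            upgrade.append(host)
        elif verdict is None:
            review.append(host)
    return upgrade, review

# Constructed inventory for illustration.
SAMPLE_INVENTORY = [
    ("ws-01", "Firefox", "2.0.0.1"),
    ("ws-02", "Firefox", "1.5.0.10"),
    ("ws-03", "Thunderbird", "1.5.0.9"),
    ("ws-04", "SeaMonkey", "1.0.7"),
    ("ws-05", "Firefox", "2.0.0.2"),
    ("ws-06", "Firefox", "1.0.8"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

	Hosts in the review list run a branch the advisory does not mention and need a manual decision.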
	
	References
	Jesse Ruderman, Martijn Wargers and Olli Pettay reported crashes in the layout 
	engine. 
	
	CVE-2007-0775
	https://bugzilla.mozilla.org/show_bug.cgi?id=326864
	https://bugzilla.mozilla.org/show_bug.cgi?id=344228
	https://bugzilla.mozilla.org/show_bug.cgi?id=359371
	https://bugzilla.mozilla.org/show_bug.cgi?id=367243
	https://bugzilla.mozilla.org/show_bug.cgi?id=369413
	https://bugzilla.mozilla.org/show_bug.cgi?id=337716
	https://bugzilla.mozilla.org/show_bug.cgi?id=343293
	https://bugzilla.mozilla.org/show_bug.cgi?id=362724
	https://bugzilla.mozilla.org/show_bug.cgi?id=363813
	
	
	Tom Ferris reported a heap buffer overflow in SVG involving wide stroke widths. 
	This flaw was introduced in Firefox 2 and does not affect earlier releases. 
	
	CVE-2007-0776
	https://bugzilla.mozilla.org/show_bug.cgi?id=360645
	
	
	Brian Crowder, Igor Bukanov, Johnny Stenback, moz_bug_r_a4 and shutdown reported 
	potential memory corruption in the JavaScript engine. 
	
	CVE-2007-0777
	https://bugzilla.mozilla.org/show_bug.cgi?id=368534
	https://bugzilla.mozilla.org/show_bug.cgi?id=362909
	https://bugzilla.mozilla.org/show_bug.cgi?id=365527
	https://bugzilla.mozilla.org/show_bug.cgi?id=365692
	https://bugzilla.mozilla.org/show_bug.cgi?id=366601
	https://bugzilla.mozilla.org/show_bug.cgi?id=364657
	https://bugzilla.mozilla.org/show_bug.cgi?id=367118
	https://bugzilla.mozilla.org/show_bug.cgi?id=367119
	https://bugzilla.mozilla.org/show_bug.cgi?id=367120
	https://bugzilla.mozilla.org/show_bug.cgi?id=367501
	https://bugzilla.mozilla.org/show_bug.cgi?id=362872
	https://bugzilla.mozilla.org/show_bug.cgi?id=364023
	https://bugzilla.mozilla.org/show_bug.cgi?id=366122
	https://bugzilla.mozilla.org/show_bug.cgi?id=366123
	
	
	
	[***** End Mozilla Foundation Security Advisory 2007-01 *****]
	_______________________________________________________________________________
	
	CIAC wishes to acknowledge the contributions of Mozilla for the 
	information contained in this bulletin.
	_______________________________________________________________________________
	
	
	CIAC, the Computer Incident Advisory Capability, is the computer
	security incident response team for the U.S. Department of Energy
	(DOE) and the emergency backup response team for the National
	Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
	National Laboratory in Livermore, California. CIAC is also a founding
	member of FIRST, the Forum of Incident Response and Security Teams, a
	global organization established to foster cooperation and coordination
	among computer security teams worldwide.
	
	CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
	can be contacted at:
		Voice:    +1 925-422-8193 (7x24)
		FAX:      +1 925-423-8002
		STU-III:  +1 925-423-2604
		E-mail:   ciac@ciac.org
	
	Previous CIAC notices, anti-virus software, and other information are
	available from the CIAC Computer Security Archive.
	
	   World Wide Web:      http://www.ciac.org/
	   Anonymous FTP:       ftp.ciac.org
	
	PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
	communities receive CIAC bulletins.  If you are not part of these
	communities, please contact your agency's response team to report
	incidents. Your agency's team will coordinate with CIAC. The Forum of
	Incident Response and Security Teams (FIRST) is a world-wide
	organization. A list of FIRST member organizations and their
	constituencies can be obtained via WWW at http://www.first.org/.
	
	This document was prepared as an account of work sponsored by an
	agency of the United States Government. Neither the United States
	Government nor the University of California nor any of their
	employees, makes any warranty, express or implied, or assumes any
	legal liability or responsibility for the accuracy, completeness, or
	usefulness of any information, apparatus, product, or process
	disclosed, or represents that its use would not infringe privately
	owned rights. Reference herein to any specific commercial products,
	process, or service by trade name, trademark, manufacturer, or
	otherwise, does not necessarily constitute or imply its endorsement,
	recommendation or favoring by the United States Government or the
	University of California. The views and opinions of authors expressed
	herein do not necessarily state or reflect those of the United States
	Government or the University of California, and shall not be used for
	advertising or product endorsement purposes.
	
	LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
	
	R-152: KOffice Security Update
	R-153: Cisco Unified IP Conference Station and IP Phone Vulnerabilities
	R-154: Multiple Vulnerabilities in 802.1X Supplicant
	R-156: Buffer Overflow in ServerProtect
	R-157: Macrovision FLEXnet Connect / InstallShield Update Service Agent
	R-158: VeriSign Managed PKI Configuration Checker
	R-159: Macrovision / InstallShield InstallFromTheWeb
	R-160: McAfee Virex Vulnerability
	R-161: Stack Overflow in Third-Party ActiveX Controls
	R-162: Mozilla Firefox has a Memory Corruption