MFSA 2005-45 Fixed in: Firefox 1.0.5 Mozilla Suite 1.7.9 impact=moderate,source=mozilla,public=20050712 In several places the browser UI did not correctly distinguish between true user events, such as mouse clicks or keystrokes, and synthetic events genenerated by web content. The problems ranged from minor annoyances like switching tabs or entering full-screen mode, to a variant on MFSA 2005-34 https://bugzilla.mozilla.org/show_bug.cgi?id=289940 MFSA 2005-46 Firefox 1.0.5 Thunderbird 1.0.5 Mozilla Suite 1.7.9 impact=low,source=mozilla,public=20050712 Scripts in XBL controls from web content continued to be run even when Javascript was disabled. By itself this causes no harm, but it could be combined with most script-based exploits to attack people running vulnerable versions who thought disabling javascript would protect them. https://bugzilla.mozilla.org/show_bug.cgi?id=292591 https://bugzilla.mozilla.org/show_bug.cgi?id=292589 MFSA 2005-48 Firefox 1.0.5 Mozilla Suite 1.7.9 impact=moderate,source=mozilla,public=20050712 The InstallTrigger.install() method for launching an install accepts a callback function that will be called with the final success or error status. By forcing a page navigation immediately after calling the install method this callback function can end up running in the context of the new page selected by the attacker. This is true even if the user cancels the unwanted install dialog: cancel is an error status. This callback script can steal data from the new page such as cookies or passwords, or perform actions on the user's behalf such as make a purchase if the user is already logged into the target site. https://bugzilla.mozilla.org/show_bug.cgi?id=293331 MFSA 2005-50 Firefox 1.0.5 Mozilla Suite 1.7.9 impact=moderate,source=mozilla,public=20050712 When InstallVersion.compareTo() is passed an object rather than a string it assumed the object was another InstallVersion without verifying it. When passed a different kind of object the browser would generally crash with an access violation. MFSA 2005-51 Firefox 1.0.5 Mozilla Suite 1.7.9 CAN-2005-1937 impact=important,source=mozilla,public=20050606 The original frame-injection spoofing bug was fixed in the Mozilla Suite 1.7 and Firefox 0.9 releases. This protection was accidentally disabled by one of the fixes in the Firefox 1.0.3 and Mozilla Suite 1.7.7 releases. http://secunia.com/advisories/15601/ https://bugzilla.mozilla.org/show_bug.cgi?id=296850 MFSA 2005-52 Firefox 1.0.5 Mozilla Suite 1.7.9 impact=moderate,source=mozilla,public=20050712 A child frame can call top.focus() even if the framing page comes from a different origin and has overridden the focus() routine. The call is made in the context of the child frame. The attacker would look for a target site with a framed page that makes this call but doesn't verify that its parent comes from the same site. By framing this page the attacker could steal cookies and passwords, or take actions on the site on behalf of a signed-in user. http://secunia.com/advisories/15549/ https://bugzilla.mozilla.org/show_bug.cgi?id=296830 MFSA 2005-53 Firefox 1.0.5 Mozilla Suite 1.7.9 impact=moderate,source=mozilla,public=20050712 Several media players, for example Flash and QuickTime, support scripted content with the ability to open URLs in the default browser. The default behavior for Firefox and the Mozilla Suite was to replace the currently open browser window's content with the externally opened content. If the external URL was a javascript: url it would run as if it came from the site that served the previous content, which could be used to steal sensitive information such as login cookies or passwords. If the media player content first caused a privileged chrome: url to load then the subsequent javascript: url could execute arbitrary code. https://bugzilla.mozilla.org/show_bug.cgi?id=298255 MFSA 2005-54 Firefox 1.0.5 Mozilla Suite 1.7.9 impact=low,source=mozilla,public=20050607 Alerts and prompts created by scripts in web pages are presented with the generic title [JavaScript Application] which sometimes makes it difficult to know which site created them. A malicious page could attempt to cause a prompt to appear in front of a trusted site in an attempt to extract information such as passwords from the user. https://secunia.com/advisories/15489/ https://bugzilla.mozilla.org/show_bug.cgi?id=298934 MFSA 2005-55 Firefox 1.0.5 Mozilla Suite 1.7.9 impact=moderate,source=mozilla,public=20050712 Parts of the browser UI relied too much on DOM node names without taking different namespaces into account and verifying that the node was really of the expected type. An XHTML document could be used, for example, to create fake <IMG> elements with content-defined properties that will be accessed as if they were the trusted built-in properties of the expected HTML elements. https://bugzilla.mozilla.org/show_bug.cgi?id=298892 MFSA 2005-56 Firefox 1.0.5 Mozilla Suite 1.7.9 impact=important,source=mozilla,public=20050712 Improper cloning of base objects allowed web content scripts to get to a privileged object by walking up the prototype chain. This could be used to execute code with enhanced privileges. https://bugzilla.mozilla.org/show_bug.cgi?id=294795 https://bugzilla.mozilla.org/show_bug.cgi?id=294799 https://bugzilla.mozilla.org/show_bug.cgi?id=295011 https://bugzilla.mozilla.org/show_bug.cgi?id=296397
These issues also affect RHEL2.1 and RHEL3
MFSA 2005-45 CAN-2005-2260 MFSA 2005-46 CAN-2005-2261 MFSA 2005-48 CAN-2005-2263 MFSA 2005-50 CAN-2005-2265 MFSA 2005-51 CAN-2005-1937 MFSA 2005-52 CAN-2005-2266 MFSA 2005-53 CAN-2005-2267 MFSA 2005-54 CAN-2005-2268 MFSA 2005-55 CAN-2005-2269 MFSA 2005-56 CAN-2005-2270
Lifting embargo, this is all public now.
RHSA-2005:587