Mozilla Firefox is a popular open source Web browser.
A number of vulnerabilities have been found in the way Firefox processes malformed JavaScript code. If an attacker could trick a user into visiting a malicious web page, Firefox could potentially crash and allow the attacker to execute arbitrary code as the user running Firefox. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-0775 and CVE-2007-0777 to these issues.
Three cross-site scripting (XSS) vulnerabilities have been identified in the way Firefox processes certain malformed web pages. If an attacker could trick a user into visiting a malicious web page, misleading information could be displayed which may result in a user giving up user names, passwords, or other sensitive information. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2006-6077, CVE-2007-0995 and CVE-2007-0996 to these issues.
An issue has been reported in the way Firefox caches web pages locally. An attacker could exploit this vulnerability to inject HTML into a reloaded session. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-0778 to this issue.
A vulnerability has been found in the way Firefox displays some web content. An attacker could cause misleading information to be displayed, making a user think that they are visiting a different web page. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-0779 to this issue.
Two vulnerabilities have been reported in the way Firefox displays blocked popup windows. A successful attack would require a user to accept a blocked popup, but would allow the attacker to browse files on the system, or conduct a cross-site scripting (XSS) attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-0780 and CVE-2007-0800 to these issues.
Two buffer overflow vulnerabilities have been reported in the Network Security Services (NSS) code for processing the SSLv2 protocol. An attacker that tricked a user into visiting a malicious web site could execute arbitrary code as the user running Firefox. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-0008 and CVE-2007-0009 to these issues.
A vulnerability has been reported in the way Firefox handles "location.hostname" during some browser domain checks. This flaw could allow a malicious web site to set domain cookies for an arbitrary site, or possibly perform an XSS attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-0981 to this issue.
More information about these vulnerabilities can be found in the security advisory issued by RedHat Linux:
| Product: | Affected Version(s): | Risk Level: | Actions: |
|---|---|---|---|
| Avaya Messaging Storage Server | MSS 3.1 and earlier | Low | Upgrade to MSS 4.0 or later. |
Recommended Actions:
For all system products which use vulnerable versions of Firefox, Avaya recommends that customers restrict local and network access to the server. This restriction should be enforced through the use of physical security, firewalls, ACLs, VPNs, and other generally-accepted networking practices until the system can be upgraded.
Avaya software-only products operate on general-purpose operating systems. Occasionally vulnerabilities may be discovered in the underlying operating system or applications that come with the operating system. These vulnerabilities often do not impact the software-only product directly but may threaten the integrity of the underlying platform.
In the case of this advisory, Avaya software-only products are not directly affected by the vulnerability, but the underlying Linux platform may be. Customers should determine on which Linux operating system the product was installed and then follow that vendor's guidance.
| Product: | Affected Version(s): | Risk Level: | Actions: |
|---|---|---|---|
| CVLAN | All | None | Depending on the Operating System provided by customers, the affected package may be installed on the underlying Operating System supporting the CVLAN application. The CVLAN application does not require the software described in this advisory. |
| Avaya Integrated Management Suite(IMS) | All | Low | See recommended actions below. |
Recommended Actions:
Avaya recommends that customers follow the recommended actions supplied by RedHat Linux or remove the affected package.
Additional information may also be available via the Avaya support website and through your Avaya account representative. Please contact your Avaya product support representative, or dial 1-800-242-2121, with any questions.
ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC., ON BEHALF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS. IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN, INCLUDING DIRECT, INDIRECT, CONSEQUENTIAL DAMAGES, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER EXISTING AGREEMENTS WITH AVAYA.
V 1.0 - March 19, 2007 - Initial Statement issued.
V 2.0 - January 14, 2009 - Changed the MSS affected versions and actions, and set the advisory status to final.
Send information regarding any discovered security problems with Avaya products to either the contact noted in the product's documentation or [email protected].
© 2007 Avaya Inc. All Rights Reserved. All trademarks identified by the ® or ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.