=====================================================================
                                    CERT-Renater

                         Information Note No. 2006/VULN579
_____________________________________________________________________

DATE                      : 21/12/2006

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Mozilla products.

======================================================================

                      National Cyber Alert System

                Technical Cyber Security Alert TA06-354A


Mozilla Addresses Multiple Vulnerabilities

    Original release date: December 20, 2006
    Last revised: --
    Source: US-CERT


Systems Affected

      * Mozilla Firefox
      * Mozilla Thunderbird
      * Mozilla SeaMonkey
      * Netscape Browser

    Other products based on Mozilla components may also be affected.


Overview

    The  Mozilla  web  browser  and derived  products  contain  several
    vulnerabilities,  the most  severe of  which could  allow  a remote
    attacker to execute arbitrary code on an affected system.


I. Description

    Mozilla  has released  new  versions of  Firefox, Thunderbird,  and
    SeaMonkey to address several vulnerabilities. Further details about
    these   vulnerabilities  are   available  from   Mozilla   and  the
    Vulnerability  Notes  Database.  An  attacker could  exploit  these
    vulnerabilities by  convincing a  user to view  a specially-crafted
    HTML document, such as a web page or HTML email message.


II. Impact

    While the impacts of  the individual vulnerabilities vary, the most
    severe could  allow a  remote, unauthenticated attacker  to execute
    arbitrary code on a vulnerable system. An attacker may also be able
    to cause a denial of service.


III. Solution

Upgrade

    These  vulnerabilities are  addressed in  Mozilla  Firefox 1.5.0.9,
    Mozilla Firefox 2.0.0.1, Mozilla Thunderbird 1.5.0.9, and SeaMonkey
    1.0.7. Mozilla  Firefox, Thunderbird,  and  SeaMonkey automatically
    check for updates by default.

    Support   for  Firefox   1.5   is  scheduled   to   end  in   April
    2007. According to Mozilla:

      Firefox 1.5.0.x  will be  maintained with security  and stability
      updates until  April 24, 2007. All users  are strongly encouraged
      to upgrade to Firefox 2.
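
    The fixed releases above are only useful if you can compare them
    against what is actually installed. The script below is an added
    example (it is not part of the US-CERT alert or a Mozilla tool): it
    encodes the fixed versions named in this section per product and
    branch, compares dotted numeric version strings component by
    component, and reports whether a given install is at or above the
    fixed release. The product names, the helper names and the assumption
    that "firefox -version" prints a line starting with "Mozilla Firefox
    <version>" are this example's own.

```shell
#!/bin/sh
# Added example (not from the alert): is an installed Mozilla build at or
# above the release that carries the TA06-354A fixes?
# Fixed versions are taken from the alert text; everything else is an
# assumption of this example.

# vercmp A B -> prints -1, 0 or 1 for A<B, A=B, A>B.
# Dotted numeric versions only; missing trailing components count as 0,
# so "2.0" compares below "2.0.0.1".
vercmp() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then echo -1; return; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    echo 0
}

# fixed_version PRODUCT VERSION -> the fixed release for that product's
# branch, or nothing when the branch is not covered by the alert (for
# example an unsupported Firefox 1.0.x build, which must be replaced).
# Branches are matched on the first two components because the 1.5.0.x
# and 2.0.0.x lines were maintained in parallel.
fixed_version() {
    branch="$(echo "$2" | cut -d. -f1-2)"
    case "$1:$branch" in
        firefox:1.5)     echo 1.5.0.9 ;;
        firefox:2.0)     echo 2.0.0.1 ;;
        thunderbird:1.5) echo 1.5.0.9 ;;
        seamonkey:1.0)   echo 1.0.7 ;;
        *)               ;;
    esac
}

# is_fixed PRODUCT VERSION -> exit 0 if VERSION contains the fixes,
# 1 if it is older or on a branch the alert does not cover.
is_fixed() {
    fv="$(fixed_version "$1" "$2")"
    [ -n "$fv" ] || return 1
    [ "$(vercmp "$2" "$fv")" -ge 0 ]
}

# installed_version BINARY -> version string parsed from "BINARY -version".
# Assumes the first line starts with "Mozilla <Product> <version>".
installed_version() {
    "$1" -version 2>/dev/null | sed -n 's/^Mozilla [A-Za-z]* \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Usage: sh check-mozilla.sh firefox 2.0.0.1
#    or: sh check-mozilla.sh firefox "$(installed_version /usr/bin/firefox)"
if [ "$#" -eq 2 ]; then
    if is_fixed "$1" "$2"; then
        echo "$1 $2: contains the TA06-354A fixes"
    else
        fv="$(fixed_version "$1" "$2")"
        echo "$1 $2: needs upgrade to ${fv:-a currently supported release}"
        exit 1
    fi
fi
```

    Note that a branch match is required: a Firefox 1.0.x install is not
    "older than 1.5.0.9" in a meaningful sense, it is unsupported, so the
    check reports it as needing an upgrade rather than guessing a target.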

Disable JavaScript and Java

    These vulnerabilities can be  mitigated by disabling JavaScript and
    Java. For  more information  about configuring Firefox,  please see
    the "Securing Your Web Browser" document. Netscape users should see
    the  "Site Controls"  document for  details.   Thunderbird disables
    JavaScript and Java by default.
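
    On a managed system the mitigation is easier to apply from a profile's
    user.js than by clicking through the Options dialog: Firefox reads
    user.js at startup and copies its user_pref() lines into prefs.js, so a
    setting pinned there survives changes made in the UI. The script below
    is an added example, not code from the alert or from Mozilla: it writes
    the two preferences off, idempotently, and then reads back what the
    profile will actually start with, since a stale prefs.js can still say
    "true". The pref names javascript.enabled and security.enable_java are
    the Firefox 1.5/2.0 about:config names; the helper names and the
    profile path in the usage line are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the alert): disable JavaScript and Java in a
# Firefox 1.5/2.0 profile via user.js and verify the effective setting.
# Pref names are the real about:config names of that era; helper names
# and paths are assumptions of this example.

PREFS="javascript.enabled security.enable_java"

# set_pref PROFILE_DIR NAME VALUE: replace or append one user_pref line in
# PROFILE_DIR/user.js, so repeated runs do not accumulate duplicates.
set_pref() {
    f="$1/user.js"
    touch "$f"
    grep -v "^user_pref(\"$2\"," "$f" > "$f.tmp" || true
    printf 'user_pref("%s", %s);\n' "$2" "$3" >> "$f.tmp"
    mv "$f.tmp" "$f"
}

# disable_active_content PROFILE_DIR: apply the TA06-354A mitigation.
disable_active_content() {
    for p in $PREFS; do set_pref "$1" "$p" false; done
}

# effective_pref PROFILE_DIR NAME: the value Firefox will start with.
# user.js overrides prefs.js; if neither mentions the pref, the built-in
# default applies, which is "true" for both prefs handled here.
effective_pref() {
    for f in "$1/user.js" "$1/prefs.js"; do
        [ -f "$f" ] || continue
        v="$(sed -n "s/^user_pref(\"$2\", *\([a-z]*\));.*/\1/p" "$f" | tail -n 1)"
        if [ -n "$v" ]; then echo "$v"; return; fi
    done
    echo true
}

# mitigated PROFILE_DIR: exit 0 only if both prefs are off.
mitigated() {
    for p in $PREFS; do
        [ "$(effective_pref "$1" "$p")" = false ] || return 1
    done
}

# Usage: sh mitigate-firefox.sh ~/.mozilla/firefox/xxxxxxxx.default
# (the profile directory name is an assumption; look it up in profiles.ini)
if [ "$#" -eq 1 ]; then
    disable_active_content "$1"
    if mitigated "$1"; then
        echo "JavaScript and Java disabled in $1"
    else
        echo "could not pin preferences in $1" >&2
        exit 1
    fi
fi
```

    Run it with Firefox closed: the browser rewrites prefs.js on exit, and
    the read-back only reflects what the next start will load. The check
    deliberately treats an absent pref as "true", because that is the
    shipped default and the failure mode you are trying to catch.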


IV. References

      * US-CERT Vulnerability Notes -
        <http://www.kb.cert.org/vuls/byid?searchview&query=mozilla_20061219>

      * Securing Your Web Browser -
        <http://www.us-cert.gov/reading_room/securing_browser/browser_security.html#Mozilla_Firefox>

      * Mozilla Foundation Security Advisories -
        <http://www.mozilla.org/security/announce/>

      * Known Vulnerabilities in Mozilla Products -
        <http://www.mozilla.org/projects/security/known-vulnerabilities.html>

      * Mozilla Hall of Fame -
        <http://www.mozilla.org/university/HOF.html>

      * Site Controls -
        <http://browser.netscape.com/ns8/help/options-site.jsp>


  ____________________________________________________________________

    The most recent version of this document can be found at:

      <http://www.us-cert.gov/cas/techalerts/TA06-354A.html>
  ____________________________________________________________________

    Feedback can be directed to US-CERT Technical Staff. Please send
    email to <cert@cert.org> with "TA06-354A Feedback VU#606260" in the
    subject.
  ____________________________________________________________________

    For instructions on subscribing to or unsubscribing from this
    mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
  ____________________________________________________________________

    Produced 2006 by US-CERT, a government organization.

    Terms of use:

      <http://www.us-cert.gov/legal.html>
  ____________________________________________________________________


Revision History

    December 20, 2006: Initial release

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================
