Overview
Mozilla products fail to properly validate references returned by JavaScript constructors. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable system.
Description
According to Mozilla Foundation Security Advisory 2006-51: JavaScript functions have a parent object created using the standard Object() constructor (ECMA-specified behavior) and that this constructor can be redefined by script (also ECMA-specified behavior). If the Object() constructor is changed to return a reference to a privileged object with useful properties it is possible to have attacker-supplied script executed with elevated privileges by calling the function. This could be used to install malware or take other malicious actions. |
Impact
A remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. The attacker could also cause the vulnerable application to crash. |
Solution
Apply an update This vulnerability is addressed in Firefox 1.5.0.5, Thunderbird 1.5.0.5, and SeaMonkey 1.0.3, according to the Mozilla Foundation Security Update 2006-51. |
|
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
This vulnerability was reported in Mozilla Foundation Security Advisory 2006-48. Mozilla credits moz_bug_r_a4 with reporting this vulnerability.
This document was written by Jeff Gennari.
Other Information
| CVE IDs: | CVE-2006-3807 |
| Severity Metric: | 16.03 |
| Date Public: | 2006-07-25 |
| Date First Published: | 2006-07-27 |
| Date Last Updated: | 2007-02-09 14:03 UTC |
| Document Revision: | 12 |