-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Cyber Security Alert SA06-354A
Mozilla Addresses Multiple Vulnerabilities
Original release date: December 20, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Mozilla Firefox
* Mozilla Thunderbird
* Mozilla SeaMonkey
* Netscape Browser
Other products based on Mozilla components may also be affected.
Overview
Mozilla Firefox, Thunderbird, and derived products contain
several vulnerabilities. By taking advantage of one or more of
these vulnerabilities, an attacker may be able to take control of
your computer.
Solution
Upgrade to the latest versions of Firefox, Thunderbird, and
SeaMonkey
Mozilla has released Firefox 1.5.0.9, Firefox 2.0.0.1,
Thunderbird 1.5.0.9 and SeaMonkey 1.0.7 to correct these
problems. Mozilla Firefox, Thunderbird, and SeaMonkey
automatically check for updates by default.
Security updates for Firefox 1.5 are scheduled to end in April
2007. According to Mozilla:
Firefox 1.5.0.x will be maintained with security and stability
updates until April 24, 2007. All users are strongly encouraged
to upgrade to Firefox 2.
Disable JavaScript and Java
These vulnerabilities can be mitigated by disabling JavaScript
and Java. For more information about configuring Firefox, please
see the "Securing Your Web Browser" document. Netscape users
should see the "Site Controls" document for details. Thunderbird
disables JavaScript and Java by default.
Description
Mozilla products, including the Firefox web browser and
Thunderbird email application, contain a number of
vulnerabilities. These vulnerabilities may allow an attacker to
access your computer, run programs that could cause your computer
to crash, or gain control of your computer. An attacker could
exploit these vulnerabilities by convincing you to visit a web
site or read an HTML formatted email message.
For more technical information, please see US-CERT Technical
Alert TA06-354A.
References
* US-CERT Technical Alert TA06-354A -
<http://www.us-cert.gov/cas/techalerts/TA06-354A.html>
* US-CERT Vulnerability Notes -
<http://www.kb.cert.org/vuls/byid?searchview&query=mozilla_2006121
9>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/browser_secu
rity.html#Mozilla_Firefox>
* Mozilla Foundation Security Advisories -
<http://www.mozilla.org/security/announce/>
* Firefox - Rediscover the Web - <http://www.mozilla.com/firefox/>
* Thunderbird - Reclaim your inbox -
<http://www.mozilla.com/thunderbird/>
* The SeaMonkey Project -
<http://www.mozilla.org/projects/seamonkey/>
* Mozilla Hall of Fame -
<http://www.mozilla.org/university/HOF.html>
* Site Controls -
<http://browser.netscape.com/ns8/help/options-site.jsp>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/alerts/SA06-354A.html>
____________________________________________________________________
Feedback can be directed to US-CERT. Please send email to
<cert@cert.org> with "SA06-354A Feedback VU#606260" in the subject.
____________________________________________________________________
Mailing list information:
<http://www.us-cert.gov/cas/>
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
December 20, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRYn5XOxOF3G+ig+rAQJMUQf+OGcGlComGK40XdWdRvEbWjVycYPOpIYA
9Ffd98ji7981t0zJcZh+Il9xO1uoowl587wNSrEPzi5uc0kt1kTGaRB4QZmtW3U6
59ZwLgA4rig7ZHoxWBYcQQ1kvGZ9mf+t4nz/0NsBVdo/bXwg52pCwbKHLrpsX/lk
P+bl9OAm+hhM4p3BvpkyHIlO2gn/82TU8j4563RMO9WwVqOS9mHjB7R3ZaoC954v
eVG+hUofdPUdxOgGp3YdX+ajBEkUx7OSva3YmKKD9VQstx4zN5kmfNnCNh0fJzG1
6rZi4TG61soorGMDPKf2N3PvsRkURUxgudk/XU/YoP+dw2qZXRChCQ==
=t7p2
-----END PGP SIGNATURE-----
