Mozilla Firefox/SeaMonkey/Thunderbird¶à¸öÔ¶³Ì°²È«Â©¶´

·¢²¼ÈÕÆÚ£º2007-02-23
¸üÐÂÈÕÆÚ£º2007-02-25

ÊÜÓ°Ïìϵͳ£º

Mozilla Firefox <= 2.0.0.1
Mozilla Firefox <= 1.5.0.9
Mozilla Thunderbird <= 1.5.0.9
Mozilla SeaMonkey <= 1.0.7

²»ÊÜÓ°Ïìϵͳ£º

Mozilla Firefox 2.0.0.2
Mozilla Firefox 1.5.0.10
Mozilla Thunderbird 1.5.0.10
Mozilla SeaMonkey 1.0.8

ÃèÊö£º

---

BUGTRAQ  ID: 22694
CVE(CAN) ID: CVE-2007-0775,CVE-2007-0776,CVE-2007-0777,CVE-2007-0995,CVE-2007-0778,CVE-2007-0779,CVE-2007-0780,CVE-2007-0008,CVE-2007-0009,CVE-2007-0996

Mozilla Firefox/SeaMonkey/Thunderbird¶¼ÊÇMozilla·¢²¼µÄWEBä¯ÀÀÆ÷ºÍÓʼþÐÂÎÅ×é¿Í»§¶Ë²úÆ·¡£

ÉÏÊö²úÆ·ÖдæÔÚ¶à¸ö°²È«Â©¶´£¬¾ßÌåÈçÏ£º

1) ´¦Àílocations.hostname DOMÊôÐÔʱµÄ©¶´¿ÉÄܵ¼ÖÂÈƹýijЩ°²È«ÏÞÖÆ¡£

2) ÍøÂ簲ȫ·þÎñ£¨NSS£©´úÂëÔÚ´¦ÀíSSLv2·þÎñÆ÷ÏûϢʱ´æÔÚÕûÊýÏÂÒç´íÎó¡£Èç¹ûÖ¤ÊéµÄ¹«Ô¿¹ýСÎÞ·¨¼ÓÃÜMaster SecretµÄ»°£¬ÔòÓû§Ê¹ÓÃÁ˸ÃÖ¤Êé¾Í»á´¥·¢¶ÑÒç³ö£¬µ¼ÖÂÖ´ÐÐÈÎÒâ´úÂë¡£

×¢Ò⣺Firefox 2.xÖÐĬÈϽûÓÃSSLv2£¬½öÔÚÓû§ÐÞ¸ÄÁËÒþ²ØµÄÄÚ²¿NSSÉèÖÃÖØÐÂÆôÓÃSSLv2Ö§³ÖµÄÇé¿öϲŻá³öÏÖÕâ¸ö©¶´¡£

3) Èç¹ûÕ¾µã°üº¬µÄ֡ʹÓÃ"data:" URI×öΪÀ´Ô´µÄ»°£¬Ôò¹¥»÷Õß¿ÉÒÔ¶ÔÕâÑùµÄÕ¾µãÖ´ÐпçÕ¾½Å±¾¹¥»÷¡£

4) Èç¹û°üº¬ÓжñÒâ½Å±¾´úÂëµÄ±¾µØ±£´æÎļþµÄÍêÕû·¾¶ÊÇÒÑÖªµÄ»°£¬¾Í¿ÉÄÜ´ò¿ª°üº¬Óб¾µØÎļþµÄ´°¿Ú£¬ÇÔÈ¡ÄÚÈÝ¡£¹¥»÷Õß¿ÉÒÔ½áºÏαËæ»úÊýÉú³ÉÆ÷ÖÖ×ÓÖеÄȱÏÝÀûÓÃÕâ¸ö©¶´£¬µ¼Ö½«ÏÂÔØÎļþ±£´æµ½ÓпÉÔ¤²âÃû³ÆµÄÁÙʱÎļþÖС£

5) ¹¥»÷Õß¿ÉÒÔʹÓÃÌØÖƵÄ×Ô¶¨Òå¹â±ê£¬Í¨¹ý¿ØÖÆCSS3ÈȵãÊôÐÔÆÛÆ­ä¯ÀÀÆ÷UIÔªËØ£¬ÈçÖ÷»úÃû»ò°²È«±êʶ·û¡£

6) Á½¸öwebÒ³ÃæÔÚ´ÅÅÌ»º³åÖпÉÄܳåÍ»£¬µ¼Ö½«Ò»¸öÎĵµµÄÒ»²¿·Ö¸½¼Óµ½ÁíÒ»¸öÎĵµÉÏ£¬ÕâÑùÓû§¾Í¿ÉÄÜ´ÓÕ¾µã»ñµÃÃô¸ÐÐÅÏ¢¡£

7) ÔÚ´¦ÀíHTML±êÇ©ÊôÐÔÃûÖÐÎÞЧÍÏβ×Ö·ûʱ£¬»òÕßÈç¹û×ÓÖ¡¼Ì³ÐÁËÆ丸´°¿ÚµÄ×Ö·û¼¯µÄÇé¿öÏ´¦ÀíUTF-7ÄÚÈÝʱ£¬Mozilla½âÎöÆ÷Öеĸ÷ÖÖ´íÎó¿ÉÄܵ¼Ö¿çÕ¾½Å±¾¹¥»÷¡£

8) ¿ÚÁî¹ÜÀíÆ÷ÖеÄ©¶´¿ÉÄܵ¼ÖµöÓã¹¥»÷¡£

9) ²¼¾ÖÒýÇæ¡¢JavaScriptÒýÇæºÍSVGÖдæÔÚ¶à¸öÄÚ´æÆÆ»µ´íÎó£¬ÆäÖÐһЩ¿ÉÄܵ¼ÖÂÔÚÓû§ÏµÍ³ÉÏÖ´ÐÐÈÎÒâ´úÂë¡£

<*À´Ô´£ºJesse Ruderman £¨jruderman@gmail.com£©
        Martijn Wargers
        Olli Pettay
        Tom Ferris £¨tommy@security-protocols.com£©
        Brian Crowder
        Igor Bukanov
        Johnny Stenback
        moz_bug_r_a4 £¨moz_bug_r_a4@yahoo.com£©
        shutdown £¨shutdown@flashmail.com£©
        Aad
        David Eckel
  
  Á´½Ó£ºhttp://www.mozilla.org/security/announce/2007/mfsa2007-06.html
        http://www.mozilla.org/security/announce/2007/mfsa2007-05.html
        http://www.mozilla.org/security/announce/2007/mfsa2007-04.html
        http://www.mozilla.org/security/announce/2007/mfsa2007-03.html
        http://www.mozilla.org/security/announce/2007/mfsa2007-02.html
        http://www.mozilla.org/security/announce/2007/mfsa2007-01.html
        http://secunia.com/advisories/24205/
        http://secunia.com/advisories/24253/
        http://secunia.com/advisories/24252/
        http://secunia.com/advisories/24238/
        http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=483
        http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=482
*>

½¨Ò飺

---

ÁÙʱ½â¾ö·½·¨£º

* ½ûÓÃJavaScript
* ÔÚ¡°Æ«ºÃ¡±ÖÐÁÙʱ½«´ÅÅÌ»º´æ´óСÉèÖÃΪ0
* ×Ô¶¨Òåä¯ÀÀÆ÷µÄÍâ¹Û
* ²»Òª´ò¿ªµ¯³ö´°¿Ú
* ½ûÓÃSSLv2ЭÒé

³§É̲¹¶¡£º

Mozilla
-------
Ä¿Ç°³§ÉÌÒѾ­·¢²¼ÁËÉý¼¶²¹¶¡ÒÔÐÞ¸´Õâ¸ö°²È«ÎÊÌ⣬Çëµ½³§É̵ÄÖ÷Ò³ÏÂÔØ£º

http://www.mozilla.com/products/download.html?product=firefox-1.5.0.10&os=win&lang=en-US
http://www.mozilla.com/products/download.html?product=firefox-2.0.0.2&os=linux&lang=en-US
http://www.mozilla.com/products/download.html?product=thunderbird-1.5.0.10&os=linux&lang=en-US