Orlando, FL
Shannon Francis
IT Security Compliance Analyst
JetBlue Airways
8265 Hanger Blvd
Orlando, FL 32827
Tel: 407.375.0405
-----Original Message-----
From: Dan Dascalescu [mailto:ddascalescu@gmail.com]
Sent: Thursday, January 14, 2010 8:17 PM
--------------------
Ratan Kumar Guha
School of Electrical Engineering and Computer Science,
University of Central Florida,
4000 Central Florida Blvd.,
Orlando, FL 32816, USA
Phone: +1 (407) 823 2956
Fax: +1 (407) 823 5419
Email: guha@eecs.ucf.edu
Luca Spalazzi
Several flaws were discovered in the browser engine of Firefox. If a user
were tricked into viewing a malicious website, a remote attacker could
cause a denial of service or possibly execute arbitrary code with the
privileges of the user invoking the program. (CVE-2010-0159)
Orlando Barrera II discovered a flaw in the Web Workers implementation of
Firefox. If a user were tricked into posting to a malicious website, an
attacker could cause a denial of service or possibly execute arbitrary code
with the privileges of the user invoking the program. (CVE-2010-0160)
Alin Rad Pop discovered that Firefox's HTML parser would incorrectly free
Several flaws were discovered in the browser engine of Firefox. If a user
were tricked into viewing a malicious website, a remote attacker could
cause a denial of service or possibly execute arbitrary code with the
privileges of the user invoking the program. (CVE-2010-0159)
Orlando Barrera II discovered a flaw in the Web Workers implementation of
Firefox. If a user were tricked into posting to a malicious website, an
attacker could cause a denial of service or possibly execute arbitrary code
with the privileges of the user invoking the program. (CVE-2010-0160)
Alin Rad Pop discovered that Firefox's HTML parser would incorrectly free
2007-09-14 - Vulnerability reported to vendor
2009-08-07 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Orlando Padilla and Peter Silberman
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
to theft. A malicious web page could synthesize events such as mouse
focus and key presses on behalf of the victim and trick the browser
into auto-filling the form fields with history entries and then
reading the entries (CVE-2009-3370).
Security researcher Orlando Berrera of Sec Theory reported that
recursive creation of JavaScript web-workers can be used to create a
set of objects whose memory could be freed prior to their use. These
conditions often result in a crash which could potentially be
used by an attacker to run arbitrary code on a victim's computer
(CVE-2009-3371).
2009-12-04 - Vulnerability reported to vendor
2010-04-02 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Orlando Barrera II, SecTheory
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Wargers and Paul Nickerson reported crashes in layout engine,
which might allow the execution of arbitrary code.
CVE-2010-0160
Orlando Barrera II discovered that incorrect memory handling in the
implementation of the web worker API could lead to the execution
of arbitrary code.
CVE-2010-0162
CA20090806-01: Security Notice for Data Transport Services
Acknowledgement
CVE-2009-2026 - Orlando Padilla and Peter Silberman of Breakpoint
Security working with ZDI/TippingPoint
CA20090806-01: Security Notice for Data Transport Services
(line may wrap)
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=2140
Paul Stone discovered a flaw in the Firefox form history. If a user were
tricked into viewing a malicious website, a remote attacker could access this
data to steal confidential information. (CVE-2009-3370)
Orlando Berrera discovered that Firefox did not properly free memory when using
web-workers. If a user were tricked into viewing a malicious website, a remote
attacker could cause a denial of service or possibly execute arbitrary code
with the privileges of the user invoking the program. This issue only
affected Ubuntu 9.10. (CVE-2009-3371)
browser engine used in Firefox and other Mozilla-based products. Some
of these crashes showed evidence of memory corruption under certain
circumstances and we presume that with enough effort at least some
of these could be exploited to run arbitrary code (CVE-2010-0159).
Security researcher Orlando Barrera II reported via TippingPoint's Zero
Day Initiative that Mozilla's implementation of Web Workers contained
an error in its handling of array data types when processing posted
messages. This error could be used by an attacker to corrupt heap
memory and crash the browser, potentially running arbitrary code on
a victim's computer (CVE-2010-0160).
Paul Stone discovered a flaw in the Firefox form history. If a user were
tricked into viewing a malicious website, a remote attacker could access this
data to steal confidential information. (CVE-2009-3370)
Orlando Berrera discovered that Firefox did not properly free memory when using
web-workers. If a user were tricked into viewing a malicious website, a remote
attacker could cause a denial of service or possibly execute arbitrary code
with the privileges of the user invoking the program. This issue only
affected Ubuntu 9.10. (CVE-2009-3371)
|
