Packages
Details
Several flaws were discovered in the browser and JavaScript engines of
Firefox. If a user were tricked into viewing a malicious website, a remote
attacker could cause a denial of service or possibly execute arbitrary code
with the privileges of the user invoking the program. (CVE-2009-1392,
CVE-2009-1832, CVE-2009-1833, CVE-2009-1837, CVE-2009-1838)
Pavel Cvrcek discovered that Firefox would sometimes display certain
invalid Unicode characters as whitespace. An attacker could exploit this to
spoof the location bar, such as in a phishing attack. (CVE-2009-1834)
Gregory Fleischer, Adam Barth and Collin Jackson discovered that Firefox
would allow access to local files from resources loaded via the file:
protocol....
Several flaws were discovered in the browser and JavaScript engines of
Firefox. If a user were tricked into viewing a malicious website, a remote
attacker could cause a denial of service or possibly execute arbitrary code
with the privileges of the user invoking the program. (CVE-2009-1392,
CVE-2009-1832, CVE-2009-1833, CVE-2009-1837, CVE-2009-1838)
Pavel Cvrcek discovered that Firefox would sometimes display certain
invalid Unicode characters as whitespace. An attacker could exploit this to
spoof the location bar, such as in a phishing attack. (CVE-2009-1834)
Gregory Fleischer, Adam Barth and Collin Jackson discovered that Firefox
would allow access to local files from resources loaded via the file:
protocol. If a user were tricked into downloading then opening a malicious
file, an attacker could steal potentially sensitive information.
(CVE-2009-1835, CVE-2009-1839)
Shuo Chen, Ziqing Mao, Yi-Min Wang, and Ming Zhang discovered that Firefox
did not properly handle error responses when connecting to a proxy server.
If a remote attacker were able to perform a machine-in-the-middle attack, this
flaw could be exploited to view sensitive information. (CVE-2009-1836)
Wladimir Palant discovered Firefox did not check content-loading policies
when loading external script files into XUL documents. As a result, Firefox
might load malicious content under certain circumstances. (CVE-2009-1840)
It was discovered that Firefox could be made to run scripts with elevated
privileges. If a user were tricked into viewing a malicious website, an
attacker could cause a chrome privileged object, such as the browser
sidebar, to run arbitrary code via interactions with the attacker
controlled website. (CVE-2009-1841)
Update instructions
After a standard system upgrade you need to restart Firefox and any applications that use xulrunner, such as Epiphany, to effect the necessary changes.
Learn more about how to get the fixes.The problem can be corrected by updating your system to the following package versions:
Reduce your security exposure
Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.
References
- CVE-2009-1841
- CVE-2009-1840
- CVE-2009-1839
- CVE-2009-1838
- CVE-2009-1837
- CVE-2009-1836
- CVE-2009-1835
- CVE-2009-1834
- CVE-2009-1833
- CVE-2009-1832
- CVE-2009-1841
- CVE-2009-1840
- CVE-2009-1839
- CVE-2009-1838
- CVE-2009-1837
- CVE-2009-1836
- CVE-2009-1835
- CVE-2009-1834
- CVE-2009-1833
- CVE-2009-1832
- CVE-2009-1392