CVE-2011-3664 - NULL Pointer Dereference Denial Of Service vulnerability in Mozilla Firefox, Seamonkey and Thunderbird
Attack vector | NETWORK
Attack complexity | MEDIUM
Privileges required | NONE
Confidentiality impact | PARTIAL
Integrity impact | PARTIAL
Availability impact | PARTIAL
Summary
Mozilla Firefox before 9.0, Thunderbird before 9.0, and SeaMonkey before 2.6 on Mac OS X do not properly handle certain DOM frame deletions by plugins, which allows remote attackers to cause a denial of service (incorrect pointer dereference and application crash) or possibly have unspecified other impact via a crafted web site. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference'
Vulnerable Configurations
Nessus
NASL family | MacOS X Local Security Checks
NASL id | MACOSX_THUNDERBIRD_9_0.NASL
description | The installed version of Thunderbird 8.x is potentially affected by the following security issues : - An out-of-bounds memory access error exists in the
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 57361
published | 2011-12-21
reporter | This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/57361
title | Thunderbird 8.x Multiple Vulnerabilities (Mac OS X)
code |

    #
    # (C) Tenable Network Security, Inc.
    #

    include("compat.inc");

    if (description)
    {
      script_id(57361);
      script_version("1.20");
      script_cvs_date("Date: 2018/07/16 12:48:31");

      script_cve_id(
        "CVE-2011-3658",
        "CVE-2011-3660",
        "CVE-2011-3661",
        "CVE-2011-3663",
        "CVE-2011-3664",
        "CVE-2011-3665",
        "CVE-2011-3671"
      );
      script_bugtraq_id(51133, 51134, 51135, 51136, 51137, 51138, 54080);

      script_name(english:"Thunderbird 8.x Multiple Vulnerabilities (Mac OS X)");
      script_summary(english:"Checks version of Thunderbird");

      script_set_attribute(attribute:"synopsis", value:
    "The remote Mac OS X host contains an email client that is potentially
    affected by several vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The installed version of Thunderbird 8.x is potentially affected by
    the following security issues :

      - An out-of-bounds memory access error exists in the
        'SVG' implementation and can be triggered when 'SVG'
        elements are removed during a 'DOMAttrModified' event
        handler. (CVE-2011-3658)

      - Various memory safety errors exist that can lead to
        memory corruption and possible code execution.
        (CVE-2011-3660)

      - An error exists in the 'YARR' regular expression
        library that can cause application crashes when
        handling certain JavaScript statements. (CVE-2011-3661)

      - It is possible to detect keystrokes using 'SVG'
        animation 'accesskey' events even when JavaScript is
        disabled. (CVE-2011-3663)

      - An error exists related to plugins that can allow a NULL
        pointer to be dereferenced when a plugin deletes its
        containing DOM frame during a call from that frame. It
        may be possible for a non-NULL pointer to be
        dereferenced thereby opening up the potential for
        further exploitation. (CVE-2011-3664)

      - It is possible to crash the application when 'OGG'
        'video' elements are scaled to extreme sizes.
        (CVE-2011-3665)

      - A use-after-free error exists related to the function
        'nsHTMLSelectElement' that can allow arbitrary code
        execution during operations such as removal of a
        parent node of an element. (CVE-2011-3671)");

      script_set_attribute(attribute:"see_also", value:"http://www.zerodayinitiative.com/advisories/ZDI-12-128/");
      script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/archive/1/523754/30/0/threaded");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-41/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-53/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-54/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-55/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-56/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-57/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-58/");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=739343");
      script_set_attribute(attribute:"solution", value:"Upgrade to Thunderbird 9.0 or later.");

      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Firefox nsSVGValue Out-of-Bounds Access Vulnerability');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');

      script_set_attribute(attribute:"vuln_publication_date", value:"2011/12/20");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/12/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/12/21");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:thunderbird");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");

      script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");

      script_dependencies("macosx_thunderbird_installed.nasl");
      script_require_keys("MacOSX/Thunderbird/Installed");

      exit(0);
    }

    include("global_settings.inc");
    include("misc_func.inc");

    kb_base = "MacOSX/Thunderbird";
    get_kb_item_or_exit(kb_base+"/Installed");
    version = get_kb_item_or_exit(kb_base+"/Version", exit_code:1);

    ver = split(version, sep:".", keep:FALSE);
    for (i=0; i<max_index(ver); i++)
      ver[i] = int(ver[i]);

    if (ver[0] == 8)
    {
      if (report_verbosity > 0)
      {
        info +=
          '\n Installed version : ' + version +
          '\n Fixed version : 9.0' + '\n';
        security_hole(port:0, extra:info);
      }
      else security_hole(0);
      exit(0);
    }
    else exit(0, "Thunderbird 8.x is not installed.");

NASL family | MacOS X Local Security Checks
NASL id | MACOSX_FIREFOX_9_0.NASL
description | The installed version of Firefox 8.x is potentially affected by the following security issues : - An out-of-bounds memory access error exists in the
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 57359
published | 2011-12-21
reporter | This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/57359
title | Firefox 8.x Multiple Vulnerabilities (Mac OS X)
code |

    #
    # (C) Tenable Network Security, Inc.
    #

    include("compat.inc");

    if (description)
    {
      script_id(57359);
      script_version("1.21");
      script_cvs_date("Date: 2018/07/16 12:48:31");

      script_cve_id(
        "CVE-2011-3658",
        "CVE-2011-3660",
        "CVE-2011-3661",
        "CVE-2011-3663",
        "CVE-2011-3664",
        "CVE-2011-3665",
        "CVE-2011-3671"
      );
      script_bugtraq_id(51133, 51134, 51135, 51136, 51137, 51138, 54080);

      script_name(english:"Firefox 8.x Multiple Vulnerabilities (Mac OS X)");
      script_summary(english:"Checks version of Firefox");

      script_set_attribute(attribute:"synopsis", value:
    "The remote Mac OS X host contains a web browser that is potentially
    affected by several vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The installed version of Firefox 8.x is potentially affected by
    the following security issues :

      - An out-of-bounds memory access error exists in the
        'SVG' implementation and can be triggered when 'SVG'
        elements are removed during a 'DOMAttrModified' event
        handler. (CVE-2011-3658)

      - Various memory safety errors exist that can lead to
        memory corruption and possible code execution.
        (CVE-2011-3660)

      - An error exists in the 'YARR' regular expression
        library that can cause application crashes when
        handling certain JavaScript statements. (CVE-2011-3661)

      - It is possible to detect keystrokes using 'SVG'
        animation 'accesskey' events even when JavaScript is
        disabled. (CVE-2011-3663)

      - An error exists related to plugins that can allow a NULL
        pointer to be dereferenced when a plugin deletes its
        containing DOM frame during a call from that frame. It
        may be possible for a non-NULL pointer to be
        dereferenced thereby opening up the potential for
        further exploitation. (CVE-2011-3664)

      - It is possible to crash the application when 'OGG'
        'video' elements are scaled to extreme sizes.
        (CVE-2011-3665)

      - A use-after-free error exists related to the function
        'nsHTMLSelectElement' that can allow arbitrary code
        execution during operations such as removal of a
        parent node of an element. (CVE-2011-3671)");

      script_set_attribute(attribute:"see_also", value:"http://www.zerodayinitiative.com/advisories/ZDI-12-128/");
      script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/archive/1/523754/30/0/threaded");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-41/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-53/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-54/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-55/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-56/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-57/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-58/");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=739343");
      script_set_attribute(attribute:"solution", value:"Upgrade to Firefox 9.0 or later.");

      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Firefox nsSVGValue Out-of-Bounds Access Vulnerability');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');

      script_set_attribute(attribute:"vuln_publication_date", value:"2011/12/20");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/12/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/12/21");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");

      script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");

      script_dependencies("macosx_firefox_installed.nasl");
      script_require_keys("MacOSX/Firefox/Installed");

      exit(0);
    }

    include("mozilla_version.inc");

    kb_base = "MacOSX/Firefox";
    get_kb_item_or_exit(kb_base+"/Installed");

    version = get_kb_item_or_exit(kb_base+"/Version", exit_code:1);
    path = get_kb_item_or_exit(kb_base+"/Path", exit_code:1);

    mozilla_check_version(product:'firefox', version:version, path:path, esr:FALSE, fix:'9.0', skippat:'^3\\.6\\.', severity:SECURITY_HOLE);

Oval
accepted | 2012-02-13T04:00:16.630-05:00
class | vulnerability
contributors |
definition_extensions |
description | Mozilla Firefox before 9.0, Thunderbird before 9.0, and SeaMonkey before 2.6 on Mac OS X do not properly handle certain DOM frame deletions by plugins, which allows remote attackers to cause a denial of service (incorrect pointer dereference and application crash) or possibly have unspecified other impact via a crafted web site.
family | windows
id | oval:org.mitre.oval:def:14574
status | deprecated
submitted | 2011-12-30T14:36:20.000-05:00
title | DEPRECATED: Mozilla Firefox before 9.0, Thunderbird before 9.0, and SeaMonkey before 2.6 on Mac OS X do not properly handle certain DOM frame deletions by plugins, which allows remote attackers to cause a denial of service (incorrect pointer dereference and application crash) or possibly have unspecified other impact via a crafted web site.
version | 31
References
- http://secunia.com/advisories/47302
- http://secunia.com/advisories/47334
- http://www.mozilla.org/security/announce/2011/mfsa2011-57.html
- http://www.securitytracker.com/id?1026445
- http://www.securitytracker.com/id?1026446
- http://www.securitytracker.com/id?1026447
- https://bugzilla.mozilla.org/show_bug.cgi?id=649079
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14574