<em style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-2986" target="_blank">CVE</a>)</em> : Mozilla Firefox 4.x through 5, Thunderbird before 6, SeaMonkey 2.x before 2.3, and possibly other products, when the Direct2D (aka D2D) API is used on Windows, allows remote attackers to bypass the Same Origin Policy, and obtain sensitive image data from a different domain, by inserting this data into a canvas.

Upgrade Firefox to version 6 or higher, Thunderbird to version 6 or higher, and SeaMonkey to version 2.3 or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• OVAL ID: 14497
• CVE ID: 2011-2986 (see also: NVD)
• Secunia Advisory ID: 45581 45667 45785 45802 45808 49055 51766
• Related OSVDB ID: 74581 74582 74583 74584 74585 74586 74587 74588 74590 74591 74592 74593 74594 74595 74596
• Mail List Post: http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00023.html
• Vendor Specific Advisory URL: http://lists.opensuse.org/opensuse-updates/2011-08/msg00039.html
  http://www.mozilla.org/security/announce/2011/mfsa2011-29.html
  http://www.mozilla.org/security/announce/2011/mfsa2011-31.html
  http://www.mozilla.org/security/announce/2011/mfsa2011-33.html
  http://www.suse.com/support/security/advisories/2011_37_firefox.html
• Vendor Specific News/Changelog Entry: http://lists.opensuse.org/opensuse-updates/2011-08/msg00043.html
  http://lists.opensuse.org/opensuse-updates/2012-04/msg00066.html
  http://www.gentoo.org/security/en/glsa/glsa-201301-01.xml
  https://bugzilla.mozilla.org/show_bug.cgi?id=655836 [ Auth Req'd ]

• nasalislarvatus3000