Mozilla Firefox, Thunderbird and SeaMonkey contain a flaw that may allow an attacker to gain access to unauthorized privileges. The issue is triggered when an attacker uses malicious JavaScript, hosted on a crafted website, to call code within a signed JAR file that was cached from a trusted site. The malicious JavaScript then inherits the privileges of the JAR file and an elevation of privileges occurs, allowing a remote attacker to inherit the trust of the site hosting the JAR file and gain privileges granted to it by the user.

Upgrade Firefox to version 6 or higher, Thunderbird to version 6 or higher, and SeaMonkey to version 2.3 or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• OVAL ID: 14055
• CVE ID: 2011-2993 (see also: NVD)
• Secunia Advisory ID: 45581 45667 45785 45802 45808 51766
• Related OSVDB ID: 74581 74582 74583 74584 74585 74586 74587 74588 74589 74590 74591 74592 74593 74594 74595
• Mail List Post: http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00023.html
• Vendor Specific Advisory URL: http://lists.opensuse.org/opensuse-updates/2011-08/msg00039.html
  http://www.mozilla.org/security/announce/2011/mfsa2011-29.html
  http://www.mozilla.org/security/announce/2011/mfsa2011-31.html
  http://www.mozilla.org/security/announce/2011/mfsa2011-33.html
  http://www.suse.com/support/security/advisories/2011_37_firefox.html
• Vendor Specific News/Changelog Entry: http://lists.opensuse.org/opensuse-updates/2011-08/msg00043.html
  http://www.gentoo.org/security/en/glsa/glsa-201301-01.xml
  https://bugzilla.mozilla.org/show_bug.cgi?id=657267 [ Auth Req'd ]

• Rafael Gieschke