Advisory Details

April 17th, 2006

Mozilla Firefox CSS Letter-Spacing Heap Overflow Vulnerability

ZDI-06-010
ZDI-CAN-015

CVE ID CVE-2006-1730
CVSS SCORE
AFFECTED VENDORS Mozilla Firefox
AFFECTED PRODUCTS 1.5.x
TREND MICRO CUSTOMER PROTECTION Trend Micro TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID ['4097']. For further product information on the TippingPoint IPS: http://www.tippingpoint.com
VULNERABILITY DETAILS

This vulnerability allows attackers to execute arbitrary code on vulnerable installations of the Mozilla/Firefox web browser and Thunderbird e-mail client. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious e-mail.

The specific flaw is due to incorrect handling of the CSS "letter-spacing" element. By specifying a large number, an attacker can overflow an integer used during memory allocation. The under-allocated buffer is later used to store user-supplied data leading to an exploitable heap overflow.

ADDITIONAL DETAILS Mozilla Firefox has issued an update to correct this vulnerability. More details can be found at:
http://www.mozilla.org/security/announce/2006/mfsa2006-22.html
DISCLOSURE TIMELINE
  • 2006-01-31 - Vulnerability reported to vendor
  • 2006-04-17 - Coordinated public release of advisory
CREDIT Anonymous
BACK TO ADVISORIES