The GeckoActiveXObject function in Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, generates different exception messages depending on whether the referenced COM object is listed in the registry, which allows remote attackers to obtain potentially sensitive information about installed software by making multiple calls that specify the ProgID values of different COM objects.
secunia.com/advisories/37699
secunia.com/advisories/37785
securitytracker.com/id?1023346
securitytracker.com/id?1023347
www.mozilla.org/security/announce/2009/mfsa2009-71.html
www.securityfocus.com/bid/37349
www.securityfocus.com/bid/37360
www.vupen.com/english/advisories/2009/3547
bugzilla.mozilla.org/show_bug.cgi?id=503451
bugzilla.redhat.com/show_bug.cgi?id=546729
exchange.xforce.ibmcloud.com/vulnerabilities/54798
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7958