Bypass of tab-modal dialog origin disclosure — Mozilla

Security researcher shutdown reported a method for removing the origin indication on tab-modal dialog boxes in combination with browser navigation. This could allow an attacker's dialog to overlay a page and show another site's content. This can be used for phishing by allowing users to enter dat...

Privacy leak in JavaScript Workers — Mozilla

Mozilla security researcher Frederik Braun discovered that since Firefox 15 the file system location of the active browser profile was available to JavaScript workers. While not dangerous by itself, this could potentially be combined with other vulnerabilities to target the profile in an attack...

Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer — Mozilla

Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to discover a series of use-after-free, out of bounds read, and buffer overflow problems rated as low to critical security issues in shipped software. Some of these issues are potentially...

NSS parsing errors with zero length items — Mozilla

Security researcher Kaspar Brand found a flaw in how the Network Security Services NSS ASN.1 decoder handles zero length items. Effects of this issue depend on the field. One known symptom is an unexploitable crash in handling OCSP responses. NSS also mishandles zero-length basic constraints,...

Miscellaneous memory safety hazards (rv:7.0 / rv:1.9.2.23) — Mozilla

Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...

Miscellaneous memory safety hazards (rv:1.9.2.11/ 1.9.1.14) — Mozilla

Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...

Security Vulnerabilities fixed in Firefox ESR 115.10 — Mozilla

GetBoundName could return the wrong version of an object when JIT optimizations were applied. In some code patterns the JIT incorrectly optimized switch statements and generated code with out-of-bounds-reads. The JIT created incorrect code for arguments in certain cases. This led to potential...

Security Vulnerabilities fixed in Firefox ESR 115.7 — Mozilla

An out of bounds write in ANGLE could have allowed an attacker to corrupt memory leading to a potentially exploitable crash. It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an incorrect timestamp used to prevent input after...

Security Vulnerabilities fixed in Firefox ESR 102.7 — Mozilla

An out of date library libusrsctp contained vulnerabilities that could potentially be exploited. Due to the Firefox GTK wrapper code's use of text/plain for drag data and GTK treating all text/plain MIMEs containing file URLs as being dragged a website could arbitrarily read a file via a call to...

Security Vulnerabilities fixed in Firefox ESR 91.4.0 — Mozilla

Under certain circumstances, asynchronous functions could have caused a navigation to fail but expose the target URL. An incorrect type conversion of sizes from 64bit to 32bit integers allowed an attacker to corrupt memory leading to a potentially exploitable crash. By misusing a race in our...

Security vulnerabilities fixed in Firefox 49 — Mozilla

A content security policy CSP containing a referrer directive with no values can cause a non-exploitable crash. An out-of-bounds write of a boolean value during text conversion with some unicode characters An out-of-bounds read during the processing of text runs in some pages using...

Information disclosure of disabled plugins through CSS pseudo-classes — Mozilla

Mozilla developer John Schoenick reported that CSS pseudo-classes can be used by web content to leak information on plugins that are installed but disabled. This can be used for information disclosure through a fingerprinting attack that lists all of the plugins installed by a user on a system,...

Out-of-bounds write with malicious font in Graphite 2 — Mozilla

Security researcher James Clawson used the Address Sanitizer tool to discover an out-of-bounds write in the Graphite 2 library when loading a crafted Graphite font file. This results in a potentially exploitable crash...

Miscellaneous memory safety hazards (rv:42.0 / rv:38.4) — Mozilla

Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...

Dragging and dropping images exposes final URL after redirects — Mozilla

Security researcher Mario Gomes reported that when a previously loaded image on a page is drag and dropped into content after a redirect, the redirected URL is available to scripts. This is a violation of the Fetch specification's defined behavior for "Atomic HTTP redirect handling" which states...

Miscellaneous memory safety hazards (rv:39.0 / rv:31.8 / rv:38.1) — Mozilla

Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...

Certificate verification bypass through the HTTP/2 Alt-Svc header — Mozilla

Security researcher Muneaki Nishimura discovered a flaw in the Mozilla's HTTP Alternative Services implementation. If an Alt-Svc header is specified in the HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server. As a result of this, warnings of invalid SS...

Use-after-free when using the Fluendo MP3 GStreamer plugin — Mozilla

Security researcher Aki Helin reported a use-after-free when playing certain MP3 format audio files on the web using the Fluendo MP3 plugin for GStreamer on Linux. This is due to a flaw in handling certain MP3 files by the plugin and its interaction with Mozilla code. This can lead to a potential...

Appended period to hostnames can bypass HPKP and HSTS protections — Mozilla

Security researcher Muneaki Nishimura reported that when certificate pinning is set to "strict" mode, a period '.' appended to a hostname in the address of a site allowed the bypass key pinning HPKP and HTTP Strict Transport Security HSTS. Sites with a period appended were treated as having a...

Privilege escalation through Mozilla Maintenance Service Installer — Mozilla

Security researcher Ash reported an issue affected the Mozilla Maintenance Service on Windows systems. The Mozilla Maintenance Service installer writes to a temporary directory created during the update process which is writable by users. If malicious DLL files are placed within this directory...

File: protocol links downloaded to SD card by default — Mozilla

Security researcher Roee Hay reported that a hyperlink using the file: protocol on Firefox for Android could link to a local file in the Firefox profile directory. If a user selected this link on their device, the linked file would be copied to the SD card without prompting. This SD card location...

Android Crash Reporter open to manipulation — Mozilla

Firefox for Android includes a Crash Reporter which sends crash data to Mozilla for analysis. Security researcher Roee Hay reported that third party Android applications could launch the crash reporter with their own arguments. Normally applications cannot read the private files of another...

Incorrect use of discarded images by RasterImage — Mozilla

Fredrik 'Flonka' Lönnqvist discovered an issue with image decoding in RasterImage caused by continued use of discarded images. This could allow for the writing to unowned memory and a potentially exploitable crash...

Miscellaneous use-after-free issues found through ASAN fuzzing — Mozilla

Security researcher Nils used the Address Sanitizer tool while fuzzing to discover missing strong references in browsing engine leading to use-after-frees. This can lead to a potentially exploitable crash...

Local Java applets may read contents of local file system — Mozilla

Security researcher Georgi Guninski reported an issue with Java applets where in some circumstances the applet could access files on the local system when loaded using the a file:/// URI and violate file origin policy due to interaction with the codebase parameter. This affects applets running on...

XrayWrappers can be bypassed to run user defined methods in a privileged context — Mozilla

Mozilla security researcher mozbugra4 reported that XrayWrappers can be bypassed to call content-defined toString and valueOf methods through DefaultValue. This can lead to unexpected behavior when privileged code acts on the incorrect values...

Memory corruption found using Address Sanitizer — Mozilla

Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to discover a series of use-after-free, out of bounds read, and invalid write problems rated as moderate to critical as security issues in shipped software. Some of these issues are...

WebGL crash with Mesa graphics driver on Linux — Mozilla

Security researcher miaubiz used the Address Sanitizer tool to discover a crash in WebGL rendering when memory is freed that has not previously been allocated. This issue only affects Linux users who have Intel Mesa graphics drivers. The resulting crash could be potentially exploitable...

Privilege escalation through plugin objects — Mozilla

Security researcher Mariusz Mlynski reported that it is possible to open a chrome privileged web page through plugin objects through interaction with SVG elements. This could allow for arbitrary code execution...

Buffer Overflow in Canvas — Mozilla

Security researcher miaubiz used the Address Sanitizer tool to discover a buffer overflow in Canvas when specific bad height and width values were given through HTML. This could lead to a potentially exploitable crash...

Improper character decoding in HZ-GB-2312 charset — Mozilla

Security researcher Masato Kinugawa found when HZ-GB-2312 charset encoding is used for text, the "" character will destroy another character near the chunk delimiter. This can lead to a cross-site scripting XSS attack in pages encoded in HZ-GB-2312...

Spoofing and script injection through location.hash — Mozilla

Security researcher Mariusz Mlynski reported an issue with spoofing of the location property. In this issue, writes to location.hash can be used in concert with scripted history navigation to cause a specific website to be loaded into the history object. The baseURI can then be changed to this...

Heap memory corruption issues found using Address Sanitizer — Mozilla

Security researcher Atte Kettunen from OUSPG reported several heap memory corruption issues found using the Address Sanitizer tool. These issues are potentially exploitable, allowing for remote code execution...

Some DOMWindowUtils methods bypass security checks — Mozilla

Mozilla developer Johnny Stenback discovered that several methods of a feature used for testing DOMWindowUtils are not protected by existing security checks, allowing these methods to be called through script by web pages. This was addressed by adding the existing security checks to these methods...

Incorrect site SSL certificate data display — Mozilla

Security researcher Mark Poticha reported an issue where incorrect SSL certificate information can be displayed on the addressbar, showing the SSL data for a previous site while another has been loaded. This is caused by two onLocationChange events being fired out of the expected order, leading t...

Location object can be shadowed using Object.defineProperty — Mozilla

Security researcher Mariusz Mlynski reported that it is possible to shadow the location object using Object.defineProperty. This could be used to confuse the current location to plugins, allowing for possible cross-site scripting XSS attacks...

Clickjacking of certificate warning page — Mozilla

Security Researcher Matt McCutchen reported that a clickjacking attack using the certificate warning page. A man-in-the-middle MITM attacker can use an iframe to display its own certificate error warning page about:certerror with the "Add Exception" button of a real warning page from a malicious...

Multiple security flaws fixed in FreeType v2.4.9 — Mozilla

Mateusz Jurczyk of the Google Security Team used the Address Sanitizer tool to discover a series of memory safety bugs in the FreeType library, some of which could cause memory corruption and exploitable crashes with certain fonts and font parsing. Firefox Mobile has been upgraded to FreeType...

XSLT generate-id() function heap address leak — Mozilla

Chris Evans of the Chrome Security Team reported that the XSLT generate-id function returned a string that revealed a specific valid address of an object on the memory heap. It is possible that in some cases this address would be valuable information that could be used by an attacker while...

XSS in gopher parser when parsing hrefs — Mozilla

Google security researcher Robert Swiecki reported that functions used by the Gopher parser to convert text to HTML tags could be exploited to turn text into executable JavaScript. If an attacker could create a file or directory on a Gopher server with the encoded script as part of its name the...

Miscellaneous memory safety hazards (rv:1.9.2.7/ 1.9.1.11) — Mozilla

Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...

Re-use of freed object due to scope confusion — Mozilla

A memory corruption flaw leading to code execution was reported by security researcher Nils of MWR InfoSecurity during the 2010 Pwn2Own contest sponsored by TippingPoint's Zero Day Initiative. By moving DOM nodes between documents Nils found a case where the moved node incorrectly retained its ol...

Crashes with evidence of memory corruption (rv:1.9.1.3/ 1.9.0.14) — Mozilla

Mozilla developers and community members identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some ...

Arbitrary code execution using event listeners attached to an element whose owner document is null — Mozilla

Mozilla security researcher mozbugra4 reported that the owner document of an element can become null after garbage collection. In such cases, event listeners may be executed within the wrong JavaScript context. An attacker could potentially use this vulnerability to have a malicious event handler...

Firefox allows Refresh header to redirect to javascript: URIs — Mozilla

Mozilla community member Michael reported that when a server responds with a Refresh header containing a javascript: URI, Firefox will redirect to the javascript: URI. If an attacker could inject a Refresh header into a server response, or could control the value that a site places in the Refresh...

XSS and JavaScript privilege escalation — Mozilla

Mozilla security researcher mozbugra4 reported that an XBL binding, when attached to an unloaded document, can be used to violate the same-origin policy and execute arbitrary JavaScript within the context of a different website...

BOM characters, low surrogates stripped from JavaScript before execution — Mozilla

Microsoft developer Dave Reed reported that certain BOM characters are stripped from JavaScript code before it is executed. This can lead to code, which would otherwise be treated as part of a quoted string, to be executed. The issue could potentially be used by an attacker to bypass or evade...

Security Vulnerabilities fixed in Firefox ESR 115.9 — Mozilla

An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. An attacker could have leveraged the Windows Error Reporter to run arbitrary code on the system escaping the sandbox. Note: This issue only affected Windows operating systems. Other operating system...

Use-after-free when applying SVG effects — Mozilla

Security researcher Nils used the Address Sanitizer tool to discover a use-after-free vulnerability when applying effects to SVG elements. This results in a potentially exploitable crash...

File overwrite and privilege escalation through Mozilla Windows updater — Mozilla

Security researcher Frédéric Hoguin reported a mechanism where the Mozilla Windows updater could be used to overwrite arbitrary files. He found that files extracted by the updater from a MAR archive are not locked for writing and can be overwritten by other processes while the updater is running....