Further Privilege escalation through Mozilla Updater — Mozilla
Security researcher Ash reported an issue with the Mozilla Updater on Windows 7 and later versions of Windows. On vulnerable platforms, the Mozilla Updater can be made to load a specific malicious DLL file from the local system. This DLL file can run in a privileged context through the Mozilla...
Inaccessible updater can lead to local privilege escalation — Mozilla
Security researcher Seb Patane reported an issue with the Mozilla Maintenance Service on Windows. He discovered that when the Mozilla Updater executable was inaccessible, the Maintenance Service will behave incorrectly and can be made to use an updater at an arbitrary location. This updater will...
Mozilla Updater fails to update some Windows Registry entries — Mozilla
Security researcher Robert Kugler discovered that in some instances the Mozilla Maintenance Service on Windows will be vulnerable to some previously fixed attacks that allowed for local privilege escalation. This was caused by the Mozilla Updater not updating Windows Registry...
Use-after-free in HTML Editor — Mozilla
VUPEN Security, via TippingPoint's Zero Day Initiative, reported a use-after-free within the HTML editor when content script is run by the document.execCommand function while internal editor operations are occurring. This could allow for arbitrary code execution...
URL spoofing in addressbar during page loads — Mozilla
Security researcher Masato Kinugawa found a flaw in which the displayed URL values within the addressbar can be spoofed by a page during loading. This allows for phishing attacks where a malicious page can spoof the identity of another site...
AutoWrapperChanger fails to keep objects alive during garbage collection — Mozilla
Mozilla developer Olli Pettay discovered that the AutoWrapperChanger class fails to keep some javascript objects alive during garbage collection. This can lead to an exploitable crash allowing for arbitrary code execution...
Improper filtering of javascript in HTML feed-view — Mozilla
Security researcher Mario Heiderich reported that javascript could be executed in the HTML feed-view using a tag within the RSS feed. This problem is due to such tags not being filtered out during parsing and can lead to a potential cross-site scripting (XSS) attack. The flaw existed in a parser utility class...
window.fullScreen writeable by untrusted content — Mozilla
Mozilla developer Matt Brubeck reported that window.fullScreen is writeable by untrusted content now that the DOM fullscreen API is enabled. Because window.fullScreen does not include mozRequestFullscreen's security protections, it could be used for UI spoofing. This code change makes...
Key detection without JavaScript via SVG animation — Mozilla
Security researcher Mario Heiderich reported it was possible to use SVG animation accessKey events to detect key strokes even when JavaScript was disabled. Since web pages can normally detect key events through script, and most users have scripting enabled, this does not present a risk for most...
Memory corruption while profiling using Firebug — Mozilla
Marc Schoenefeld reported a crash when using Firebug to profile a JavaScript file with many functions. It may be possible to trigger this crash without the use of debugging APIs, and if so this could be exploitable...
XSS via plugins and shadowed window.location object — Mozilla
Mozilla developer Boris Zbarsky reported that a frame named "location" could shadow the window.location object unless a script in a page grabbed a reference to the true object before the frame was created. Because some plugins use the value of window.location to determine the page origin this cou...
Security issues addressed in SeaMonkey 2.3 — Mozilla
Miscellaneous memory safety hazards (rv:4.0). Impact: Critical. Description: Mozilla identified and fixed several memory safety bugs in the browser engine used in SeaMonkey 2.2 and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and w...
Integer overflow and arbitrary code execution in Array.reduceRight() — Mozilla
Security researchers Chris Rohlf and Yan Ivnitskiy of Matasano Security reported that when a JavaScript Array object had its length set to an extremely large value, the iteration of array elements that occurs when its reduceRight method was subsequently called could result in the execution of...
Miscellaneous memory safety hazards (rv:3.0/1.9.2.18) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Recursive eval call causes confirm dialogs to evaluate to true — Mozilla
Security researcher Zach Hoffman reported that a recursive call to eval wrapped in a try/catch statement places the browser into an inconsistent state. Any dialog box opened in this state is displayed without text and with non-functioning buttons. Closing the window causes the dialog to evaluate t...
SJOW creates scope chains ending in outer object — Mozilla
Mozilla developer Blake Kaplan reported that the wrapper class XPCSafeJSObjectWrapper (SJOW), a security wrapper that allows content-defined objects to be safely accessed by privileged code, creates scope chains ending in outer objects. Users of SJOWs which expect the scope chain to end on an inner...
Freed object reuse across plugin instances — Mozilla
Microsoft Vulnerability Research reported that two plugin instances could interact in a way in which one plugin gets a reference to an object owned by a second plugin and continues to hold that reference after the second plugin is unloaded and its object is destroyed. In these cases, the first...
Security Vulnerabilities fixed in Thunderbird 78.4 — Mozilla
A use-after-free bug in the usersctp library was reported upstream. We assume this could have led to memory corruption and a potentially exploitable crash. Mozilla developers and community members Jason Kratzer, Simon Giesecke, Philipp, and Christian Holler reported memory safety bugs present in...
Security Vulnerabilities fixed in Firefox ESR 78.3 — Mozilla
By exploiting an Open Redirect vulnerability on a website, an attacker could have spoofed the site displayed in the download file dialog to show the original site (the one suffering from the open redirect) rather than the site the file was actually downloaded from. Firefox sometimes ran the onload...
Security vulnerabilities fixed in Firefox ESR 60.4 — Mozilla
A buffer overflow and out-of-bounds read can occur in TextureStorage11 within the ANGLE graphics library, used for WebGL content. This results in a potentially exploitable crash. A use-after-free vulnerability can occur after deleting a selection element due to a weak reference to the select...
Incorrect icon displayed on permissions notifications — Mozilla
Security researcher Tim McCormack reported that when a page requests a series of permissions in a short timespan, the resulting permission notifications can show the icon for the wrong permission request. This can lead to user confusion and inadvertent consent given when a user is prompted by web...
Integer overflow in MP4 playback in 64-bit versions — Mozilla
Security researcher Ronald Crane reported a vulnerability found through code inspection. This issue is an integer overflow while processing an MP4 format video file, where an erroneously small buffer is allocated and then overrun, resulting in a potentially exploitable crash...
Integer underflow and buffer overflow processing MP4 metadata in libstagefright — Mozilla
Mozilla developer Gerald Squelart fixed an integer underflow in the libstagefright library initially reported by Joshua Drake to Google. The issue occurred in MP4 format video files while parsing cover metadata, leading to a buffer overflow. This results in a potentially exploitable crash and can...
Buffer overflows found through code inspection — Mozilla
Security researcher Ronald Crane reported three buffer overflows affecting released code that were found through code inspection. They do not all have clear mechanisms to be exploited through web content but are vulnerable if a mechanism can be found to trigger them...
NSS and NSPR memory corruption issues — Mozilla
Mozilla engineers Tyson Smith and David Keeler reported a use-after-poison and buffer overflow in the ASN.1 decoder in Network Security Services (NSS). These issues were in octet string parsing and were found through fuzzing and code inspection. If these issues were triggered, they would lead to a...
Integer overflows in libstagefright while processing MP4 video metadata — Mozilla
Security researcher Joshua Drake reported potential integer overflows in the libstagefright library while processing video sample metadata in MPEG4 video files. This can lead to a potentially exploitable crash...
Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification — Mozilla
Mozilla security engineer Christoph Kerschbaumer reported a discrepancy in Mozilla's implementation of Content Security Policy and the CSP specification. The specification states that blob:, data:, and filesystem: URLs should be excluded in case of a wildcard when matching source expressions but...
Out-of-bounds write with Updater and malicious MAR file — Mozilla
Security researcher Holger Fuhrmannek reported that if the Updater opens a MAR format file with a specially crafted name, an out-of-bounds write will occur. This can lead to a potentially exploitable crash but requires that the malicious MAR format file be present on the local system and the...
Use-after-free due to Media Decoder Thread creation during shutdown — Mozilla
Security researchers Tyson Smith and Jesse Schwartzentruber reported a use-after-free during the shutdown process. This was caused by a race condition when media decoder threads are created during the shutdown process in some circumstances. This leads to a potentially exploitable crash when...
PRNG weakness allows for DNS poisoning on Android — Mozilla
Mozilla developer Daniel Stenberg reported that the DNS resolver in Firefox for Android uses an insufficiently random algorithm when generating random numbers for the unique identifier. This was derived from an old version of the Bionic libc library and suffered from insufficient randomness in th...
XrayWrapper bypass through DOM objects — Mozilla
Mozilla developer Bobby Holley reported that Document Object Model (DOM) objects with some specific properties can bypass XrayWrappers. This can allow web content to confuse privileged code, potentially enabling privilege escalation...
Apple CoreGraphics framework on OS X 10.10 logging input data to /tmp directory — Mozilla
Security researcher Kent Howard reported an Apple issue present in OS X 10.10 Yosemite where log files are created by the CoreGraphics framework of OS X in the /tmp local directory. These log files contain a record of all inputs into Mozilla programs during their operation. In versions of OS X fr...
Use-after-free and out of bounds issues found using Address Sanitizer — Mozilla
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a number of use-after-free and out-of-bounds read issues using the Address Sanitizer tool. These issues are potentially exploitable, allowing for remote code execution...
Miscellaneous memory safety hazards (rv:29.0 / rv:24.5) — Mozilla
Mozilla developers and community members identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least...
Firefox for Android addressbar suppression — Mozilla
Security researcher Juho Nurminen reported that on Firefox for Android, when the addressbar has been scrolled off screen, an attacker can prevent it from rendering again through the use of script interacting with DOM events. This allows an attacker to present a fake addressbar to the user, possibly...
Content Security Policy for data: documents not preserved by session restore — Mozilla
Security researcher Nicolas Golubovic reported that the Content Security Policy (CSP) of data: documents was not saved as part of session restore. If an attacker convinced a victim to open a document from a data: URL injected onto a page, this can lead to a Cross-Site Scripting (XSS) attack. The targ...
XSLT stylesheets treated as styles in Content Security Policy — Mozilla
Mozilla security engineer Frederik Braun reported an issue where the implementation of Content Security Policy (CSP) is not in compliance with the specification. XSLT stylesheets must be subject to script-src directives, but Mozilla's implementation of CSP treats them as styles. This could lead to...
Use-after-free in Animation Manager during stylesheet cloning — Mozilla
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover a use-after-free problem in the Animation Manager during the cloning of stylesheets. This can lead to a potentially exploitable crash...
Data in the body of XHR HEAD requests leads to CSRF attacks — Mozilla
Security researcher Johnathan Kuskos reported that Firefox is sending data in the body of XMLHttpRequest (XHR) HEAD requests, which goes against the XHR specification. This can potentially be used for Cross-Site Request Forgery (CSRF) attacks against sites which do not distinguish between HEAD and PO...
Sandbox restrictions not applied to nested frame elements — Mozilla
Mozilla community member Bob Owen reported that restrictions are not applied to a frame element contained within a sandboxed iframe. As a result, content hosted within a sandboxed iframe could use a frame element to bypass the restrictions that should be applied...
Out-of-bounds array read in CERT_DecodeCertPackage — Mozilla
Mozilla community member Ambroz Bizjak reported an out-of-bounds array read in the CERT_DecodeCertPackage function of the Network Security Services (NSS) library when decoding a certificate. When this occurs, it will lead to memory corruption and a non-exploitable crash...
Crash due to handling of SSL on threads — Mozilla
Mozilla community member Jerry Baker reported a crashing issue found through Thunderbird when downloading messages over a Secure Sockets Layer (SSL) connection. This was caused by a bug in the networking code assuming that secure connections were entirely handled on the socket transport thread when...
top object and location property accessible by plugins — Mozilla
Security researcher Mariusz Mlynski reported that the location property can be accessed by binary plugins through top.location, and top can be shadowed by Object.defineProperty as well. This can allow for possible cross-site scripting (XSS) attacks through plugins...
Crash with invalid cast when using instanceof operator — Mozilla
Mozilla community member Ms2ger reported a crash due to an invalid cast when using the instanceof operator on certain types of JavaScript objects. This can lead to a potentially exploitable crash...
Graphite 2 memory corruption — Mozilla
Using the Address Sanitizer tool, Mozilla security researcher Christoph Diehl discovered two memory corruption issues involving the Graphite 2 library used in Mozilla products. Both of these issues can cause a potentially exploitable crash. These problems were fixed in the Graphite 2 library, whi...
use-after-free in nsGlobalWindow::PageHidden — Mozilla
Security researcher Arthur Gerkis used the Address Sanitizer tool to find a use-after-free in nsGlobalWindow::PageHidden when mFocusedContent is released and oldFocusedContent is used afterwards. This use-after-free could possibly allow for remote code execution...
Security issues addressed in Firefox 6 — Mozilla
Miscellaneous memory safety hazards (rv:4.0). Impact: Critical. Description: Mozilla identified and fixed several memory safety bugs in the browser engine used in Firefox 4, Firefox 5 and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances...
Remote code execution using malformed PNG image — Mozilla
OUSPG researcher Aki Helin reported a buffer overflow in Mozilla graphics code which consumes image data processed by libpng. A malformed PNG file could be created which would cause libpng to incorrectly report the size of the image to downstream consumers. When the dimensions of such images are...
Content-Disposition: attachment ignored if Content-Type: multipart also present — Mozilla
Security researcher Ilja van Sprundel of IOActive reported that the Content-Disposition: attachment HTTP header was ignored when Content-Type: multipart was also present. This issue could potentially lead to XSS problems in sites that allow users to upload arbitrary files and specify a Content-Ty...
Insufficient warning for PKCS11 module installation and removal — Mozilla
Mozilla security researcher Jesse Ruderman reported that when security modules were added or removed via pkcs11.addmodule or pkcs11.deletemodule, the resulting dialog was not sufficiently informative. Without sufficient warning, an attacker could entice a victim to install a malicious PKCS11 modu...