jar: scheme ignores the content-disposition: header on the inner URI — Mozilla
Mozilla developer Daniel Veditz reported that when the jar: scheme is used to wrap a URI which serves the content with Content-Disposition: attachment, the HTTP header is ignored and the content is unpacked and displayed inline. A site may depend on this HTTP header to prevent potentially untrust...
UTF-8 URL stack buffer overflow — Mozilla
Justin Schuh and Tom Cross of the IBM X-Force and Peter Williams of IBM Watson Labs reported errors in Mozilla URL parsing routines. These errors could be exploited using a specially crafted UTF-8 URL in a hyperlink which could overflow a stack buffer and allow an attacker to execute arbitrary co...
Security Vulnerabilities fixed in Firefox ESR 102.9 — Mozilla
Sometimes, when invalidating JIT code while following an iterator, the newly generated code could be overwritten incorrectly. This could lead to a potentially exploitable crash. Dragging a URL from a cross-origin iframe that was removed during the drag could have led to user confusion and website...
Security Vulnerabilities fixed in Firefox ESR 102.4 — Mozilla
A same-origin policy violation could have allowed the theft of cross-origin URL entries, leaking the result of a redirect, via performance.getEntries. Certain types of allocations were missing annotations that, if the Garbage Collector was in a specific state, could have led to memory corruption...
Security Vulnerabilities fixed in Firefox ESR 91.6 — Mozilla
A Time-of-Check Time-of-Use bug existed in the Maintenance Updater Service that could be abused to grant Users write access to an arbitrary directory. This could have been used to escalate to SYSTEM access. This bug only affects Firefox on Windows. Other operating systems are unaffected. If a user...
Security Vulnerabilities fixed in Firefox ESR 91.3 — Mozilla
The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame. When interacting with an HTML input element's file picker dialog with webkitdirectory set, a use-after-free could have...
Security Vulnerabilities fixed in Thunderbird 78.5.1 — Mozilla
When reading SMTP server status codes, Thunderbird writes an integer value to a position on the stack that is intended to contain just one byte. Depending on processor architecture and stack layout, this leads to stack corruption that may be exploitable...
Security Vulnerabilities fixed in Firefox ESR 68.10 — Mozilla
Due to confusion about ValueTags on JavaScript Objects, an object may pass through the type barrier, resulting in memory corruption and a potentially exploitable crash. Note: this issue only affects Firefox on ARM64 platforms. Manipulating individual parts of a URL object could have caused an...
Security vulnerabilities fixed in Firefox ESR 60.5.1 — Mozilla
A use-after-free vulnerability in the Skia library can occur when creating a path, leading to a potentially exploitable crash. An integer overflow vulnerability in the Skia library can occur after specific transform operations, leading to a potentially exploitable crash. A buffer overflow...
Information disclosure and local file manipulation through drag and drop — Mozilla
Security researcher Rafael Gieschke reported that file URIs dragged from a web page in Firefox to other software do not have their contents properly filtered before being passed to other programs, such as the local file manager. This can allow for the theft or manipulation of arbitrary local file...
Use-after-free in SetBody — Mozilla
Security researcher lokihardt, working with HP's Zero Day Initiative, reported a use-after-free issue in the SetBody function of HTMLDocument. This results in a potentially exploitable crash...
Linux video memory DOS with Intel drivers — Mozilla
Security researcher Ucha Gobejishvili reported a denial of service (DOS) attack when doing certain WebGL operations in a canvas requiring an unusually large buffer to be allocated from video memory. This resulted in memory resource exhaustion with some Intel video cards, requiring the comput...
Use-after-free during processing of DER encoded keys in NSS — Mozilla
Mozilla developer Tim Taubert used the Address Sanitizer tool and software fuzzing to discover a use-after-free vulnerability while processing DER encoded keys in the Network Security Services (NSS) libraries. The vulnerability overwrites the freed memory with zeroes. This issue has been addressed ...
Miscellaneous memory safety hazards (rv:44.0 / rv:38.6) — Mozilla
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...
Linux file chooser crashes on malformed images due to flaws in Jasper library — Mozilla
Security researcher Gustavo Grieco reported that on Linux Gnome systems the dialog for choosing local files uses the operating system's gdk-pixbuf library to render thumbnails for image file types. This library supports various image decoders, and Grieco reported that the Jasper and TGA decoders...
Trailing whitespace in IP address hostnames can bypass same-origin policy — Mozilla
Security researcher Michał Bentkowski reported that adding white-space characters to hostnames that are IP addresses can bypass same-origin policy. This flaw was caused by trailing whitespace being evaluated differently when parsing IP addresses than when parsing alphanumeric hostnames. This could lead...
Miscellaneous memory safety hazards (rv:41.0 / rv:38.3) — Mozilla
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...
Privilege escalation through SVG navigation — Mozilla
Security researcher Mariusz Mlynski reported, through HP Zero Day Initiative's Pwn2Own contest, a method to run arbitrary scripts in a privileged context. This bypassed the same-origin policy protections by using a flaw in the processing of SVG format content navigation...
Out-of-bounds read and write while rendering SVG content — Mozilla
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to report an out-of-bounds read and an out-of-bounds write when rendering an improperly formatted SVG graphic. This could potentially allow the attacker to read uninitialized memory...
Use-after-free in Developer Console data with OpenType Sanitiser — Mozilla
Using the Address Sanitizer tool, security researcher Atte Kettunen found a problem with OpenType Sanitiser (OTS) that resulted in a use-after-free while expanding macros in some circumstances. This use-after-free was only used for information displayed in the developer console and was not...
XBL bindings accessible via improper CSS declarations — Mozilla
Security researcher Cody Crews reported a method to trigger chrome level XML Binding Language (XBL) bindings through web content. This was possible because some chrome accessible CSS stylesheets had their primary namespace improperly declared. When this occurred, it was possible to use these...
Key pinning bypasses — Mozilla
Mozilla developer Patrick McManus reported a method to use SPDY or HTTP/2 connection coalescing to bypass key pinning on different sites that resolve to the same IP address. This could allow the use of a fraudulent certificate when a saved pin for that subdomain should have prevented the connectio...
Use-after-free setting text directionality — Mozilla
Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free during text layout when interacting with the setting of text direction. This can lead to arbitrary code execution...
Use-after-free with FireOnStateChange event — Mozilla
Security researcher Jethro Beekman of the University of California, Berkeley reported a crash when the FireOnStateChange event is triggered in some circumstances. This leads to a use-after-free and a potentially exploitable crash when it occurs...
Crash in Skia library when scaling high quality images — Mozilla
Mozilla community member John reported a crash in the Skia library when scaling high quality images if the scaling operation takes too long. This is caused by the image data being discarded while still in use by the scaling operation. This crash is potentially exploitable on some systems...
Buffer overflow when using non-XBL object as XBL — Mozilla
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover a buffer overflow when a script uses a non-XBL object as an XBL object because the XBL status of the object is not properly validated. The resulting memory corruption is...
Privilege escalation through Web Notification API — Mozilla
Security researcher Mariusz Mlynski discovered an issue where sites that have been given notification permissions by a user can bypass security checks on source components for the Web Notification API. This allows for script to be run in a privileged context through notifications, leading to...
Use-after-free in nsHostResolver — Mozilla
Security researchers Tyson Smith and Jesse Schwartzentruber of the BlackBerry Security Automated Analysis Team used the Address Sanitizer tool while fuzzing to discover a use-after-free during host resolution in some circumstances. This leads to a potentially exploitable crash...
Crash when using web workers with asm.js — Mozilla
Soeren Balko reported a crash when terminating a web worker running asm.js code after passing an object between threads. This crash is potentially exploitable...
Potential overflow in JavaScript binary search algorithms — Mozilla
Compiler Engineer Dan Gohman of Google reported that binary search algorithms in the SpiderMonkey JavaScript engine were prone to overflow in several places, leading to potential out-of-bounds array access. While none of these are known to be directly exploitable, they are unsafe in theory and ha...
Character encoding cross-origin XSS attack — Mozilla
Security researcher Masato Kinugawa discovered that if a web page is missing character set encoding information it can inherit character encodings across navigations into another domain from an earlier site. Only same-origin inheritance is allowed according to the HTML5 specification. This issue...
Buffer overflow with multi-column, lists, and floats — Mozilla
Security researcher Aki Helin reported that combining lists, floats, and multiple columns could trigger a potentially exploitable buffer overflow...
Privileged access for content level constructor — Mozilla
Security researcher Cody Crews reported a method to call a content level constructor that allows for this constructor to have chrome privileged access. This affects chrome object wrappers (COW) and allows for write actions on objects when only read actions should be allowed. This can lead to...
Wrapped WebIDL objects can be wrapped again — Mozilla
Mozilla developer Boris Zbarsky reported that in some circumstances a wrapped WebIDL object can be wrapped multiple times, overwriting the existing wrapped state. This could lead to an exploitable condition in rare cases...
Out-of-bounds read in image rendering — Mozilla
Using the Address Sanitizer tool, security researcher Atte Kettunen from OUSPG found an out-of-bounds read while rendering GIF format images. This could cause a non-exploitable crash and could also attempt to render normally inaccessible data as part of the image...
evalInSandbox location context incorrectly applied — Mozilla
Mozilla security researcher mozbugra4 reported that if code executed by the evalInSandbox function sets location.href, it can get the wrong subject principal for the URL check, ignoring the sandbox's JavaScript context and gaining the context of the evalInSandbox object. This can lead to malicious we...
Insecure use of __android_log_print — Mozilla
Mozilla developer Blake Kaplan reported that __android_log_print is called insecurely in places. If a malicious web page used a dump statement with a specially crafted string, it can trigger a potentially exploitable crash...
DOMParser loads linked resources in extensions when parsing text/html — Mozilla
Security researcher vsemozhetbyt reported that when the DOMParser is used to parse text/html data in a Firefox extension, linked resources within this HTML data will be loaded. If the data being parsed in the extension is untrusted, it could lead to information leakage and can potentially be...
Installer will launch incorrect executable following new installation — Mozilla
Security researcher Masato Kinugawa reported that if a crafted executable is placed in the root partition on a Windows file system, the Firefox and Thunderbird installer will launch this program after a standard installation instead of Firefox or Thunderbird, running this program with the user's...
Ambiguous IPv6 in Origin headers may bypass webserver access restrictions — Mozilla
Security researcher Simone Fabiano reported that if a cross-site XHR or WebSocket is opened on a web server on a non-standard port for web traffic while using an IPv6 address, the browser will send an ambiguous Origin header if the IPv6 address contains at least 2 consecutive 16-bit fields of...
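The entry above is cut off after "fields of"; the following added example (not Mozilla code, and not a reproduction of the exact header Firefox sent) assumes the fields in question are zero groups. It shows why a server that allowlists origins must compare IPv6 literals by value rather than by text: parseIPv6 expands a literal and refuses anything with more than one "::", formatIPv6 emits the single RFC 5952 canonical form, and compressEveryZeroRun is a hypothetical encoder that compresses every zero run and so produces text such as 1::2::3:4 that expands to more than one address. originKey rejects origins containing whitespace instead of trimming them, for the reason the trailing-whitespace entry earlier on this page gives: two parsers that normalise differently disagree about which origin they are looking at.

```javascript
// Added example, not Mozilla code: RFC 5952 canonical IPv6 text and a
// value-based origin check for a server-side allowlist. The "compress every
// zero run" encoder is hypothetical and only illustrates the ambiguity.

// Expand an IPv6 literal into eight 16-bit groups. Returns null for text that
// is not a single, unambiguous address (e.g. more than one "::").
function parseIPv6(text) {
  const parts = text.split("::");
  if (parts.length > 2) return null;                 // "1::2::3:4" is ambiguous
  const toGroups = (s) => (s === "" ? [] : s.split(":"));
  const head = toGroups(parts[0]);
  const tail = parts.length === 2 ? toGroups(parts[1]) : [];
  const isGroup = (g) => /^[0-9a-fA-F]{1,4}$/.test(g);
  if (![...head, ...tail].every(isGroup)) return null;
  if (parts.length === 1) {
    return head.length === 8 ? head.map((g) => parseInt(g, 16)) : null;
  }
  const fill = 8 - head.length - tail.length;
  if (fill < 1) return null;                         // "::" stands for >= 1 group
  return [...head, ...Array(fill).fill("0"), ...tail].map((g) => parseInt(g, 16));
}

// RFC 5952 text form: lowercase hex, no leading zeros, and only the longest
// run of zero groups (leftmost on ties, never a run of one) written as "::".
function formatIPv6(groups) {
  let best = { start: -1, len: 0 };
  for (let i = 0; i < 8; ) {
    if (groups[i] !== 0) { i++; continue; }
    let j = i;
    while (j < 8 && groups[j] === 0) j++;
    if (j - i > best.len) best = { start: i, len: j - i };
    i = j;
  }
  const hex = groups.map((g) => g.toString(16));
  if (best.len < 2) return hex.join(":");
  return hex.slice(0, best.start).join(":") + "::" + hex.slice(best.start + best.len).join(":");
}

// Hypothetical encoder that compresses EVERY run of two or more zero groups.
// Its output cannot be expanded back to one address, which is the ambiguity
// a receiving server must refuse to resolve.
function compressEveryZeroRun(groups) {
  const out = [];
  for (let i = 0; i < 8; ) {
    if (groups[i] !== 0) { out.push(groups[i].toString(16)); i++; continue; }
    let j = i;
    while (j < 8 && groups[j] === 0) j++;
    out.push(j - i >= 2 ? "" : "0");                 // "" joins as "::"
    i = j;
  }
  let s = out.join(":");
  if (out[0] === "") s = ":" + s;
  if (out[out.length - 1] === "") s = s + ":";
  return s;
}

const DEFAULT_PORT = { http: "80", https: "443", ws: "80", wss: "443" };

// Reduce an origin to a comparison key: lowercase scheme and host, explicit
// port, IPv6 literals re-encoded canonically. Whitespace anywhere and any
// ambiguous IPv6 literal yield null, so such origins never match an allowlist.
function originKey(origin) {
  if (/\s/.test(origin)) return null;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(\[[^\]]*\]|[^\/:]+)(?::(\d+))?$/i.exec(origin);
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  let host = m[2];
  if (host.startsWith("[")) {
    const groups = parseIPv6(host.slice(1, -1));
    if (groups === null) return null;
    host = "[" + formatIPv6(groups) + "]";
  } else {
    host = host.toLowerCase();
  }
  const port = m[3] ?? DEFAULT_PORT[scheme] ?? "";
  return `${scheme}://${host}:${port}`;
}

// True only when both origins parse unambiguously and reduce to the same key.
function originsEqual(a, b) {
  const ka = originKey(a);
  return ka !== null && ka === originKey(b);
}
```

With this, `originsEqual("http://[1:0:0:2:0:0:3:4]:8080", "http://[1::2:0:0:3:4]:8080")` is true, while an Origin of `http://[1::2::3:4]:8080` never matches anything, because the literal cannot be expanded to a single address and the key is null. Rejecting rather than guessing is the right failure mode for an access check.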
HTTP Redirections and remote content can be read by JavaScript errors — Mozilla
Security researcher Daniel Divricean reported that a defect in the error handling of JavaScript errors can leak the file names and location of JavaScript files on a server, leading to inadvertent information disclosure and a vector for further attacks...
Use-after-free in IDBKeyRange — Mozilla
Using the Address Sanitizer tool, security researcher Aki Helin from OUSPG found that IDBKeyRange of indexedDB remains in the XPConnect hashtable instead of being unlinked before being destroyed. When it is destroyed, this causes a use-after-free, which is potentially exploitable...
Miscellaneous memory safety hazards (rv:8.0) — Mozilla
Mozilla developers fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run...
Potentially exploitable crash in the YARR regular expression library — Mozilla
Security researcher Aki Helin reported a potentially exploitable crash in the YARR regular expression library used by JavaScript...
Incomplete fix for CVE-2010-0179 — Mozilla
Mozilla security researcher mozbugra4 reported that the fix for CVE-2010-0179 could be circumvented permitting the execution of arbitrary JavaScript with chrome privileges...
Copy-and-paste or drag-and-drop into designMode document allows XSS — Mozilla
Security researcher Paul Stone reported that when an HTML selection containing JavaScript is copy-and-pasted or dropped onto a document with designMode enabled the JavaScript will be executed within the context of the site where the code was dropped. A malicious site could leverage this issue in ...
nsTreeSelection dangling pointer remote code execution vulnerability — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative an integer overflow vulnerability in the implementation of the XUL element's selection attribute. When the size of a new selection is sufficiently large the integer used in calculating the length of the selection can...
Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.9/ 1.9.0.19) — Mozilla
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Arbitrary code execution with Firebug XMLHttpRequestSpy — Mozilla
Mozilla security researcher mozbugra4 reported that the XMLHttpRequestSpy module in the Firebug add-on was exposing an underlying chrome privilege escalation vulnerability. When the XMLHttpRequestSpy object was created, it would attach various properties of itself to objects defined in web conten...
Deleted frame reuse in multipart/x-mixed-replace image — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative a potential reuse of a deleted image frame in Firefox 3.6's handling of multipart/x-mixed-replace images. Although no exploit was shown, re-use of freed memory has led to exploitable vulnerabilities in the past...