1574 matches found
Installer will launch incorrect executable following new installation — Mozilla
Security researcher Masato Kinugawa reported that if a crafted executable is placed in the root partition on a Windows file system, the Firefox and Thunderbird installer will launch this program after a standard installation instead of Firefox or Thunderbird, running this program with the user's...
Insecure use of __android_log_print — Mozilla
Mozilla developer Blake Kaplan reported that androidlogprint is called insecurely in places. If a malicious web page used a dump statement with a specially crafted string, it can trigger a potentially exploitable crash...
DOMParser loads linked resources in extensions when parsing text/html — Mozilla
Security researcher vsemozhetbyt reported that when the DOMParser is used to parse text/html data in a Firefox extension, linked resources within this HTML data will be loaded. If the data being parsed in the extension is untrusted, it could lead to information leakage and can potentially be...
Ambiguous IPv6 in Origin headers may bypass webserver access restrictions — Mozilla
Security researcher Simone Fabiano reported that if a cross-site XHR or WebSocket is opened on a web server on a non-standard port for web traffic while using an IPv6 address, the browser will send an ambiguous origin headers if the IPv6 address contains at least 2 consecutive 16-bit fields of...
HTTP Redirections and remote content can be read by javascript errors — Mozilla
Security researcher Daniel Divricean reported that a defect in the error handling of javascript errors can leak the file names and location of javascript files on a server, leading to inadvertent information disclosure and a vector for further attacks...
Miscellaneous memory safety hazards (rv:8.0) — Mozilla
Mozilla developers fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run...
Potentially exploitable crash in the YARR regular expression library — Mozilla
Security researcher Aki Helin reported a potentially exploitable crash in the YARR regular expression library used by JavaScript...
Security issues addressed in Thunderbird 6 — Mozilla
Many of the issues listed below are not exploitable through mail since JavaScript is disabled by default in Thunderbird. These particular issues may be triggered while viewing RSS feeds and displaying full remote content rather than the feed summary. Addons that expose browser functionality may...
Incomplete fix for CVE-2010-0179 — Mozilla
Mozilla security researcher mozbugra4 reported that the fix for CVE-2010-0179 could be circumvented permitting the execution of arbitrary JavaScript with chrome privileges...
Add support for OTS font sanitizer — Mozilla
Mozilla added the OTS font sanitizing library to prevent downloadable fonts from exposing vulnerabilities in the underlying OS font code. This library mitigates against several issues independently reported by Red Hat Security Response Team member Marc Schoenefeld and Mozilla security researcher...
Copy-and-paste or drag-and-drop into designMode document allows XSS — Mozilla
Security researcher Paul Stone reported that when an HTML selection containing JavaScript is copy-and-pasted or dropped onto a document with designMode enabled the JavaScript will be executed within the context of the site where the code was dropped. A malicious site could leverage this issue in ...
nsTreeSelection dangling pointer remote code execution vulnerability — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative an integer overflow vulnerability in the implementation of the XUL element's selection attribute. When the size of a new selection is sufficiently large the integer used in calculating the length of the selection can...
Arbitrary code execution with Firebug XMLHttpRequestSpy — Mozilla
Mozilla security researcher mozbugra4 reported that the XMLHttpRequestSpy module in the Firebug add-on was exposing an underlying chrome privilege escalation vulnerability. When the XMLHttpRequestSpy object was created, it would attach various properties of itself to objects defined in web conten...
Deleted frame reuse in multipart/x-mixed-replace image — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative a potential reuse of a deleted image frame in Firefox 3.6's handling of multipart/x-mixed-replace images. Although no exploit was shown, re-use of freed memory has led to exploitable vulnerabilities in the past...
Compromise of SSL-protected communication — Mozilla
IOActive security researcher Dan Kaminsky reported a mismatch in the treatment of domain names in SSL certificates between SSL clients and the Certificate Authorities CA which issue server certificates. In particular, if a malicious person requested a certificate for a host name with an invalid...
Same-origin violations when Adobe Flash loaded via view-source: scheme — Mozilla
Security researcher Gregory Fleischer reported that when an Adobe Flash file is loaded via the view-source: scheme, the Flash plugin misinterprets the origin of the content as localhost, leading to two specific vulnerabilities:...
Crash and remote code execution in block reflow — Mozilla
Security research firm Astabis reported a vulnerability in Firefox 2 submitted through the iSIGHT Partners GVP Program by Greg McManus, Primary GVP Researcher. The reported crash in Mozilla's block reflow code could be used by an attacker to crash the browser and run arbitrary code on the victim'...
Security Vulnerability in APOP Authentication — Mozilla
Gaëtan Leurent informed us of a weakness in APOP authentication that could allow an attacker to recover the first part of your mail password if the attacker could interpose a malicious mail server on your network masquerading as your legitimate mail server. With normal settings it could take...
Security Vulnerabilities fixed in Firefox 136 — Mozilla
On Windows, a compromised content process could use bad StreamData sent over AudioIPC to trigger a use-after-free in the Browser process. This could have led to a sandbox escape. Android apps can load web pages using the Custom Tabs feature. This feature supports a transition animation that could...
Security Vulnerabilities fixed in Firefox 129 — Mozilla
Select options could obscure the fullscreen notification dialog. This could be used by a malicious site to perform a spoofing attack. Insufficient checks when processing graphics shared memory could have led to memory corruption. This could be leveraged by an attacker to perform a sandbox escape....
Security Vulnerabilities fixed in Firefox ESR 78.13 — Mozilla
A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash. Note: This issue only affected Linux operating systems. Other operating systems are unaffected. Firefox incorrectly treated an inline list-item element as a block element, resulting i...
Security Vulnerabilities fixed in Thunderbird 78.5.1 — Mozilla
When reading SMTP server status codes, Thunderbird writes an integer value to a position on the stack that is intended to contain just one byte. Depending on processor architecture and stack layout, this leads to stack corruption that may be exploitable...
Security Vulnerabilities fixed in Firefox ESR 68.10 — Mozilla
Due to confusion about ValueTags on JavaScript Objects, an object may pass through the type barrier, resulting in memory corruption and a potentially exploitable crash.Note: this issue only affects Firefox on ARM64 platforms. Manipulating individual parts of a URL object could have caused an...
Security Vulnerabilities fixed in Thunderbird 68.6 — Mozilla
When removing data about an origin whose tab was recently closed, a use-after-free could occur in the Quota manager, resulting in a potentially exploitable crash. By carefully crafting promise resolutions, it was possible to cause an out-of-bounds read off the end of an array resized during scrip...
Security vulnerabilities fixed in Firefox ESR 60.5.1 — Mozilla
A use-after-free vulnerability in the Skia library can occur when creating a path, leading to a potentially exploitable crash. An integer overflow vulnerability in the Skia library can occur after specific transform operations, leading to a potentially exploitable crash. A buffer overflow...
Security vulnerabilities fixed in Firefox ESR 45.5 — Mozilla
A heap-buffer-overflow in Cairo when processing SVG content caused by compiler optimization, resulting in a potentially exploitable crash. When the Mozilla Updater is run, if the Updater's log file in the working directory points to a hardlink, data can be appended to an arbitrary local file. Thi...
Location bar spoofing via data URLs with malformed/invalid mediatypes — Mozilla
Security researcher Firas Salem reported that decoding url-encoded values in data: urls for display leads to potential spoofing in the Location bar by using non-ASCII and emoji characters in a data: url's mediatype. This issue could result in the wrong URL being displayed as a location, which can...
Integer overflow in WebSockets during data buffering — Mozilla
Security researcher Samuel Groß reported an integer overflow error in WebSockets during data buffering on incoming packets when an allocated buffer is resized incorrectly. This results in the buffer array holding the data being shrunk, instead of grown, resulting in attacker controlled data being...
Use-after-free in service workers with nested sync events — Mozilla
Security researcher Looben Yang discovered a use-after-free vulnerability when working with nested sync event loops in Service Workers. He discovered a mechanism where scripts can close their own worker, which will then trigger a synchronization XMLHttpRequest on this now closed and released...
Crash in incremental garbage collection in JavaScript — Mozilla
Security researcher Jukka Jylänki reported a use-after-free in JavaScript caused by how objects and pointers are handled during incremental garbage collection in some circumstances working with object groups. When triggered, this causes a potential exploitable crash but is mitigated by the...
Buffer overflow parsing HTML5 fragments — Mozilla
Security researcher firehack reported a buffer overflow when parsing HTML5 fragments in a foreign context such as under an node. This results in a potentially exploitable crash when inserting an HTML fragment into an existing document...
Miscellaneous memory safety hazards (rv:47.0 / rv:45.2) — Mozilla
Mozilla developers and community members reported several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these...
Buffer overflow in libstagefright with CENC offsets — Mozilla
Using Address Sanitizer, security researcher Sascha Just reported a buffer overflow in the libstagefright library due to issues with the handling of CENC offsets and the sizes table. This results in a potentially exploitable crash triggerable through web content...
Firefox allows for control characters to be set in cookie names — Mozilla
Security researcher musicDespiteEverything previously reported an issue where illegal control characters were stored in as cookie values in violation of RFC6265. While fixing this issue, Mozilla developer Nicholas Hurley realized that the same issue applied to the names of cookies. These characte...
Trailing whitespace in IP address hostnames can bypass same-origin policy — Mozilla
Security researcher Michał Bentkowski reported that adding white-space characters to hostnames that are IP addresses can bypass same-origin policy. This flaw was caused by trailing whitespaces being evaluated differently when parsing IP addresses instead of alphanumeric hostnames. This could lead...
Out-of-bound read while computing an oscillator rendering range in Web Audio — Mozilla
Security researcher Holger Fuhrmannek used the Address Sanitizer tool to discover an out-of-bound read while computing an oscillator rendering range in Web Audio. This could allow an attacker to infer the contents of four bytes of memory...
Use-after-free during text processing with vertical text enabled — Mozilla
Security researcher Scott Bell used the Address Sanitizer tool to discover a use-after-free error during the processing of text when vertical text is enabled. This leads to a potentially exploitable crash...
Privilege escalation through SVG navigation — Mozilla
Security researcher Mariusz Mlynski reported, through HP Zero Day Initiative's Pwn2Own contest, a method to run arbitrary scripts in a privileged context. This bypassed the same-origin policy protections by using a flaw in the processing of SVG format content navigation...
Miscellaneous memory safety hazards (rv:36.0 / rv:31.5) — Mozilla
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...
TLS TURN and STUN connections silently fail to simple TCP connections — Mozilla
Security researcher Alexander Kolesnik reported while the Mozilla platform does not yet support TLS connections to TURN and STUN servers, the WebRTC implementation would accept turns: and stuns: URIs and then attempt plaintext connections to the servers when these were used. This can lead to...
Bad casting from the BasicThebesLayer to BasicContainerLayer — Mozilla
Security researchers Byoungyoung Lee, Chengyu Song, and Taesoo Kim at the Georgia Tech Information Security Center GTISC reported a bad casting from the BasicThebesLayer to BasicContainerLayer, resulting in undefined behavior. This behavior is potentially exploitable with some compilers but no...
Web Audio memory corruption issues with custom waveforms — Mozilla
Security researcher Holger Fuhrmannek used the used the Address Sanitizer tool to discover an out-of-bounds read issue with Web Audio when interacting with custom waveforms with invalid values. This results in a crash and could allow for the reading of random memory which may contain sensitive...
Web Audio memory corruption issues — Mozilla
Security researcher Ash reported an out of bounds read issue with Web Audio. This issue could allow for web content to trigger crashes that are potentially exploitable...
Use-after-free in the Text Track Manager for HTML video — Mozilla
Using the Address Sanitizer tool, security researcher Abhishek Arya Inferno of the Google Chrome Security Team found a use-after-free in the Text Track Manager while processing HTML video. This was caused by inconsistent garbage collection of Text Track Manager variables and results in a...
Firefox OS DeviceStorageFile object vulnerable to relative path escape — Mozilla
Mozlla developer Ben Turner discovered that the protection against Directory Traversal through the DeviceStorage API was implemented in the wrong process on Firefox OS. If a Firefox OS application with any device-storage permissions were compromised an attacker could escape the media sandbox and...
Security bypass of PDF.js checks using iframes — Mozilla
Security researcher Cody Crews discovered a method to append an iframe into an embedded PDF object rendered with the chrome privileged PDF.js. This can used to bypass security restrictions to load local or chrome privileged files and objects within the embedded PDF object. This can lead to...
User-defined properties on DOM proxies get the wrong "this" object — Mozilla
Mozilla developer Boris Zbarsky reported that user-defined getters on DOM proxies would incorrectly get the expando object as this. It is unlikely that this is directly exploitable but could lead to JavaScript client or add-on code making incorrect security sensitive decisions based on hacker...
Buffer overflow in Mozilla Maintenance Service and Mozilla Updater — Mozilla
Security researcher Seb Patane reported stack buffer overflows in both the Maintenance Service and the Mozilla Updater when unexpectedly long paths were encountered. A local attacker could pass these as command-line arguments to the Maintenance Service to crash either program and potentially lead...
Firefox full and stub installer DLL hijacking — Mozilla
Security researcher Robert Kugler reported in 2012 that when a specifically named DLL file on a Windows computer is placed in the default downloads directory with the Firefox installer, the Firefox installer will load this DLL file when it is launched. Mozilla developers Brian Bondy and Robert...
Homograph domain spoofing in .com, .net and .name — Mozilla
Security researcher 3ric Johanson reported in discussions with Richard Newman and Holt Sorenson that Verisign's prevention measures for homograph attacks using Internationalized Domain Names IDN were insufficiently rigorous, and this led to a limited possibility for domain spoofing in Firefox...