Miscellaneous memory safety hazards (rv:8.0) — Mozilla
Mozilla developers fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run...
Potentially exploitable crash in the YARR regular expression library — Mozilla
Security researcher Aki Helin reported a potentially exploitable crash in the YARR regular expression library used by JavaScript...
Incomplete fix for CVE-2010-0179 — Mozilla
Mozilla security researcher mozbugra4 reported that the fix for CVE-2010-0179 could be circumvented permitting the execution of arbitrary JavaScript with chrome privileges...
Copy-and-paste or drag-and-drop into designMode document allows XSS — Mozilla
Security researcher Paul Stone reported that when an HTML selection containing JavaScript is copy-and-pasted or dropped onto a document with designMode enabled the JavaScript will be executed within the context of the site where the code was dropped. A malicious site could leverage this issue in ...
nsTreeSelection dangling pointer remote code execution vulnerability — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative an integer overflow vulnerability in the implementation of the XUL element's selection attribute. When the size of a new selection is sufficiently large the integer used in calculating the length of the selection can...
Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.9/ 1.9.0.19) — Mozilla
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Arbitrary code execution with Firebug XMLHttpRequestSpy — Mozilla
Mozilla security researcher mozbugra4 reported that the XMLHttpRequestSpy module in the Firebug add-on was exposing an underlying chrome privilege escalation vulnerability. When the XMLHttpRequestSpy object was created, it would attach various properties of itself to objects defined in web conten...
Image src redirect to mailto: URL opens email editor — Mozilla
phpBB developer Henry Sudhof reported that when an image tag points to a resource that redirects to a mailto: URL, the external mail handler application is launched. This issue poses no security threat to users but could create an annoyance when browsing a site that allows users to post arbitrary...
Deleted frame reuse in multipart/x-mixed-replace image — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative a potential reuse of a deleted image frame in Firefox 3.6's handling of multipart/x-mixed-replace images. Although no exploit was shown, re-use of freed memory has led to exploitable vulnerabilities in the past...
Local downloaded file tampering — Mozilla
Security researcher Jeremy Brown reported that the file naming scheme used for downloading a file which already exists in the downloads folder is predictable. If an attacker had local access to a victim's computer and knew the name of a file the victim intended to open through the Download Manage...
JavaScript chrome privilege escalation — Mozilla
Mozilla security researcher mozbugra4 reported a vulnerability which allows scripts from page content to run with elevated privileges. Using this vulnerability, an attacker could cause a chrome privileged object, such as the browser sidebar or the FeedWriter, to interact with web content in such ...
Crash and remote code execution in block reflow — Mozilla
Security research firm Astabis reported a vulnerability in Firefox 2 submitted through the iSIGHT Partners GVP Program by Greg McManus, Primary GVP Researcher. The reported crash in Mozilla's block reflow code could be used by an attacker to crash the browser and run arbitrary code on the victim'...
Security Vulnerabilities fixed in Firefox ESR 91.13 — Mozilla
An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin which was displayed in the address bar. This could have been used to fool the user into submitting data intended for the spoofed origin. A cross-origin iframe referencing an XSLT documen...
Security Vulnerabilities fixed in Firefox ESR 91.9 — Mozilla
When reusing existing popups Firefox would have allowed them to cover the fullscreen notification UI, which could have enabled browser spoofing attacks. Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existin...
Security Vulnerabilities fixed in Thunderbird 68.10.0 — Mozilla
Due to confusion about ValueTags on JavaScript Objects, an object may pass through the type barrier, resulting in memory corruption and a potentially exploitable crash. Note: this issue only affects Firefox on ARM64 platforms. Manipulating individual parts of a URL object could have caused an...
Security vulnerabilities fixed in Firefox ESR 45.5 — Mozilla
A heap-buffer-overflow in Cairo when processing SVG content caused by compiler optimization, resulting in a potentially exploitable crash. When the Mozilla Updater is run, if the Updater's log file in the working directory points to a hardlink, data can be appended to an arbitrary local file. Thi...
Crash in incremental garbage collection in JavaScript — Mozilla
Security researcher Jukka Jylänki reported a use-after-free in JavaScript caused by how objects and pointers are handled during incremental garbage collection in some circumstances working with object groups. When triggered, this causes a potentially exploitable crash but is mitigated by the...
Use-after-free in service workers with nested sync events — Mozilla
Security researcher Looben Yang discovered a use-after-free vulnerability when working with nested sync event loops in Service Workers. He discovered a mechanism where scripts can close their own worker, which will then trigger a synchronization XMLHttpRequest on this now closed and released...
Buffer overflow parsing HTML5 fragments — Mozilla
Security researcher firehack reported a buffer overflow when parsing HTML5 fragments in a foreign context such as under an node. This results in a potentially exploitable crash when inserting an HTML fragment into an existing document...
CSP not applied to pages sent with multipart/x-mixed-replace — Mozilla
Security researcher Muneaki Nishimura (nishimunea) of Recruit Technologies Co., Ltd. reported that Content Security Policy (CSP) is not applied correctly to web content sent with the multipart/x-mixed-replace MIME type. This allows for script to run in instances where CSP should block it, leading to ...
Buffer overflow in libstagefright with CENC offsets — Mozilla
Using Address Sanitizer, security researcher Sascha Just reported a buffer overflow in the libstagefright library due to issues with the handling of CENC offsets and the sizes table. This results in a potentially exploitable crash triggerable through web content...
Memory leak in libstagefright when deleting an array during MP4 processing — Mozilla
Security researchers Jose Martinez and Romina Santillan reported a memory leak in the libstagefright library when array destruction occurs during MPEG4 video file processing...
Use-after-free in workers while using XMLHttpRequest — Mozilla
Security researcher Looben Yang used the Address Sanitizer tool to discover two related use-after-free vulnerabilities that occur when using XMLHttpRequest in concert with either shared or dedicated workers. These errors occur when the XMLHttpRequest object is attached to a worker but that object...
Out of bounds read in QCMS library — Mozilla
Security researcher Felix Gröbert of Google used the Address Sanitizer tool to discover an out of bounds read in the QCMS color management library while transforming images with certain parameters. This could lead to information disclosure...
Add-on lightweight theme installation approval bypassed through MITM attack — Mozilla
Security researcher Armin Ebert discovered that a man-in-the-middle (MITM) attacker spoofing a Mozilla sub-domain could bypass user approval messages to install a Firefox lightweight theme. This was possible because add-on installations of the lightweight themes do not require the use of HTTP over...
Read of uninitialized memory in Web Audio — Mozilla
Security researcher Holger Fuhrmannek used the Address Sanitizer tool to discover a crash in Web Audio while manipulating timelines. This allowed a small block of memory with an uninitialized pointer to be read. The crash is not exploitable...
Bad casting from the BasicThebesLayer to BasicContainerLayer — Mozilla
Security researchers Byoungyoung Lee, Chengyu Song, and Taesoo Kim at the Georgia Tech Information Security Center (GTISC) reported a bad casting from the BasicThebesLayer to BasicContainerLayer, resulting in undefined behavior. This behavior is potentially exploitable with some compilers but no...
Web Audio memory corruption issues with custom waveforms — Mozilla
Security researcher Holger Fuhrmannek used the Address Sanitizer tool to discover an out-of-bounds read issue with Web Audio when interacting with custom waveforms with invalid values. This results in a crash and could allow for the reading of random memory which may contain sensitive...
Use-after-free in the Text Track Manager for HTML video — Mozilla
Using the Address Sanitizer tool, security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team found a use-after-free in the Text Track Manager while processing HTML video. This was caused by inconsistent garbage collection of Text Track Manager variables and results in a...
Web Audio memory corruption issues — Mozilla
Security researcher Ash reported an out of bounds read issue with Web Audio. This issue could allow for web content to trigger crashes that are potentially exploitable...
onbeforeunload and Javascript navigation DOS — Mozilla
Security researchers Tim Philipp Schäfers and Sebastian Neef, the team of Internetwache.org, reported a mechanism using JavaScript onbeforeunload events with page navigation to prevent users from closing a malicious page's tab and causing the browser to become unresponsive. This allows for a deni...
Use-after-free in TypeObject — Mozilla
Security research firm VUPEN, via TippingPoint's Pwn2Own contest, reported that memory pressure during Garbage Collection could lead to memory corruption of TypeObjects in the JS engine, resulting in an exploitable use-after-free condition...
Firefox OS DeviceStorageFile object vulnerable to relative path escape — Mozilla
Mozilla developer Ben Turner discovered that the protection against Directory Traversal through the DeviceStorage API was implemented in the wrong process on Firefox OS. If a Firefox OS application with any device-storage permissions were compromised an attacker could escape the media sandbox and...
Security bypass of PDF.js checks using iframes — Mozilla
Security researcher Cody Crews discovered a method to append an iframe into an embedded PDF object rendered with the chrome privileged PDF.js. This can be used to bypass security restrictions to load local or chrome privileged files and objects within the embedded PDF object. This can lead to...
User-defined properties on DOM proxies get the wrong "this" object — Mozilla
Mozilla developer Boris Zbarsky reported that user-defined getters on DOM proxies would incorrectly get the expando object as this. It is unlikely that this is directly exploitable but could lead to JavaScript client or add-on code making incorrect security sensitive decisions based on hacker...
Firefox full and stub installer DLL hijacking — Mozilla
Security researcher Robert Kugler reported in 2012 that when a specifically named DLL file on a Windows computer is placed in the default downloads directory with the Firefox installer, the Firefox installer will load this DLL file when it is launched. Mozilla developers Brian Bondy and Robert...
Buffer overflow in Mozilla Maintenance Service and Mozilla Updater — Mozilla
Security researcher Seb Patane reported stack buffer overflows in both the Maintenance Service and the Mozilla Updater when unexpectedly long paths were encountered. A local attacker could pass these as command-line arguments to the Maintenance Service to crash either program and potentially lead...
Homograph domain spoofing in .com, .net and .name — Mozilla
Security researcher 3ric Johanson reported in discussions with Richard Newman and Holt Sorenson that Verisign's prevention measures for homograph attacks using Internationalized Domain Names (IDN) were insufficiently rigorous, and this led to a limited possibility for domain spoofing in Firefox...
Address space layout leaked in XBL objects — Mozilla
Mozilla security researcher Jesse Ruderman discovered that using the toString function of XBL objects can lead to inappropriate information leakage by revealing the address space layout instead of just the ID of the object. This layout information could potentially be used to bypass ASLR and othe...
Use-after-free in the IME State Manager — Mozilla
Security researcher miaubiz used the Address Sanitizer tool to discover a use-after-free in the IME State Manager code. This could lead to a potentially exploitable crash...
Escalation of privilege with Javascript: URL as home page — Mozilla
Security researcher Mariusz Mlynski reported that an attacker able to convince a potential victim to set a new home page by dragging a link to the "home" button can set that user's home page to a javascript: URL. Once this is done the attacker's page can cause repeated crashes of the browser,...
Security issues addressed in Thunderbird 6 — Mozilla
Many of the issues listed below are not exploitable through mail since JavaScript is disabled by default in Thunderbird. These particular issues may be triggered while viewing RSS feeds and displaying full remote content rather than the feed summary. Addons that expose browser functionality may...
Add support for OTS font sanitizer — Mozilla
Mozilla added the OTS font sanitizing library to prevent downloadable fonts from exposing vulnerabilities in the underlying OS font code. This library mitigates against several issues independently reported by Red Hat Security Response Team member Marc Schoenefeld and Mozilla security researcher...
Download filename spoofing with RTL override — Mozilla
Mozilla security researchers Jesse Ruderman and Sid Stamm reported that when downloading a file containing a right-to-left override character (RTL) in the filename, the name displayed in the dialog title bar conflicts with the name of the file shown in the dialog body. An attacker could use this...
Compromise of SSL-protected communication — Mozilla
IOActive security researcher Dan Kaminsky reported a mismatch in the treatment of domain names in SSL certificates between SSL clients and the Certificate Authorities (CA) which issue server certificates. In particular, if a malicious person requested a certificate for a host name with an invalid...
Same-origin violations when Adobe Flash loaded via view-source: scheme — Mozilla
Security researcher Gregory Fleischer reported that when an Adobe Flash file is loaded via the view-source: scheme, the Flash plugin misinterprets the origin of the content as localhost, leading to two specific vulnerabilities:...
Security Vulnerability in APOP Authentication — Mozilla
Gaëtan Leurent informed us of a weakness in APOP authentication that could allow an attacker to recover the first part of your mail password if the attacker could interpose a malicious mail server on your network masquerading as your legitimate mail server. With normal settings it could take...
Security Vulnerabilities fixed in Firefox 136 — Mozilla
On Windows, a compromised content process could use bad StreamData sent over AudioIPC to trigger a use-after-free in the Browser process. This could have led to a sandbox escape. Android apps can load web pages using the Custom Tabs feature. This feature supports a transition animation that could...
Security Vulnerabilities fixed in Firefox 129 — Mozilla
Select options could obscure the fullscreen notification dialog. This could be used by a malicious site to perform a spoofing attack. Insufficient checks when processing graphics shared memory could have led to memory corruption. This could be leveraged by an attacker to perform a sandbox escape....
Security Vulnerabilities fixed in Firefox for Android 110.1.0 — Mozilla
A potential use-after-free in libaudio was fixed by disabling the AAudio backend when running on Android API below version 30. This bug only affects Firefox for Android. Other versions of Firefox are unaffected...