Malicious WebGL content crash when writing strings — Mozilla
Security researcher Daniele Di Proietto discovered that when WebGL content crafted in a specific manner wrote strings, it would cause a crash when this content was run...
Read of uninitialized memory in Web Audio — Mozilla
Security researcher Holger Fuhrmannek used the Address Sanitizer tool to discover a crash in Web Audio while manipulating timelines. This allowed a small block of memory with an uninitialized pointer to be read. The crash is not exploitable...
CSP leaks redirect data via violation reports — Mozilla
Security researcher Muneaki Nishimura discovered that Content Security Policy (CSP) violation reports triggered by a redirect did not remove path information as required by the CSP specification. This potentially reveals information about the redirect that would not otherwise be known to the origin...
Web Audio memory corruption issues with custom waveforms — Mozilla
Security researcher Holger Fuhrmannek used the Address Sanitizer tool to discover an out-of-bounds read issue with Web Audio when interacting with custom waveforms with invalid values. This results in a crash and could allow for the reading of random memory which may contain sensitive...
Use-after-free in imgLoader while resizing images — Mozilla
Security researcher Nils discovered a use-after-free error in which the imgLoader object is freed while an image is being resized. This results in a potentially exploitable crash...
onbeforeunload and Javascript navigation DOS — Mozilla
Security researchers Tim Philipp Schäfers and Sebastian Neef, the team of Internetwache.org, reported a mechanism using JavaScript onbeforeunload events with page navigation to prevent users from closing a malicious page's tab and causing the browser to become unresponsive. This allows for a deni...
Spoofing addressbar through SELECT element — Mozilla
Security researcher Jordi Chancel discovered a method to put arbitrary HTML content within SELECT elements and place it in arbitrary locations. This can be used to spoof the displayed addressbar, leading to clickjacking and other spoofing attacks...
Security bypass of PDF.js checks using iframes — Mozilla
Security researcher Cody Crews discovered a method to append an iframe into an embedded PDF object rendered with the chrome privileged PDF.js. This can be used to bypass security restrictions to load local or chrome privileged files and objects within the embedded PDF object. This can lead to...
Uninitialized functions in DOMSVGZoomEvent — Mozilla
Mozilla community member Ms2ger discovered that some DOMSVGZoomEvent functions are used without being properly initialized, causing uninitialized memory to be used when they are called by web content. This could lead to an information leakage to sites depending on the contents of this uninitialize...
Out-of-bounds write in Cairo library — Mozilla
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover an out-of-bounds write in the Cairo graphics library. When certain values are passed to it during rendering, Cairo attempts to use negative boundaries or sizes for boxes, leading t...
Memory corruption in XBL with XML bindings containing SVG — Mozilla
Security researcher Sviatoslav Chagaev reported that when using an XBL file containing multiple XML bindings with SVG content, a memory corruption can occur. In conjunction with remote XUL, this can lead to an exploitable crash...
CSS and HTML injection through Style Inspector — Mozilla
Security researcher Mariusz Mlynski reported that when a maliciously crafted stylesheet is inspected in the Style Inspector, HTML and CSS can run in a chrome privileged context without being properly sanitized first. This can lead to arbitrary code execution...
Frames can shadow top.location — Mozilla
Security researcher Mariusz Mlynski reported that the location property can be accessed by binary plugins through top.location with a frame whose name attribute's value is set to "top". This can allow for possible cross-site scripting (XSS) attacks through plugins...
Use-after-free, buffer overflow, and memory corruption issues found using Address Sanitizer — Mozilla
Security researcher miaubiz used the Address Sanitizer tool to discover a series of critically rated use-after-free, buffer overflow, and memory corruption issues in shipped software. These issues are potentially exploitable, allowing for remote code execution. We would also like to thank miaubiz...
Improper security filtering for cross-origin wrappers — Mozilla
Mozilla developer Bobby Holley reported that security wrappers filter at the time of property access, but once a function is returned, the caller can use this function without further security checks. This affects cross-origin wrappers, allowing for write actions on objects when only read actions...
Miscellaneous memory safety hazards (rv:12.0 / rv:10.0.4) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Crash when accessing keyframe cssText after dynamic modification — Mozilla
Mozilla community member Daniel Glazman of Disruptive Innovations reported a crash when accessing a keyframe's cssText after dynamic modification. This crash may be potentially exploitable...
.jar not treated as executable in Firefox 3.6 on Mac — Mozilla
Part of the fix for MFSA 2011-40, reported by Mariusz Mlynski, was to treat .jar files as executables. This is necessary because Java treats downloaded .jar files as fully-featured "Applications" rather than restricting them to the limited privileges of in-browser "Applets". The fix taken in...
Crash when plugin removes itself on Mac OS X — Mozilla
FireBreath developer Richard Bateman reported a crash on Mac OS X that occurred when a plugin deletes its containing DOM frame during a call from that frame. The observed symptom is a null dereference but we cannot rule out the possibility that content from a scriptable plugin such as Flash could...
Security issues addressed in Thunderbird 6 — Mozilla
Many of the issues listed below are not exploitable through mail since JavaScript is disabled by default in Thunderbird. These particular issues may be triggered while viewing RSS feeds and displaying full remote content rather than the feed summary. Addons that expose browser functionality may...
Multiple dangling pointer vulnerabilities — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that two instances of code which modify SVG element lists failed to account for changes made to the list by user-supplied callbacks before accessing list elements. If a user-supplied callback deleted such an object, the...
XSS hazard in multiple character encodings — Mozilla
Security researchers Yosuke Hasegawa and Masatoshi Kimura reported that the x-mac-arabic, x-mac-farsi and x-mac-hebrew character encodings are vulnerable to XSS attacks due to some characters being converted to angle brackets when displayed by the rendering engine. Sites using these character...
Dangling pointer vulnerability in LookupGetterOrSetter — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that when window.__lookupGetter__ is called with no arguments the code assumes the top JavaScript stack value is a property name. Since there were no arguments passed into the function, the top value could represent...
Dangling pointer vulnerability using DOM plugin array — Mozilla
Security researcher Sergey Glazunov reported a dangling pointer vulnerability in the implementation of navigator.plugins in which the navigator object could retain a pointer to the plugins array even after it had been destroyed. An attacker could potentially use this issue to crash the browser an...
Frameset integer overflow vulnerability — Mozilla
Security researcher Chris Rohlf of Matasano Security reported that the implementation of the HTML frameset element contained an integer overflow vulnerability. The code responsible for parsing the frameset columns used an 8-byte counter for the column numbers, so when a very large number of colum...
XUL tree removal crash and remote code execution — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that XUL objects could be manipulated such that the setting of certain properties on the object would trigger the removal of the tree from the DOM and cause certain sections of deleted memory to be accessed. In product...
Crash and remote code execution in normalizeDocument — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that code used to normalize a document contained a logical flaw that could be leveraged to run arbitrary code. When the normalization code ran, a static count of the document's child nodes was used in the traversal, so...
Heap buffer overflow in nsTextFrameUtils::TransformText — Mozilla
Security researcher wushi of team509 reported a heap buffer overflow in code routines responsible for transforming text runs. A page could be constructed with a bidirectional text run which upon reflow could result in an incorrect length being calculated for the run of text. When this value is...
Image src redirect to mailto: URL opens email editor — Mozilla
phpBB developer Henry Sudhof reported that when an image tag points to a resource that redirects to a mailto: URL, the external mail handler application is launched. This issue poses no security threat to users but could create an annoyance when browsing a site that allows users to post arbitrary...
Upgrade PNG library to fix memory safety hazards — Mozilla
Google security researcher Tavis Ormandy reported several memory safety hazards to the libpng project, an external library used by Mozilla to render PNG images. These vulnerabilities could be used by a malicious website to crash a victim's browser and potentially execute arbitrary code on their...
Peer-trusted certs can use alt names to spoof — Mozilla
Mozilla developer John G. Myers reported a weakness in the trust model used by Mozilla regarding alternate names on self-signed certificates and those with mismatched names that if accepted could be used to spoof a secure connection to any other site. This problem was independently reported by...
Privilege escalation through Print Preview — Mozilla
Georgi Guninski reported two variants of using scripts in an XBL control to gain chrome privileges when the page is viewed under "Print Preview"...
Security Vulnerabilities fixed in Firefox 136 — Mozilla
On Windows, a compromised content process could use bad StreamData sent over AudioIPC to trigger a use-after-free in the Browser process. This could have led to a sandbox escape. Android apps can load web pages using the Custom Tabs feature. This feature supports a transition animation that could...
Security Vulnerabilities fixed in Thunderbird 131 — Mozilla
A compromised content process could have allowed for the arbitrary loading of cross-origin pages. An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the resource://pdf.js origin. This could allow them to access cross-origin PDF content. This access i...
Security Vulnerabilities fixed in Firefox 128 — Mozilla
An error in the ECMA-262 specification relating to Async Generators could have resulted in a type confusion, potentially leading to memory corruption and an exploitable crash. Firefox Android allowed immediate interaction with permission prompts. This could be used for tapjacking. Clipboard code...
Security vulnerabilities fixed in Firefox ESR 45.5 — Mozilla
A heap-buffer-overflow in Cairo when processing SVG content caused by compiler optimization, resulting in a potentially exploitable crash. When the Mozilla Updater is run, if the Updater's log file in the working directory points to a hardlink, data can be appended to an arbitrary local file. Thi...
Cairo rendering crash due to memory allocation issue with FFmpeg 0.10 — Mozilla
Security researcher Bert Massop reported a crash in the Cairo graphics layer on Linux systems using the LibAV library included in version 0.10 of the FFmpeg library. This was due to an error when allocating the LibAV header when decoding some videos...
Elevation of privilege with chrome.tabs.update API in web extensions — Mozilla
Security researcher Muneaki Nishimura (nishimunea) of Recruit Technologies Co., Ltd. reported that the chrome.tabs.update API for web extensions allows for navigation to javascript: URLs without additional permissions. This can be used to elevate privilege for a universal cross-site scripting (XSS) atta...
Local file overwriting and potential privilege escalation through CSP reports — Mozilla
Security researcher Nicolas Golubovic reported that a malicious page can overwrite files on the user's machine using Content Security Policy (CSP) violation reports. The file contents are restricted to the JSON format of the report. In many cases overwriting a local file may simply be destructive,...
Same-origin policy violation using performance.getEntries and history navigation with session restore — Mozilla
Security researcher Jordi Chancel discovered a variant of Mozilla Foundation Security Advisory 2015-136 which was fixed in Firefox 43. In the original bug, it was possible to read cross-origin URLs following a redirect if performance.getEntries was used along with an iframe to host a page...
Memory safety errors in libGLES in the ANGLE graphics library — Mozilla
Security researcher Ronald Crane reported two issues in the libGLES portions of the ANGLE graphics library, used for WebGL and OpenGL content on Windows systems. The first of these is a missing bounds check leading to memory safety errors when manipulating shaders which could result in the writin...
Crash when using debugger with SavedStacks in JavaScript — Mozilla
Security researcher Spandan Veggalam reported a crash while using the debugger API with SavedStacks in JavaScript. This crash can only occur when the debugger is in use but may be potentially exploitable...
Type confusion in Indexed Database Manager — Mozilla
Security researcher Paul Bandha reported a type confusion error where part of IDBDatabase is read by the Indexed Database Manager and incorrectly used as a pointer when it shouldn't be used as such. This leads to memory corruption and the possibility of an exploitable crash...
Buffer overflow and out-of-bounds read while parsing MP4 video metadata — Mozilla
Security researcher laf.intel reported a buffer overflow and out-of-bounds read in the libstagefright library while parsing invalid metadata in MPEG4 video files. This can lead to a potentially exploitable crash...
Uninitialized memory use during bitmap rendering — Mozilla
Google security researcher Michal Zalewski reported that when a malformed bitmap image is rendered by the bitmap decoder within an element, memory may not always be properly initialized. The resulting image then uses this uninitialized memory during rendering, allowing data to potentially leak to...
crypto.generateCRMFRequest does not validate type of key — Mozilla
Mozilla developer David Keeler reported that the crypto.generateCRMFRequest method did not correctly validate the key type of the KeyParams argument when generating ec-dual-use requests. This could lead to a crash and a denial of service (DOS) attack...
Segmentation violation when replacing ordered list elements — Mozilla
Security researchers Tyson Smith and Jesse Schwartzentruber of the BlackBerry Security Automated Analysis Team used the Address Sanitizer tool while fuzzing to discover a mechanism where inserting an ordered list into a document through script could lead to a potentially exploitable crash that ca...
Improperly initialized memory and overflows in some JavaScript functions — Mozilla
Compiler Engineer Dan Gohman of Google discovered a flaw in the JavaScript engine where memory was being incorrectly allocated for some functions and the calls for allocations were not always properly checked for overflow, leading to potential buffer overflows. When combined with other...
Memory corruption in workers — Mozilla
Security researcher Nils used the Address Sanitizer tool while fuzzing to discover a memory corruption issue with the JavaScript engine when using workers with direct proxies. This results in a potentially exploitable crash...
Wrong principal used for validating URI for some Javascript components — Mozilla
Security researcher Cody Crews reported that some Javascript components will perform checks against the wrong uniform resource identifier (URI) before performing security sensitive actions. This will return an incorrect location for the originator of the call. This could be used to bypass same-orig...