1574 matches found
Arbitrary file manipulation by local user through Mozilla updater and callback application path parameter — Mozilla
Security researcher Holger Fuhrmannek reported that when the Updater is opened directly using the callback application path parameter, a copy of a user specified file is made as a callback file. If the target of this file is made with a locked hardlink, an arbitrary local file can be replaced on...
Cairo rendering crash due to memory allocation issue with FFmpeg 0.10 — Mozilla
Security researcher Bert Massop reported a crash in the Cairo graphics layer on Linux systems using the LibAV library included in version 0.10 of the FFmpeg library. This was due to an error when allocating the LibAV header when decoding some videos...
Information disclosure through Resource Timing API during page navigation — Mozilla
Amazon software engineer Catalin Dumitru reported that the URLs of resources loaded after a navigation started such as in an unload event handler were leaked to the following page through the Resource Timing API. This leads to potential information disclosure...
Elevation of privilege with chrome.tabs.update API in web extensions — Mozilla
Security researcher Muneaki Nishimura nishimunea of Recruit Technologies Co., Ltd. reported that the chrome.tabs.update API for web extensions allows for navigation to javascript: URLs without additional permissions. This can used to elevate privilege for a universal cross-site scripting XSS atta...
Local file overwriting and potential privilege escalation through CSP reports — Mozilla
Security researcher Nicolas Golubovic reported that a malicious page can overwrite files on the user's machine using Content Security Policy CSP violation reports. The file contents are restricted to the JSON format of the report. In many cases overwriting a local file may simply be destructive,...
Same-origin policy violation using performance.getEntries and history navigation with session restore — Mozilla
Security researcher Jordi Chancel discovered a variant of Mozilla Foundation Security Advisory 2015-136 which was fixed in Firefox 43. In the original bug, it was possible to read cross-origin URLs following a redirect if performance.getEntries was used along with an iframe to host a page...
Out of Memory crash when parsing GIF format images — Mozilla
Security researcher Gustavo Grieco reported an out of memory crash when loading maliciously crafted GIF format images. Investigation of the issue determined that the root cause was an error in image parsing code during deinterlacing, leading to a potential integer overflow...
Crash with JavaScript variable assignment with unboxed objects — Mozilla
Security researcher Cajus Pollmeier reported that Firefox 41 was crashing during some Javascript variable assignments. The issue was caused by an implementation error with unboxed objects and property storing in the JavaScript engine. This error could result in a potentially exploitable crash whe...
Crash when using debugger with SavedStacks in JavaScript — Mozilla
Security researcher Spandan Veggalam reported a crash while using the debugger API with SavedStacks in JavaScript. This crash can only occurs when the debugger is in use but may be potentially exploitable...
Errors in the handling of CORS preflight request headers — Mozilla
Mozilla developer Ehsan Akhgari reported two issues with Cross-origin resource sharing CORS "preflight" requests...
Type confusion in Indexed Database Manager — Mozilla
Security researcher Paul Bandha reported a type confusion error where part of IDBDatabase is read by the Indexed Database Manager and incorrectly used as a pointer when it shouldn't be used as such. This leads to memory corruption and the possibility of an exploitable crash...
Uninitialized memory use during bitmap rendering — Mozilla
Google security researcher Michal Zalewski reported that when a malformed bitmap image is rendered by the bitmap decoder within a element, memory may not always be properly initialized. The resulting image then uses this uninitialized memory during rendering, allowing data to potentially leak to...
UI selection timeout missing on download prompts — Mozilla
Security researcher Jordi Chancel reported that the dialog for saving downloaded files did not implement a security timeout before button selections were processed. This could be used in concert with spoofing to convince users to select a different option than intended, causing downloaded files t...
Segmentation violation when replacing ordered list elements — Mozilla
Security researchers Tyson Smith and Jesse Schwartzentruber of the BlackBerry Security Automated Analysis Team used the Address Sanitizer tool while fuzzing to discover a mechanism where inserting an ordered list into a document through script could lead to a potentially exploitable crash that ca...
Memory corruption in workers — Mozilla
Security researcher Nils used the Address Sanitizer tool while fuzzing to discover a memory corruption issue with the JavaScript engine when using workers with direct proxies. This results in a potentially exploitable crash...
Improperly initialized memory and overflows in some JavaScript functions — Mozilla
Compiler Engineer Dan Gohman of Google discovered a flaw in the JavaScript engine where memory was being incorrectly allocated for some functions and the calls for allocations were not always properly checked for overflow, leading to potential buffer overflows. When combined with other...
Wrong principal used for validating URI for some Javascript components — Mozilla
Security researcher Cody Crews reported that some Javascript components will perform checks against the wrong uniform resource identifier URI before performing security sensitive actions. This will return an incorrect location for the originator of the call. This could be used to bypass same-orig...
Memory corruption found using Address Sanitizer — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to discover a series of use-after-free problems rated critical as security issues in shipped software. Some of these issues are potentially exploitable, allowing for remote code execution...
File input control has access to full path — Mozilla
Mozilla security researcher mozbugra4 reported a mechanism to exploit the control when set to the file type in order to get the full path. This can lead to information leakage and could be combined with other exploits to target attacks on the local file system...
Crash with malformed embedded XSLT stylesheets — Mozilla
Security researchers Nicolas Grégoire and Aki Helin independently reported that when processing a malformed embedded XSLT stylesheet, Firefox can crash due to a memory corruption. While there is no evidence that this is directly exploitable, there is a possibility of remote code execution...
Cross-origin image theft on Mac with integrated Intel GPU — Mozilla
Claus Wahlers reported that random images from GPU memory were showing up in WebGL textures. Once incorporated into the WebGL graphics it is possible for a site to programmatically read the image data and potentially gain sensitive data from other things that had been displayed earlier. This...
XSS encoding hazard with inline SVG — Mozilla
Security researcher Mario Heiderich reported that HTML-encoded entities were being improperly decoded when displayed inside SVG elements. This could lead to XSS attacks on sites relying on HTML encoding of user-supplied content...
WebGLES vulnerabilities — Mozilla
Two crashes that could potentially be exploited to run malicious code were found in the WebGL feature and fixed in Firefox 4.0.1. In addition the WebGLES libraries could potentially be used to bypass a security feature of recent Windows versions. The WebGL feature was introduced in Firefox 4; old...
Integer overflow vulnerability in NewIdArray — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that JavaScript arrays were vulnerable to an integer overflow vulnerability. The report demonstrated that an array could be constructed containing a very large number of items such that when memory was allocated to sto...
Heap buffer overflow mixing document.write and DOM insertion — Mozilla
Morten Kråkvik of Telenor SOC reported an exploit targeting particular versions of Firefox 3.6 on Windows XP that Telenor found while investigating an intrusion attempt on a customer network. The underlying vulnerability, however, was present on both the Firefox 3.5 and Firefox 3.6 development...
Dangling pointer vulnerability in nsTreeContentView — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative an error in the way elements are inserted into a XUL tree . In certain cases, the number of references to an element is under-counted so that when the element is deleted, a live pointer to its old location is kept arou...
Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.8/ 1.9.0.18) — Mozilla
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be...
XSS hazard using SVG document and binary Content-Type — Mozilla
Mozilla security researcher Georgi Guninski reported that when a SVG document which is served with Content-Type: application/octet-stream is embedded into another document via an tag with type="image/svg+xml", the Content-Type is ignored and the SVG document is processed normally. A website which...
Crashes with evidence of memory corruption (rv:1.9.1.4/ 1.9.0.15) — Mozilla
Mozilla developers and community members identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some ...
URL spoofing with box drawing character — Mozilla
Bjoern Hoehrmann and security researcher Moxie Marlinspike independently reported that Unicode box drawing characters were allowed in Internationalized Domain Names IDN where they could be visually confused with punctuation used in valid web addresses. This could be combined with a phishing-type...
Forced mouse drag — Mozilla
Mozilla developer Paul Nickerson reported a variant of a click-hijacking vulnerability discovered in Internet Explorer by Liu Die Yu. The vulnerability allowed an attacker to move the content window while the mouse was being clicked, causing an item to be dragged rather than clicked-on. This issu...
Command-line URLs launch multiple tabs when Firefox not running — Mozilla
Security researcher Billy Rios reported that if Firefox is not already running, passing it a command-line URI with pipe "|" symbols will open multiple tabs. This URI splitting could be used to launch chrome: URIs from the command-line, a partial bypass of the fix for MFSA 2005-53 which was intend...
Code execution through deleted frame reference — Mozilla
Thilo Girmann discovered that in certain circumstances a JavaScript reference to a frame or window was not properly cleared when the referenced content went away, and he demonstrated that this pointer to a deleted object could be used to execute native code supplied by the attacker...
Security Vulnerabilities fixed in Firefox 131 — Mozilla
A user who enables full-screen mode on a specially crafted web page could potentially be prevented from exiting full screen mode. This may allow spoofing of other sites as the address bar is no longer visible.This bug only affects Firefox Focus for Android. Other versions of Firefox are unaffecte...
Security Vulnerabilities fixed in Thunderbird 131 — Mozilla
A compromised content process could have allowed for the arbitrary loading of cross-origin pages. An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the resource://pdf.js origin. This could allow them to access cross-origin PDF content. This access i...
Security Vulnerabilities fixed in Firefox ESR 102.11 — Mozilla
In multiple cases browser prompts could have been obscured by popups controlled by content. These could have led to potential user confusion and spoofing attacks. An out-of-bound read could have led to a crash in the RLBox Expat driver. A missing delay in popup notifications could have made it...
Security Vulnerabilities fixed in Firefox ESR 91.10 — Mozilla
A malicious website could have learned the size of a cross-origin resource that supported Range requests. A malicious webpage could have caused an out-of-bounds write in WebGL, leading to memory corruption and a potentially exploitable crash. When exiting fullscreen mode, an iframe could have...
Type confusion in display transformation — Mozilla
Using the Address Sanitizer tool, security researcher Nils reported a type confusion flaw in display transformation during rendering due to incorrect bounds checking. This leads to a potentially exploitable crash and can be triggered by web content...
Addressbar spoofing with right-to-left characters on Firefox for Android — Mozilla
Security researcher Rafay Baloch reported a mechanism to spoof the addressbar in Firefox for Android using right-to-left character sets when combined with left-to-right characters. This can be used to cause only certain portions of the loaded left-to-right character portion of the URL to be...
Use-after-free deleting tables from a contenteditable document — Mozilla
Security researcher firehack used the Address Sanitizer tool to discover a use-after-free in contenteditable mode. This occurs when deleting document object model DOM table elements created within the editor and results in a potentially exploitable crash...
Use-after-free during XML transformations — Mozilla
Security researcher Nicolas Grégoire used the Address Sanitizer to find a use-after-free during XML transformation operations. This results in a potentially exploitable crash triggerable by web content...
Addressbar spoofing attacks — Mozilla
Security researcher Jordi Chancel reported two issues involving addressbar spoofing...
Hash in data URI is incorrectly parsed — Mozilla
Security researcher Abdulrahman Alqabandi reported that when a data: URI is parsed, the hash '' symbol is incorrectly handled, allowing for spoofing attacks. This issue could result in the wrong URI being displayed as a location, which can mislead users to believe they are on a different site tha...
Memory safety errors in libGLES in the ANGLE graphics library — Mozilla
Security researcher Ronald Crane reported two issues in the libGLES portions of the ANGLE graphics library, used for WebGL and OpenGL content on Windows systems. The first of these is a missing bounds check leading to memory safety errors when manipulating shaders which could result in the writin...
Buffer overflow while decoding WebM video — Mozilla
Using the Address Sanitizer tool, security researcher Atte Kettunen discovered a buffer overflow in the nestegg library when decoding a WebM format video with maliciously formatted headers. This leads to a potentially exploitable crash...
Miscellaneous memory safety hazards (rv:40.0 / rv:38.2) — Mozilla
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...
Miscellaneous memory safety hazards (rv:38.0 / rv:31.7) — Mozilla
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...
Buffer overflow and out-of-bounds read while parsing MP4 video metadata — Mozilla
Security researcher laf.intel reported a buffer overflow and out-of-bounds read in the libstagefright library while parsing invalid metadata in MPEG4 video files. This can lead to a potentially exploitable crash...
Same-origin bypass through anchor navigation — Mozilla
Mozilla developer Olli Pettay reported that while investigating Mozilla Foundation Security Advisory 2015-28, he and Mozilla developer Boris Zbarsky found an alternate way to trigger a similar vulnerability. The previously reported flaw used an issue with SVG content navigation to bypass...
Incorrect memory management for simple-type arrays in WebRTC — Mozilla
Security researcher Mitchell Harper used Valgrind to discover incorrect memory management for simple-type arrays in WebRTC. This was undefined behavior which is theoretically dangerous but was determined to be safe in this instance...