
1568 matches found

Mozilla
added 2013/06/25 12:0 a.m. | 42 views

Memory corruption found using Address Sanitizer — Mozilla

Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to discover a series of use-after-free problems rated critical as security issues in shipped software. Some of these issues are potentially exploitable, allowing for remote code execution...

10 CVSS | 2.1 AI score | 0.05397 EPSS
Exploits 0 | References 6 | Affected Software 5

Mozilla
added 2013/05/14 12:0 a.m. | 42 views

File input control has access to full path — Mozilla

Mozilla security researcher mozbugra4 reported a mechanism to exploit the control when set to the file type in order to get the full path. This can lead to information leakage and could be combined with other exploits to target attacks on the local file system...

4.3 CVSS | 5.5 AI score | 0.01041 EPSS
Exploits 0 | References 2 | Affected Software 1

Mozilla
added 2013/01/08 12:0 a.m. | 42 views

Use-after-free in Javascript Proxy objects — Mozilla

...

9.3 CVSS | 6.1 AI score | 0.04199 EPSS
Exploits 0 | References 2 | Affected Software 5

Mozilla
added 2012/10/11 12:0 a.m. | 42 views

Miscellaneous memory safety hazards (rv:16.0.1) — Mozilla

Mozilla developers identified and fixed two top crashing bugs in the browser engine used in Firefox and other Mozilla-based products. These bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to ru...

10 CVSS | 9.6 AI score | 0.04199 EPSS
Exploits 0 | References 4 | Affected Software 3

Mozilla
added 2012/04/24 12:0 a.m. | 42 views

Crash with WebGL content using textImage2D — Mozilla

Mozilla community member Ms2ger found an image rendering issue with WebGL when texImage2D uses JSVAL_TO_OBJECT on arbitrary objects. This can lead to a crash on a maliciously crafted web page. While there is no evidence that this is directly exploitable, there is a possibility of remote code...

9.3 CVSS | 2.9 AI score | 0.03522 EPSS
Exploits 0 | References 2 | Affected Software 5

Mozilla
added 2012/01/31 12:0 a.m. | 42 views

Crash with malformed embedded XSLT stylesheets — Mozilla

Security researchers Nicolas Grégoire and Aki Helin independently reported that when processing a malformed embedded XSLT stylesheet, Firefox can crash due to a memory corruption. While there is no evidence that this is directly exploitable, there is a possibility of remote code execution...

9.3 CVSS | 2.6 AI score | 0.05809 EPSS
Exploits 0 | References 2 | Affected Software 3

Mozilla
added 2011/11/08 12:0 a.m. | 42 views

Cross-origin image theft on Mac with integrated Intel GPU — Mozilla

Claus Wahlers reported that random images from GPU memory were showing up in WebGL textures. Once incorporated into the WebGL graphics it is possible for a site to programmatically read the image data and potentially gain sensitive data from other things that had been displayed earlier. This...

5 CVSS | 6.3 AI score | 0.01117 EPSS
Exploits 0 | References 2 | Affected Software 3

Mozilla
added 2011/06/21 12:0 a.m. | 42 views

XSS encoding hazard with inline SVG — Mozilla

Security researcher Mario Heiderich reported that HTML-encoded entities were being improperly decoded when displayed inside SVG elements. This could lead to XSS attacks on sites relying on HTML encoding of user-supplied content...

4.3 CVSS | 8.8 AI score | 0.01351 EPSS
Exploits 0 | References 2 | Affected Software 2

Mozilla
added 2011/03/01 12:0 a.m. | 42 views

Use-after-free error in JSON.stringify — Mozilla

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that a method used by JSON.stringify contained a use-after-free error in which a currently in-use pointer was freed and subsequently dereferenced. This could lead to arbitrary code execution if an attacker was able to...

10 CVSS | 3.1 AI score | 0.072 EPSS
Exploits 0 | References 2 | Affected Software 2

Mozilla
added 2011/03/01 12:0 a.m. | 42 views

Miscellaneous memory safety hazards (rv:1.9.2.14/ 1.9.1.17) — Mozilla

Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...

10 CVSS | 3.1 AI score | 0.05787 EPSS
Exploits 0 | References 4 | Affected Software 3

Mozilla
added 2010/12/09 12:0 a.m. | 42 views

Integer overflow vulnerability in NewIdArray — Mozilla

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that JavaScript arrays were vulnerable to an integer overflow vulnerability. The report demonstrated that an array could be constructed containing a very large number of items such that when memory was allocated to sto...

9.3 CVSS | 2 AI score | 0.04812 EPSS
Exploits 0 | References 2 | Affected Software 2

Mozilla
added 2010/10/27 12:0 a.m. | 42 views

Heap buffer overflow mixing document.write and DOM insertion — Mozilla

Morten Kråkvik of Telenor SOC reported an exploit targeting particular versions of Firefox 3.6 on Windows XP that Telenor found while investigating an intrusion attempt on a customer network. The underlying vulnerability, however, was present on both the Firefox 3.5 and Firefox 3.6 development...

9.8 CVSS | 2 AI score | 0.83279 EPSS
Exploits 14 | References 2 | Affected Software 3

Mozilla
added 2010/09/07 12:0 a.m. | 42 views

UTF-7 XSS by overriding document charset using <object> type attribute — Mozilla

Security researchers David Huang and Collin Jackson of Carnegie Mellon University CyLab Silicon Valley campus reported that the type attribute of an <object> tag can override the charset of a framed HTML document, even when the document is included across origins. A page could be constructed containing su...

4.3 CVSS | 9 AI score | 0.02107 EPSS
Exploits 0 | References 2 | Affected Software 3

Mozilla
added 2010/03/30 12:0 a.m. | 42 views

Dangling pointer vulnerability in nsTreeContentView — Mozilla

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative an error in the way elements are inserted into a XUL tree. In certain cases, the number of references to an element is under-counted so that when the element is deleted, a live pointer to its old location is kept arou...

9.3 CVSS | 3.1 AI score | 0.05203 EPSS
Exploits 0 | References 2 | Affected Software 3

Mozilla
added 2009/04/21 12:0 a.m. | 42 views

URL spoofing with box drawing character — Mozilla

Bjoern Hoehrmann and security researcher Moxie Marlinspike independently reported that Unicode box drawing characters were allowed in Internationalized Domain Names (IDN) where they could be visually confused with punctuation used in valid web addresses. This could be combined with a phishing-type...

5.8 CVSS | 1 AI score | 0.01497 EPSS
Exploits 0 | References 3 | Affected Software 3

Mozilla
added 2008/07/15 12:0 a.m. | 42 views

Command-line URLs launch multiple tabs when Firefox not running — Mozilla

Security researcher Billy Rios reported that if Firefox is not already running, passing it a command-line URI with pipe "|" symbols will open multiple tabs. This URI splitting could be used to launch chrome: URIs from the command-line, a partial bypass of the fix for MFSA 2005-53 which was intend...

2.6 CVSS | 0.5 AI score | 0.02753 EPSS
Exploits 1 | References 4 | Affected Software 1

Mozilla
added 2005/04/15 12:0 a.m. | 42 views

Javascript "lambda" replace exposes memory contents — Mozilla

A bug in javascript's regular expression string replacement when using an anonymous function as the replacement argument allows a malicious script to capture blocks of memory allocated to the browser. A web site could capture data and transmit it to a server without user interaction or knowledge...

5 CVSS | 6.2 AI score | 0.10036 EPSS
Exploits 1 | References 2 | Affected Software 2

Mozilla
added 2024/10/01 12:0 a.m. | 41 views

Security Vulnerabilities fixed in Firefox 131 — Mozilla

A user who enables full-screen mode on a specially crafted web page could potentially be prevented from exiting full screen mode. This may allow spoofing of other sites as the address bar is no longer visible. This bug only affects Firefox Focus for Android. Other versions of Firefox are unaffecte...

9.8 CVSS | 8.2 AI score | 0.00557 EPSS
Exploits 0 | References 14 | Affected Software 1

Mozilla
added 2023/05/09 12:0 a.m. | 41 views

Security Vulnerabilities fixed in Firefox ESR 102.11 — Mozilla

In multiple cases browser prompts could have been obscured by popups controlled by content. These could have led to potential user confusion and spoofing attacks. An out-of-bound read could have led to a crash in the RLBox Expat driver. A missing delay in popup notifications could have made it...

8.8 CVSS | 7.4 AI score | 0.00918 EPSS
Exploits 0 | References 9 | Affected Software 1

Mozilla
added 2016/08/02 12:0 a.m. | 41 views

Favicon network connection can persist when page is closed — Mozilla

Security researcher Toni Huttunen reported that once the favicon is requested from a site, the remote server can keep the favicon network connection open even when the page is later closed. This allows a malicious site to continue to use this channel to send requests to the browser, leading to...

4.3 CVSS | 1.1 AI score | 0.01471 EPSS
Exploits 0 | References 2 | Affected Software 2

Mozilla
added 2016/08/02 12:0 a.m. | 41 views

Arbitrary file manipulation by local user through Mozilla updater and callback application path parameter — Mozilla

Security researcher Holger Fuhrmannek reported that when the Updater is opened directly using the callback application path parameter, a copy of a user specified file is made as a callback file. If the target of this file is made with a locked hardlink, an arbitrary local file can be replaced on...

4.7 CVSS | 7.4 AI score | 0.00245 EPSS
Exploits 0 | References 2 | Affected Software 1

Mozilla
added 2016/08/02 12:0 a.m. | 41 views

Stack underflow during 2D graphics rendering — Mozilla

Georg Koppen of the Tor Project used the Address Sanitizer tool to discover a stack buffer underflow when calculating clipping regions in 2D graphics. This results in a potentially exploitable crash...

8.8 CVSS | 2.9 AI score | 0.03091 EPSS
Exploits 0 | References 2 | Affected Software 2

Mozilla
added 2016/08/02 12:0 a.m. | 41 views

Type confusion in display transformation — Mozilla

Using the Address Sanitizer tool, security researcher Nils reported a type confusion flaw in display transformation during rendering due to incorrect bounds checking. This leads to a potentially exploitable crash and can be triggered by web content...

8.8 CVSS | 1.6 AI score | 0.02272 EPSS
Exploits 0 | References 2 | Affected Software 2

Mozilla
added 2016/08/02 12:0 a.m. | 41 views

Information disclosure through Resource Timing API during page navigation — Mozilla

Amazon software engineer Catalin Dumitru reported that the URLs of resources loaded after a navigation started such as in an unload event handler were leaked to the following page through the Resource Timing API. This leads to potential information disclosure...

5 CVSS | 1.6 AI score | 0.02187 EPSS
Exploits 0 | References 2 | Affected Software 1

Mozilla
added 2016/06/07 12:0 a.m. | 41 views

Miscellaneous memory safety hazards (rv:47.0 / rv:45.2) — Mozilla

Mozilla developers and community members reported several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these...

8.8 CVSS | 2.4 AI score | 0.03888 EPSS
Exploits 0 | References 4 | Affected Software 3

Mozilla
added 2016/04/26 12:0 a.m. | 41 views

Write to invalid HashMap entry through JavaScript.watch() — Mozilla

The CESG, the Information Security Arm of GCHQ, reported that the JavaScript .watch method could be used to overflow the 32-bit generation count of the underlying HashMap, resulting in a write to an invalid entry. Under the right conditions this write could lead to arbitrary code execution. The...

7.5 CVSS | 0.7 AI score | 0.02064 EPSS
Exploits 0 | References 2 | Affected Software 2

Mozilla
added 2016/03/08 12:0 a.m. | 41 views

Use-after-free during XML transformations — Mozilla

Security researcher Nicolas Grégoire used the Address Sanitizer to find a use-after-free during XML transformation operations. This results in a potentially exploitable crash triggerable by web content...

8.8 CVSS | 2 AI score | 0.02842 EPSS
Exploits 0 | References 2 | Affected Software 3

Mozilla
added 2016/03/08 12:0 a.m. | 41 views

Use-after-free in GetStaticInstance in WebRTC — Mozilla

Security researcher Ronald Crane reported a race condition in GetStaticInstance in WebRTC which results in a use-after-free. This could result in a potentially exploitable crash. This issue was found through code inspection and does not have a clear mechanism to be exploited through web content but...

8.8 CVSS | 6.5 AI score | 0.02991 EPSS
Exploits 0 | References 2 | Affected Software 1

Mozilla
added 2016/01/26 12:0 a.m. | 41 views

Out of Memory crash when parsing GIF format images — Mozilla

Security researcher Gustavo Grieco reported an out of memory crash when loading maliciously crafted GIF format images. Investigation of the issue determined that the root cause was an error in image parsing code during deinterlacing, leading to a potential integer overflow...

6.5 CVSS | 7.8 AI score | 0.01791 EPSS
Exploits 0 | References 2 | Affected Software 1

Mozilla
added 2015/12/15 12:0 a.m. | 41 views

Hash in data URI is incorrectly parsed — Mozilla

Security researcher Abdulrahman Alqabandi reported that when a data: URI is parsed, the hash '#' symbol is incorrectly handled, allowing for spoofing attacks. This issue could result in the wrong URI being displayed as a location, which can mislead users to believe they are on a different site tha...

5 CVSS | 6.5 AI score | 0.02543 EPSS
Exploits 0 | References 2 | Affected Software 1

Mozilla
added 2015/12/15 12:0 a.m. | 41 views

Crash with JavaScript variable assignment with unboxed objects — Mozilla

Security researcher Cajus Pollmeier reported that Firefox 41 was crashing during some Javascript variable assignments. The issue was caused by an implementation error with unboxed objects and property storing in the JavaScript engine. This error could result in a potentially exploitable crash whe...

6.8 CVSS | 6.6 AI score | 0.03492 EPSS
Exploits 0 | References 2 | Affected Software 1

Mozilla
added 2015/08/11 12:0 a.m. | 41 views

Miscellaneous memory safety hazards (rv:40.0 / rv:38.2) — Mozilla

Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...

10 CVSS | 8.4 AI score | 0.06963 EPSS
Exploits 0 | References 4 | Affected Software 5

Mozilla
added 2015/03/31 12:0 a.m. | 41 views

Same-origin bypass through anchor navigation — Mozilla

Mozilla developer Olli Pettay reported that while investigating Mozilla Foundation Security Advisory 2015-28, he and Mozilla developer Boris Zbarsky found an alternate way to trigger a similar vulnerability. The previously reported flaw used an issue with SVG content navigation to bypass...

7.5 CVSS | 8.8 AI score | 0.03269 EPSS
Exploits 0 | References 3 | Affected Software 5

Mozilla
added 2015/03/31 12:0 a.m. | 41 views

Incorrect memory management for simple-type arrays in WebRTC — Mozilla

Security researcher Mitchell Harper used Valgrind to discover incorrect memory management for simple-type arrays in WebRTC. This was undefined behavior which is theoretically dangerous but was determined to be safe in this instance...

5 CVSS | 8.9 AI score | 0.0281 EPSS
Exploits 0 | References 2 | Affected Software 2

Mozilla
added 2015/02/24 12:0 a.m. | 41 views

Buffer overflow during CSS restyling — Mozilla

Security researcher Atte Kettunen used the Address Sanitizer tool to discover an out-of-bounds read during the application of restyling and reflowing changes of web content using CSS. This results in a potentially exploitable crash...

6.8 CVSS | 8.8 AI score | 0.03381 EPSS
Exploits 0 | References 2 | Affected Software 2

Mozilla
added 2014/10/14 12:0 a.m. | 41 views

Use-after-free interacting with text directionality — Mozilla

Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free during text layout when interacting with text direction. This results in a crash which can lead to arbitrary code execution...

7.5 CVSS | 9.4 AI score | 0.03978 EPSS
Exploits 0 | References 2 | Affected Software 5

Mozilla
added 2014/06/10 12:0 a.m. | 41 views

Use-after-free in Event Listener Manager — Mozilla

Security researchers Tyson Smith and Jesse Schwartzentruber of the BlackBerry Security Automated Analysis Team used the Address Sanitizer tool while fuzzing to discover a use-after-free in the event listener manager. This can be triggered by web content and leads to a potentially exploitable cras...

9.3 CVSS | 9 AI score | 0.03814 EPSS
Exploits 0 | References 2 | Affected Software 2

Mozilla
added 2013/10/29 12:0 a.m. | 41 views

Use-after-free in HTML document templates — Mozilla

Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to discover a use-after-free when interacting with HTML document templates. This leads to a potentially exploitable crash...

10 CVSS | 1.1 AI score | 0.05416 EPSS
Exploits 0 | References 2 | Affected Software 4

Mozilla
added 2013/09/17 12:0 a.m. | 41 views

NativeKey continues handling key messages after widget is destroyed — Mozilla

Mozilla developer Masayuki Nakano discovered that the NativeKey widget continues handling key messages even when it is destroyed by dispatched event listeners. This could result in some key events being applied to other objects or plugins if the widget memory is reallocated to them, leading to a...

4.3 CVSS | 1.2 AI score | 0.01795 EPSS
Exploits 0 | References 2 | Affected Software 3

Mozilla
added 2013/04/02 12:0 a.m. | 41 views

Privilege escalation through Mozilla Maintenance Service — Mozilla

Security researcher Frédéric Hoguin discovered that the Mozilla Maintenance Service on Windows was vulnerable to a buffer overflow. This system is used to update software without invoking the User Account Control (UAC) prompt. The Mozilla Maintenance Service is configured to allow unprivileged user...

7.2 CVSS | 6.7 AI score | 0.00388 EPSS
Exploits 0 | References 2 | Affected Software 4

Mozilla
added 2012/08/28 12:0 a.m. | 41 views

Escalation of privilege through about:newtab — Mozilla

Security researcher Mariusz Mlynski reported that when a page opens a new tab, a subsequent window can then be opened that can be navigated to about:newtab, a chrome privileged page. Once about:newtab is loaded, the special context can potentially be used to escalate privilege, allowing for...

9.3 CVSS | 4.4 AI score | 0.02423 EPSS
Exploits 1 | References 2 | Affected Software 1

Mozilla
added 2011/11/08 12:0 a.m. | 41 views

Code execution via NoWaiverWrapper — Mozilla

Mozilla security researcher mozbugra4 reported that an internal privilege check failed to respect the NoWaiverWrappers introduced with Firefox 4. This could result in elevated privilege being granted to web content...

9.3 CVSS | 9.2 AI score | 0.01973 EPSS
Exploits 1 | References 2 | Affected Software 3

Mozilla
added 2011/06/21 12:0 a.m. | 41 views

Multiple WebGL crashes — Mozilla

Mozilla security researcher Christoph Diehl reported two crashes in WebGL code. One crash was the result of an out-of-bounds read and could be used to read data from other processes who had stored data in the GPU. The severity of this issue was determined to be high. The second crash was the resu...

10 CVSS | 6.5 AI score | 0.04216 EPSS
Exploits 0 | References 4 | Affected Software 2

Mozilla
added 2011/04/28 12:0 a.m. | 41 views

Miscellaneous memory safety hazards (rv:2.0.1/ 1.9.2.17/ 1.9.1.19) — Mozilla

Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...

10 CVSS | 3.1 AI score | 0.06858 EPSS
Exploits 3 | References 20 | Affected Software 3

Mozilla
added 2010/12/09 12:0 a.m. | 41 views

Crash and remote code execution using HTML tags inside a XUL tree — Mozilla

Security researcher wushi of team509 reported that when a XUL tree had an HTML element nested inside a element then code attempting to display content in the XUL tree would incorrectly treat the element as a parent node to tree content underneath it resulting in incorrect indexes being calculated...

9.3 CVSS | 1 AI score | 0.04812 EPSS
Exploits 0 | References 2 | Affected Software 2

Mozilla
added 2010/10/19 12:0 a.m. | 41 views

Cross-site information disclosure via modal calls — Mozilla

Security researcher Eduardo Vela Nava reported that if a web page opened a new window and used a javascript: URL to make a modal call, such as alert, then subsequently navigated the page to a different domain, once the modal call returned the opener of the window could get access to objects in th...

5.8 CVSS | 1.7 AI score | 0.01398 EPSS
Exploits 1 | References 2 | Affected Software 3

Mozilla
added 2010/06/22 12:0 a.m. | 41 views

Crashes with evidence of memory corruption (rv:1.9.2.4/ 1.9.1.10) — Mozilla

Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...

9.3 CVSS | 2.8 AI score | 0.06119 EPSS
Exploits 1 | References 8 | Affected Software 3

Mozilla
added 2008/09/23 12:0 a.m. | 41 views

nsXMLDocument::OnChannelRedirect() same-origin violation — Mozilla

Mozilla security researcher mozbugra4 reported that the same-origin check in nsXMLDocument::OnChannelRedirect could be bypassed. This vulnerability could be used to execute JavaScript in the context of a different website...

7.5 CVSS | 1.6 AI score | 0.02143 EPSS
Exploits 1 | References 2 | Affected Software 3

Mozilla
added 2008/09/23 12:0 a.m. | 41 views

Forced mouse drag — Mozilla

Mozilla developer Paul Nickerson reported a variant of a click-hijacking vulnerability discovered in Internet Explorer by Liu Die Yu. The vulnerability allowed an attacker to move the content window while the mouse was being clicked, causing an item to be dragged rather than clicked-on. This issu...

9.3 CVSS | 3.9 AI score | 0.03268 EPSS
Exploits 1 | References 2 | Affected Software 2

Mozilla
added 2007/10/18 12:0 a.m. | 41 views

Digest authentication request splitting — Mozilla

Security researcher Stefano Di Paola reported that Firefox did not properly validate the user ID when making an HTTP request using Digest Authentication to log into a web site. A malicious page could abuse this to inject arbitrary HTTP headers by including a newline character in the user ID...

4.3 CVSS | 1 AI score | 0.12736 EPSS
Exploits 1 | References 3 | Affected Software 2

Total number of security vulnerabilities: 1568