Mozilla Network Security Services (NSS) SSLv2 buffer overflows — Mozilla
iDefense has informed Mozilla about two potential buffer overflow vulnerabilities found by researcher regenrecht in the Network Security Services (NSS) code for processing the SSLv2 protocol...
XSS by setting img.src to javascript: URI — Mozilla
mozbugra4 reported that the src attribute of an IMG element loaded in a frame could be changed to a javascript: URI that was able to bypass the protections against cross-site script (XSS) injection. The injected script could steal credentials and financial data, or perform destructive actions on...
Running Script can be recompiled — Mozilla
shutdown demonstrated that it was possible to modify a Script object while it was executing, potentially leading to the execution of arbitrary JavaScript bytecode...
Code execution through deleted frame reference — Mozilla
Thilo Girmann discovered that in certain circumstances a JavaScript reference to a frame or window was not properly cleared when the referenced content went away, and he demonstrated that this pointer to a deleted object could be used to execute native code supplied by the attacker...
Security Vulnerabilities fixed in Firefox ESR 91.12 — Mozilla
When combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed. When visiting directory listings for chrome:// URLs as source text, some parameters were reflected...
Security Vulnerabilities fixed in Thunderbird 68.12 — Mozilla
If Thunderbird is installed to a user-writable directory, the Mozilla Maintenance Service would execute updater.exe from the install location with system privileges. Although the Mozilla Maintenance Service does ensure that updater.exe is signed by Mozilla, the version could have been rolled back...
Security vulnerabilities fixed in Firefox ESR 45.4 — Mozilla
An out-of-bounds write of a boolean value during text conversion with some unicode characters. A bad cast when processing layout with input elements can result in a potentially exploitable crash. A use-after-free vulnerability triggered by setting an aria-owns attribute. A use-after-free issue in w...
Addressbar spoofing with right-to-left characters on Firefox for Android — Mozilla
Security researcher Rafay Baloch reported a mechanism to spoof the addressbar in Firefox for Android using right-to-left character sets when combined with left-to-right characters. This can be used to cause only certain portions of the loaded left-to-right character portion of the URL to be...
Use-after-free deleting tables from a contenteditable document — Mozilla
Security researcher firehack used the Address Sanitizer tool to discover a use-after-free in contenteditable mode. This occurs when deleting document object model (DOM) table elements created within the editor and results in a potentially exploitable crash...
Addressbar spoofing attacks — Mozilla
Security researcher Jordi Chancel reported two issues involving addressbar spoofing...
Scripted proxies can access inner window — Mozilla
Security researcher André Bargull reported that when a web page creates a scripted proxy for the window with a handler defined a certain way, a reference to the inner window will be passed, rather than that of the outer window in violation of the specification...
Use-after-free while manipulating HTML media content — Mozilla
An anonymous researcher reported, via HP's Zero Day Initiative, a use-after-free vulnerability with HTML media elements on a page during script manipulation of the URI table of these elements. This results in a potentially exploitable crash...
Buffer overflow while decoding WebM video — Mozilla
Using the Address Sanitizer tool, security researcher Atte Kettunen discovered a buffer overflow in the nestegg library when decoding a WebM format video with maliciously formatted headers. This leads to a potentially exploitable crash...
Wifi direct system messages don't require a permission — Mozilla
Paul Theriault of Mozilla discovered a privacy issue with a WiFi-related system message that wasn't properly restricted to apps with the "wifi-manage" permission. As a result, even unprivileged apps could have received those messages, allowing them to extract limited information from a vulnerable...
Miscellaneous memory safety hazards (rv:38.0 / rv:31.7) — Mozilla
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...
Loading privileged content through Reader mode — Mozilla
Security researcher Armin Ebert reported a flaw in Reader mode on Firefox for Android. Reader mode reformats web content for easy readability and operates as unprivileged content that is the equivalent of the formatted content. When Reader mode is unable to process content, it displays the origin...
Invoking Mozilla updater will load locally stored DLL files — Mozilla
Security researcher Holger Fuhrmannek reported that when the Mozilla updater is run directly, the updater will load binary DLL format files from the local working directory or from the Windows temporary directories. This occurs when it is run without the Mozilla Maintenance Service on Windows...
Use-after-free during HTML5 parsing — Mozilla
Security researcher SkyLined reported a use-after-free created by triggering the creation of a second root element while parsing HTML written to a document created with document.open. This leads to a potentially exploitable crash...
Out of bounds write in NSPR — Mozilla
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team reported an out of bounds write in the Netscape Portable Runtime (NSPR) leading to a potentially exploitable crash or code execution. This issue is fixed in NSPR version 4.10.6...
Integer overflow in ANGLE library — Mozilla
Security researcher Alex Chapman reported that the Almost Native Graphics Layer Engine (ANGLE) library used by Mozilla is vulnerable to an integer overflow. This vulnerability is present because of insufficient bounds checking in the drawLineLoop function, which can be driven by web content to...
Use-after-free with select element — Mozilla
Security researcher Scott Bell used the Address Sanitizer tool to discover a use-after-free when using a select element in a form after it has been destroyed. This could lead to a potentially exploitable crash...
Memory corruption involving scrolling — Mozilla
Security researcher Nils reported two potentially exploitable memory corruption bugs involving scrolling. The first was a use-after-free condition due to scrolling an image document. The second was due to nodes in a range request being added as children of two different parents...
Privileged content access and execution via XBL — Mozilla
Security researcher Mariusz Mlynski reported that it is possible to compile a user-defined function in the XBL scope of a specific element and then trigger an event within this scope to run code. In some circumstances, when this code is run, it can access content protected by System Only Wrappers...
Privilege escalation through Mozilla Updater — Mozilla
Security researcher Ash reported an issue with the Mozilla Updater. The Mozilla Updater can be made to load a malicious local DLL file in a privileged context through either the Mozilla Maintenance Service or independently on systems that do not use the service. This occurs when the DLL file is...
Crash when combining SVG text on path with CSS — Mozilla
Security researcher Jonathan Stephens discovered that combining SVG text on a path with the setting of CSS properties could lead to a potentially exploitable crash...
HTTPMonitor extension allows for remote debugging without explicit activation — Mozilla
Mozilla security researcher Mark Goodwin discovered an issue with the Firefox developer tools' debugger. If remote debugging is disabled, but the experimental HTTPMonitor extension has been installed and enabled, a remote user can connect to and use the remote debugging service through the port...
WebGLES vulnerabilities — Mozilla
Two crashes that could potentially be exploited to run malicious code were found in the WebGL feature and fixed in Firefox 4.0.1. In addition, the WebGLES libraries could potentially be used to bypass a security feature of recent Windows versions. The WebGL feature was introduced in Firefox 4; old...
Directory traversal in resource: protocol — Mozilla
Security researcher Soroush Dalili reported that the resource: protocol could be exploited to allow directory traversal on Windows and the potential loading of resources from non-permitted locations. The impact would depend on whether interesting files existed in predictable locations in a useful...
Dangling pointer vulnerability in nsPluginArray — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative an error in the implementation of the window.navigator.plugins object. When a page reloads, the plugins array would reallocate all of its members without checking for existing references to each member. This could resu...
Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.8/ 1.9.0.18) — Mozilla
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be...
Web Worker Array Handling Heap Corruption Vulnerability — Mozilla
Security researcher Orlando Barrera II of SecTheory reported, via TippingPoint's Zero Day Initiative, that Mozilla's implementation of Web Workers contained an error in its handling of array data types when processing posted messages. This error could be used by an attacker to corrupt heap memory...
XSS due to window.dialogArguments being readable cross-domain — Mozilla
Security researcher Hidetake Jo of Microsoft Vulnerability Research reported that the properties set on an object passed to showModalDialog were readable by the document contained in the dialog, even when the document was from a different domain. This is a violation of the same-origin policy and...
XSS hazard using SVG document and binary Content-Type — Mozilla
Mozilla security researcher Georgi Guninski reported that when a SVG document which is served with Content-Type: application/octet-stream is embedded into another document via an embed tag with type="image/svg+xml", the Content-Type is ignored and the SVG document is processed normally. A website which...
Crashes with evidence of memory corruption (rv:1.9.1.4/ 1.9.0.15) — Mozilla
Mozilla developers and community members identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some ...
Upgrade media libraries to fix memory safety bugs — Mozilla
Mozilla upgraded several third party libraries used in media rendering to address multiple memory safety and stability bugs identified by members of the Mozilla community. Some of the bugs discovered could potentially be used by an attacker to crash a victim's browser and execute arbitrary code o...
Buffer overflow in http-index-format parser — Mozilla
Justin Schuh of the IBM X-Force reported a flaw in the way Mozilla parses the http-index-format MIME type. By sending a specially crafted 200 header line in the HTTP index response, an attacker can cause the browser to crash and run arbitrary code on the victim's computer...
Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17) — Mozilla
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be...
Remote code execution by overflowing CSS reference counter — Mozilla
An anonymous researcher, via TippingPoint's Zero Day Initiative program, reported a vulnerability in Mozilla's internal CSSValue array data structure. The vulnerability was caused by an insufficiently sized variable being used as a reference counter for CSS objects. By creating a very large numbe...
JavaScript privilege escalation and arbitrary code execution — Mozilla
Mozilla contributors mozbugra4, Boris Zbarsky, and Johnny Stenback reported a series of vulnerabilities which allow scripts from page content to run with elevated privileges. mozbugra4 demonstrated additional variants of MFSA 2007-25 and MFSA 2007-35 (arbitrary code execution through XPCNativeWrapp...
HTTP Referrer spoofing with malformed URLs — Mozilla
Security researcher Gregory Fleischer demonstrated a problem with the HTTP Referer: [sic] header sent with requests to URLs containing Basic Authentication credentials with empty usernames. In these cases a number of leading characters, based on the length of the password in the URL, are removed fr...
File type confusion due to %00 in name — Mozilla
Ronald van den Heetkamp reported that a filename URL containing %00 (encoded null) can cause Firefox to interpret the file extension differently than the underlying Windows operating system, potentially leading to unsafe actions such as running a program. This is only accessible locally...
Security Vulnerabilities fixed in Firefox ESR 91.10 — Mozilla
A malicious website could have learned the size of a cross-origin resource that supported Range requests. A malicious webpage could have caused an out-of-bounds write in WebGL, leading to memory corruption and a potentially exploitable crash. When exiting fullscreen mode, an iframe could have...
Security vulnerabilities fixed in Firefox ESR 45.7 — Mozilla
JIT code allocation can allow for a bypass of ASLR and DEP protections, leading to potential memory corruption attacks. Use-after-free while manipulating XSL in XSLT documents. Hashed codes of JavaScript objects are shared between pages. This allows for pointer leaks because an object's address can...
Addressbar spoofing through history navigation and Location protocol property — Mozilla
Security researcher Tsubasa Iinuma reported a mechanism where the displayed addressbar can be spoofed to users. This issue involves using history navigation in concert with the Location protocol property. After navigating from a malicious page to another, if the user navigates back to the initial...
Service Worker Manager out-of-bounds read in Service Worker Manager — Mozilla
Security researcher Looben Yang reported a mechanism where the Clients API in Service Workers can be used to trigger an out-of-bounds read in ServiceWorkerManager. This results in a potentially exploitable crash...
Lockscreen delay bypass in Firefox OS — Mozilla
Frederik Braun of Mozilla discovered a bug in the lockscreen state logic that allows an attacker to bypass the lockscreen delay. The delay was introduced to make it harder to brute-force the passcode lock of a Firefox OS device when an attacker has gained physical access. A successful attack woul...
Buffer overflow during image interactions in canvas — Mozilla
Security researcher Looben Yang reported a buffer overflow in the JPEGEncoder function during script interactions with a canvas element. This is caused by a race condition and incorrectly matched sizes following image interactions. This leads to a potentially exploitable crash...
Overflow issues in libstagefright — Mozilla
An anonymous researcher reported, via TippingPoint's Zero Day Initiative, two integer overflows in the libstagefright library that could be triggered by a malicious 'saio' chunk in an MPEG4 video. These overflows allowed for potential arbitrary code execution. This issue was independently reporte...
Use-after-free in XMLHttpRequest with shared workers — Mozilla
Security researcher Looben Yang discovered a use-after-free vulnerability when recursively calling .open on an XMLHttpRequest in a SharedWorker...
Code execution through incorrect JavaScript bounds checking elimination — Mozilla
Security researcher ilxu1a reported, through HP Zero Day Initiative's Pwn2Own contest, a flaw in Mozilla's implementation of typed array bounds checking in JavaScript just-in-time compilation (JIT) and its management of bounds checking for heap access. This flaw can be leveraged into the reading an...