1574 matches found
Use-after-free interacting with text directionality — Mozilla
Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free during text layout when interacting with text direction. This results in a crash which can lead to arbitrary code execution...
crypto.generateCRMFRequest does not validate type of key — Mozilla
Mozilla developer David Keeler reported that the crypto.generateCRFMRequest method did not correctly validate the key type of the KeyParams argument when generating ec-dual-use requests. This could lead to a crash and a denial of service DOS attack...
Use-after-free in HTML document templates — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to discover a user-after-free when interacting with HTML document templates. This leads to a potentially exploitable crash...
Memory corruption involving scrolling — Mozilla
Security researcher Nils reported two potentially exploitable memory corruption bugs involving scrolling. The first was a use-after-free condition due to scrolling an image document. The second was due to nodes in a range request being added as children of two different parents...
NativeKey continues handling key messages after widget is destroyed — Mozilla
Mozilla developer Masayuki Nakano discovered that the NativeKey widget continues handling key messages even when it is destroyed by dispatched event listeners. This could result in some key events being applied to other objects or plugins if the widget memory is reallocated to them, leading to a...
Integer overflow in ANGLE library — Mozilla
Security researcher Alex Chapman reported that the Almost Native Graphics Layer Engine ANGLE library used by Mozilla is vulnerable to an integer overflow. This vulnerability is present because of insufficient bounds checking in the drawLineLoop function, which can be driven by web content to...
Shared object library loading from writable location — Mozilla
Mozilla developer Vladimir Vukicevic reported that Firefox for Android will optionally load a shared object .so library in order to enable GL tracing. When this is occurs, it can be from a world writable location, allowing for it to be replaced by malicious third party applications before it is...
Privilege escalation through Mozilla Maintenance Service — Mozilla
Security researcher Frédéric Hoguin discovered that the Mozilla Maintenance Service on Windows was vulnerable to a buffer overflow. This system is used to update software without invoking the User Account Control UAC prompt. The Mozilla Maintenance Service is configured to allow unprivileged user...
Crash when combining SVG text on path with CSS — Mozilla
Security researcher Jonathan Stephens discovered that combining SVG text on a path with the setting of CSS properties could lead to a potentially exploitable crash...
Escalation of privilege through about:newtab — Mozilla
Security researcher Mariusz Mlynski reported that when a page opens a new tab, a subsequent window can then be opened that can be navigated to about:newtab, a chrome privileged page. Once about:newtab is loaded, the special context can potentially be used to escalate privilege, allowing for...
Potentially exploitable WebGL crashes — Mozilla
Michael Jordon of Context IS reported that in the ANGLE library used by WebGL the return value from GrowAtomTable was not checked for errors. If an attacker could cause requests that exceeded the available memory those would fail and potentially lead to a buffer overrun as subsequent code wrote...
Multiple WebGL crashes — Mozilla
Mozilla security researcher Christoph Diehl reported two crashes in WebGL code. One crash was the result of an out-of-bounds read and could be used to read data from other processes who had stored data in the GPU. The severity of this issue was determined to be high. The second crash was the resu...
Miscellaneous memory safety hazards (rv:2.0.1/ 1.9.2.17/ 1.9.1.19) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Cross-site information disclosure via modal calls — Mozilla
Security researcher Eduardo Vela Nava reported that if a web page opened a new window and used a javascript: URL to make a modal call, such as alert, then subsequently navigated the page to a different domain, once the modal call returned the opener of the window could get access to objects in th...
XSS due to window.dialogArguments being readable cross-domain — Mozilla
Security researcher Hidetake Jo of Microsoft Vulnerability Research reported that the properties set on an object passed to showModalDialog were readable by the document contained in the dialog, even when the document was from a different domain. This is a violation of the same-origin policy and...
Web Worker Array Handling Heap Corruption Vulnerability — Mozilla
Security researcher Orlando Barrera II of SecTheory reported, via TippingPoint's Zero Day Initiative, that Mozilla's implementation of Web Workers contained an error in its handling of array data types when processing posted messages. This error could be used by an attacker to corrupt heap memory...
Upgrade media libraries to fix memory safety bugs — Mozilla
Mozilla upgraded several third party libraries used in media rendering to address multiple memory safety and stability bugs identified by members of the Mozilla community. Some of the bugs discovered could potentially be used by an attacker to crash a victim's browser and execute arbitrary code o...
TreeColumns dangling pointer vulnerability — Mozilla
An anonymous security researcher, via TippingPoint's Zero Day Initiative, reported that the columns of a XUL tree element could be manipulated in a particular way which would leave a pointer owned by the column pointing to freed memory. An attacker could potentially use this vulnerability to cras...
Buffer overflow in http-index-format parser — Mozilla
Justin Schuh of the IBM X-Force reported a flaw in the way Mozilla parses the http-index-format MIME type. By sending a specially crafted 200 header line in the HTTP index response, an attacker can cause the browser to crash and run arbitrary code on the victim's computer...
nsXMLDocument::OnChannelRedirect() same-origin violation — Mozilla
Mozilla security researcher mozbugra4 reported that the same-origin check in nsXMLDocument::OnChannelRedirect could be bypassed. This vulnerability could be used to execute JavaScript in the context of a different website...
Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17) — Mozilla
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be...
HTTP Referrer spoofing with malformed URLs — Mozilla
Security researcher Gregory Fleischer demonstrated a problem with the HTTP Referer: sic header sent with requests to URLs containing Basic Authentication credentials with empty usernames. In these cases a number of leading characters, based on the length of the password in the URL, are removed fr...
Digest authentication request splitting — Mozilla
Security researcher Stefano Di Paola reported that Firefox did not properly validate the user ID when making an HTTP request using Digest Authentication to log into a web site. A malicious page could abuse this to inject arbitrary HTTP headers by including a newline character in the user ID...
File type confusion due to %00 in name — Mozilla
Ronald van den Heetkamp reported that a filename URL containing %00 encoded null can cause Firefox to interpret the file extension differently than the underlying Windows operating system potentially leading to unsafe actions such as running a program. This is only accessible locally...
Mozilla Network Security Services (NSS) SSLv2 buffer overflows — Mozilla
iDefense has informed Mozilla about two potential buffer overflow vulnerabilities found by researcher regenrecht in the Network Security Services NSS code for processing the SSLv2 protocol...
XSS by setting img.src to javascript: URI — Mozilla
mozbugra4 reported that the src attribute of an IMG element loaded in a frame could be changed to a javascript: URI that was able to bypass the protections against cross-site script XSS injection. The injected script could steal credentials and financial data, or perform destructive actions on...
Running Script can be recompiled — Mozilla
shutdown demonstrated that it was possible to modify a Script object while it was executing, potentially leading to the execution of arbitrary JavaScript bytecode...
Security Vulnerabilities fixed in Firefox ESR 115.3 — Mozilla
A compromised content process could have provided malicious data to FilterNodeD2D1 resulting in an out-of-bounds write, leading to a potentially exploitable crash in a privileged process.This bug only affects Firefox on Windows. Other operating systems are unaffected. A compromised content proces...
Stack underflow during 2D graphics rendering — Mozilla
Georg Koppen of the Tor Project used the Address Sanitizer tool to discover a stack buffer underflow when calculating clipping regions in 2D graphics. This results in a potentially exploitable crash...
Write to invalid HashMap entry through JavaScript.watch() — Mozilla
The CESG, the Information Security Arm of GCHQ, reported that the JavaScript .watch method could be used to overflow the 32-bit generation count of the underlying HashMap, resulting in a write to an invalid entry. Under the right conditions this write could lead to arbitrary code execution. The...
Addressbar spoofing though history navigation and Location protocol property — Mozilla
Security researcher Tsubasa Iinuma reported a mechanism where the displayed addressbar can be spoofed to users. This issue involves using history navigation in concert with the Location protocol property. After navigating from a malicious page to another, if the user navigates back to the initial...
Service Worker Manager out-of-bounds read in Service Worker Manager — Mozilla
Security researcher Looben Yang reported a mechanism where the Clients API in Service Workers can be used to trigger an out-of-bounds read in ServiceWorkerManager. This results in a potentially exploitable crash...
Use-after-free in GetStaticInstance in WebRTC — Mozilla
Security researcher Ronald Crane reported a race condition in GetStaticInstance in WebRTC which results in a use-after-free. This could result in a potentially exploitable crash. This issue was found through code inspection and does not have clear mechanism to be exploited through web content but...
Buffer overflow during image interactions in canvas — Mozilla
Security researcher Looben Yang reported a buffer overflow in the JPEGEncoder function during script interactions with a canvas element. This is caused by a race condition and incorrectly matched sizes following image interactions. This leads to a potentially exploitable crash...
Use-after-free while manipulating HTML media content — Mozilla
An anonymous researcher reported, via HP's Zero Day Initiative, a use-after-free vulnerability with HTML media elements on a page during script manipulation of the URI table of these elements. This results in a potentially exploitable crash...
Use-after-free in XMLHttpRequest with shared workers — Mozilla
Security researcher Looben Yang discovered a use-after-free vulnerability when recursively calling .open on an XMLHttpRequest in a SharedWorker...
Wifi direct system messages don't require a permission — Mozilla
Paul Theriault of Mozilla discovered a privacy issue with a WiFi-related system message that wasn't properly restricted to apps with the "wifi-manage" permission. As a result, even unprivileged apps could have received those messages, allowing them to extract limited information from a vulnerable...
Buffer overflow during CSS restyling — Mozilla
Security researcher Atte Kettunen used the Address Sanitizer tool to discover an out-of-bounds read during the application of restyling and reflowing changes of web content using CSS. This results in a potentially exploitable crash...
Invoking Mozilla updater will load locally stored DLL files — Mozilla
Security researcher Holger Fuhrmannek reported that when the Mozilla updater is run directly, the updater will load binary DLL format files from the local working directory or from the Windows temporary directories. This occurs when it is run without the Mozilla Maintenance Service on Windows...
Miscellaneous memory safety hazards (rv:35.0 / rv:31.4) — Mozilla
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...
Use-after-free during HTML5 parsing — Mozilla
Security researcher SkyLined reported a use-after-free created by triggering the creation of a second root element while parsing HTML written to a document created with document.open. This leads to a potentially exploitable crash...
Out of bounds write in NSPR — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team reported an out of bounds write in the Netscape Portable Runtime NSPR leading to a potentially exploitable crash or code execution. This issue is fixed in NSPR version 4.10.6...
Clickjacking through cursor invisibility after Flash interaction — Mozilla
Security researcher Jordi Chancel reported a mechanism where the cursor can be rendered invisible after it has been used on an embedded flash object when used outside of the object. This flaw can be in used in combination with an image of the cursor manipulated through JavaScript, leading to...
Use-after-free in Event Listener Manager — Mozilla
Security researchers Tyson Smith and Jesse Schwartzentruber of the BlackBerry Security Automated Analysis Team used the Address Sanitizer tool while fuzzing to discover a use-after-free in the event listener manager. This can be triggered by web content and leads to a potentially exploitable cras...
Use-after-free with select element — Mozilla
Security researcher Scott Bell used the Address Sanitizer tool to discover a use-after-free when using a element in a form after it has been destroyed. This could lead to a potentially exploitable crash...
Buffer underflow when generating CRMF requests — Mozilla
Security researcher Nils used the Address Sanitizer to discover a use-after-free problem when generating a Certificate Request Message Format CRMF request with certain parameters. This causes a potentially exploitable crash...
Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Privileged content access and execution via XBL — Mozilla
Security researcher Mariusz Mlynski reported that it is possible to compile a user-defined function in the XBL scope of a specific element and then trigger an event within this scope to run code. In some circumstances, when this code is run, it can access content protected by System Only Wrappers...
Privilege escalation through Mozilla Updater — Mozilla
Security researcher Ash reported an issue with the Mozilla Updater. The Mozilla Updater can be made to load a malicious local DLL file in a privileged context through either the Mozilla Maintenance Service or independently on systems that do not use the service. This occurs when the DLL file is...
HTTPMonitor extension allows for remote debugging without explicit activation — Mozilla
Mozilla security researcher Mark Goodwin discovered an issue with the Firefox developer tools' debugger. If remote debugging is disabled, but the experimental HTTPMonitor extension has been installed and enabled, a remote user can connect to and use the remote debugging service through the port...