Information disclosure with *FromPoint on iframes — Mozilla
Security researcher Jordan Milne reported an information leak where document.caretPositionFromPoint and document.elementFromPoint functions could be used on a cross-origin iframe to gain information on the iframe's DOM and other attributes through a timing attack, violating same-origin policy...
Shared object library loading from writable location — Mozilla
Mozilla developer Vladimir Vukicevic reported that Firefox for Android will optionally load a shared object .so library in order to enable GL tracing. When this occurs, it can be from a world writable location, allowing for it to be replaced by malicious third party applications before it is...
Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Buffer underflow when generating CRMF requests — Mozilla
Security researcher Nils used the Address Sanitizer to discover a use-after-free problem when generating a Certificate Request Message Format CRMF request with certain parameters. This causes a potentially exploitable crash...
Privileged content access and execution via XBL — Mozilla
Security researcher Mariusz Mlynski reported that it is possible to compile a user-defined function in the XBL scope of a specific element and then trigger an event within this scope to run code. In some circumstances, when this code is run, it can access content protected by System Only Wrappers...
Javascript: URLs run in privileged context on New Tab page — Mozilla
Security researcher [email protected] reported that if a javascript: URL is selected from the list of Firefox "new tab" page, the script will inherit the privileges of the privileged "new tab" page. This allows for the execution of locally installed programs if a user can be convinced to save a...
Firefox Recovery Key.html is saved with unsafe permission — Mozilla
magicant starmen reported that if a user chooses to export their Firefox Sync key the "Firefox Recovery Key.html" file is saved with incorrect permissions, making the file contents potentially readable by other users on Linux and OS X systems...
Integer underflow when using JavaScript RegExp — Mozilla
Mark Kaplan reported a potentially exploitable crash due to integer underflow when using a large JavaScript RegExp expression. We would also like to thank Mark for contributing the fix for this problem...
Potentially exploitable WebGL crashes — Mozilla
Michael Jordon of Context IS reported that in the ANGLE library used by WebGL the return value from GrowAtomTable was not checked for errors. If an attacker could cause requests that exceeded the available memory those would fail and potentially lead to a buffer overrun as subsequent code wrote...
Security issues addressed in Firefox 3.6.20 — Mozilla
Miscellaneous memory safety hazards rv:1.9.2.20 Impact: Critical Description: Mozilla developers and community members identified and fixed several memory safety bugs in the browser engine used in Firefox 3.6 and other Mozilla-based products. Some of these bugs showed evidence of memory corruptio...
Use-after-free error in nsBarProp — Mozilla
Security researcher Sergey Glazunov reported that it was possible to access the locationbar property of a window object after it had been closed. Since the closed window's memory could have been subsequently reused by the system it was possible that an attempt to access the locationbar property...
Unsafe library loading vulnerabilities — Mozilla
Mozilla developer Ehsan Akhgari reported that a function used to load external libraries on Windows platforms was using a relative path to a DLL-loading application and was thus vulnerable to binary planting if an attacker was able to place an executable of the same name in the current working...
Dangling pointer vulnerability in nsTreeContentView — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that the implementation of XUL's content view contains a dangling pointer vulnerability. One of the content view's methods for accessing the internal structure of the tree could be manipulated into removing a node pri...
Use-after-free error in NodeIterator — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative an error in Mozilla's implementation of NodeIterator in which a malicious NodeFilter could be created which would detach nodes from the DOM tree while it was being traversed. The use of a detached and subsequently...
Cross-origin data disclosure via Web Workers and importScripts — Mozilla
Security researcher Yosuke Hasegawa reported that the Web Worker method importScripts can read and parse resources from other domains even when the content is not valid JavaScript. This is a violation of the same-origin policy and could be used by an attacker to steal information from other sites...
Cross-origin data leakage from script filename in error messages — Mozilla
Security researcher Soroush Dalili reported that potentially sensitive URL parameters could be leaked across domains upon script errors when the script filename and line number is included in the error message...
TreeColumns dangling pointer vulnerability — Mozilla
An anonymous security researcher, via TippingPoint's Zero Day Initiative, reported that the columns of a XUL tree element could be manipulated in a particular way which would leave a pointer owned by the column pointing to freed memory. An attacker could potentially use this vulnerability to cras...
Arbitrary domain cookie access by local file: resources — Mozilla
Security researcher Gregory Fleischer reported that local resources loaded via the file: protocol can access any domain's cookies which have been saved on a user's machine. Fleischer demonstrated that a local document's domain was being calculated incorrectly from its URL. If a victim could be...
XML data theft via RDFXMLDataSource and cross-domain redirect — Mozilla
Mozilla security researcher Georgi Guninski reported that a website could use nsIRDFService and a cross-domain redirect to steal arbitrary XML data from another domain, a violation of the same-origin policy. This vulnerability could be used by a malicious website to steal private data from users...
XMLHttpRequest allows reading HTTPOnly cookies — Mozilla
Developer and Mozilla community member Wladimir Palant reported that cookies marked HTTPOnly were readable by JavaScript via the XMLHttpRequest.getResponseHeader and XMLHttpRequest.getAllResponseHeaders APIs. This vulnerability bypasses the security mechanism provided by the HTTPOnly flag which...
Crash and remote code execution via __proto__ tampering — Mozilla
Mozilla developer Jesse Ruderman demonstrated that by tampering with the window.__proto__.__proto__ object, one can cause the browser to place a lock on a non-native object, leading to a crash. Although we have not demonstrated such control, a determined attacker might be able to exploit this crash to ru...
Privilege escalation, XSS, Remote Code Execution — Mozilla
Mozilla contributors moz_bug_r_a4 and Boris Zbarsky submitted a series of vulnerabilities which allow scripts from page content to escape from its sandboxed context and/or run with chrome privileges. An additional vulnerability reported by moz_bug_r_a4 demonstrated that the XMLDocument.load function ca...
onUnload + document.write() memory corruption — Mozilla
Michal Zalewski reported a memory corruption vulnerability in Firefox 2.0.0.1 involving mixing the onUnload event handler and self-modifying document.write calls. This flaw was introduced in Firefox 2.0.0.1 and 1.5.0.9 and does not affect earlier versions; it is fixed in Firefox 2.0.0.2 and 1.5.0...
UniversalBrowserRead privilege escalation — Mozilla
shutdown reports that scripts granted the UniversalBrowserRead privilege can leverage that into the equivalent of the far more powerful UniversalXPConnect since they are allowed to "read" into a privileged context. This allows the attacker the ability to run scripts with the full privilege of the...
Accessing XBL compilation scope via valueOf.call() — Mozilla
moz_bug_r_a4 discovered that the compilation scope of privileged built-in XBL bindings was not fully protected from web content and could be accessed by calling valueOf.call and valueOf.apply on a method of that binding. This could then be used to compile and run attacker-supplied JavaScript, giving...
Mail Multiple Information Disclosure — Mozilla
As a privacy measure to prevent senders (primarily spammers) from tracking when e-mail is read, Thunderbird does not load remote content referenced from an HTML mail message until a user tells it to do so. This normally includes the content of frames and CSS files, but CrashFr showed it was possible...
Privilege escalation via XBL.method.eval — Mozilla
Using the eval associated with methods of an XBL binding it was possible to create JavaScript functions that would get compiled with the wrong privileges, allowing the attacker to run code of their choice with the full permission of the user running the browser. This could be used to install...
Crashes with evidence of memory corruption (rv:1.8) — Mozilla
As part of the Firefox 1.5 release we fixed several crash bugs to improve the stability of the product. Some of these crashes showed evidence of memory corruption that we presume could be exploited to run arbitrary code and have been applied to the Firefox 1.0.x and Mozilla Suite 1.7.x releases...
Drag and drop loading of privileged XUL — Mozilla
A malicious page that could lure a user into dragging something such as a fake scrollbar can bypass the restriction on opening privileged XUL. The startup scripts in the XUL will run with enhanced privilege, though the actions taken upon merely opening most XUL are benign. So far no way to run...
Security Vulnerabilities fixed in Firefox ESR 115.3 — Mozilla
A compromised content process could have provided malicious data to FilterNodeD2D1 resulting in an out-of-bounds write, leading to a potentially exploitable crash in a privileged process. This bug only affects Firefox on Windows. Other operating systems are unaffected. A compromised content proces...
Security Vulnerabilities fixed in Firefox ESR 91.2 — Mozilla
During operations on MessageTasks, a task may have been removed while it was still scheduled, resulting in memory corruption and a potentially exploitable crash. Through use of reportValidity and window.open, a plain-text validation message could have been overlaid on another origin, leading to...
Memory corruption with malicious NPAPI plugin — Mozilla
The CESG, the Information Security Arm of GCHQ, reported a dangling pointer dereference within the Netscape Plugin Application Programming Interface (NPAPI) that could lead to the NPAPI subsystem crashing. This issue requires a maliciously crafted NPAPI plugin in concert with scripted web content,...
Out-of-bounds read in Service Worker Manager — Mozilla
Security researcher Looben Yang reported a mechanism where the Clients API in Service Workers can be used to trigger an out-of-bounds read in ServiceWorkerManager. This results in a potentially exploitable crash...
Missing delay following user click events in protocol handler dialog — Mozilla
Security researcher window reported an issue where, when the protocol handler dialog appears, double click events are treated as two single click events. This was caused by the lack of a delay following the initial focus in the file download dialog. This could cause a second dialog to be sent the secon...
Lockscreen passcode bypass due to race condition — Mozilla
Shally Li was first to report a race condition in the lockscreen of Firefox OS that can be used to bypass the passcode lock of a Firefox OS device. Under certain circumstances on a locked device, the user will be dropped directly to the homescreen instead of being presented with the passcode inpu...
Underflow through code inspection — Mozilla
Security researcher Ronald Crane reported an underflow found through code inspection. This does not have a clear mechanism to be exploited through web content but could be vulnerable if a means can be found to trigger it...
Information disclosure through NTLM authentication — Mozilla
Security researcher Tim Brown reported that Firefox discloses the hostname and possibly the Windows domain through NTLM-based HTTP authentication when sending type 3 messages as part of the authentication exchange. This is because the Workstation field is populated with the hostname of the system...
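The leak described above lives in the Workstation field of the NTLM Type 3 (AUTHENTICATE) message, which is sent base64-encoded in the Authorization header. The following is an added example, not Mozilla code, that assembles a Type 3 message, parses one back (including straight from an Authorization header value as a proxy log would record it), and shows the field an observer reads. The domain, user and hostname are constructed sample values, and the fixed "WORKSTATION" placeholder used for the hardened message is an assumed mitigation; the page does not say what value the fix sends.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3
NEGOTIATE_UNICODE = 0x00000001          # string fields are UTF-16LE when set, OEM otherwise
# Order of the eight-byte (Len, MaxLen, Offset) descriptors that follow the message type.
FIELDS = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")
STRING_FIELDS = ("domain", "user", "workstation")
HEADER_LEN = 64                         # fixed part when no Version/MIC block is present


def _codec(flags):
    return "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"


def build_type3(domain, user, workstation, flags=NEGOTIATE_UNICODE,
                lm_response=b"\x00" * 24, nt_response=b"\x00" * 24):
    """Assemble a Type 3 message. The challenge responses are dummies; the
    string fields are what this example is about."""
    values = [lm_response, nt_response,
              domain.encode(_codec(flags)), user.encode(_codec(flags)),
              workstation.encode(_codec(flags)), b""]
    descriptors = b""
    payload = b""
    for value in values:
        descriptors += struct.pack("<HHI", len(value), len(value), HEADER_LEN + len(payload))
        payload += value
    return (NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE)
            + descriptors + struct.pack("<I", flags) + payload)


def parse_type3(msg):
    """Decode a Type 3 message into its fields, rejecting descriptors that
    point outside the message instead of slicing blindly."""
    if len(msg) < HEADER_LEN or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE_MESSAGE:
        raise ValueError("not a Type 3 (AUTHENTICATE) message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    out = {"flags": flags}
    for i, name in enumerate(FIELDS):
        length, _max_len, offset = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        if offset + length > len(msg):
            raise ValueError(f"{name} descriptor points outside the message")
        raw = msg[offset:offset + length]
        out[name] = raw.decode(_codec(flags)) if name in STRING_FIELDS else raw
    return out


def authorization_header(msg):
    """Render the message the way the client sends it: 'NTLM <base64>'."""
    return "NTLM " + base64.b64encode(msg).decode("ascii")


def workstation_from_authorization(header_value):
    """What a proxy or server operator sees: the hostname, straight from the header."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    return parse_type3(base64.b64decode(token))["workstation"]


# Constructed sample values; "JDOE-LAPTOP" stands in for the real machine hostname.
LEAKY = build_type3("CORP", "jdoe", "JDOE-LAPTOP")
# Assumed mitigation: a fixed placeholder instead of the hostname.
HARDENED = build_type3("CORP", "jdoe", "WORKSTATION")

if __name__ == "__main__":
    print("observer sees:", workstation_from_authorization(authorization_header(LEAKY)))
    print("hardened    :", workstation_from_authorization(authorization_header(HARDENED)))
```

The same parser run over captured Authorization headers is a quick way to audit which clients on a network still populate the field, and the bounds check in `parse_type3` matters because descriptor offsets in NTLM messages are attacker-controlled.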
Arbitrary file overwriting through Mozilla Maintenance Service with hard links — Mozilla
Security researcher James Forshaw of Google Project Zero reported that the Mozilla Maintenance Service on Windows can be made to write its log file in a restricted location with an arbitrary file name through the use of a hard link by means of a race condition. This can...
Out-of-bounds read and write in asm.js validation — Mozilla
Security researcher Dougall Johnson reported an out-of-bounds read and write in asm.js during JavaScript validation due to an error in how heap lengths are defined. This results in a potentially exploitable crash and could allow for the reading of random memory which may contain sensitive data...
Toolbar dialog customization event spoofing — Mozilla
Mozilla developers David Chan and Gijs Kruitbosch reported that it is possible to create a drag and drop event in web content which mimics the behavior of a chrome customization event. This can occur when a user is customizing a page or panel. This results in a limited ability to move UI icons...
Use-after-free in DirectWrite font handling — Mozilla
Mozilla community member James Kitchener reported a crash in DirectWrite when rendering MathML content with specific fonts due to an error in how font resources and tables are handled. This leads to use-after-free of a DirectWrite font-face object, resulting in a potentially exploitable crash...
UI selection timeout missing on download prompts — Mozilla
Security researcher Jordi Chancel reported that the dialog for saving downloaded files did not implement a security timeout before button selections were processed. This could be used in concert with spoofing to convince users to select a different option than intended, causing downloaded files t...
Same-origin bypass through symbolic links — Mozilla
Security researcher Takeshi Terada reported a mechanism to violate same-origin policy for local files using file:// through the use of symbolic links. This problem only affects web pages loaded from the local filesystem. This could allow for cross-site scripting (XSS) and access to locally stored...
Improper state in HTML5 Tree Builder with templates — Mozilla
Using the Address Sanitizer tool, security researcher Atte Kettunen from OUSPG found that the HTML5 Tree Builder does not properly store state when interacting with template elements. Because some stack information is incorrectly stored, the template insertion mode stack can be used when it is...
Mozilla Updater does not lock MAR file after signature verification — Mozilla
Security researcher Seb Patane reported that the Mozilla Updater does not write-lock the MAR update file when it is in use by the Updater. This leaves open the possibility of altering the contents of the MAR file after the signature on the file has been verified as valid but before it has been...
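The Updater issue above is a verify-then-use race: the signature is checked against the file at one moment and the file is consumed at a later one. The added example below (not Mozilla code) reproduces the shape of that race with an HMAC standing in for the MAR signature and an injected `race` callback standing in for the hostile process that rewrites the file in between. The racy path re-opens the path after verifying; the pinned path applies the very bytes it verified. The key, file contents and file name are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for the signing key; a real MAR carries an RSA signature.
DEMO_KEY = b"constructed-demo-signing-key"
MAC_LEN = 32                                  # SHA-256 HMAC prefix on the file


def sign(body):
    return hmac.new(DEMO_KEY, body, hashlib.sha256).digest()


def write_update(path, body, mac):
    """Write mac+body via an atomic rename, as either the updater or the
    process racing it would."""
    tmp = path + ".tmp"
    with open(tmp, "wb") as f:
        f.write(mac + body)
    os.replace(tmp, path)


def verify(data):
    mac, body = data[:MAC_LEN], data[MAC_LEN:]
    if not hmac.compare_digest(mac, sign(body)):
        raise ValueError("signature check failed")
    return body


def apply_racy(path, race):
    """Verify the file, then open it again to apply it. Whatever is at the
    path at the second open is applied without a second check."""
    with open(path, "rb") as f:
        verify(f.read())
    race(path)                                # file swapped between check and use
    with open(path, "rb") as f:
        return f.read()[MAC_LEN:]


def apply_pinned(path, race):
    """Read once, verify those bytes, and apply those same bytes. A later
    swap of the path cannot change what gets applied."""
    with open(path, "rb") as f:
        body = verify(f.read())
    race(path)                                # swap still happens, but is never re-read
    return body


def demo():
    """Run both strategies against the same race; returns what each applied."""
    genuine = b"genuine update payload"
    hostile = b"attacker payload"

    def race(p):
        # Replacement carries no valid signature; only the racy path accepts it.
        write_update(p, hostile, b"\x00" * MAC_LEN)

    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "update.mar")
        write_update(path, genuine, sign(genuine))
        racy_result = apply_racy(path, race)
        write_update(path, genuine, sign(genuine))
        pinned_result = apply_pinned(path, race)
    return racy_result, pinned_result


if __name__ == "__main__":
    racy, pinned = demo()
    print("racy applied  :", racy)
    print("pinned applied:", pinned)
```

Holding the verified bytes (or the same open handle, with an `fstat` identity check) is the portable form of the fix; the write lock the advisory describes is the Windows-specific way to deny the swap altogether while the Updater holds the file.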
World read and write access to app_tmp directory on Android — Mozilla
Security researcher Shuichiro Suzuki of the Fourteenforty Research Institute reported the app_tmp directory is set to be world readable and writeable by Firefox for Android. This potentially allows for third party applications to replace or alter Firefox add-ons when downloaded because they are...
Use-after-free in shlwapi.dll — Mozilla
Security researchers Blair Strang and Scott Bell of Security Assessment found that when a parent window spawns and closes a child window that uses the file open dialog, a crash can be induced in shlwapi.dll on 32-bit Windows 7 systems. This crash may be potentially exploitable...
Crash caused by corrupted JPEG image — Mozilla
Security researcher Jordi Chancel reported that a JPEG image could be constructed that would be decoded incorrectly, causing data to be written past the end of a buffer created to store the image. An attacker could potentially craft such an image that would cause malicious code to be stored in...
XMLDocument::load() doesn't check nsIContentPolicy — Mozilla
Mozilla community member Wladimir Palant reported that XML documents were failing to call certain security checks when loading new content. This could result in certain resources being loaded that would otherwise violate security policies set by the browser or installed add-ons...
Privilege escalation via chrome window.opener — Mozilla
Security researcher David James reported that a content window which is opened by a chrome window retains a reference to the chrome window via the window.opener property. Using this reference, content in the new window can access functions inside the chrome window, such as eval, and use these...