1574 matches found
Buffer underflow when generating CRMF requests — Mozilla
Security researcher Nils used the Address Sanitizer to discover a use-after-free problem when generating a Certificate Request Message Format CRMF request with certain parameters. This causes a potentially exploitable crash...
Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Privileged content access and execution via XBL — Mozilla
Security researcher Mariusz Mlynski reported that it is possible to compile a user-defined function in the XBL scope of a specific element and then trigger an event within this scope to run code. In some circumstances, when this code is run, it can access content protected by System Only Wrappers...
Privilege escalation through Mozilla Updater — Mozilla
Security researcher Ash reported an issue with the Mozilla Updater. The Mozilla Updater can be made to load a malicious local DLL file in a privileged context through either the Mozilla Maintenance Service or independently on systems that do not use the service. This occurs when the DLL file is...
HTTPMonitor extension allows for remote debugging without explicit activation — Mozilla
Mozilla security researcher Mark Goodwin discovered an issue with the Firefox developer tools' debugger. If remote debugging is disabled, but the experimental HTTPMonitor extension has been installed and enabled, a remote user can connect to and use the remote debugging service through the port...
Firefox Recovery Key.html is saved with unsafe permission — Mozilla
magicant starmen reported that if a user chooses to export their Firefox Sync key the "Firefox Recovery Key.html" file is saved with incorrect permissions, making the file contents potentially readable by other users on Linux and OS X systems...
Directory traversal in resource: protocol — Mozilla
Security researcher Soroush Dalili reported that the resource: protocol could be exploited to allow directory traversal on Windows and the potential loading of resources from non-permitted locations. The impact would depend on whether interesting files existed in predictable locations in a useful...
Dangling pointer vulnerability in nsTreeContentView — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that the implementation of XUL 's content view contains a dangling pointer vulnerability. One of the content view's methods for accessing the internal structure of the tree could be manipulated into removing a node pri...
Use-after-free error in NodeIterator — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative an error in Mozilla's implementation of NodeIterator in which a malicious NodeFilter could be created which would detach nodes from the DOM tree while it was being traversed. The use of a detached and subsequently...
Dangling pointer vulnerability in nsPluginArray — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative an error in the implementation of the window.navigator.plugins object. When a page reloads, the plugins array would reallocate all of its members without checking for existing references to each member. This could resu...
XMLHttpRequest allows reading HTTPOnly cookies — Mozilla
Developer and Mozilla community member Wladimir Palant reported that cookies marked HTTPOnly were readable by JavaScript via the XMLHttpRequest.getResponseHeader and XMLHttpRequest.getAllResponseHeaders APIs. This vulnerability bypasses the security mechanism provided by the HTTPOnly flag which...
Remote code execution by overflowing CSS reference counter — Mozilla
An anonymous researcher, via TippingPoint's Zero Day Initiative program, reported a vulnerability in Mozilla's internal CSSValue array data structure. The vulnerability was caused by an insufficiently sized variable being used as a reference counter for CSS objects. By creating a very large numbe...
JavaScript privilege escalation and arbitrary code execution — Mozilla
Mozilla contributors mozbugra4, Boris Zbarsky, and Johnny Stenback reported a series of vulnerabilities which allow scripts from page content to run with elevated privileges. mozbugra4 demonstrated additional variants of MFSA 2007-25 and MFSA2007-35 arbitrary code execution through XPCNativeWrapp...
Crashes with evidence of memory corruption (rv:1.8.1.12) — Mozilla
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox 2.0.0.12 and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these coul...
Crashes with evidence of memory corruption (rv:1.8.0.8) — Mozilla
As part of the Firefox 1.5.0.8 release we fixed several bugs to improve the stability of the product. Some of these were crashes that showed evidence of memory corruption and we presume that at least some of these could be exploited to run arbitrary code with enough effort...
JavaScript engine vulnerabilities — Mozilla
Continuing our security audit of the JavaScript engine, Mozilla developers found and fixed several potential vulnerabilities...
JavaScript execution in mail when forwarding in-line — Mozilla
Georgi Guninski reports that forwarding mail in-line while using the default HTML "rich mail" editor will execute JavaScript embedded in the e-mail message. Forwarding mail in-line is not the default setting but it is easily accessed through the "Forward As" menu item...
JavaScript garbage-collection hazard audit — Mozilla
Igor Bukanov has audited the JavaScript engine for routines that use temporary variables not protected against garbage-collection. If malicious content could cause garbage-collection to run during the lifetime of these temporaries then the original routine would end up operating on freed memory...
Privilege escalation via XBL.method.eval — Mozilla
Using the eval associated with methods of an XBL binding it was possible to create JavaScript functions that would get compiled with the wrong privileges, allowing the attacker to run code of their choice with the full permission of the user running the browser. This could be used to install...
Crashes with evidence of memory corruption (rv:1.8) — Mozilla
As part of the Firefox 1.5 release we fixed several crash bugs to improve the stability of the product. Some of these crashes showed evidence of memory corruption that we presume could be exploited to run arbitrary code and have been applied to the Firefox 1.0.x and Mozilla Suite 1.7.x releases...
Lockscreen passcode bypass due to race condition — Mozilla
Shally Li was first to report a race condition in the lockscreen of Firefox OS that can be used to bypass the passcode lock of a Firefox OS device. Under certain circumstances on a locked device, the user will be dropped directly to the homescreen instead of being presented with the passcode inpu...
Arbitrary file overwriting through Mozilla Maintenance Service with hard links — Mozilla
Security researcher James Forshaw, security researcher with Google Project Zero, reported that the Mozilla Maintenance Service on Windows can be made to write its log file in a restricted location with an arbitrary file name through the use of a hard link by means of a race condition. This can...
Overflow issues in libstagefright — Mozilla
An anonymous researcher reported, via TippingPoint's Zero Day Initiative, two integer overflows in the libstagefright library that could be triggered by a malicious 'saio' chunk in an MPEG4 video. These overflows allowed for potential arbitrary code execution. This issue was independently reporte...
Out-of-bounds read and write in asm.js validation — Mozilla
Security researcher Dougall Johnson reported an out-of-bounds read and write in asm.js during JavaScript validation due to an error in how heap lengths are defined. This results in a potentially exploitable crash and could allow for the reading of random memory which may contain sensitive data...
Gecko Media Plugin sandbox escape — Mozilla
Security researcher Nils discovered a mechanism to break out of the Gecko Media Plugin GMP sandbox on Windows systems. The GMP sandbox is currently only used to host h.264 video playback using the OpenH264 plugin but is being developed to host other other media plugins. This bug would allow an...
Use-after-free in DirectWrite font handling — Mozilla
Mozilla community member James Kitchener reported a crash in DirectWrite when rendering MathML content with specific fonts due to an error in how font resources and tables are handled. This leads to use-after-free of a DirectWrite font-face object, resulting in a potentially exploitable crash...
Information disclosure with *FromPoint on iframes — Mozilla
Security researcher Jordan Milne reported an information leak where document.caretPositionFromPoint and document.elementFromPoint functions could be used on a cross-origin iframe to gain information on the iframe's DOM and other attributes through a timing attack, violating same-origin policy...
Same-origin bypass through symbolic links — Mozilla
Security researcher Takeshi Terada reported a mechanism to violate same-origin policy for local files using file:// through the use of symbolic links. This problem only affects web pages loaded from the local filesystem. This could allow for cross-site scripting XSS and access to locally stored...
Use-after-free in ListenerManager — Mozilla
Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free within the ListenerManager when garbage collection is forced after data in listener objects have been allocated in some circumstances. This results in a use-after-free which can lead to arbitrary cod...
Javascript: URLs run in privileged context on New Tab page — Mozilla
Security researcher [email protected] reported that if a javascript: URL is selected from the list of Firefox "new tab" page, the script will inherit the privileges of the privileged "new tab" page. This allows for the execution of locally installed programs if a user can be convinced to save a...
Integer underflow when using JavaScript RegExp — Mozilla
Mark Kaplan reported a potentially exploitable crash due to integer underflow when using a large JavaScript RegExp expression. We would also like to thank Mark for contributing the fix for this problem...
Security issues addressed in Firefox 3.6.20 — Mozilla
Miscellaneous memory safety hazards rv:1.9.2.20 Impact: Critical Description: Mozilla developers and community members identified and fixed several memory safety bugs in the browser engine used in Firefox 3.6 and other Mozilla-based products. Some of these bugs showed evidence of memory corruptio...
Use-after-free error in nsBarProp — Mozilla
Security researcher Sergey Glazunov reported that it was possible to access the locationbar property of a window object after it had been closed. Since the closed window's memory could have been subsequently reused by the system it was possible that an attempt to access the locationbar property...
Unsafe library loading vulnerabilities — Mozilla
Mozilla developer Ehsan Akhgari reported that a function used to load external libraries on Windows platforms was using a relative path to a DLL-loading application and was thus vulnerable to binary planting if an attacker was able to place an executable of the same name in the current working...
Cross-origin data leakage from script filename in error messages — Mozilla
Security researcher Soroush Dalili reported that potentially sensitive URL parameters could be leaked across domains upon script errors when the script filename and line number is included in the error message...
Cross-origin data disclosure via Web Workers and importScripts — Mozilla
Security researcher Yosuke Hasegawa reported that the Web Worker method importScripts can read and parse resources from other domains even when the content is not valid JavaScript. This is a violation of the same-origin policy and could be used by an attacker to steal information from other sites...
XMLDocument::load() doesn't check nsIContentPolicy — Mozilla
Mozilla community member Wladimir Palant reported that XML documents were failing to call certain security checks when loading new content. This could result in certain resources being loaded that would otherwise violate security policies set by the browser or installed add-ons...
Privilege escalation via chrome window.opener — Mozilla
Security researcher David James reported that a content window which is opened by a chrome window retains a reference to the chrome window via the window.opener property. Using this reference, content in the new window can access functions inside the chrome window, such as eval, and use these...
Location bar spoofing vulnerabilities — Mozilla
Security researcher Jonathan Morgan reported that when a page loaded over an insecure protocol, such as http: or file:, sets its document.location to a https: URL which responds with a 204 status and empty response body, the insecure page will receive SSL indicators near the location bar, but wil...
Arbitrary domain cookie access by local file: resources — Mozilla
Security researcher Gregory Fleischer reported that local resources loaded via the file: protocol can access any domain's cookies which have been saved on a user's machine. Fleischer demonstrated that a local document's domain was being calculated incorrectly from its URL. If a victim could be...
XML data theft via RDFXMLDataSource and cross-domain redirect — Mozilla
Mozilla security researcher Georgi Guninski reported that a website could use nsIRDFService and a cross-domain redirect to steal arbitrary XML data from another domain, a violation of the same-origin policy. This vulnerability could be used by a malicious website to steal private data from users...
Crash and remote code execution via __proto__ tampering — Mozilla
Mozilla developer Jesse Ruderman demonstrated that by tampering with the window.proto.proto object, one can cause the browser to place a lock on a non-native object, leading to a crash. Although we have not demonstrated such control, a determined attacker might be able to exploit this crash to ru...
Privilege escalation, XSS, Remote Code Execution — Mozilla
Mozilla contributors mozbugra4 and Boris Zbarsky submitted a series of vulnerabilities which allow scripts from page content to escape from its sandboxed context and/or run with chrome privileges. An additional vulnerability reported by mozbugra4 demonstrated that the XMLDocument.load function ca...
URIs with invalid %-encoding mishandled by Windows — Mozilla
On Windows XP with Internet Explorer 7 installed several "web related" URI schemes do not launch the registered protocol-handler if the URI contains an invalid %-encoded sequence. This was initially reported by Billy Rios and Nate McFeters with additional investigation by Secunia. A patch that...
Remote code execution by launching Firefox from Internet Explorer — Mozilla
Internet Explorer calls registered URL protocols without escaping quotes and may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol...
onUnload + document.write() memory corruption — Mozilla
Michal Zalewski reported a memory corruption vulnerability in Firefox 2.0.0.1 involving mixing the onUnload event handler and self-modifying document.write calls. This flaw was introduced in Firefox 2.0.0.1 and 1.5.0.9 and does not affect earlier versions; it is fixed in Firefox 2.0.0.2 and 1.5.0...
Crashes with evidence of memory corruption (rv:1.8.0.9/1.8.1.1) — Mozilla
As part of the Firefox 2.0.0.1 and 1.5.0.9 update releases we fixed several bugs to improve the stability of the product. Some of these were crashes that showed evidence of memory corruption and we presume that at least some of these could be exploited to run arbitrary code with enough effort...
UniversalBrowserRead privilege escalation — Mozilla
shutdown reports that scripts granted the UniversalBrowserRead privilege can leverage that into the equivalent of the far more powerful UniversalXPConnect since they are allowed to "read" into a privileged context. This allows the attacker the ability to run scripts with the full privilege of the...
Mail Multiple Information Disclosure — Mozilla
As a privacy measure to prevent senders primarily spammers from tracking when e-mail is read Thunderbird does not load remote content referenced from an HTML mail message until a user tells it to do so. This normally includes the content of frames and CSS files, but CrashFr showed it was possible...
Accessing XBL compilation scope via valueOf.call() — Mozilla
mozbugra4 discovered that the compilation scope of privileged built-in XBL bindings was not fully protected from web content and could be accessed by calling valueOf.call and valueOf.apply on a method of that binding. This could then be used to compile and run attacker-supplied JavaScript, giving...