Location bar spoofing vulnerabilities — Mozilla
Security researcher Jonathan Morgan reported that when a page loaded over an insecure protocol, such as http: or file:, sets its document.location to a https: URL which responds with a 204 status and empty response body, the insecure page will receive SSL indicators near the location bar, but wil...
Crashes with evidence of memory corruption (rv:1.8.1.12) — Mozilla
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox 2.0.0.12 and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these coul...
Unescaped URIs passed to external programs — Mozilla
Jesper Johansson pointed out that Mozilla did not percent-encode spaces and double-quotes in URIs handed off to external programs for handling, which can cause the receiving program to mistakenly interpret a single URI as multiple arguments. The danger depends on the arguments supported by the...
Remote code execution by launching Firefox from Internet Explorer — Mozilla
Internet Explorer calls registered URL protocols without escaping quotes and may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol...
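The two entries above are the same bug seen from both ends of a protocol hand-off: the caller (Mozilla in the first, Internet Explorer in the second) passes a URI to an external program without escaping, and the receiving program's argument parser turns one URI into several arguments. The following is an added example, not Mozilla's or Microsoft's code. It models a receiving program that splits its command line on spaces and double-quotes (a simplified model, not any real OS's parser), an unsafe hand-off that interpolates the URI verbatim, a fixed hand-off that percent-encodes the two characters the advisory names, and a handler-side check that refuses a URI the caller failed to escape. The URI and the handler name are constructed.

```javascript
// Added example, not Mozilla's or Microsoft's code.

// Receiving program's argument parser: whitespace-separated tokens,
// with "..." grouping. Simplified model of a command-line splitter.
function splitArgs(cmdline) {
  const args = [];
  let cur = "";
  let inQuote = false;
  let haveToken = false;
  for (const ch of cmdline) {
    if (ch === '"') {
      inQuote = !inQuote;
      haveToken = true;
    } else if (ch === " " && !inQuote) {
      if (haveToken) {
        args.push(cur);
        cur = "";
        haveToken = false;
      }
    } else {
      cur += ch;
      haveToken = true;
    }
  }
  if (haveToken) args.push(cur);
  return args;
}

// Caller side: percent-encode space and double-quote before hand-off.
// Only the two characters named in the advisory are handled here;
// assumption: the handler decodes %XX escapes itself.
function escapeForHandler(uri) {
  return uri.replace(/ /g, "%20").replace(/"/g, "%22");
}

// Unsafe hand-off: the URI goes into the command line verbatim.
function buildCommandUnsafe(handler, uri) {
  return `${handler} "${uri}"`;
}

// Fixed hand-off.
function buildCommandSafe(handler, uri) {
  return `${handler} "${escapeForHandler(uri)}"`;
}

// Handler side (the second advisory's situation, where the caller is a
// different application): do not trust the caller to have escaped.
function acceptHandoffUri(uri) {
  return !/[ "]/.test(uri);
}

// Constructed attacker-supplied URI: closes the quoted argument, injects
// a flag, and re-opens a quote so the command line stays balanced.
const EVIL_URI = 'ext://example.invalid/a" --unsafe-flag "b';

function runHandoffDemo() {
  return {
    unsafe: splitArgs(buildCommandUnsafe("handler", EVIL_URI)),
    safe: splitArgs(buildCommandSafe("handler", EVIL_URI)),
  };
}
```

With the unsafe hand-off the receiving program sees four arguments, including the injected `--unsafe-flag`; with the fixed hand-off it sees the program name and a single, still-encoded URI. Which extra arguments are dangerous depends entirely on the receiving program, which is why the handler-side refusal is worth having even when the caller is believed to escape.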
Improvements to help protect against Cross-Site Scripting attacks — Mozilla
Firefox 2.0.0.2 and 1.5.0.10 contain several small changes that will make it easier for sites to protect their visitors against Cross-Site Scripting (XSS) attacks. Invalid trailing characters in HTML tag attributes: The Mozilla parser formerly ignored invalid trailing characters in HTML tag attribut...
Crashes with evidence of memory corruption (rv:1.8.0.9/1.8.1.1) — Mozilla
As part of the Firefox 2.0.0.1 and 1.5.0.9 update releases we fixed several bugs to improve the stability of the product. Some of these were crashes that showed evidence of memory corruption and we presume that at least some of these could be exploited to run arbitrary code with enough effort...
Crashes with evidence of memory corruption (rv:1.8.0.8) — Mozilla
As part of the Firefox 1.5.0.8 release we fixed several bugs to improve the stability of the product. Some of these were crashes that showed evidence of memory corruption and we presume that at least some of these could be exploited to run arbitrary code with enough effort...
Crashes with evidence of memory corruption (rv:1.8.0.7) — Mozilla
As part of the Firefox 1.5.0.7 release we fixed several bugs to improve the stability of the product. Some of these were crashes that showed evidence of memory corruption and we presume that at least some of these could be exploited to run arbitrary code with enough effort...
JavaScript engine vulnerabilities — Mozilla
Continuing our security audit of the JavaScript engine, Mozilla developers found and fixed several potential vulnerabilities...
JavaScript garbage-collection hazard audit — Mozilla
Igor Bukanov has audited the JavaScript engine for routines that use temporary variables not protected against garbage-collection. If malicious content could cause garbage-collection to run during the lifetime of these temporaries then the original routine would end up operating on freed memory...
Security Vulnerabilities fixed in Firefox 130 — Mozilla
A difference in the handling of StructFields and ArrayTypes in WASM could be used to trigger an exploitable type confusion vulnerability. A potentially exploitable type confusion could be triggered when looking up a property name on an object being used as the with environment. Multiple prompts a...
Security Vulnerabilities fixed in Focus for iOS 126 — Mozilla
The file scheme of URLs would be hidden, resulting in potential spoofing of a website's address in the location bar...
Security Vulnerabilities fixed in Firefox ESR 115.9.1 — Mozilla
An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process. Note: This vulnerability affects Desktop Firefox only, it does not affect mobile versions of Firefox...
Security Vulnerabilities fixed in Firefox ESR 115.8 — Mozilla
When storing and re-accessing data on a networking channel, the length of buffers may have been confused, resulting in an out-of-bounds memory read. Through a series of API calls and redirects, an attacker-controlled alert dialog could have been displayed on another website with the victim...
Form input type change from password to text can store plain text password in session restore file — Mozilla
Mozilla employee Mike Kaply reported that the Firefox session restore data can contain passwords in plain text if a password input field on a page has its type changed from "password" to "text" during a session. This can occur if the password input field has a scripted mechanism to display the...
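The flaw above is a serializer that classifies a field by its type attribute at save time, while a page script can change that attribute at any moment. The following is an added example, not Firefox's session-store code. It models a page-side "show password" toggle and two serializers: one that decides by the current type (the flawed behaviour) and one that remembers the field was created as a password field. The field objects are constructed stand-ins for DOM inputs; the `originalType` property is an assumption standing in for whatever record of the initial type a real implementation keeps.

```javascript
// Added example, not Firefox's session-store code.

function createField(name, type, value) {
  // Assumption: the field records the type it had when first seen.
  return { name, type, value, originalType: type };
}

// Page script's "show password" checkbox handler: flips the attribute.
function setPasswordVisible(field, visible) {
  field.type = visible ? "text" : "password";
}

// Flawed: a password that is revealed at save time is stored in clear.
function collectFormDataFlawed(fields) {
  const data = {};
  for (const f of fields) {
    if (f.type === "password") continue;
    data[f.name] = f.value;
  }
  return data;
}

// Fixed: a field that was ever a password field is never persisted.
function collectFormDataFixed(fields) {
  const data = {};
  for (const f of fields) {
    if (f.type === "password" || f.originalType === "password") continue;
    data[f.name] = f.value;
  }
  return data;
}

function runSessionStoreDemo() {
  const user = createField("user", "text", "alice");
  const pw = createField("pw", "password", "hunter2");
  const fields = [user, pw];
  setPasswordVisible(pw, true); // user clicked "show password"
  return {
    flawed: collectFormDataFlawed(fields), // contains pw in clear
    fixed: collectFormDataFixed(fields),   // user only
  };
}
```

In a real browser the equivalent of `originalType` has to be captured when the element is first encountered, for instance from a mutation observer on the `type` attribute; the serializer cannot recover it from the element's current state.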
Delay following click events in file download dialog too short on OS X — Mozilla
Security researcher Jordi Chancel reported an issue on OS X where the delay between the download dialog getting focus and the button getting enabled was too short. If an attacker is able to induce the user to double-click in a specific location, they can then pass the second click through to the...
Privilege escalation vulnerabilities in WebExtension APIs — Mozilla
Mozilla developer Kris Maglione reported a mechanism where WebExtension APIs could be used to escalate privilege. This could allow arbitrary web content to execute code with the privileges of a particular WebExtension when using these API calls. Depending on the privileges of the extension used,...
Use-after-free with shared workers and IndexedDB — Mozilla
Security researcher Looben Yang discovered a use-after-free vulnerability when using a shared worker with IndexedDB due to a race condition with the worker. This results in a potentially exploitable crash that can be triggered through web content...
Feed protocol with POST bypasses mixed content protections — Mozilla
Security researcher Masato Kinugawa reported that opening a target page using a POST to the url prefixed with the feed: protocol disables the mixed content blocker for that page. This could allow for the risk of a man-in-the-middle (MITM) scripting attack on pages that accidentally include insecure...
OS X crash reports may contain entered key press information — Mozilla
Mozilla developer David Parks discovered while reviewing Firefox crash reports that personal data can sometimes be contained in reports from OS X systems. This is because these OS X crash reports will contain the native key that triggered the crash and this can sometimes contain key press...
Cursor clickjacking with flash and images — Mozilla
Security researcher Jordi Chancel reported a mechanism that made the cursor invisible through flash content and then replaced it through the layering of HTML content. This flaw can be used in combination with an image of the cursor manipulated through JavaScript, leading to clickjacking during...
Gecko Media Plugin sandbox escape — Mozilla
Security researcher Nils discovered a mechanism to break out of the Gecko Media Plugin (GMP) sandbox on Windows systems. The GMP sandbox is currently only used to host h.264 video playback using the OpenH264 plugin but is being developed to host other media plugins. This bug would allow an...
Accessing cross-origin objects via the Alarms API — Mozilla
Mozilla developer Boris Zbarsky reported that a malicious app could use the AlarmAPI to read the values of cross-origin references, such as an iframe's location object, as part of an alarm's JSON data. This allows a malicious app to bypass same-origin policy...
Out-of-bounds write in Cairo — Mozilla
Security researcher Jukka Jylänki reported a crash in the Cairo graphics library. This happens when Cairo paints out-of-bounds to the destination buffer in the compositing function when working with canvas in certain circumstances. This issue allows malicious web content to cause a potentiall...
WebGL Information disclosure through OS X NVIDIA graphic drivers — Mozilla
Mozilla developer Victor Porof reported a flaw in the NVIDIA OS X graphic drivers that would allow portions of a user's desktop or other visible applications to be incorporated into WebGL canvases. This could result in personal information becoming available to web content...
Use-after-free in ListenerManager — Mozilla
Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free within the ListenerManager when garbage collection is forced after data in listener objects have been allocated in some circumstances. This results in a use-after-free which can lead to arbitrary cod...
Information disclosure through Windows file shares and shortcut files — Mozilla
Security researcher Paul Stone reported an attack where an HTML page hosted on a Windows share and then loaded could then load Windows shortcut files .lnk in the same share. These shortcut files could then link to arbitrary locations on the local file system of the individual loading the HTML pag...
Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues — Mozilla
Security researcher Masato Kinugawa found that during the decoding of ISO-2022-KR and ISO-2022-CN character sets, characters near 1024 bytes are treated incorrectly, either doubling or deleting bytes. On certain pages it might be possible for an attacker to pad the output of the page such that...
Potentially exploitable crash in the YARR regular expression library — Mozilla
Security researcher Aki Helin reported a crash in the YARR regular expression library that could be triggered by javascript in web content...
Use-after-free error using Web Workers — Mozilla
Daniel Kozlowski reported that a JavaScript Worker could be used to keep a reference to an object that could be freed during garbage collection. Subsequent calls through this deleted reference could cause attacker-controlled memory to be executed on a victim's computer...
Location bar SSL spoofing using network error page — Mozilla
Google security researcher Michal Zalewski reported that when a window was opened to a site resulting in a network or certificate error page, the opening site could access the document inside the opened window and inject arbitrary content. An attacker could use this bug to spoof the location bar...
Information leak via XMLHttpRequest statusText — Mozilla
Matt Haggard reported that the statusText property of an XMLHttpRequest object is readable by the requester even when the request is made across origins. This status information reveals the presence of a web server and could be used to gather information about servers on internal private networks...
Miscellaneous memory safety hazards (rv:1.9.2.9/ 1.9.1.12) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Location bar and SSL indicator spoofing via window.open() on invalid URL — Mozilla
Security researcher Juan Pablo Lopez Yacubian reported that an attacker could call window.open on an invalid URL which looks similar to a legitimate URL and then use document.write to place content within the new document, appearing to have come from the spoofed location. Additionally, if the...
SSL tampering via non-200 responses to proxy CONNECT requests — Mozilla
Microsoft security researchers Shuo Chen, Ziqing Mao, Yi-Min Wang, and Ming Zhang reported that when a CONNECT request is sent to a proxy server and a non-200 response is returned, then the body of the response is incorrectly rendered within the context of the request Host: header. An active...
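The entry above describes a proxy (or an active attacker standing in for one) answering a CONNECT with a non-200 status and a body, and the browser rendering that body as if it were the https: page the user asked for. The following is an added example, not Mozilla's code. It shows the exchange from both sides with constructed messages: the client's CONNECT request, a proxy reply carrying attacker-chosen HTML, a minimal response parser, and the two ways of handling a non-200 reply: the vulnerable one, which renders the body in the target's origin, and the fixed one, which tunnels only on 200 and otherwise shows the browser's own error page. The target host is constructed and `about:neterror` stands in for whatever internal error page the browser uses.

```javascript
// Added example, not Mozilla's code. No network is used.

// Client side: what the browser sends to the proxy for an https: URL.
function buildConnectRequest(host, port) {
  return `CONNECT ${host}:${port} HTTP/1.1\r\nHost: ${host}:${port}\r\n\r\n`;
}

// Minimal HTTP/1.x response parser: status, headers, body.
function parseHttpResponse(raw) {
  const sep = raw.indexOf("\r\n\r\n");
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? "" : raw.slice(sep + 4);
  const lines = head.split("\r\n");
  const m = /^HTTP\/1\.[01] (\d{3})/.exec(lines[0]);
  if (!m) throw new Error("malformed status line");
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { status: Number(m[1]), headers, body };
}

// Vulnerable behaviour: the reply body is rendered as https://<target>/.
function handleConnectReplyVulnerable(target, raw) {
  const r = parseHttpResponse(raw);
  if (r.status === 200) return { action: "tunnel", origin: `https://${target}` };
  return { action: "render", origin: `https://${target}`, html: r.body };
}

// Fixed behaviour: a non-200 CONNECT reply never becomes a document in
// the target's origin; the browser shows its own error page instead.
function handleConnectReplyFixed(target, raw) {
  const r = parseHttpResponse(raw);
  if (r.status === 200) return { action: "tunnel", origin: `https://${target}` };
  return { action: "error-page", origin: "about:neterror", status: r.status };
}

// Constructed proxy replies. The second one is what an active attacker
// on the path would inject in place of the proxy's answer.
const OK_REPLY = "HTTP/1.1 200 Connection established\r\n\r\n";
const EVIL_REPLY =
  "HTTP/1.1 403 Forbidden\r\n" +
  "Content-Type: text/html\r\n" +
  "Connection: close\r\n" +
  "\r\n" +
  "<script>/* attacker script, would run as the target origin */</script>";

function runConnectDemo(target = "bank.example") {
  return {
    request: buildConnectRequest(target, 443),
    vulnerable: handleConnectReplyVulnerable(target, EVIL_REPLY),
    fixed: handleConnectReplyFixed(target, EVIL_REPLY),
    fixedOk: handleConnectReplyFixed(target, OK_REPLY),
  };
}
```

The distinction that matters is the origin attached to the rendered document: anything the proxy says before the TLS tunnel is established has not been authenticated by the target's certificate, so it must never be shown under the target's https: origin, whatever its status code.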
XSS using a chrome XBL method and window.eval — Mozilla
Mozilla security researcher mozbugra4 reported that a chrome XBL method can be used in conjunction with window.eval to execute arbitrary JavaScript within the context of another website, violating the same origin policy...
Privilege escalation via XPCnativeWrapper pollution — Mozilla
Mozilla security researcher mozbugra4 reported a series of vulnerabilities by which page content can pollute XPCNativeWrappers and have arbitrary code run with chrome privileges. One variant reported by mozbugra4 only affected Firefox 2...
Crash with malformed GIF file on Mac OS X — Mozilla
Drew Yao of Apple Product Security reported a vulnerability in Mozilla graphics code which handles GIF rendering in Mac OS X. He demonstrated that a GIF file could be specially crafted to cause the browser to free an uninitialized pointer. An attacker could use this vulnerability to crash the...
Java socket connection to any local port via LiveConnect — Mozilla
Security researcher Gregory Fleischer demonstrated that web content fetched via the jar: protocol can use Java via LiveConnect to open socket connections to arbitrary ports on the user's machine "localhost". The issue is caused by improper parsing of the content origin passed from the browser to...
Possible information disclosure in BMP decoder — Mozilla
Security researcher Gynvael Coldwind of Vexillium crediting help from udevd and porneL demonstrated that BMP images could be used to reveal small chunks of uninitialized memory that might contain sensitive data from other pages or other programs, and that this data could be extracted from the ima...
Auto-update compromise through DNS and SSL spoofing — Mozilla
The Firefox and Thunderbird auto-update mechanism protects itself against DNS spoofing using SSL; only a site presenting a valid certificate for aus2.mozilla.org will be trusted as a source of update information. Jon Oberheide points out, however, that many users accept unverifiable self-signed...
JavaScript execution in mail when forwarding in-line — Mozilla
Georgi Guninski reports that forwarding mail in-line while using the default HTML "rich mail" editor will execute JavaScript embedded in the e-mail message. Forwarding mail in-line is not the default setting but it is easily accessed through the "Forward As" menu item...
GIF heap overflow parsing Netscape extension 2 — Mozilla
A GIF processing error when parsing the obsolete Netscape extension 2 can lead to an exploitable heap overrun, allowing an attacker to run arbitrary code on the user's machine...
Security Vulnerabilities fixed in Firefox ESR 115.6 — Mozilla
The WebGL DrawElementsInstanced method was susceptible to a heap buffer overflow when used on systems with the Mesa VM driver. This issue could allow an attacker to perform remote code execution and sandbox escape. EncryptingOutputStream was susceptible to exposing uninitialized data. This issue...
Security Vulnerabilities fixed in Firefox ESR 115.2 — Mozilla
When receiving rendering data over IPC mStream could have been destroyed when initialized, which could have led to a use-after-free causing a potentially exploitable crash. When creating a callback over IPC for showing the Color Picker window, multiple of the same callbacks could have been create...
Security Vulnerabilities fixed in Firefox ESR 91.8 — Mozilla
NSSToken objects were referenced via direct pointers, and could have been accessed in an unsafe way on different threads, leading to a use-after-free and potentially exploitable crash. If a compromised content process sent an unexpected number of WebAuthN Extensions in a Register command to the...
Security vulnerabilities fixed in Firefox ESR 45.6 — Mozilla
Use-after-free while manipulating DOM events and removing audio elements due to errors in the handling of node adoption. Event handlers on marquee elements were executed despite a strict Content Security Policy (CSP) that disallowed inline JavaScript. Memory corruption resulting in a potentially...
Use-after-free when using alt key and toplevel menus — Mozilla
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team reported a use-after-free vulnerability when the alt key is used in conjunction with toplevel menu items in Firefox. This results in a potentially exploitable crash when triggered. This vulnerability is mitigated by not...
Use-after-free and buffer overflow in Service Workers — Mozilla
Security researcher Looben Yang reported two issues discovered in Service Workers using Address Sanitizer...
WebRTC and LibVPX vulnerabilities found through code inspection — Mozilla
Security researcher Ronald Crane reported five "moderate" rated vulnerabilities affecting released code that were found through code inspection. These included the following issues in WebRTC: an integer underflow, a missing status check, race condition, and a use of deleted pointers to create new...