1574 matches found
Crash with malformed GIF file on Mac OS X — Mozilla
Drew Yao of Apple Product Security reported a vulnerability in Mozilla graphics code which handles GIF rendering in Mac OS X. He demonstrated that a GIF file could be specially crafted to cause the browser to free an uninitialized pointer. An attacker could use this vulnerability to crash the...
jar: URI scheme XSS hazard — Mozilla
The jar: URI scheme was introduced as a mechanism to support digitally signed web pages, enabling web sites to load pages packaged in zip archives containing signatures in java-archive format...
File input focus stealing vulnerability — Mozilla
A user on the Sla.ckers.org forums named hong reported that a file upload control could be filled programmatically by switching page focus to the label before a file upload form control for selected keyboard events. An attacker could use this trick to steal files from the users' computer if the...
Spoofing using custom cursor and CSS3 hotspot — Mozilla
David Eckel reported that browser UI elements--such as the host name and security indicators--could be spoofed by using a large, mostly transparent, custom cursor and adjusting the CSS3 hotspot property so that the visible part of the cursor floated outside the browser content area...
Crashes with evidence of memory corruption (rv:1.8.0.2) — Mozilla
As part of the Firefox 1.5.0.2 release we fixed several crash bugs to improve the stability of the product, with a particular focus on finding crashes caused by DHTML. Some of these crashes showed evidence of memory corruption that we presume could be exploited to run arbitrary code with enough...
JavaScript garbage-collection hazards — Mozilla
Garbage collection hazards have been found in the JavaScript engine where some routines used temporary variables that were not properly protected rooted. Specially crafted objects could contain a user-defined method that would be called during the lifetime of these temporaries. If this method...
Long document title causes startup denial of service — Mozilla
Web pages with extremely long titles--the public demonstration had a title 2.5 million characters long--cause subsequent launches of the browser to appear to "hang" for up to a few minutes, or even crash if the computer has insufficient memory...
Security Vulnerabilities fixed in Firefox 138 — Mozilla
Mozilla Firefox's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file...
Security Vulnerabilities fixed in Firefox ESR 102.1 — Mozilla
When combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed. When visiting directory listings for chrome:// URLs as source text, some parameters were reflected. When opening a Windows shortcut from the local filesystem, an...
Security Vulnerabilities fixed in Thunderbird 91.1 — Mozilla
When delegating navigations to the operating system, Thunderbird would accept the mk scheme which might allow attackers to launch pages and execute scripts in Internet Explorer in unprivileged mode. This bug only affects Thunderbird for Windows. Other operating systems are unaffected. Mozilla...
Use-after-free when using alt key and toplevel menus — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team reported a use-after-free vulnerability when the alt key is used in conjunction with toplevel menu items in Firefox. This results in a potentially exploitable crash when triggered. This vulnerability is mitigated by not...
Out-of-bounds write with WebGL shader — Mozilla
Security researcher Aral reported an out-of-bounds write when using the ANGLE graphics library, which is used for WebGL content on Windows systems. This crash occurs due to improper size checking while writing to an array during some WebGL shader operations...
WebRTC and LibVPX vulnerabilities found through code inspection — Mozilla
Security researcher Ronald Crane reported five "moderate" rated vulnerabilities affecting released code that were found through code inspection. These included the following issues in WebRTC: an integer underflow, a missing status check, race condition, and a use of deleted pointers to create new...
HTML injection in homescreen app bypassing DOM sanitizer — Mozilla
Mozilla fixed a bug in the l10n localization of the default homescreen app of Firefox OS reported by security researcher Muneaki Nishimura. Exploiting this issue requires tricking the user into bookmarking a specially crafted web page via the 'Add to home screen' functionality. As a result, an...
Memory corruption in libjar through zip files — Mozilla
Security researcher Gustavo Grieco reported a buffer underflow in libjar triggered through a maliciously crafted ZIP format file. This results in a potentially exploitable crash...
Use-after-free with shared workers and IndexedDB — Mozilla
Security researcher Looben Yang discovered a use-after-free vulnerability when using a shared worker with IndexedDB due to a race condition with the worker. This results in a potentially exploitable crash that can be triggered through web content...
Out of bounds read in QCMS library with ICC V4 profile attributes — Mozilla
Security researcher Felix Gröbert of Google discovered an out of bounds read in the QCMS color management library while manipulating an image with specific attributes in its ICC V4 profile. This causes a crash and could lead to information disclosure...
Redefinition of non-configurable JavaScript object properties — Mozilla
Security researcher André Bargull reported non-configurable properties on JavaScript objects can be redefined while parsing JSON in violation of the ECMAScript 6 standard. This allows malicious web content to bypass same-origin policy by editing these properties to arbitrary values...
OS X crash reports may contain entered key press information — Mozilla
Mozilla developer David Parks discovered while reviewing Firefox crash reports that personal data can sometimes be contained in reports from OS X systems. This is because these OS X crash reports will contain the native key that triggered the crash and this can sometimes contain key press...
Cursor clickjacking with flash and images — Mozilla
Security researcher Jordi Chancel reported a mechanism that made cursor invisible through flash content and then replaced it through the layering of HTML content. This flaw can be in used in combination with an image of the cursor manipulated through JavaScript, leading to clickjacking during...
Use-after-free in event listeners — Mozilla
Security researchers Tyson Smith and Jesse Schwartzentruber of the BlackBerry Security Automated Analysis Team used the Address Sanitizer tool while fuzzing to discover a user-after-free when interacting with event listeners from the mListeners array. This leads to a potentially exploitable crash...
Bypass of XrayWrappers using XBL Scopes — Mozilla
Mozilla Developer Bobby Holley and Mozilla security researcher mozbugra4 discovered a mechanism where XBL scopes can be be used to circumvent XrayWrappers from within the Chrome on unprivileged objects. This allows web content to potentially confuse privileged code and weaken invariants and can...
Memory corruption while rendering grayscale PNG images — Mozilla
Mozilla community member Tobias Schula reported that if gfx.colormanagement.enablev4 preference is enabled manually in about:config, some grayscale PNG images will be rendered incorrectly and cause memory corruption during PNG decoding when certain color profiles are in use. A crafted PNG image...
Miscellaneous memory safety hazards (rv:9.0) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Stealing of cross-domain images using WebGL textures — Mozilla
Security research firm Context IS discovered that an image from a different domain could be loaded into a WebGL texture, and then each pixel could be rendered into a canvas element with a shader program, creating an approximation of the image in a form that was readable by the creator of the WebG...
GeckoActiveXObject exception messages can be used to enumerate installed COM objects — Mozilla
Security researcher Gregory Fleischer reported that the exception messages generated by Mozilla's GeckoActiveXObject differ based on whether or not the requested COM object's ProgID is present in the system registry. A malicious site could use this vulnerability to enumerate a list of COM objects...
Crashes with evidence of memory corruption (rv:1.9.0.4/1.8.1.18) — Mozilla
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be...
-moz-binding property bypasses security checks on codebase principals — Mozilla
Security researcher Collin Jackson reported that the -moz-binding CSS property can be used to bypass security checks which validate codebase principals. Similar to the issue reported in MFSA 2008-23, Jackson demonstrated that an attacker can replace a stylesheet in a signed JAR which uses relativ...
resource: traversal vulnerabilities — Mozilla
Mozilla developer Boris Zbarsky reported that the resource: protocol allowed directory traversal on Linux when using URL-encoded slashes...
Remote site run as local file via Windows URL shortcut — Mozilla
Mozilla community member Geoff reported that URL shortcut files on Windows for example, saved IE favorites could be interpreted as if they were in the local file context when opened by Firefox, although the referenced remote content would be downloaded and displayed. Scripts loaded from the remot...
Privacy issue with SSL Client Authentication — Mozilla
Peter Brodersen and Alexander Klink independently reported that the default setting for SSL Client Authentication, automatically selecting a client certificate on behalf of the user, creates a potential privacy issue for users by allowing tracking through client certificates. For users who alread...
Heap buffer overflow in external MIME bodies — Mozilla
Security research firm iDefense reported that researcher regenrecht discovered a heap-based buffer overflow vulnerability in Mozilla mail code which could potentially allow an attacker to run arbitrary code. The vulnerability is caused by allocating a buffer that can be three bytes too small in...
Web browsing history and forward navigation stealing — Mozilla
Mozilla contributor David Bloom reported a vulnerability in the way images are treated by the browser when a user leaves a page which utilizes designMode frames. The reported issue can be used to steal a user's navigation history, forward navigation information, and crash the user's browser. The...
File action dialog tampering — Mozilla
Security researcher Michal Zalewski demonstrated that timer-enabled security dialogs can be subverted by attackers using JavaScript to change the window focus. Zalewski showed that a user could be tricked into confirming a security dialog of this type by bringing the dialog back into focus right...
Privilege escalation by setting img.src to javascript: URI — Mozilla
mozbugra4 reports that the fix for MFSA 2006-72 in Firefox 1.5.0.9 and Firefox 2.0.0.1 introduced a regression that allows scripts from web content to execute arbitrary code by setting the src attribute of an IMG tag to a specially crafted javascript: URI...
Auto-update compromise through DNS and SSL spoofing — Mozilla
The Firefox and Thunderbird auto-update mechanism protects itself against DNS spoofing using SSL; only a site presenting a valid certificate for aus2.mozilla.org will be trusted as a source of update information. Jon Oberheide points out, however, that many users accept unverifiable self-signed...
EvalInSandbox escape (Proxy Autoconfig, Greasemonkey) — Mozilla
Mozilla researcher mozbugra4 demonstrated that javascript run via EvalInSandbox can escape the sandbox and gain elevated privilege by calling valueOf on objects created outside the sandbox and inserted into it. Malicious scripts could use these privileges to compromise your computer or data...
Fixes for crashes with potential memory corruption (rv:1.8.0.4) — Mozilla
Mozilla team members discovered several crashes during testing of the browser engine showing evidence of memory corruption that we presume is exploitable...
Downloading executables with "Save Image As..." — Mozilla
By layering a transparent image link to an executable on top of a visible and presumably desirable image a malicious site might be able to convince some visitors to right-click and choose "Save image as..." from the context menu and fool them by giving them the executable instead. When the users...
Privilege escalation using crypto.generateCRMFRequest — Mozilla
shutdown demonstrated that the crypto.generateCRMFRequest method can be used to run arbitrary code with the privilege of the user, which could enable an attacker to install malware...
Cross-site scripting using .valueOf.call() — Mozilla
mozbugra4 discovered that .valueOf.call and .valueOf.apply when called with no arguments were returning the Object class prototype rather than the caller's global window object. When called on a reachable property of another window this provides a hook to get around the same-origin protection,...
Security Vulnerabilities fixed in Thunderbird 128 — Mozilla
An error in the ECMA-262 specification relating to Async Generators could have resulted in a type confusion, potentially leading to memory corruption and an exploitable crash. Clipboard code failed to check the index on an array access. This could have led to an out-of-bounds read. It was possibl...
Security Vulnerabilities fixed in Focus for iOS 122 — Mozilla
Using a javascript: URI with a setTimeout race condition, an attacker can execute unauthorized scripts on top origin sites in urlbar. This bypasses security measures, potentially leading to arbitrary code execution or unauthorized actions within the user's loaded webpage. An attacker could execut...
Security Vulnerabilities fixed in Firefox for iOS 102 — Mozilla
Internal URLs are protected by a secret UUID key, which could have been leaked to web page through the Referrer header...
CSP reports fail to strip location information for embedded iframe pages — Mozilla
Security researcher Muneaki Nishimura nishimunea of Recruit Technologies Co.,Ltd. reported that Content Security Policy CSP violation reports contained full path information for cross-origin iframe navigations in violation of the CSP specification. This could result in information disclosure...
Miscellaneous memory safety hazards (rv:43.0 / rv:38.5) — Mozilla
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...
JavaScript garbage collection crash with Java applet — Mozilla
Mozilla community member Vytautas Staraitis reported an issue with the interaction of Java applets and JavaScript. The Java plugin can deallocate a JavaScript wrapper when it is still in use, which leads to a JavaScript garbage collection crash. This crash is potentially exploitable...
CSP bypass due to permissive Reader mode whitelist — Mozilla
Security researcher Mario Heiderich reported an issue where the security protections of Reader mode in Firefox can be bypassed, allowing scripts to be run. Mozilla developer Frederik Braun independently discovered and reported this same issue as well. This issue happens even though Reader View...
Out-of-bounds read with malformed MP3 file — Mozilla
Security researcher Aki Helin used the Address Sanitizer tool to discover an out-of-bounds read during playback of a malformed MP3 format audio file which switches sample formats. This could trigger a potentially exploitable crash or the reading of out-of-bounds memory content in some circumstanc...
Remote HTML tag injection in Gaia Search app — Mozilla
Security researcher Muneaki Nishimura reported an issue with Gaia's Search app which allows an attacker to inject HTML code into the System app's context via specially-crafted search links. The injection occurs when the user opens such malicious link in the browser and then re-opens the browser o...