1574 matches found
Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues — Mozilla
Security researcher Masato Kinugawa found that during the decoding of ISO-2022-KR and ISO-2022-CN character sets, characters near 1024 bytes are treated incorrectly, either doubling or deleting bytes. On certain pages it might be possible for an attacker to pad the output of the page such that...
Potentially exploitable crash in the YARR regular expression library — Mozilla
Security researcher Aki Helin reported a crash in the YARR regular expression library that could be triggered by javascript in web content...
Use-after-free error using Web Workers — Mozilla
Daniel Kozlowski reported that a JavaScript Worker could be used to keep a reference to an object that could be freed during garbage collection. Subsequent calls through this deleted reference could cause attacker-controlled memory to be executed on a victim's computer...
Location bar SSL spoofing using network error page — Mozilla
Google security researcher Michal Zalewski reported that when a window was opened to a site resulting in a network or certificate error page, the opening site could access the document inside the opened window and inject arbitrary content. An attacker could use this bug to spoof the location bar...
Information leak via XMLHttpRequest statusText — Mozilla
Matt Haggard reported that the statusText property of an XMLHttpRequest object is readable by the requester even when the request is made across origins. This status information reveals the presence of a web server and could be used to gather information about servers on internal private networks...
Miscellaneous memory safety hazards (rv:1.9.2.9/ 1.9.1.12) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Use-after-free error in nsCycleCollector::MarkRoots() — Mozilla
Security researcher wushi of team509 reported that the frame construction process for certain types of menus could result in a menu containing a pointer to a previously freed menu item. During the cycle collection process, this freed item could be accessed, resulting in the execution of a section...
Location bar and SSL indicator spoofing via window.open() on invalid URL — Mozilla
Security researcher Juan Pablo Lopez Yacubian reported that an attacker could call window.open on an invalid URL which looks similar to a legitimate URL and then use document.write to place content within the new document, appearing to have come from the spoofed location. Additionally, if the...
Crashes with evidence of memory corruption (rv:1.9.1.2/1.9.0.13) — Mozilla
Mozilla developers and community members identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some ...
Crash with malformed GIF file on Mac OS X — Mozilla
Drew Yao of Apple Product Security reported a vulnerability in Mozilla graphics code which handles GIF rendering in Mac OS X. He demonstrated that a GIF file could be specially crafted to cause the browser to free an uninitialized pointer. An attacker could use this vulnerability to crash the...
Privacy issue with SSL Client Authentication — Mozilla
Peter Brodersen and Alexander Klink independently reported that the default setting for SSL Client Authentication, automatically selecting a client certificate on behalf of the user, creates a potential privacy issue for users by allowing tracking through client certificates. For users who alread...
jar: URI scheme XSS hazard — Mozilla
The jar: URI scheme was introduced as a mechanism to support digitally signed web pages, enabling web sites to load pages packaged in zip archives containing signatures in java-archive format...
File input focus stealing vulnerability — Mozilla
A user on the Sla.ckers.org forums named hong reported that a file upload control could be filled programmatically by switching page focus to the label before a file upload form control for selected keyboard events. An attacker could use this trick to steal files from the users' computer if the...
Spoofing using custom cursor and CSS3 hotspot — Mozilla
David Eckel reported that browser UI elements--such as the host name and security indicators--could be spoofed by using a large, mostly transparent, custom cursor and adjusting the CSS3 hotspot property so that the visible part of the cursor floated outside the browser content area...
Privilege escalation using crypto.generateCRMFRequest — Mozilla
shutdown demonstrated that the crypto.generateCRMFRequest method can be used to run arbitrary code with the privilege of the user, which could enable an attacker to install malware...
Downloading executables with "Save Image As..." — Mozilla
By layering a transparent image link to an executable on top of a visible and presumably desirable image a malicious site might be able to convince some visitors to right-click and choose "Save image as..." from the context menu and fool them by giving them the executable instead. When the users...
Crashes with evidence of memory corruption (rv:1.8.0.2) — Mozilla
As part of the Firefox 1.5.0.2 release we fixed several crash bugs to improve the stability of the product, with a particular focus on finding crashes caused by DHTML. Some of these crashes showed evidence of memory corruption that we presume could be exploited to run arbitrary code with enough...
Long document title causes startup denial of service — Mozilla
Web pages with extremely long titles--the public demonstration had a title 2.5 million characters long--cause subsequent launches of the browser to appear to "hang" for up to a few minutes, or even crash if the computer has insufficient memory...
JavaScript garbage-collection hazards — Mozilla
Garbage collection hazards have been found in the JavaScript engine where some routines used temporary variables that were not properly protected rooted. Specially crafted objects could contain a user-defined method that would be called during the lifetime of these temporaries. If this method...
Security Vulnerabilities fixed in Firefox 138 — Mozilla
Mozilla Firefox's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file...
Use-after-free when using alt key and toplevel menus — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team reported a use-after-free vulnerability when the alt key is used in conjunction with toplevel menu items in Firefox. This results in a potentially exploitable crash when triggered. This vulnerability is mitigated by not...
Out-of-bounds write with WebGL shader — Mozilla
Security researcher Aral reported an out-of-bounds write when using the ANGLE graphics library, which is used for WebGL content on Windows systems. This crash occurs due to improper size checking while writing to an array during some WebGL shader operations...
CSP reports fail to strip location information for embedded iframe pages — Mozilla
Security researcher Muneaki Nishimura nishimunea of Recruit Technologies Co.,Ltd. reported that Content Security Policy CSP violation reports contained full path information for cross-origin iframe navigations in violation of the CSP specification. This could result in information disclosure...
WebRTC and LibVPX vulnerabilities found through code inspection — Mozilla
Security researcher Ronald Crane reported five "moderate" rated vulnerabilities affecting released code that were found through code inspection. These included the following issues in WebRTC: an integer underflow, a missing status check, race condition, and a use of deleted pointers to create new...
Miscellaneous memory safety hazards (rv:43.0 / rv:38.5) — Mozilla
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...
Memory corruption in libjar through zip files — Mozilla
Security researcher Gustavo Grieco reported a buffer underflow in libjar triggered through a maliciously crafted ZIP format file. This results in a potentially exploitable crash...
CSP bypass due to permissive Reader mode whitelist — Mozilla
Security researcher Mario Heiderich reported an issue where the security protections of Reader mode in Firefox can be bypassed, allowing scripts to be run. Mozilla developer Frederik Braun independently discovered and reported this same issue as well. This issue happens even though Reader View...
Out of bounds read in QCMS library with ICC V4 profile attributes — Mozilla
Security researcher Felix Gröbert of Google discovered an out of bounds read in the QCMS color management library while manipulating an image with specific attributes in its ICC V4 profile. This causes a crash and could lead to information disclosure...
Redefinition of non-configurable JavaScript object properties — Mozilla
Security researcher André Bargull reported non-configurable properties on JavaScript objects can be redefined while parsing JSON in violation of the ECMAScript 6 standard. This allows malicious web content to bypass same-origin policy by editing these properties to arbitrary values...
Bypass of XrayWrappers using XBL Scopes — Mozilla
Mozilla Developer Bobby Holley and Mozilla security researcher mozbugra4 discovered a mechanism where XBL scopes can be be used to circumvent XrayWrappers from within the Chrome on unprivileged objects. This allows web content to potentially confuse privileged code and weaken invariants and can...
Web content bypass of COW and SOW security wrappers — Mozilla
Mozilla developer Bobby Holley discovered that it was possible to bypass some protections in Chrome Object Wrappers COW and System Only Wrappers SOW, making their prototypes mutable by web content. This could be used leak information from chrome objects and possibly allow for arbitrary code...
Miscellaneous memory safety hazards (rv:9.0) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Stealing of cross-domain images using WebGL textures — Mozilla
Security research firm Context IS discovered that an image from a different domain could be loaded into a WebGL texture, and then each pixel could be rendered into a canvas element with a shader program, creating an approximation of the image in a form that was readable by the creator of the WebG...
GeckoActiveXObject exception messages can be used to enumerate installed COM objects — Mozilla
Security researcher Gregory Fleischer reported that the exception messages generated by Mozilla's GeckoActiveXObject differ based on whether or not the requested COM object's ProgID is present in the system registry. A malicious site could use this vulnerability to enumerate a list of COM objects...
-moz-binding property bypasses security checks on codebase principals — Mozilla
Security researcher Collin Jackson reported that the -moz-binding CSS property can be used to bypass security checks which validate codebase principals. Similar to the issue reported in MFSA 2008-23, Jackson demonstrated that an attacker can replace a stylesheet in a signed JAR which uses relativ...
Crashes with evidence of memory corruption (rv:1.9.0.4/1.8.1.18) — Mozilla
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be...
resource: traversal vulnerabilities — Mozilla
Mozilla developer Boris Zbarsky reported that the resource: protocol allowed directory traversal on Linux when using URL-encoded slashes...
Remote site run as local file via Windows URL shortcut — Mozilla
Mozilla community member Geoff reported that URL shortcut files on Windows for example, saved IE favorites could be interpreted as if they were in the local file context when opened by Firefox, although the referenced remote content would be downloaded and displayed. Scripts loaded from the remot...
Heap buffer overflow in external MIME bodies — Mozilla
Security research firm iDefense reported that researcher regenrecht discovered a heap-based buffer overflow vulnerability in Mozilla mail code which could potentially allow an attacker to run arbitrary code. The vulnerability is caused by allocating a buffer that can be three bytes too small in...
Web browsing history and forward navigation stealing — Mozilla
Mozilla contributor David Bloom reported a vulnerability in the way images are treated by the browser when a user leaves a page which utilizes designMode frames. The reported issue can be used to steal a user's navigation history, forward navigation information, and crash the user's browser. The...
File action dialog tampering — Mozilla
Security researcher Michal Zalewski demonstrated that timer-enabled security dialogs can be subverted by attackers using JavaScript to change the window focus. Zalewski showed that a user could be tricked into confirming a security dialog of this type by bringing the dialog back into focus right...
Privilege escalation by setting img.src to javascript: URI — Mozilla
mozbugra4 reports that the fix for MFSA 2006-72 in Firefox 1.5.0.9 and Firefox 2.0.0.1 introduced a regression that allows scripts from web content to execute arbitrary code by setting the src attribute of an IMG tag to a specially crafted javascript: URI...
EvalInSandbox escape (Proxy Autoconfig, Greasemonkey) — Mozilla
Mozilla researcher mozbugra4 demonstrated that javascript run via EvalInSandbox can escape the sandbox and gain elevated privilege by calling valueOf on objects created outside the sandbox and inserted into it. Malicious scripts could use these privileges to compromise your computer or data...
Fixes for crashes with potential memory corruption (rv:1.8.0.4) — Mozilla
Mozilla team members discovered several crashes during testing of the browser engine showing evidence of memory corruption that we presume is exploitable...
Cross-site scripting using .valueOf.call() — Mozilla
mozbugra4 discovered that .valueOf.call and .valueOf.apply when called with no arguments were returning the Object class prototype rather than the caller's global window object. When called on a reachable property of another window this provides a hook to get around the same-origin protection,...
Security Vulnerabilities fixed in Thunderbird 128 — Mozilla
An error in the ECMA-262 specification relating to Async Generators could have resulted in a type confusion, potentially leading to memory corruption and an exploitable crash. Clipboard code failed to check the index on an array access. This could have led to an out-of-bounds read. It was possibl...
Security Vulnerabilities fixed in Focus for iOS 122 — Mozilla
Using a javascript: URI with a setTimeout race condition, an attacker can execute unauthorized scripts on top origin sites in urlbar. This bypasses security measures, potentially leading to arbitrary code execution or unauthorized actions within the user's loaded webpage. An attacker could execut...
Security Vulnerabilities fixed in Firefox for iOS 102 — Mozilla
Internal URLs are protected by a secret UUID key, which could have been leaked to web page through the Referrer header...
JavaScript garbage collection crash with Java applet — Mozilla
Mozilla community member Vytautas Staraitis reported an issue with the interaction of Java applets and JavaScript. The Java plugin can deallocate a JavaScript wrapper when it is still in use, which leads to a JavaScript garbage collection crash. This crash is potentially exploitable...
Out-of-bounds read with malformed MP3 file — Mozilla
Security researcher Aki Helin used the Address Sanitizer tool to discover an out-of-bounds read during playback of a malformed MP3 format audio file which switches sample formats. This could trigger a potentially exploitable crash or the reading of out-of-bounds memory content in some circumstanc...