1568 matches found
Use-after-free crash in HTML parser — Mozilla
Security researcher Alin Rad Pop of Secunia Research reported that the HTML parser incorrectly freed used memory when insufficient space was available to process remaining input. Under such circumstances, memory occupied by in-use objects was freed and could later be filled with attacker-controll...
Heap buffer overflow in string to number conversion — Mozilla
Security researcher Alin Rad Pop of Secunia Research reported a heap-based buffer overflow in Mozilla's string to floating point number conversion routines. Using this vulnerability an attacker could craft some malicious JavaScript code containing a very long string to be converted to a floating...
Heap buffer overflow in GIF color map parser — Mozilla
Security research firm iDefense reported that researcher regenrecht discovered a heap-based buffer overflow in Mozilla's GIF image parser. This vulnerability could potentially be used by an attacker to crash a victim's browser and run arbitrary code on their computer...
Location bar spoofing via tall line-height Unicode characters — Mozilla
Security researcher Juan Pablo Lopez Yacubian reported that the default Windows font used to render the locationbar and other text fields was improperly displaying certain Unicode characters with tall line-height. In such cases the tall line-height would cause the rest of the text in the input...
Crash and remote code execution using watch and __defineSetter__ on SVG element — Mozilla
Security researcher PenPal reported a crash involving a SVG element on which a watch function and defineSetter function have been set for a particular property. The crash showed evidence of memory corruption and could potentially be used by an attacker to run arbitrary code on a victim's computer...
XUL scripts bypass content-policy checks — Mozilla
Mozilla add-on developer and community member Wladimir Palant reported that content-loading policies were not checked before loading external script files into XUL documents. The severity of this problem would depend on the reasons behind the content policy check, which include privacy from "web...
Crash in nsTextFrame::ClearTextRun() — Mozilla
One of the security fixes in Firefox 3.0.9 introduced a regression that caused some users to experience frequent crashes. Users of the HTML Validator add-on were particularly affected, but other users also experienced this crash in some situations. In analyzing this crash we discovered that it wa...
XSL Transformation vulnerability — Mozilla
Security researcher Guido Landi discovered that a XSL stylesheet could be used to crash the browser during a XSL transformation. An attacker could potentially use this crash to run arbitrary code on a victim's computer...
Local file stealing with SessionStore — Mozilla
Mozilla security researcher mozbugra4 reported that a form input control's type could be changed during the restoration of a closed tab. An attacker could set an input control's text value to the path of a local file whose location was known to the attacker. If the tab was then closed and the...
Additional XSS attack vectors in feed preview — Mozilla
Mozilla security researcher mozbugra4 reported an additional variation on the feed preview vulnerabilities fixed in Firefox 2.0.0.17. mozbugra4 demonstrated that it was still possible to use the feed preview as a vector for JavaScript privilege escalation. An attacker could use this issue to run...
XUL popup spoofing variant (cross-tab popups) — Mozilla
Mozilla contributor Chris Thomas demonstrated that it was possible to have a background tab create a borderless XUL pop-up in front of the active tab in the user's browser. This technique could be used by an attacker to spoof form elements such as a login prompt for a site opened in a different t...
Privacy issue with SSL Client Authentication — Mozilla
Peter Brodersen and Alexander Klink independently reported that the default setting for SSL Client Authentication, automatically selecting a client certificate on behalf of the user, creates a potential privacy issue for users by allowing tracking through client certificates. For users who alread...
Frame spoofing while window is loading — Mozilla
Ronen Zilberman and Michal Zalewski both reported that it was possible to exploit a timing issue to inject content into about:blank frames in a page. When opening a window from a script, it is possible to spoof the content of the newly opened window's frames within a short time frame, while the...
Embedded nulls in location.hostname confuse same-domain checks — Mozilla
Michal Zalewski demonstrated that setting location.hostname to a value with embedded null characters can confuse the browsers domain checks. Setting the value triggers a load, but the networking software reads the hostname only up to the null character while other checks for "parent domain" start...
Frame spoofing using document.open() — Mozilla
shutdown demonstrated a way to inject content into a sub-frame of another site using targetWindow.framesn.document.open, making the attackers content look like it was part of the victim site. Similar in effect to MFSA 2005-51...
RSA Signature Forgery — Mozilla
Philip Mackenzie and Marius Schilder of Google informed us of Daniel Bleichenbacher's recent presentation of a common implementation error in RSA signature verification, a failure to account for extra data in the signature. For signatures with a small exponent such as 3 it is possible for an...
Arbitrary code execution from Firefox sidebar panel — Mozilla
If a user bookmarked a malicious page as a Firefox sidebar panel that page could execute arbitrary programs by opening a privileged page and injecting javascript into it...
Security Vulnerabilities fixed in Firefox 139 — Mozilla
A double-free could have occurred in vpxcodecencinitmulti after a failed allocation when initializing the encoder for WebRTC. This could have caused memory corruption and a potentially exploitable crash. Error handling for script execution was incorrectly isolated from web content, which could ha...
Security Vulnerabilities fixed in Firefox for iOS 123 — Mozilla
An attacker could have executed unauthorized scripts on top origin sites using a JavaScript URI when opening an external URL with a custom Firefox scheme. Using an AMP url with a canonical element, an attacker could have executed JavaScript from an opened bookmarked page. Upon scanning a JavaScri...
Security Vulnerabilities fixed in Thunderbird 115.4.1 — Mozilla
It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an insufficient activation-delay. An attacker could have created a malicious link using bidirectional characters to spoof the location in the address bar when visited. Drivers a...
Security Issues fixed in Mozilla VPN for Linux v2.16.1 — Mozilla
An invalid Polkit Authentication check and missing authentication requirements for D-Bus methods allowed any local user to configure arbitrary VPN setups.This bug only affects Mozilla VPN on Linux. Other operating systems are unaffected...
Security Vulnerabilities fixed in Firefox for iOS 25 — Mozilla
For native-to-JS bridging, the app requires a unique token to be passed that ensures non-app code can't call the bridging functions. That token was being used for JS-to-native also, but it isn't needed in this case, and its usage was also leaking this token...
Security Vulnerabilities fixed in Firefox ESR 68.5 — Mozilla
A content process could have modified shared memory relating to crash reporting information, crash itself, and cause an out-of-bound write. This could have caused memory corruption and a potentially exploitable crash. By downloading a file with the .fileloc extension, a semi-privileged extension...
Security vulnerabilities fixed in - Thunderbird 68.1.1 — Mozilla
A crafted S/MIME message consisting of an inner encryption layer and an outer SignedData layer was shown as having a valid digital signature, although the signer might have had no access to the contents of the encrypted message, and might have stripped a different signature from the encrypted...
Privilege escalation through file deletion by Maintenance Service updater — Mozilla
Security researcher Holger Fuhrmannek reported an issue where the Mozilla Maintenance Service updater on Windows can delete arbitrary files because of its privileged system access. This file deletion can then potentially be used for further privilege escalation. This flaw requires users to execut...
Firefox for Android addressbar can be removed after fullscreen mode — Mozilla
Security researcher Jordi Chancel reported when Firefox for Android exits fullscreen mode, it can be induce through script to not restore the addressbar when the window is redrawn in normal mode. This could allow an attacker to spoof the addressbar with their own content...
Android intents can be used on Firefox for Android to open privileged files — Mozilla
Security researcher Muneaki Nishimura reported that on Firefox for Android, a search engine can be registered and used to launch Firefox through an Android intent. When Firefox for Android is launched, the URL can executed with Firefox's system privileges if the crash reporter is used. This allow...
Touch events are shared across iframes — Mozilla
Mozilla developer Wesley Johnston reported that when there are two or more iframes on the same HTML page, an iframe is able to see the touch events and their targets that occur within the other iframes on the page. If the iframes are from the same origin, they can also access the properties and...
Buffer overflow while line breaking after document.write with long string — Mozilla
Dirk Heinrich reported that on Windows platforms when document.write was called with a very long string a buffer overflow was caused in line breaking routines attempting to process the string for display. Such cases triggered an invalid read past the end of an array causing a crash which an...
Java security bypass from LiveConnect loaded via data: URL meta refresh — Mozilla
Security researcher Gregory Fleischer reported that when a Java LiveConnect script was loaded via a data: URL which redirects via a meta refresh, then the resulting plugin object was created with the wrong security principal and thus received elevated privileges such as the abilities to read loca...
XSS using addEventListener and setTimeout on a wrapped object — Mozilla
Mozilla security researcher mozbugra4 reports that by using an appropriately wrapped object it was possible to bypass the fix for MFSA 2007-19. Prior to Firefox 3.6 this gives an attacker the ability to perform cross-site scripting attacks against arbitrary sites as in the original MFSA 2007-19...
NTLM reflection vulnerability — Mozilla
Security researcher Takehiro Takahashi of the IBM X-Force reported that Mozilla's NTLM implementation was vulnerable to reflection attacks in which NTLM credentials from one application could be forwarded to another arbitrary application via the browser. If an attacker could get a user to visit a...
Memory safety fixes in liboggplay media library — Mozilla
Mozilla discovered several bugs in liboggplay which posed potential memory safety issues. The bugs which were fixed could potentially be used by an attacker to crash a victim's browser and execute arbitrary code on their computer...
Malicious search plugins can inject code into arbitrary sites — Mozilla
Security researcher Prateek Saxena reported that a malicious MozSearch plugin could be created using a javascript: URI in the SearchForm value. This URI is used as the default landing page when an empty search is performed. If an attacker could get a user to install the malicious plugin and perfo...
Arbitrary code execution via XUL tree element — Mozilla
Security researcher Nils reported via TippingPoint's Zero Day Initiative that the XUL tree method moveToEdgeShift was in some cases triggering garbage collection routines on objects which were still in use. In such cases, the browser would crash when attempting to access a previously destroyed...
Memory corruption vulnerabilities (rv:1.8.1.10) — Mozilla
The Firefox 2.0.0.10 update contains fixes for three bugs that improve the stability of the product. These crashes showed some evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code...
Code execution via QuickTime Media-link files — Mozilla
On his blog Petko D. Petkov reported that QuickTime Media-Link files contain a qtnext attribute that could be used on Windows systems to launch the default browser with arbitrary command-line options. When the default browser is Firefox 2.0.0.6 or earlier use of the -chrome option allowed a remot...
XSS using addEventListener and setTimeout — Mozilla
Mozilla contributor mozbugra4 demonstrated that the methods addEventListener and setTimeout could be used to inject script into another site in violation of the browser's same-origin policy. This could be used to access or modify private or valuable information from that other site...
Path Abuse in Cookies — Mozilla
Nicolas Derouet reported two problems with cookie handling in Mozilla clients. The first was that the cookie path parameter was not subject to any length checks, and this could be abused to cause the victim's browser to use excessive amounts of memory while it was running as well as waste the dis...
XSS and local file access by opening blocked popupsand local file access by opening blocked popups — Mozilla
shutdown reported that if you could convince a user to open a blocked popup you could perform a cross-site scripting attack against any site that contains a frame whose source is a data: URL. To accomplish this the attacker's site would have to frame the target site plus another frame whose sourc...
LiveConnect crash finalizing JS objects — Mozilla
Steven Michaud reported a crash in LiveConnect, the bridge code that allows Java applets and web JavaScript to communicate. The crash is due to re-use of an already-freed object and we presume this could be exploited with enough effort...
JavaScript execution in mail via XBL — Mozilla
Georgi Guninski demonstrated that even with JavaScript disabled in mail the default an attacker can still execute JavaScript when a mail message is viewed, replied to, or forwarded by putting the script in a remote XBL file loaded by the message. The executed script could be used to alter or chan...
"View Image" local resource linking (Windows) — Mozilla
Normally Mozilla-based clients prevent web content from linking to local files but Eric Foley reports a partial bypass of this restriction by using Windows filename syntax on a Windows computer rather than a file:/// URL as the SRC= attribute. The image will not be loaded on the web page--it will...
Privilege escalation using addSelectionListener — Mozilla
Web content could access the nsISelectionPrivate interface of the Selection object and use it to add a SelectionListener. The listener would be called when the user did a "Find" on the page or a "select all", and as intended this shouldn't cause any problems. But as with escaping the PAC sandbox ...
Privilege escalation using a JavaScript function's cloned parent — Mozilla
shutdown discovered it was possible to use the Object.watch method to access an internal function object the "clone parent" which could then be used to run arbitrary JavaScript code with full permission. This could be used to install malware such as password sniffers or viruses...
File stealing by changing input type — Mozilla
Claus Jörgensen reports that a text input box can be pre-filled with a filename and then turned into a file-upload control with the contents intact, allowing a malicious website the ability to steal any local file whose name they can guess...
"AnyName" entrainment and access control hazard — Mozilla
The implementation of E4X introduced an internal "AnyName" object which was unintentionally exposed to web content. This singleton object could be used by two cooperating domains as a communication channel to get around same-origin restrictions that prevent direct access from one window or frame ...
Window Injection Spoofing — Mozilla
A website can inject content into a popup opened by another site if the target name of the popup window is known. An attacker who knows you are going to visit that other site could spoof the contents of the popup...
Security Vulnerabilities fixed in Thunderbird ESR 128.8 — Mozilla
Certain crafted MIME email messages that claimed to contain an encrypted OpenPGP message, which instead contained an OpenPGP signed message, were wrongly shown as being encrypted. When requesting an OpenPGP key from a WKD server, an incorrect padding size was used and a network observer could hav...
Security Vulnerabilities fixed in Firefox ESR 115.12 — Mozilla
Memory corruption in the networking stack could have led to a potentially exploitable crash. If a garbage collection was triggered at the right time, a use-after-free could have occurred during object transplant. By monitoring the time certain operations take, an attacker could have guessed which...