Security Vulnerabilities fixed in Firefox ESR 115.5.0 — Mozilla
On some systems—depending on the graphics settings and drivers—it was possible to force an out-of-bounds read and leak memory data into the images created on the canvas element. It was possible to cause the use of a MessagePort after it had already been freed, which could potentially have led to ...
Mozilla VPN local privilege escalation via uncontrolled OpenSSL search path — Mozilla
Mozilla VPN can load an OpenSSL configuration file from an unsecured directory. A user or attacker with limited privileges could leverage this to launch arbitrary code with SYSTEM privilege...
Security Vulnerabilities fixed in Firefox ESR 91.1 — Mozilla
When delegating navigations to the operating system, Firefox would accept the mk scheme which might allow attackers to launch pages and execute scripts in Internet Explorer in unprivileged mode. This bug only affects Firefox for Windows. Other operating systems are unaffected. Mozilla developers...
Miscellaneous memory safety hazards (rv:37.0 / rv:31.6) — Mozilla
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...
Use-after-free in Web Audio due to incorrect control message ordering — Mozilla
Using the Address Sanitizer tool, security researcher Atte Kettunen from OUSPG discovered a use-after-free in Web Audio due to an issue with how control messages for Web Audio are ordered and processed. This leads to a potentially exploitable crash...
Reader Mode pages have chrome privileges — Mozilla
Security researcher Warren He reported that when a page is transitioned into Reader Mode in Firefox for Android, the resulting page has chrome privileges and its content is not thoroughly sanitized. A successful attack requires the user to enable Reader Mode for a malicious page, which could then...
Scriptable plugin execution in SeaMonkey mail — Mozilla
Security researcher Georgi Guninski reported that scriptable plugin content, such as Flash objects, could be loaded and executed in SeaMonkey mail messages by embedding the content in an iframe inside the message. If a user were to reply to or forward such a message, malicious JavaScript embedded...
POST data sent to wrong site when saving web page with embedded frame — Mozilla
Developer and Mozilla community member Paolo Amadini reported that when saving the inner frame of a web page as a file when the outer page has POST data associated with it, the POST data will be incorrectly sent to the URL of the inner frame. This could potentially result in a user's sensitive da...
Mozilla Firefox XUL Linked Clones Double Free Vulnerability — Mozilla
An anonymous researcher, via TippingPoint's Zero Day Initiative program, reported a vulnerability in Mozilla's garbage collection process. The vulnerability was caused by improper memory management of a set of cloned XUL DOM elements which were linked as a parent and child. After reloading the...
XSS vulnerabilities in SessionStore — Mozilla
Mozilla security researcher mozbugra4 reported vulnerabilities in the session-restore feature by which content could be injected into an incorrect document storage location, including storage locations for other domains. An attacker could utilize these issues to violate the browser's same-origin...
Faulty .properties file results in uninitialized memory being used — Mozilla
Mozilla developer Daniel Glazman demonstrated that an improperly encoded .properties file in an add-on can result in uninitialized memory being used. This could potentially result in small chunks of data formerly used by other programs being exposed to the add-on code. If the localized string wer...
URL token stealing via stylesheet redirect — Mozilla
Security researcher Martin Straka reported that Gecko-based browsers update the .href property of stylesheet DOM nodes to reflect the final URI of the stylesheet after following any 302 redirects much as the document.location property is updated. This differs from other browsers and could...
Referer-spoofing via window.location race condition — Mozilla
Gregory Fleischer demonstrated that it was possible to generate a fake HTTP Referer header by exploiting a timing condition when setting the window.location property. This could be used to conduct a Cross-site Request Forgery (CSRF) attack against websites that rely only on the Referer header as...
Unauthorized access to wyciwyg:// documents — Mozilla
Michal Zalewski reported that it was possible to bypass the same-origin checks and read from cached wyciwyg documents. It is possible to access wyciwyg:// documents without proper same domain policy checks through the use of HTTP 302 redirects. This enables the attacker to steal sensitive data...
RSS Feed-preview referrer leak — Mozilla
Jared Breland reported on LEGROOM.net that when the new "Feed Preview" feature in Firefox 2.0 retrieves the icons of the installed web-based feed viewers it is potentially informing those services of your feed-browsing habits by sending the URL of the feed in a referrer header with each icon...
RSA Signature Forgery (variant) — Mozilla
MFSA 2006-60 reported that RSA digital signatures with a low exponent (typically 3) could be forged. This flaw was corrected in the Mozilla Network Security Services (NSS) library version 3.11.3 used by Firefox 2.0 and current development versions of Mozilla clients...
Popup-blocker cross-site scripting (XSS) — Mozilla
shutdown demonstrated that blocked popups opened from the status bar "blocked popups" icon were always opened in the context of the site listed in the Location address bar, even if the blocked popup were originally opened by a subframe loaded from another site. This allows the popup to perform a...
Web site XSS using BOM on UTF-8 pages — Mozilla
Masatoshi Kimura reports that the Unicode Byte-order-Mark (BOM) is stripped from UTF-8 pages during the conversion to Unicode before the parser sees the web page. As a result the parser will see and process script tags that web input sanitizers may miss because they appear as "scrBOMipt" or similar...
Code execution through shared function objects — Mozilla
Improper cloning of base objects allowed web content scripts to walk up the prototype chain to get to a privileged object. This could be used to execute code with enhanced privileges...
Security Vulnerabilities fixed in Thunderbird 137.0.2 — Mozilla
Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validate...
Security Vulnerabilities fixed in Firefox ESR 115.14 — Mozilla
Insufficient checks when processing graphics shared memory could have led to memory corruption. This could be leveraged by an attacker to perform a sandbox escape. Incomplete WebAssembly exception handling could have led to a use-after-free. Editor code failed to check an attribute value. This cou...
Security Vulnerabilities fixed in Firefox for iOS 115 — Mozilla
The permission request prompt from the site in the background tab was overlaid on top of the site in the foreground tab. The session restore helper crashed whenever there was no parameter sent to the message handler...
Security Vulnerabilities fixed in Firefox for iOS 28 — Mozilla
A rogue webpage could override the injected WKUserScript used by the download feature; this exploit could result in the user downloading an unintended file. A rogue webpage could override the injected WKUserScript used by the logins autofill; this exploit could result in leaking a password for th...
Information stealing via form history — Mozilla
Security researcher Paul Stone reported that a Java applet could be used to mimic interaction with form autocomplete controls and steal entries from the form history...
ParanoidFragmentSink allows javascript: URLs in chrome documents — Mozilla
Security researcher Roberto Suggi Liverani reported that ParanoidFragmentSink, a class used to sanitize potentially unsafe HTML for display, allows javascript: URLs and other inline JavaScript when the embedding document is a chrome document. While there are no unsafe uses of this class in any...
Memory corruption during text run construction (Windows) — Mozilla
Alex Miller reported that when very long strings were constructed and inserted into an HTML document, the browser would incorrectly construct the layout objects used to display the text. Under such conditions an incorrect length would be calculated for a text run resulting in too small of a memor...
Buffer overflow in JavaScript atom map — Mozilla
Security researcher Christian Holler reported that the JavaScript engine's internal mapping of string values contained an error in cases where the number of values being stored was above 64K. In such cases an offset pointer was manually moved forwards and backwards to access the larger address...
SSL wildcard certificate matching IP addresses — Mozilla
Security researcher Richard Moore reported that when an SSL certificate was created with a common name containing a wildcard followed by a partial IP address a valid SSL connection could be established with a server whose IP address matched the wildcard range by browsing directly to the IP addres...
Chrome privilege escalation due to incorrectly cached wrapper — Mozilla
Mozilla add-on developer and community member Wladimir Palant reported broken functionality on pages that had a Link: HTTP header when an add-on was installed which implemented a Content Policy in JavaScript, such as AdBlock Plus or NoScript. Mozilla security researcher mozbugra4 demonstrated tha...
Heap overflow in certificate regexp parsing — Mozilla
Moxie Marlinspike reported a heap overflow vulnerability in the code that handles regular expressions in certificate names. This vulnerability could be used to compromise the browser and run arbitrary code by presenting a specially crafted certificate to the client. This code provided compatibili...
setTimeout loses XPCNativeWrappers — Mozilla
Mozilla developer Blake Kaplan reported that setTimeout, when called with certain object parameters which should be protected with a XPCNativeWrapper, will fail to keep the object wrapped when compiling the new function to be executed. If chrome privileged code were to call setTimeout using this ...
Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19) — Mozilla
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be...
nsXMLHttpRequest::NotifyEventListeners() same-origin violation — Mozilla
Mozilla security researcher mozbugra4 reported that the same-origin check in nsXMLHttpRequest::NotifyEventListeners could be bypassed. This vulnerability could be used to execute JavaScript in the context of a different website...
Heap overflow when canceling newsgroup message — Mozilla
Georgi Guninski reported a buffer overflow in the handling of cancelled newsgroup messages. The error was caused by too small a heap buffer being allocated to store message header information. This buffer could be overrun by an attacker using a specially crafted message which could crash the mail...
Privilege escalation using feed preview page and XSS flaw — Mozilla
Mozilla security researcher mozbugra4 reported a series of vulnerabilities in feedWriter which allow scripts from page content to run with chrome privileges...
XSS through JavaScript same-origin violation — Mozilla
Mozilla contributor mozbugra4 submitted a set of vulnerabilities which allow scripts from one document to be executed in the context of a different document. These vulnerabilities could be used by an attacker to violate the same-origin policy and perform an XSS attack against arbitrary sites,...
Multiple XSS vulnerabilities from character encoding — Mozilla
WebKit developer Alexey Proskuryakov reported that the Mozilla HTML parser treated the backspace character as whitespace contrary to the HTML specification and different from other browsers. This difference might lead to Cross-site Scripting (XSS) risks on sites which filtered input in accordance...
onUnload Tailgating — Mozilla
Michal Zalewski demonstrated that onUnload event handlers had access to the address of the new page about to be loaded, even if the navigation was triggered from outside the page content such as by using a bookmark, pressing the back button, or typing an address into the location bar. If the...
Crashes with evidence of memory corruption (rv:1.8.0.12/1.8.1.4) — Mozilla
As part of the Firefox 2.0.0.4 and 1.5.0.12 update releases Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could b...
JavaScript Regular Expression Heap Corruption — Mozilla
Priit Laes reported a crash due to a heap buffer overflow triggered by a JavaScript regular expression containing a minimal quantifier. We presume this could be exploited to run arbitrary code...
Crashes with evidence of memory corruption (rv:1.8.0.5) — Mozilla
As part of the Firefox 1.5.0.5 stability and security release, developers in the Mozilla community looked for and fixed several crash bugs to improve the stability of Mozilla clients. Some of these crashes showed evidence of memory corruption that we presume could be exploited to run arbitrary co...
Javascript navigator Object Vulnerability — Mozilla
An anonymous researcher for TippingPoint and the Zero Day Initiative showed that when used in a web page Java would reference properties of the window.navigator object as it started up. If the page replaced the navigator object before starting Java then the browser would crash in a way that could...
PAC privilege escalation using Function.prototype.call — Mozilla
mozbugra4 reports that a malicious Proxy AutoConfig (PAC) server could serve a PAC script that can execute code with elevated privileges by setting the required FindProxyForURL function to the eval method on a privileged object that leaked into the PAC sandbox. By redirecting the victim to a...
JavaScript new Function race condition — Mozilla
H. D. Moore reported a testcase that was able to trigger a race condition where JavaScript garbage collection deleted a temporary variable still being used in the creation of a new Function object. The resulting use of a deleted object may be potentially exploitable to run native code provided by...
PLUGINSPAGE privileged JavaScript execution II — Mozilla
Paul Nickerson reports that the fix for MFSA 2005-34 can be bypassed using nested javascript: URLs, again allowing the attacker to execute privileged code. The attacker must first convince the user to first click on the missing-plugin icon in the page or the "Install Missing Plugins..." button in...
HTTP response smuggling — Mozilla
Kazuho Oku of Cybozu Labs reports via the Information-technology Promotion Agency, Japan, that Firefox is vulnerable to HTTP response smuggling when used with certain proxy servers...
Mozilla Firefox Tag Order Vulnerability — Mozilla
A particular sequence of HTML tags that reliably crash Mozilla clients was reported by an anonymous researcher via TippingPoint and the Zero Day Initiative. The crash is due to memory corruption that can be exploited to run arbitrary code...
Integer overflows in E4X, SVG, and Canvas — Mozilla
Georgi Guninski reports integer overflows in the new E4X, SVG, and Canvas features. These lead to memory corruption that is potentially exploitable to run arbitrary code...
Security Vulnerabilities fixed in Thunderbird 128.10.1 — Mozilla
Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an invalid value "Spoofed Name [email protected] [email protected]", Thunderbird treats [email protected] as the...
Security Vulnerabilities fixed in Firefox ESR 115.21 — Mozilla
In resizeToAtLeast of SkRegion.cpp, there was a possible out of bounds write due to an integer overflow. On Windows, a compromised content process could use bad StreamData sent over AudioIPC to trigger a use-after-free in the Browser process. This could have led to a sandbox escape. It was possibl...