Information disclosure via the High Resolution Time API — Mozilla
Security researchers Yossef Oren, Vasileios P. Kemerlis, Simha Sethumadhavan, Angelos D. Keromytis of Columbia University's Network Security Lab reported a method of using the High Resolution Time API for side channel attacks. This attack uses JavaScript loaded through a hostile web page to track...
Script access to .documentURI and .textContent in mail — Mozilla
Mozilla developer Boris Zbarsky reported that a malicious mail message might be able to glean personal information about the recipient from the mailbox URI such as computer account name if the mail recipient has enabled JavaScript in mail. If a malicious mail is forwarded "in-line" to a recipient...
Stored password corruption — Mozilla
Mozilla developer Justin Dolske discovered that malicious sites, upon a user saving his or her password, could inject newlines into Firefox's password store and corrupt saved passwords for other sites...
Firefox 1.0.7 / Mozilla Suite 1.7.12 Vulnerability Fixes — Mozilla
Fixes for multiple vulnerabilities with an overall severity of "critical" have been released in Mozilla Firefox 1.0.7 and the Mozilla Suite 1.7.12: Heap overrun in XBM image processing (Critical); Crash on "zero-width non-joiner" sequence (Critical); XMLHttpRequest header spoofing (Moderate); Object spoofi...
Standalone applications can run arbitrary code through the browser — Mozilla
Several media players, for example Flash and QuickTime, support scripted content with the ability to open URLs in the default browser. The default behavior for Firefox was to replace the currently open browser window's content with the externally opened content. If the external URL was a...
"Wrapped" javascript: urls bypass security checks — Mozilla
Some security checks intended to prevent script injection were incorrect and could be bypassed by wrapping a javascript: url in the view-source: pseudo-protocol. Michael Krax demonstrated that a variant of his favicon exploit could still execute arbitrary code, and the same technique could also b...
Missing Install object instance checks — Mozilla
The native implementations of InstallTrigger and other XPInstall-related javascript objects did not properly validate that they were called on instances of the correct type. By passing other objects, even raw numbers, the javascript interpreter would jump to the wrong place in memory. Although no...
Memory overwrite in string library — Mozilla
Daniel de Wildt discovered a memory handling flaw in Mozilla string classes that could overwrite memory at a fixed location if reallocation fails during string growth. This could theoretically lead to arbitrary code execution. Creating the exact conditions for exploitation--including running out ...
Security Vulnerabilities fixed in Firefox for iOS 131.2 — Mozilla
Opening an external link to an HTTP website when Firefox iOS was previously closed and had an HTTPS tab open could in some cases result in the padlock icon showing an HTTPS indicator incorrectly...
UMS (USB) mounting after reboot even without unlocking — Mozilla
Clement Lefevre reported a bug in USB Mass Storage handling of Firefox OS that would allow unauthorized access to device data through the USB interface. The logic error would under certain circumstances expose USB media volumes to USB hosts while the device is locked with a pass code, for example...
Mis-issued TURKTRUST certificates — Mozilla
Google reported to Mozilla that TURKTRUST, a certificate authority in Mozilla’s root program, had mis-issued two intermediate certificates to customers. The issue was not specific to Firefox, but there was evidence that one of the certificates was used for man-in-the-middle (MITM) traffic management...
Protection against fraudulent DigiNotar certificates — Mozilla
Description: Google Chrome user alibo encountered an active "man in the middle" (MITM) attack on secure SSL connections to Google servers. The fraudulent certificate was mis-issued by DigiNotar, a Dutch Certificate Authority. DigiNotar has reported evidence that other fraudulent certificates were...
Buffer length checks in MIME processing — Mozilla
As a follow-up to vulnerability reported in MFSA 2008-12 Mozilla has checked similar constructs in the rest of the MIME handling code. Although no further buffer overflows were found we changed several function calls to use safer versions of the string routines that will be more robust in the fac...
Code execution via "Set as Wallpaper" — Mozilla
If an attacker can convince a victim to use the "Set As Wallpaper" context menu item on a specially crafted image then they can run arbitrary code on the user's computer. The image "source" must be a javascript: url containing an eval statement and such an image would get the "broken image" icon,...
XBL scripts ran even when Javascript disabled — Mozilla
Scripts in XBL controls from web content continued to be run even when Javascript was disabled. By itself this causes no harm, but it could be combined with most script-based exploits to attack people running vulnerable versions who thought disabling javascript would protect them...
Cross-site Scripting through global scope pollution — Mozilla
As you browse from site to site each new page should start with a clean slate. shutdown reports a technique that pollutes the global scope of a window in a way that persists from page to page. A malicious script could define a setter function for a variable known to be used by a popular site, and...
javascript: links in Thunderbird launch Internet Explorer — Mozilla
Clicking on javascript: links in Thunderbird launched the default handler for that scheme registered with the OS. On the Windows operating system Internet Explorer is the default handler for the javascript: scheme even when Firefox is the default browser...
Synthetic middle-click event can steal clipboard contents — Mozilla
Script-generated middle-click events can steal clipboard contents on systems where that action is a paste. Middle-click paste is the default behavior on Unix systems, and a hidden option elsewhere...
Security Vulnerabilities fixed in Thunderbird 140.10.2 — Mozilla
Memory safety bugs present in Thunderbird ESR 140.10.1 and Thunderbird 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code...
Security Vulnerabilities fixed in Firefox 141 — Mozilla
On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. On arm64, a WASM br_table instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrec...
Security Vulnerabilities fixed in Firefox ESR 128.11 — Mozilla
A double-free could have occurred in vpx_codec_enc_init_multi after a failed allocation when initializing the encoder for WebRTC. This could have caused memory corruption and a potentially exploitable crash. Error handling for script execution was incorrectly isolated from web content, which could ha...
Security Vulnerabilities fixed in Thunderbird ESR 128.9 — Mozilla
JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free. A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack. Memory safety bugs present in Firefox 136,...
Security Vulnerabilities fixed in Firefox ESR 128.9 — Mozilla
JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free. A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack. Memory safety bugs present in Firefox 136,...
Security Vulnerabilities fixed in Firefox for iOS 136 — Mozilla
Malicious websites utilizing a server-side redirect to an internal error page could result in a spoofed website URL. Websites redirecting to a non-HTTP scheme URL could allow a website address to be spoofed for a malicious page. Scanning certain QR codes that included text with a website URL could...
Security Vulnerabilities fixed in Thunderbird 135 — Mozilla
An attacker could have caused a use-after-free via crafted XSLT data, leading to a potentially exploitable crash. An attacker could have caused a use-after-free via the Custom Highlight API, leading to a potentially exploitable crash. The fullscreen notification is prematurely hidden when...
Security Vulnerabilities fixed in Thunderbird ESR 128.7 — Mozilla
An attacker could have caused a use-after-free via crafted XSLT data, leading to a potentially exploitable crash. An attacker could have caused a use-after-free via the Custom Highlight API, leading to a potentially exploitable crash. A bug in WebAssembly code generation could have led to a cras...
Security Vulnerabilities fixed in Firefox ESR 115.18 — Mozilla
Certain WebGL operations on Apple silicon M series devices could have led to an out-of-bounds write and memory corruption due to a flaw in Apple's GPU driver. This bug only affected the application on Apple M series hardware. Other platforms were unaffected. Enhanced Tracking Protection's Strict...
Security Vulnerabilities fixed in Firefox ESR 128.5 — Mozilla
Certain WebGL operations on Apple silicon M series devices could have led to an out-of-bounds write and memory corruption due to a flaw in Apple's GPU driver. This bug only affected the application on Apple M series hardware. Other platforms were unaffected. An attacker could cause a select...
Security Vulnerabilities fixed in Thunderbird 132 — Mozilla
A permission leak could have occurred from a trusted site to an untrusted site via embed or object elements. An attacker could have caused a use-after-free when accessibility was enabled, leading to a potentially exploitable crash. The origin of an external protocol handler prompt could have been...
Update to HTTPS certificate blacklist — Mozilla
Several invalid HTTPS certificates were placed on the certificate blacklist to prevent their misuse...
Privilege escalation via DOM property overrides — Mozilla
mozbugra4 reported several exploits giving an attacker the ability to install malicious code or steal data, requiring only that the user do commonplace actions like click on a link or open the context menu. The common cause in each case was privileged UI code "chrome" being overly trusting of DOM...
Internationalized Domain Name (IDN) homograph spoofing — Mozilla
Internationalized Domain Names (IDN) allow non-English speakers to use domains in their local language. Because many supported characters are similar to others, if not identical in some fonts, there is the possibility this could be used to construct perfect, indistinguishable phishing sites...
Cross-site scripting by dropping javascript: link on tab — Mozilla
Dropping a javascript: or data: link on a tab executes in the context of the site already loaded in the tab. If an attacker could convince a user to drag and drop such a link on a particular tab this could be used to steal information or credentials associated with the site in that tab...
Download dialog source spoofing — Mozilla
The true source of a download can be disguised by using a host name long enough that the most significant parts are truncated. Spoofing can be made even more convincing on Windows if the subdomain labels contain a string of non-breaking space characters...
Secure site lock can be spoofed with a binary download — Mozilla
While on an insecure page, triggering a load of a binary file from a secure server will cause the SSL lock icon to appear. The certificate information is that of the binary file's host, while the location bar URL correctly shows the original insecure page...
Browser responds to proxy auth request from non-proxy server (ssl/https) — Mozilla
If a proxy is configured the browser would respond to a 407 proxy auth request from any SSL-connected server rather than only responding to the configured proxy server. This could leak NTLM or SPNEGO credentials outside the organization...
Script-generated event can download without prompting — Mozilla
Script-generated click events were indistinguishable from true clicks. Combined with the Firefox Alt+click feature that downloads links to the default location without prompting, this could be used by malicious sites to place executables or other malware onto a Windows user's desktop without their...
Security Vulnerabilities fixed in Firefox ESR 140.10.2 — Mozilla
Memory safety bugs present in Firefox ESR 115.35.1, Firefox ESR 140.10.1 and Firefox 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code...
Security Vulnerabilities fixed in Firefox for iOS 144.0 — Mozilla
Unicode RTLO characters could allow malicious websites to spoof filenames in the downloads UI for Firefox for iOS, potentially tricking users into saving files of an unexpected file type...
Security Vulnerabilities fixed in Thunderbird 141 — Mozilla
On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. On arm64, a WASM br_table instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrec...
Security Vulnerabilities fixed in Thunderbird 128.11 — Mozilla
A double-free could have occurred in vpx_codec_enc_init_multi after a failed allocation when initializing the encoder for WebRTC. This could have caused memory corruption and a potentially exploitable crash. Error handling for script execution was incorrectly isolated from web content, which could ha...
Security Vulnerabilities fixed in Thunderbird 138.0.2 — Mozilla
An attacker was able to perform an out-of-bounds read or write on a JavaScript Promise object. An attacker was able to perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes...
Security vulnerability fixed in Firefox 137.0.2 — Mozilla
A race condition existed in nsHttpTransaction that could have been exploited to cause memory corruption, potentially leading to an exploitable condition...
Security Vulnerabilities fixed in Firefox ESR 128.7 — Mozilla
An attacker could have caused a use-after-free via crafted XSLT data, leading to a potentially exploitable crash. An attacker could have caused a use-after-free via the Custom Highlight API, leading to a potentially exploitable crash. A bug in WebAssembly code generation could have led to a cras...
Security Vulnerabilities fixed in Thunderbird ESR 128.6 — Mozilla
The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. Assuming a controlled failed memory allocation, an attacker could have caused...
Security Vulnerabilities fixed in Firefox 134 — Mozilla
In resizeToAtLeast of SkRegion.cpp, there was a possible out of bounds write due to an integer overflow. When redirecting to an invalid protocol scheme, an attacker could spoof the address bar. Note: This issue only affected Android operating systems. Other operating systems are unaffected. Under...
Security Vulnerabilities fixed in Focus for iOS 132 — Mozilla
Focus was incorrectly allowing internal links to utilize the app scheme used for deeplinking, which could result in links potentially circumventing some URL safety checks...
Additional protection against fraudulent DigiNotar certificates — Mozilla
Description: As more information has come to light about the attack on the DigiNotar Certificate Authority we have improved the protections added in MFSA 2011-34. The main change is to add explicit distrust to the DigiNotar root certificate and several intermediates. Removing the root as in our...
Content-generated event vulnerabilities — Mozilla
In several places the browser UI did not correctly distinguish between true user events, such as mouse clicks or keystrokes, and synthetic events generated by web content. The problems ranged from minor annoyances like switching tabs or entering full-screen mode, to a variant on MFSA 2005-34...
Download dialog spoofing using Content-Disposition header — Mozilla
Andreas Sandblad of Secunia Research demonstrated a method to spoof the download dialog for saving files by supplying a Content-Disposition header with a different extension than the extension visible in the link and download dialog. Users could be tricked into downloading a safe-looking file suc...