Mozilla: Most viewed

1568 matches found

Mozilla
added 2019/01/29 12:0 a.m.
70 views

Security vulnerabilities fixed in Firefox ESR 60.5 — Mozilla

A use-after-free vulnerability can occur while parsing an HTML5 stream in concert with custom HTML elements. This results in the stream parser object being freed while still in use, leading to a potentially exploitable crash. An earlier fix for an Inter-process Communication (IPC) vulnerability,...

CVSS: 10, AI score: 0.4, EPSS: 0.12658
Exploits: 1, References: 4, Affected Software: 1

Mozilla
added 2015/01/13 12:0 a.m.
70 views

Delegated OCSP responder certificates failure with id-pkix-ocsp-nocheck extension — Mozilla

Brian Smith reported that delegated Online Certificate Status Protocol (OCSP) responder certificates fail to recognize the id-pkix-ocsp-nocheck extension. If this extension is present in a delegated OCSP response signing certificate, it will be discarded if it is signed by such a certificate. This...

CVSS: 4.3, AI score: 8.7, EPSS: 0.01568
Exploits: 0, References: 2, Affected Software: 2

Mozilla
added 2013/01/08 12:0 a.m.
70 views

Miscellaneous memory safety hazards (rv:18.0/ rv:10.0.12 / rv:17.0.2) — Mozilla

Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...

CVSS: 9.3, AI score: 7.1, EPSS: 0.05852
Exploits: 3, References: 6, Affected Software: 5

Mozilla
added 2023/08/02 12:0 a.m.
69 views

Security Vulnerabilities fixed in Thunderbird 115.1 — Mozilla

Offscreen Canvas did not properly track cross-origin tainting, which could have been used to access image data from another site in violation of same-origin policy. In some circumstances, a stale value could have been used for a global variable in WASM JIT analysis. This resulted in incorrect...

CVSS: 8.8, AI score: 7.5, EPSS: 0.13694
Exploits: 1, References: 11, Affected Software: 1

Mozilla
added 2023/02/14 12:0 a.m.
69 views

Security Vulnerabilities fixed in Firefox ESR 102.8 — Mozilla

The Content-Security-Policy-Report-Only header could allow an attacker to leak a child iframe's unredacted URI when interaction with that iframe triggers a redirect. A background script invoking requestFullscreen and then blocking the main thread could force the browser into fullscreen mode...

CVSS: 8.8, AI score: 2, EPSS: 0.00817
Exploits: 0, References: 16, Affected Software: 1

Mozilla
added 2021/12/01 12:0 a.m.
69 views

Memory corruption in NSS via DER-encoded DSA and RSA-PSS signatures — Mozilla

NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications using NSS...

CVSS: 9.8, AI score: 2.8, EPSS: 0.17563
Exploits: 0, References: 3, Affected Software: 1

Mozilla
added 2020/06/30 12:0 a.m.
69 views

Security Vulnerabilities fixed in Firefox 78 — Mozilla

When %2F was present in a manifest URL, Firefox's AppCache behavior may have become confused and allowed a manifest to be served from a subdirectory. This could cause the appcache to be used to service requests for the top level directory. A VideoStreamEncoder may have been freed in a race...

CVSS: 9.3, AI score: 8.8, EPSS: 0.03034
Exploits: 3, References: 13, Affected Software: 1

Mozilla
added 2018/12/11 12:0 a.m.
69 views

Security vulnerabilities fixed in Firefox 64 — Mozilla

A buffer overflow occurs when drawing and validating elements with the ANGLE graphics library, used for WebGL content, when working with the VertexBuffer11 module. This results in a potentially exploitable crash. A buffer overflow and out-of-bounds read can occur in TextureStorage11 within the...

CVSS: 9.8, AI score: 1.3, EPSS: 0.09646
Exploits: 0, References: 12, Affected Software: 1

Mozilla
added 2016/12/13 12:0 a.m.
69 views

Security vulnerabilities fixed in Firefox 50.1 — Mozilla

A buffer overflow in SkiaGl caused when a GrGLBuffer is truncated during allocation. Later writers will overflow the buffer, resulting in a potentially exploitable crash. Use-after-free while manipulating DOM events and removing audio elements due to errors in the handling of node adoption. Event...

CVSS: 9.8, AI score: 1.1, EPSS: 0.21401
Exploits: 11, References: 13, Affected Software: 1

Mozilla
added 2017/03/17 12:0 a.m.
68 views

integer overflow in createImageBitmap() — Mozilla

An integer overflow in createImageBitmap was reported through the Pwn2Own contest. The fix for this vulnerability disables the experimental extensions to the createImageBitmap API. This function runs in the content sandbox, requiring a second vulnerability to compromise a user's computer...

CVSS: 9.8, AI score: 9.2, EPSS: 0.02802
Exploits: 1, References: 1, Affected Software: 2

Mozilla
added 2014/02/04 12:0 a.m.
68 views

NSS ticket handling issues — Mozilla

Mozilla developer Brian Smith and security researchers Antoine Delignat-Lavaud and Karthikeyan Bhargavan of the Prosecco research team at INRIA Paris reported issues with ticket handling in the Network Security Services (NSS) libraries. These have been addressed in the NSS 3.15.4 release, shipping ...

CVSS: 9.3, AI score: 8.8, EPSS: 0.04664
Exploits: 2, References: 5, Affected Software: 4

Mozilla
added 2012/08/28 12:0 a.m.
68 views

WebGL use-after-free and memory corruption — Mozilla

Security researcher miaubiz used the Address Sanitizer tool to discover two WebGL issues. The first issue is a use-after-free when WebGL shaders are called after being destroyed. The second issue exposes a problem with Mesa drivers on Linux, leading to a potentially exploitable crash...

CVSS: 10, AI score: 8.9, EPSS: 0.05899
Exploits: 1, References: 4, Affected Software: 5

Mozilla
added 2012/08/28 12:0 a.m.
68 views

Memory corruption with bitmap format images with negative height — Mozilla

Security researcher Frédéric Hoguin reported two related issues with the decoding of bitmap (.BMP) format images embedded in icon (.ICO) format files. When processing a negative "height" header value for the bitmap image, a memory corruption can be induced, allowing an attacker to write random memory...

CVSS: 10, AI score: 1.1, EPSS: 0.05194
Exploits: 0, References: 3, Affected Software: 5

Mozilla
added 2012/01/31 12:0 a.m.
68 views

Child nodes from nsDOMAttribute still accessible after removal of nodes — Mozilla

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that removed child nodes of nsDOMAttribute can be accessed under certain circumstances because of a premature notification of AttributeChildRemoved. This use-after-free of the child nodes could possibly allow for remot...

CVSS: 9.3, AI score: 2.9, EPSS: 0.36511
Exploits: 9, References: 2, Affected Software: 3

Mozilla
added 2022/01/11 12:0 a.m.
67 views

Security Vulnerabilities fixed in Firefox ESR 91.5 — Mozilla

A race condition could have allowed bypassing the fullscreen notification which could have led to a fullscreen window spoof being unnoticed. This bug only affects Thunderbird for Windows. Other operating systems are unaffected. When navigating from inside an iframe while requesting fullscreen...

CVSS: 10, AI score: 0.8, EPSS: 0.0134
Exploits: 4, References: 14, Affected Software: 1

Mozilla
added 2019/06/20 12:0 a.m.
67 views

Security vulnerabilities fixed in Thunderbird 60.7.2 — Mozilla

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. Insufficient vetting of parameters passed with the Prompt:Open IPC message between chi...

CVSS: 10, AI score: 1.4, EPSS: 0.55874
Exploits: 14, References: 2, Affected Software: 1

Mozilla
added 2015/05/12 12:0 a.m.
67 views

Privilege escalation through IPC channel messages — Mozilla

Mozilla Developer Jed Davis and Mozilla security engineer Christoph Diehl reported that Mozilla had inherited an Inter-process Communication (IPC) vulnerability when IPC was introduced into Mozilla products through third-party code. This could allow for privilege escalation through IPC channels due ...

CVSS: 10, AI score: 2.8, EPSS: 0.01433
Exploits: 0, References: 2, Affected Software: 4

Mozilla
added 2015/03/31 12:0 a.m.
67 views

resource:// documents can load privileged pages — Mozilla

Security researcher Mariusz Mlynski reported, through HP Zero Day Initiative's Pwn2Own contest, that documents loaded through a resource: URL, such as Mozilla's PDF.js PDF file viewer, were able to subsequently load privileged chrome pages. The privilege restrictions on resource: URLs were handled...

CVSS: 5, AI score: 9.1, EPSS: 0.67135
Exploits: 3, References: 2, Affected Software: 5

Mozilla
added 2014/09/02 12:0 a.m.
67 views

Miscellaneous memory safety hazards (rv:32.0 / rv:31.1 / rv:24.8) — Mozilla

Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...

CVSS: 10, AI score: 9.9, EPSS: 0.05811
Exploits: 0, References: 6, Affected Software: 4

Mozilla
added 2014/03/18 12:0 a.m.
67 views

Files extracted during updates are not always read only — Mozilla

Security researcher Ash reported an issue where the extracted files for updates to existing files are not read only during the update process. This allows for the potential replacement or modification of these files during the update process if a malicious application is present on the local syst...

CVSS: 5.5, AI score: 7.2, EPSS: 0.00379
Exploits: 2, References: 2, Affected Software: 4

Mozilla
added 2013/01/08 12:0 a.m.
67 views

Use-after-free and buffer overflow issues found using Address Sanitizer — Mozilla

Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of critically rated use-after-free, out of bounds read, and buffer overflow issues using the Address Sanitizer tool in shipped software. These issues are potentially exploitable, allowing for remote...

CVSS: 10, AI score: 2.1, EPSS: 0.08439
Exploits: 8, References: 16, Affected Software: 5

Mozilla
added 2012/11/20 12:0 a.m.
67 views

Firefox installer DLL hijacking — Mozilla

Security researcher Robert Kugler reported that when a specifically named DLL file on a Windows computer is placed in the default downloads directory with the Firefox installer, the Firefox installer will load this DLL when it is launched. In circumstances where the installer is run by an...

CVSS: 6.9, AI score: 3.4, EPSS: 0.00326
Exploits: 1, References: 2, Affected Software: 2

Mozilla
added 2021/07/13 12:0 a.m.
66 views

Security Vulnerabilities fixed in Firefox ESR 78.12 — Mozilla

A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially exploitable crash. This bug only affected Firefox when accessibility was enabled. An out of bounds write in ANGLE could have allowed an attacker to corrupt memory leading to a potentially exploitable...

CVSS: 8.8, AI score: 2, EPSS: 0.03582
Exploits: 1, References: 3, Affected Software: 1

Mozilla
added 2017/01/24 12:0 a.m.
66 views

Security vulnerabilities fixed in Firefox 51 — Mozilla

JIT code allocation can allow for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. Use-after-free while manipulating XSL in XSLT documents. A memory corruption vulnerability in Skia that can occur when using transforms to make gradients, resulting in a potential...

CVSS: 9.8, AI score: 9.7, EPSS: 0.33434
Exploits: 16, References: 27, Affected Software: 1

Mozilla
added 2012/08/28 12:0 a.m.
66 views

Out-of-bounds read in format-number in XSLT — Mozilla

Security researcher Nicolas Grégoire used the Address Sanitizer tool to discover an out-of-bounds read in the format-number feature of XSLT, which can cause inaccurate formatting of numbers and information leakage. This is not directly exploitable...

CVSS: 5, AI score: 1.8, EPSS: 0.03957
Exploits: 0, References: 2, Affected Software: 5

Mozilla
added 2012/07/17 12:0 a.m.
66 views

Content Security Policy 1.0 implementation errors cause data leakage — Mozilla

Security researcher Karthikeyan Bhargavan of Prosecco at INRIA reported Content Security Policy (CSP) 1.0 implementation errors. CSP violation reports generated by Firefox and sent to the "report-uri" location include sensitive data within the "blocked-uri" parameter. These include fragment...

CVSS: 4.3, AI score: 9.3, EPSS: 0.01612
Exploits: 0, References: 2, Affected Software: 5

Mozilla
added 2009/10/27 12:0 a.m.
66 views

Crash in proxy auto-configuration regexp parsing — Mozilla

Security researcher Marco C. reported a flaw in the parsing of regular expressions used in Proxy Auto-configuration (PAC) files. In certain cases this flaw could be used by an attacker to crash a victim's browser and run arbitrary code on their computer. Since this vulnerability requires the victim...

CVSS: 9.3, AI score: 8.2, EPSS: 0.03985
Exploits: 0, References: 2, Affected Software: 2

Mozilla
added 2024/03/22 12:0 a.m.
65 views

Security Vulnerabilities fixed in Firefox 124.0.1 — Mozilla

An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination. An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process. Note: This...

CVSS: 9.8, AI score: 6.4, EPSS: 0.22935
Exploits: 2, References: 2, Affected Software: 1

Mozilla
added 2023/07/04 12:0 a.m.
65 views

Security Vulnerabilities fixed in Thunderbird 102.13.1 — Mozilla

Thunderbird allowed the Text Direction Override Unicode Character in filenames. An email attachment could be incorrectly shown as being a document file, while in fact it was an executable file. Newer versions of Thunderbird will strip the character and show the correct file extension...

CVSS: 7.5, AI score: 6.7, EPSS: 0.00556
Exploits: 0, References: 1, Affected Software: 1

Mozilla
added 2016/11/15 12:0 a.m.
65 views

Security vulnerabilities fixed in Firefox 50 — Mozilla

A heap-buffer-overflow in Cairo when processing SVG content caused by compiler optimization, resulting in a potentially exploitable crash. During URL parsing, a maliciously crafted URL can cause a potentially exploitable crash. When the Mozilla Updater is run, if the Updater's log file in the...

CVSS: 9.8, AI score: 9.2, EPSS: 0.0365
Exploits: 2, References: 29, Affected Software: 1

Mozilla
added 2016/04/26 12:0 a.m.
65 views

Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8) — Mozilla

Mozilla developers fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run...

CVSS: 10, AI score: 2.9, EPSS: 0.04841
Exploits: 0, References: 8, Affected Software: 3

Mozilla
added 2015/08/06 12:0 a.m.
65 views

Same origin violation and local file stealing via PDF reader — Mozilla

Security researcher Cody Crews reported on a way to violate the same origin policy and inject script into a non-privileged part of the built-in PDF Viewer. This would allow an attacker to read and steal sensitive local files on the victim's computer...

CVSS: 8.8, AI score: 6.6, EPSS: 0.70226
Exploits: 8, References: 3, Affected Software: 3

Mozilla
added 2006/12/19 12:0 a.m.
65 views

CSS cursor image buffer overflow (Windows only) — Mozilla

Frederik Reiss reported a crash when using the CSS cursor property to set the cursor to certain images on Windows. A miscalculated size during conversion of the image to a Windows bitmap can result in a heap buffer overflow which could be used to compromise the victim's computer...

CVSS: 6.8, AI score: 6.4, EPSS: 0.08288
Exploits: 0, References: 2, Affected Software: 3

Mozilla
added 2020/04/09 12:0 a.m.
64 views

Security Vulnerabilities fixed in Thunderbird 68.7.0 — Mozilla

Under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after-free. Under certain conditions, when handling a ReadableStream, a race condition can cause a use-after-free. When reading from areas partially or fully outside the source resource with WebGL's...

CVSS: 9.8, AI score: 0.5, EPSS: 0.06305
Exploits: 1, References: 5, Affected Software: 1

Mozilla
added 2014/02/04 12:0 a.m.
64 views

Cross-origin information leak through web workers — Mozilla

Security researcher Masato Kinugawa reported a cross-origin information leak through web workers' error messages. This violates same-origin policy and the leaked information could potentially be used to gather authentication tokens and other data from third-party websites...

CVSS: 7.5, AI score: 8.6, EPSS: 0.02335
Exploits: 1, References: 2, Affected Software: 4

Mozilla
added 2013/08/06 12:0 a.m.
64 views

CRMF requests allow for code execution and XSS attacks — Mozilla

Mozilla security researcher mozbugra4 reported a mechanism to execute arbitrary code or a cross-site scripting (XSS) attack when Certificate Request Message Format (CRMF) request is generated in certain circumstances...

CVSS: 10, AI score: 3.8, EPSS: 0.40381
Exploits: 13, References: 2, Affected Software: 5

Mozilla
added 2012/10/09 12:0 a.m.
64 views

Chrome Object Wrapper (COW) does not disallow access to privileged functions or properties — Mozilla

Security researcher Mariusz Mlynski reported that when InstallTrigger fails, it throws an error wrapped in a Chrome Object Wrapper (COW) that fails to specify exposed properties. These can then be added to the resulting object by an attacker, allowing access to chrome privileged functions through...

CVSS: 9.3, AI score: 3.4, EPSS: 0.42609
Exploits: 5, References: 4, Affected Software: 5

Mozilla
added 2012/08/28 12:0 a.m.
64 views

Web console eval capable of executing chrome-privileged code — Mozilla

Security researcher Colby Russell discovered that eval in the web console can execute injected code with chrome privileges, leading to the running of malicious code in a privileged context. This allows for arbitrary code execution through a malicious web page if the web console is invoked by the...

CVSS: 9.3, AI score: 4, EPSS: 0.0235
Exploits: 0, References: 2, Affected Software: 4

Mozilla
added 2012/03/13 12:0 a.m.
64 views

XSS with multiple Content Security Policy headers — Mozilla

Security Researcher Mike Brooks of Sitewatch reported that if multiple Content Security Policy (CSP) headers are present on a page, they have an additive effect page policy. Using carriage return line feed (CRLF) injection, a new CSP rule can be introduced which allows for cross-site scripting (XSS) on...

CVSS: 4.3, AI score: 0.4, EPSS: 0.02459
Exploits: 0, References: 2, Affected Software: 5

Mozilla
added 2009/03/04 12:0 a.m.
64 views

Crashes with evidence of memory corruption (rv:1.9.0.7) — Mozilla

Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be...

CVSS: 10, AI score: 2.8, EPSS: 0.05789
Exploits: 1, References: 8, Affected Software: 3

Mozilla
added 2020/07/28 12:0 a.m.
63 views

Security Vulnerabilities fixed in Thunderbird 78.1 — Mozilla

By observing the stack trace for JavaScript errors in web workers, it was possible to leak the result of a cross-origin redirect. This applied only to content that can be parsed as script. WebRTC used the memory address of a class instance as a connection identifier. Unfortunately, this value is...

CVSS: 9.3, AI score: 1.4, EPSS: 0.0779
Exploits: 6, References: 10, Affected Software: 1

Mozilla
added 2015/05/12 12:0 a.m.
63 views

Buffer overflow when parsing compressed XML — Mozilla

Security researcher Ucha Gobejishvili used the Address Sanitizer tool to find a buffer overflow while parsing compressed XML content. This was due to an error in how buffer space is created and modified when handling large amounts of XML data. This results in a potentially exploitable crash...

CVSS: 7.5, AI score: 9.1, EPSS: 0.07417
Exploits: 0, References: 2, Affected Software: 5

Mozilla
added 2014/02/04 12:0 a.m.
63 views

Clone protected content with XBL scopes — Mozilla

Security researcher Cody Crews reported a method to bypass System Only Wrappers (SOW) by using XML Binding Language (XBL) content scopes to clone protected XUL elements. This could be used to clone anonymous nodes, making trusted XUL content web accessible...

CVSS: 7.5, AI score: 8.5, EPSS: 0.04602
Exploits: 1, References: 2, Affected Software: 4

Mozilla
added 2013/10/29 12:0 a.m.
63 views

Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10) — Mozilla

Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...

CVSS: 10, AI score: 3.1, EPSS: 0.05238
Exploits: 0, References: 8, Affected Software: 5

Mozilla
added 2022/03/08 12:0 a.m.
62 views

Security Vulnerabilities fixed in Firefox ESR 91.7 — Mozilla

When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification. If an attacker could control the contents of an iframe sandboxed with allow-popups but not allow-scripts, they were able to craft a link that, when clicked, would lead to JavaScript...

CVSS: 9.6, AI score: 1.1, EPSS: 0.00931
Exploits: 4, References: 5, Affected Software: 1

Mozilla
added 2016/06/07 12:0 a.m.
62 views

Addressbar spoofing though the SELECT element — Mozilla

Security researcher Jordi Chancel reported a method to spoof the contents of the addressbar. This uses a persistent menu within a <select> element, which acts as a container for HTML content and can be placed in an arbitrary location. When placed over the addressbar, this can mask the true site URL,...

CVSS: 6.5, AI score: 1.6, EPSS: 0.02034
Exploits: 0, References: 2, Affected Software: 2

Mozilla
added 2015/11/03 12:0 a.m.
62 views

Vulnerabilities found through code inspection — Mozilla

Security researcher Ronald Crane reported three vulnerabilities affecting released code that were found through code inspection. These included a buffer overflow in the ANGLE graphics library and two issues of missing status checks in SVG rendering and during cryptographic key manipulation. These...

CVSS: 7.5, AI score: 9.7, EPSS: 0.03218
Exploits: 0, References: 6, Affected Software: 3

Mozilla
added 2015/08/27 12:0 a.m.
62 views

Use-after-free when resizing canvas element during restyling — Mozilla

Mozilla community member Jean-Max Reymond discovered a use-after-free vulnerability with a <canvas> element on a page. This occurs when a resize event is triggered in concert with style changes but the canvas references have been recreated in the meantime, destroying the originally referenced context. Thi...

CVSS: 10, AI score: 9.1, EPSS: 0.08007
Exploits: 0, References: 3, Affected Software: 3

Mozilla
added 2013/06/25 12:0 a.m.
62 views

getUserMedia permission dialog incorrectly displays location — Mozilla

Mozilla engineer Matt Wobensmith discovered that when the getUserMedia permission dialog for an iframe appears in one domain, it will display its origin as that of the top-level document and not the calling framed page. This could lead to users incorrectly giving camera or microphone permissions...

CVSS: 4.3, AI score: 5.8, EPSS: 0.01486
Exploits: 0, References: 2, Affected Software: 1

Mozilla
added 2009/04/21 12:0 a.m.
62 views

Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString — Mozilla

Mozilla security researcher mozbugra4 reported that it is possible to create a document whose URI does not match the document's principal using XMLHttpRequest. This type of mismatch leads to incorrect results in principal-based security checks. An attacker could use this vulnerability to execute...

CVSS: 4.3, AI score: 2, EPSS: 0.01351
Exploits: 0, References: 2, Affected Software: 1

Total number of security vulnerabilities: 1568