Security vulnerabilities fixed in Firefox 65 — Mozilla
A use-after-free vulnerability can occur while parsing an HTML5 stream in concert with custom HTML elements. This results in the stream parser object being freed while still in use, leading to a potentially exploitable crash. A crash and out-of-bounds read can occur when the buffer of a texture...
Security vulnerabilities fixed in Thunderbird 60.4 — Mozilla
A buffer overflow and out-of-bounds read can occur in TextureStorage11 within the ANGLE graphics library, used for WebGL content. This results in a potentially exploitable crash. A use-after-free vulnerability can occur after deleting a selection element due to a weak reference to the select...
Security vulnerabilities fixed in Thunderbird 45.7 — Mozilla
JIT code allocation can allow for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. Use-after-free while manipulating XSL in XSLT documents. Hashed codes of JavaScript objects are shared between pages. This allows for pointer leaks because an object’s address can...
Vulnerabilities found through code inspection — Mozilla
Security researcher Ronald Crane reported three vulnerabilities affecting released code that were found through code inspection. These included a buffer overflow in the ANGLE graphics library and two issues of missing status checks in SVG rendering and during cryptographic key manipulation. These...
Uninitialized memory use during GIF rendering — Mozilla
Google security researcher Michal Zalewski discovered that when a malformed GIF image is rendered in certain circumstances, memory is not properly initialized before use. The resulting image then uses this memory during rendering. This could allow a script in web content to access this...
Miscellaneous memory safety hazards (rv:27.0 / rv:24.3) — Mozilla
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least...
Location object security checks bypassed by chrome code — Mozilla
Mozilla security researcher mozbugra4 reported that certain security checks in the location object can be bypassed if chrome code is called by content in a specific manner. This allowed for the loading of restricted content. This can be combined with other issues to become potentially exploitable...
libpng integer overflow — Mozilla
An integer overflow in the libpng library can lead to a heap-buffer overflow when decompressing certain PNG images. This leads to a crash, which may be potentially exploitable...
Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString — Mozilla
Mozilla security researcher mozbugra4 reported that it is possible to create a document whose URI does not match the document's principal using XMLHttpRequest. This type of mismatch leads to incorrect results in principal-based security checks. An attacker could use this vulnerability to execute...
Security Vulnerabilities fixed in Firefox 124 — Mozilla
An attacker could have leveraged the Windows Error Reporter to run arbitrary code on the system escaping the sandbox. Note: This issue only affected Windows operating systems. Other operating systems are unaffected. Passing invalid data could have led to invalid wasm values being created, such as...
Security Vulnerabilities fixed in Firefox ESR 102.5 — Mozilla
Service Workers should not be able to infer information about opaque cross-origin responses; but timing information for cross-origin media combined with Range requests might have allowed them to determine the presence or length of a media file. Through a series of popup and window.print calls, an...
Security Vulnerabilities fixed in Firefox ESR 78.14 — Mozilla
When delegating navigations to the operating system, Firefox would accept the mk scheme which might allow attackers to launch pages and execute scripts in Internet Explorer in unprivileged mode. This bug only affects Firefox for Windows. Other operating systems are unaffected. Mozilla developers...
Security Vulnerabilities fixed in Firefox ESR 68.8 — Mozilla
A race condition when running shutdown code for a Web Worker led to a use-after-free vulnerability. This resulted in a potentially exploitable crash. The Firefox content processes did not sufficiently lock down access control, which could result in a sandbox escape. Note: this issue only affects Firef...
Use-after-free in HTML5 string parser — Mozilla
Security researcher ca0nguyen, working with HP's Zero Day Initiative, reported a use-after-free issue in the HTML5 string parser when parsing a particular set of table-related tags in a foreign fragment context such as SVG. This results in a potentially exploitable crash...
Use-after-free when resizing canvas element during restyling — Mozilla
Mozilla community member Jean-Max Reymond discovered a use-after-free vulnerability with a <canvas> element on a page. This occurs when a resize event is triggered in concert with style changes but the canvas references have been recreated in the meantime, destroying the originally referenced context. Thi...
Vulnerabilities found through code inspection — Mozilla
Security researcher Ronald Crane reported seven vulnerabilities affecting released code that he found through code inspection. These included three uses of uninitialized memory, one poor validation leading to an exploitable crash, one read of unowned memory in zip files, and two buffer overflows...
Use-after-free with imgRequestProxy and image processing — Mozilla
Security researcher Arthur Gerkis, via TippingPoint's Zero Day Initiative, reported a use-after-free during image processing from sites with specific content types in concert with the imgRequestProxy function. This causes a potentially exploitable crash...
Crash during WAV audio file decoding — Mozilla
Security researcher Aki Helin from OUSPG used the Address Sanitizer tool to discover a crash during the decoding of WAV format audio files in some instances. This crash is not exploitable but could be used for a denial of service (DOS) attack by malicious parties...
Buffer overflow while rendering GIF images — Mozilla
Security researcher Atte Kettunen from OUSPG used the Address Sanitizer tool to discover a buffer overflow while rendering GIF format images. This issue is potentially exploitable and could lead to arbitrary code execution...
Miscellaneous memory safety hazards (rv:13.0 / rv:10.0.5) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Crash scaling <video> to extreme sizes — Mozilla
sczimmer reported a crash when scaling an OGG <video> element to extreme sizes...
Use-after-free vulnerability when viewing XUL document with script disabled — Mozilla
Security researcher Martin Barbella reported that under certain conditions, viewing a XUL document while JavaScript was disabled caused deleted memory to be accessed. This flaw could potentially be used by an attacker to crash a victim's browser and run arbitrary code on their computer...
Fixes for potentially exploitable crashes ported to the legacy branch — Mozilla
Mozilla developers took fixes from previously fixed memory safety bugs in newer Mozilla-based products and ported them to the Mozilla 1.8.1 branch so they can be utilized by Thunderbird 2 and SeaMonkey 1.1...
Security Vulnerabilities fixed in Thunderbird 68.11 — Mozilla
By observing the stack trace for JavaScript errors in web workers, it was possible to leak the result of a cross-origin redirect. This applied only to content that can be parsed as script. WebRTC used the memory address of a class instance as a connection identifier. Unfortunately, this value is...
Buffer overflow in libvpx while parsing vp9 format video — Mozilla
Security researcher Khalil Zhani reported that a maliciously crafted vp9 format video could be used to trigger a buffer overflow while parsing the file. This leads to a potentially exploitable crash due to a flaw in the libvpx library...
Use-after-free, buffer overflow, and out of bounds read issues found using Address Sanitizer — Mozilla
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of use-after-free, buffer overflow, and out of bounds read issues using the Address Sanitizer tool in shipped software. These issues are potentially exploitable, allowing for remote code execution. We...
Buffer overflow and use-after-free issues found using Address Sanitizer — Mozilla
Security researcher Abhishek Arya of Google used the Address Sanitizer tool to uncover several issues: two heap buffer overflow bugs and a use-after-free problem. The first heap buffer overflow was found in conversion from unicode to native character sets when the function fails. The use-after-fr...
Invalid frees causes heap corruption in gfxImageSurface — Mozilla
Using the Address Sanitizer tool, security researcher Atte Kettunen from OUSPG found a heap corruption in gfxImageSurface which allows for invalid frees and possible remote code execution. This happens due to a float error, resulting from graphics values being passed through different number system...
Crashes with evidence of memory corruption (rv:1.9.0.9) — Mozilla
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be...
Security Vulnerabilities fixed in Firefox ESR 102.12 — Mozilla
The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user clicks in precise locations immediately before navigating to a sit...
Security Vulnerabilities fixed in Firefox ESR 78.8 — Mozilla
As specified in the W3C Content Security Policy draft, when creating a violation report, "User agents need to ensure that the source file is the URL requested by the page, pre-redirects. If that’s not possible, user agents need to strip the URL down to an origin to avoid unintentional leakage."...
Security vulnerabilities fixed in Thunderbird 45.6 — Mozilla
Use-after-free while manipulating DOM events and removing audio elements due to errors in the handling of node adoption. Event handlers on marquee elements were executed despite a strict Content Security Policy (CSP) that disallowed inline JavaScript. Memory corruption resulting in a potentially...
Memory leak in mozTCPSocket to servers — Mozilla
Security researcher David Chan reported that Mozilla's mozTCPSocket implementation could leak data past the end of an array, allowing for the potential exposure of memory or private data to malicious servers...
Mozilla Windows updater can be run outside of application directory — Mozilla
Security researcher Holger Fuhrmannek previously reported CVE-2015-0833, which was fixed in MFSA2015-12. That flaw allowed for the updater to load binary DLL format files from the local working directory or from the Windows temporary directories. During the fixing of CVE-2015-0833, the need to...
Out-of-bounds read in Web Audio audio timeline — Mozilla
Security researcher Holger Fuhrmannek discovered an out-of-bounds read during the creation of an audio timeline in Web Audio. This results in a crash and could allow for the reading of random memory values...
Use-after-free with SMIL Animation Controller — Mozilla
Security researcher Nils used the Address Sanitizer to discover a use-after-free problem with the SMIL Animation Controller when interacting with and rendering improperly formed web content. This causes a potentially exploitable crash...
Out-of-bounds write through TypedArrayObject after neutering — Mozilla
Security researcher George Hotz, via TippingPoint's Pwn2Own contest, discovered an issue where values are copied from an array into a second, neutered array. This allows for an out-of-bounds write into memory, causing an exploitable crash leading to arbitrary code execution...
Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Use-after-free with video and onresize event — Mozilla
Security researcher Nils reported a use-after-free when resizing video while playing. This could allow for arbitrary code execution...
Compartment mismatch with quickstubs returned values — Mozilla
Mozilla developer Boris Zbarsky reported a problem where jsval-returning quickstubs fail to wrap their return values, causing a compartment mismatch. This mismatch can cause garbage collection to occur incorrectly and lead to a potentially exploitable crash...
Use-after-free issues found using Address Sanitizer — Mozilla
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of use-after-free issues using the Address Sanitizer tool. Many of these issues are potentially exploitable, allowing for remote code execution...
Potential site identity spoofing when loading RSS and Atom feeds — Mozilla
Security researcher Jeroen van der Gun reported that if invalid RSS or Atom XML content is loaded over HTTPS, the address bar updates to display the new location of the loaded resource, including SSL indicators, while the main window still displays the previously loaded content. This allows for...
Memory corruption due to multipart/x-mixed-replace images — Mozilla
Security researcher Jordi Chancel reported a crash on multipart/x-mixed-replace images due to memory corruption...
Security Vulnerabilities fixed in Thunderbird 115.9 — Mozilla
An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. An attacker could have leveraged the Windows Error Reporter to run arbitrary code on the system escaping the sandbox. Note: This issue only affected Windows operating systems. Other operating system...
Security vulnerabilities fixed in Firefox 50.0.1 — Mozilla
Redirection from an HTTP connection to a data: URL assigns the referring site's origin to the data: URL in some circumstances. This can result in same-origin violations against a domain if it loads resources from malicious sites. Cross-origin setting of cookies has been demonstrated without the...
Out-of-bounds read during XML parsing in Expat library — Mozilla
Security researcher Gustavo Grieco reported a potential out-of-bounds read parsing malformed XML data during character conversion. This is due to a bug in the Expat library, which is used in Firefox. This could allow an attacker to read other inaccessible memory...
Miscellaneous memory safety hazards (rv:48.0 / rv:45.3) — Mozilla
Mozilla developers and community members reported several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these...
Network Security Services (NSS) vulnerabilities — Mozilla
Mozilla has updated the version of the Network Security Services (NSS) library used in Firefox to NSS 3.23. This addresses four moderate-rated networking security issues reported by Mozilla engineers Tyson Smith and Jed Davis...
Buffer overflow during ASN.1 decoding in NSS — Mozilla
Security researcher Francis Gabriel of Quarkslab reported a heap-based buffer overflow in the way the Network Security Services (NSS) libraries parsed certain ASN.1 structures. An attacker could create a specially-crafted certificate which, when parsed by NSS, would cause it to crash or execute...
Mixed content WebSocket policy bypass through workers — Mozilla
Mozilla developer Ehsan Akhgari reported a mechanism through which a web worker could be used to bypass secure requirements for WebSockets when workers are used to create WebSockets. This allows for the bypassing of mixed content WebSocket policy...