1574 matches found
Use-after-free with SMIL Animation Controller — Mozilla
Security researcher Nils used the Address Sanitizer to discover a use-after-free problem with the SMIL Animation Controller when interacting with and rendering improperly formed web content. This causes a potentially exploitable crash...
Use-after-free with video and onresize event — Mozilla
Security researcher Nils reported a use-after-free when resizing video while playing. This could allow for arbitrary code execution...
Use-after-free issues found using Address Sanitizer — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team discovered a series of use-after-free issues using the Address Sanitizer tool. Many of these issues are potentially exploitable, allowing for remote code execution...
Incorrect URL displayed in addressbar through drag and drop — Mozilla
Security researcher Mario Gomes andresearch firm Code Audit Labs reported a mechanism to short-circuit page loads through drag and drop to the addressbar by canceling the page load. This causes the address of the previously site entered to be displayed in the addressbar instead of the currently...
Potential site identity spoofing when loading RSS and Atom feeds — Mozilla
Security researcher Jeroen van der Gun reported that if RSS or Atom XML invalid content is loaded over HTTPS, the addressbar updates to display the new location of the loaded resource, including SSL indicators, while the main window still displays the previously loaded content. This allows for...
Overly permissive IPv6 literal syntax — Mozilla
For historical reasons Firefox has been generous in its interpretation of web addresses containing square brackets around the host. If this host was not a valid IPv6 literal address, Firefox attempted to interpret the host as a regular domain name. Gregory Fleischer reported that requests made...
Cross-origin data theft using canvas and Windows D2D — Mozilla
Mozilla developer Bas Schouten reported that the introduction of the "Azure" graphics back-end on Windows in Firefox 7 re-introduced the cross-origin data theft issue reported by nasalislarvatus3000 as described in MFSA 2011-29...
Security vulnerabilities fixed in Thunderbird 45.6 — Mozilla
Use-after-free while manipulating DOM events and removing audio elements due to errors in the handling of node adoption. Event handlers on marquee elements were executed despite a strict Content Security Policy CSP that disallowed inline JavaScript. Memory corruption resulting in a potentially...
Miscellaneous memory safety hazards (rv:48.0 / rv:45.3) — Mozilla
Mozilla developers and community members reported several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these...
Out-of-bounds write with WebM video — Mozilla
Using the Address Sanitizer tool, security researcher Abhishek Arya Inferno of the Google Chrome Security Team found an out-of-bounds write when buffering WebM format video containing frames with invalid tile sizes. This can lead to a potentially exploitable crash during WebM video playback...
Cross-site scripting (XSS) using history navigations — Mozilla
Mozilla security researcher mozbugra4 reported a method to use browser navigations through history to load a website with that page's baseURI property pointing to that of another site instead of the seemingly loaded one. The user will continue to see the incorrect site in the addressbar of the...
Phishing on HTTPS connection through malicious proxy — Mozilla
Google security researcher Michal Zalewski reported an issue where the browser displayed the content of a proxy's 407 response if a user canceled the proxy's authentication prompt. In this circumstance, the addressbar will continue to show the requested site's address, including HTTPS addresses...
Use-after-free and buffer overflow issues found using Address Sanitizer — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team discovered a series critically rated of use-after-free and buffer overflow issues using the Address Sanitizer tool in shipped software. These issues are potentially exploitable, allowing for remote code execution. We wou...
Fixes for Location object issues — Mozilla
Mozilla has fixed a number of issues related to the Location object in order to enhance overall security. Details for each of the current fixed issues are below...
Miscellaneous memory safety hazards (rv:14.0/ rv:10.0.6) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
loadSubScript unwraps XPCNativeWrapper scope parameter — Mozilla
David Rees reported that the JSSubScriptLoader a feature used by some add-ons was "unwrapping" XPCNativeWrappers when they were used as the scope parameter to loadSubScript. Without the protection of the wrappers the add-on could be vulnerable to privilege escalation attacks from malicious web...
Security Vulnerabilities fixed in Thunderbird 78 — Mozilla
When %2F was present in a manifest URL, Thunderbird's AppCache behavior may have become confused and allowed a manifest to be served from a subdirectory. This could cause the appcache to be used to service requests for the top level directory. A VideoStreamEncoder may have been freed in a race...
Network Security Services (NSS) vulnerabilities — Mozilla
Mozilla has updated the version of Network Security Services NSS library used in Firefox to NSS 3.23. This addresses four moderate rated networking security issues reported by Mozilla engineers Tyson Smith and Jed Davis...
Vulnerabilities found through code inspection — Mozilla
Security researcher Ronald Crane reported eight vulnerabilities affecting released code that were found through code inspection. These included several potential memory safety issues resulting from the use of snprintf, one use of unowned memory, one use of a string without overflow checks, and fi...
Inconsistent video sharing within iframe — Mozilla
Mozilla developers Eric Shepherd and Jan-Ivar Bruaroey reported issues with privacy and video sharing using WebRTC. Once video sharing has started within a WebRTC session running within an , video will continue to be shared even if the user selects the Stop Sharing" button in the controls. The...
Out of bounds read while decoding JPG images — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to discover a fixed offset out of bounds read issue while decoding specifically formatted JPG format images. This causes a non-exploitable crash...
Inconsistent JavaScript handling of access to Window objects — Mozilla
Mozilla developer Boris Zbarsky reported an inconsistency with the different JavaScript engines in how JavaScript native getters on window objects are handled by these engines. This inconsistency can lead to different behaviors in JavaScript code, allowing for a potential security issue with wind...
Trust settings for built-in roots ignored during EV certificate validation — Mozilla
Firefox user Sijie Xia reported that if a user explicitly removes the trust for extended validation EV capable root certificates in the certificate manager, the change is not properly used when validating EV certificates, causing the setting to be ignored. This removes the ability of users to...
Use-after-free in synthetic mouse movement — Mozilla
Security researchers Tyson Smith and Jesse Schwartzentruber of the BlackBerry Security Automated Analysis Team used the Address Sanitizer tool while fuzzing to discover a user-after-free in the functions for synthetic mouse movement handling. Security researcher Atte Kettunen from OUSPG also...
SVG filters can lead to information disclosure — Mozilla
Security researcher Paul Stone of Context Information Security discovered that timing differences in the processing of SVG format images with filters could allow for pixel values to be read. This could potentially allow for text values to be read across domains, leading to information disclosure...
Execution of unmapped memory through onreadystatechange event — Mozilla
Security researcher Nils reported that specially crafted web content using the onreadystatechange event and reloading of pages could sometimes cause a crash when unmapped memory is executed. This crash is potentially exploitable...
Use-after-free in nsImageLoadingContent — Mozilla
Security researcher Nils reported a use-after-free in nsImageLoadingContent when content script is executed. This could allow for arbitrary code execution...
Chrome Object Wrapper (COW) bypass through changing prototype — Mozilla
Security researcher Mariusz Mlynski reported that it is possible to change the prototype of an object and bypass Chrome Object Wrappers COW to gain access to chrome privileged functions. This could allow for arbitrary code execution...
SPDY information disclosure — Mozilla
Security researchers Thai Duong and Juliano Rizzo reported that SPDY's request header compression leads to information leakage, which can allow the extraction of private data such as session cookies, even over an encrypted SSL connection...
XSS through data: URLs — Mozilla
Mozilla security researcher mozbugra4 reported a cross-site scripting XSS attack through the context menu using a data: URL. In this issue, context menu functionality "View Image", "Show only this frame", and "View background image" are disallowed in a javascript: URL but allowed in a data: URL,...
Use-after-free while replacing/inserting a node in a document — Mozilla
Security researcher Arthur Gerkis used the Address Sanitizer tool to find a use-after-free while replacing/inserting a node in a document. This use-after-free could possibly allow for remote code execution...
Dangling pointer vulnerability in nsTreeSelection — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that there was a remaining dangling pointer issue leftover from the fix to CVE-2010-2753. Under certain circumstances one of the pointers held by a XUL tree selection could be freed and then later reused, potentially...
Crashes with evidence of memory corruption (rv:1.9.0.11) — Mozilla
Mozilla developers and community members identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some ...
Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript() — Mozilla
Mozilla security researcher mozbugra4 reported that mozIJSSubScriptLoader.LoadScript only applied XPCNativeWrappers to scripts loaded from standard chrome: URIs. Add-ons using this feature to load scripts from other schemes such as file: or data: typically dynamically generated scripts and chrome...
Security Vulnerabilities fixed in Thunderbird 115.12 — Mozilla
Memory corruption in the networking stack could have led to a potentially exploitable crash. If a garbage collection was triggered at the right time, a use-after-free could have occurred during object transplant. By monitoring the time certain operations take, an attacker could have guessed which...
Security vulnerabilities fixed in Firefox ESR 45.8 — Mozilla
JIT-spray targeting asm.js combined with a heap spray allows for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. A crash triggerable by web content in which an ErrorResult references unassigned memory due to a logic error. The resulting crash may be exploitabl...
Scripts on marquee tag can execute in sandboxed iframes — Mozilla
Security researcher Nikita Arykov reported that JavaScript event handler attributes on a tag will execute inside a sandboxed iframe that does not have the allow-scripts flag set. This could result in a cross-site scripting XSS vulnerability in a site that depends on the iframe sandbox for...
Cross-site reading attack through data and view-source URIs — Mozilla
Security researcher Tsubasa Iinuma reported a mechanism to violate same-origin policy to content using data: and view-source: URIs to confuse protections and bypass restrictions. This resulted in the ability to read data from cross-site URLs and local files...
CORS preflight is bypassed when non-standard Content-Type headers are received — Mozilla
Security researcher Shinto K Anto reported an issue with cross-origin resource sharing CORS "preflight" requests when receiving certain Content-Type headers. This is due to an error in implementation resulting in trying to process multiple media types when they are returned in the Content-Type...
CORS requests should not follow 30x redirections after preflight — Mozilla
Mozilla developer Christoph Kerschbaumer discovered an issue while investigating Mozilla Foundation Security Advisory 2015-03, previously reported by security researcher Muneaki Nishimura. This flaw was that a cross-origin resource sharing CORS request should not follow 30x redirections after...
Caja Compiler JavaScript sandbox bypass — Mozilla
Mozilla developer Jan de Mooij reported an issue that affects web content that relies on the Caja Compiler for protection, or other similar sandboxing libraries. He found that some JavaScript objects marked as non-extensible within Caja and Secure EcmaScript could be made extensible again,...
Double-free when using non-default memory allocators with a zero-length XHR — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team and Mozilla security developer Gary Kwong used the Address Sanitizer tool to discover a double-free error when sending a zero-length XmlHttpRequest XHR. This was due to errors in memory allocation when using different...
Read-after-free in WebRTC — Mozilla
Security researcher Mitchell Harper discovered a read-after-free in WebRTC due to the way tracks are handled. This results in a either a potentially exploitable crash or incorrect WebRTC behavior...
Use-after-free during DOM interactions with SVG — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to discover a use-after-free during cycle collection. This was found in interactions with the SVG content through the document object model DOM with animating SVG content. This leads to a...
Certificate parsing broken by non-standard character encoding — Mozilla
Mozilla security researcher Christian Holler discovered several issues while fuzzing the parsing of SSL certificates. Two of these issues were a result of using characters that are not UTF-8 in certificates when various functions expected all strings to be UTF-8 format. The third issue was a resu...
Spoofing attack on WebRTC permission prompt — Mozilla
Mozilla developer Ehsan Akhgari reported a spoofing attack where the permission prompt for a WebRTC session can appear to be from a different site than its actual originating site if a timed navigation occurs during the prompt generation. This allows an attacker to potentially gain access to the...
Miscellaneous use-after-free issues found through ASAN fuzzing — Mozilla
Security researcher Nils used the Address Sanitizer tool while fuzzing to discover missing strong references in browsing engine leading to use-after-frees. This can lead to a potentially exploitable crash...
Document URI misrepresentation and masquerading — Mozilla
Mozilla security researcher mozbugra4 reported that through an interaction of frames and browser history it was possible to make the browser believe attacker-supplied content came from the location of a previous page in browser history. This allows for cross-site scripting XSS attacks by loading...
GetProperty function can bypass security checks — Mozilla
Mozilla community member Alice White reported that when the GetProperty function is invoked through JSAPI, security checking can be bypassed when getting cross-origin properties. This potentially allowed for arbitrary code execution...
Out of bounds read in QCMS — Mozilla
Google developer Tony Payne reported an out of bounds OOB read in QCMS, Mozilla’s color management library. With a carefully crafted color profile portions of a user's memory could be incorporated into a transformed image and possibly deciphered...