Elevation of privilege with chrome.tabs.update API in web extensions — Mozilla
Security researcher Muneaki Nishimura nishimunea of Recruit Technologies Co., Ltd. reported that the chrome.tabs.update API for web extensions allows for navigation to javascript: URLs without additional permissions. This can be used to elevate privilege for a universal cross-site scripting XSS atta...
Disclosure of user actions through JavaScript with motion and orientation sensors — Mozilla
Security researcher Maryam Mehrnezhad of Newcastle University, UK reported an issue discovered by their research team, which also includes Ehsan Toreini, Siamak F. Shahandashti, and Feng Hao. They found vulnerabilities in Firefox for Android using orientation data and motion sensors on a mobile...
Privilege escalation through file deletion by Maintenance Service updater — Mozilla
Security researcher Holger Fuhrmannek reported an issue where the Mozilla Maintenance Service updater on Windows can delete arbitrary files because of its privileged system access. This file deletion can then potentially be used for further privilege escalation. This flaw requires users to execut...
Buffer overflow in libstagefright with CENC offsets — Mozilla
Using Address Sanitizer, security researcher Sascha Just reported a buffer overflow in the libstagefright library due to issues with the handling of CENC offsets and the sizes table. This results in a potentially exploitable crash triggerable through web content...
Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8) — Mozilla
Mozilla developers fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run...
CSP not applied to pages sent with multipart/x-mixed-replace — Mozilla
Security researcher Muneaki Nishimura nishimunea of Recruit Technologies Co., Ltd. reported that Content Security Policy CSP is not applied correctly to web content sent with the multipart/x-mixed-replace MIME type. This allows for script to run in instances where CSP should block it, leading to ...
Content provider permission bypass allows malicious application to access data — Mozilla
Security researcher Ken Okuyama reported an issue on Firefox for Android where a previously installed malicious application can access content provider permissions for Firefox in order to read data. This data includes browser history and locally saved passwords. This issue occurs when a list of...
Memory corruption with malicious NPAPI plugin — Mozilla
The CESG, the Information Security Arm of GCHQ, reported a dangling pointer dereference within the Netscape Plugin Application Programming Interface NPAPI that could lead to the NPAPI subsystem crashing. This issue requires a maliciously crafted NPAPI plugin in concert with scripted web content,...
WebRTC and LibVPX vulnerabilities found through code inspection — Mozilla
Security researcher Ronald Crane reported five "moderate" rated vulnerabilities affecting released code that were found through code inspection. These included the following issues in WebRTC: an integer underflow, a missing status check, race condition, and a use of deleted pointers to create new...
Buffer overflow in Brotli decompression — Mozilla
Security researcher Luke Li reported a pointer underflow bug in the Brotli library's decompression that leads to a buffer overflow. This results in a potentially exploitable crash when triggered...
Use-after-free during XML transformations — Mozilla
Security researcher Nicolas Grégoire used the Address Sanitizer to find a use-after-free during XML transformation operations. This results in a potentially exploitable crash triggerable by web content...
Buffer overflow during ASN.1 decoding in NSS — Mozilla
Security researcher Francis Gabriel of Quarkslab reported a heap-based buffer overflow in the way the Network Security Services NSS libraries parsed certain ASN.1 structures. An attacker could create a specially-crafted certificate which, when parsed by NSS, would cause it to crash or execute...
Use-after-free in SetBody — Mozilla
Security researcher lokihardt, working with HP's Zero Day Initiative, reported a use-after-free issue in the SetBody function of HTMLDocument. This results in a potentially exploitable crash...
Memory corruption when modifying a file being read by FileReader — Mozilla
Security researcher Oriol reported memory corruption when local files are modified by either the user or another program at the same time as they are being read using the FileReader API. This flaw requires that input be taken from a local file in order to be triggered and cannot be triggered by web content...
Use-after-free when using multiple WebRTC data channels — Mozilla
Security researcher Dominique Hazaël-Massieux reported a use-after-free issue when using multiple WebRTC data channel connections. This causes a potentially exploitable crash when a data channel connection is freed from within a call through it...
Use-after-free in HTML5 string parser — Mozilla
Security researcher ca0nguyen, working with HP's Zero Day Initiative, reported a use-after-free issue in the HTML5 string parser when parsing a particular set of table-related tags in a foreign fragment context such as SVG. This results in a potentially exploitable crash...
Displayed page address can be overridden — Mozilla
Security researcher Abdulrahman Alqabandi reported an issue where an attacker can load an arbitrary web page but the addressbar's displayed URL will be blank or filled with page defined content. This can be used to obfuscate which page is currently loaded and allows for an attacker to spoof an...
Linux video memory DOS with Intel drivers — Mozilla
Security researcher Ucha Gobejishvili reported a denial of service DOS attack when doing certain WebGL operations in a canvas requiring an unusually large amount of buffer to be allocated from video memory. This resulted in memory resource exhaustion with some Intel video cards, requiring the comput...
Memory leak in libstagefright when deleting an array during MP4 processing — Mozilla
Security researchers Jose Martinez and Romina Santillan reported a memory leak in the libstagefright library when array destruction occurs during MPEG4 video file processing...
CSP reports fail to strip location information for embedded iframe pages — Mozilla
Security researcher Muneaki Nishimura nishimunea of Recruit Technologies Co., Ltd. reported that Content Security Policy CSP violation reports contained full path information for cross-origin iframe navigations in violation of the CSP specification. This could result in information disclosure...
Local file overwriting and potential privilege escalation through CSP reports — Mozilla
Security researcher Nicolas Golubovic reported that a malicious page can overwrite files on the user's machine using Content Security Policy CSP violation reports. The file contents are restricted to the JSON format of the report. In many cases overwriting a local file may simply be destructive,...
Miscellaneous memory safety hazards (rv:45.0 / rv:38.7) — Mozilla
Mozilla developers fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run...
Use-after-free in GetStaticInstance in WebRTC — Mozilla
Security researcher Ronald Crane reported a race condition in GetStaticInstance in WebRTC which results in a use-after-free. This could result in a potentially exploitable crash. This issue was found through code inspection and does not have a clear mechanism to be exploited through web content but...
Out-of-bounds read in HTML parser following a failed allocation — Mozilla
Security researcher Ronald Crane reported an out-of-bounds read following a failed allocation in the HTML parser while working with unicode strings. This can also affect the parsing of XML and SVG format data. This leads to a potentially exploitable crash...
Same-origin policy violation using performance.getEntries and history navigation with session restore — Mozilla
Security researcher Jordi Chancel discovered a variant of Mozilla Foundation Security Advisory 2015-136 which was fixed in Firefox 43. In the original bug, it was possible to read cross-origin URLs following a redirect if performance.getEntries was used along with an iframe to host a page...
Addressbar spoofing through history navigation and Location protocol property — Mozilla
Security researcher Tsubasa Iinuma reported a mechanism where the displayed addressbar can be spoofed to users. This issue involves using history navigation in concert with the Location protocol property. After navigating from a malicious page to another, if the user navigates back to the initial...
Out-of-bounds write with malicious font in Graphite 2 — Mozilla
Security researcher James Clawson used the Address Sanitizer tool to discover an out-of-bounds write in the Graphite 2 library when loading a crafted Graphite font file. This results in a potentially exploitable crash...
Use-after-free during processing of DER encoded keys in NSS — Mozilla
Mozilla developer Tim Taubert used the Address Sanitizer tool and software fuzzing to discover a use-after-free vulnerability while processing DER encoded keys in the Network Security Services NSS libraries. The vulnerability overwrites the freed memory with zeroes. This issue has been addressed ...
Font vulnerabilities in the Graphite 2 library — Mozilla
Security researcher Holger Fuhrmannek and Mozilla security engineer Tyson Smith reported a number of security vulnerabilities in the Graphite 2 library affecting version 1.3.5...
Service Worker Manager out-of-bounds read in Service Worker Manager — Mozilla
Security researcher Looben Yang reported a mechanism where the Clients API in Service Workers can be used to trigger an out-of-bounds read in ServiceWorkerManager. This results in a potentially exploitable crash...
Same-origin-policy violation using Service Workers with plugins — Mozilla
Jason Pang of OneSignal reported that service workers intercept responses to plugin network requests made through the browser. Plugins which make security decisions based on the content of network requests can have these decisions subverted if a service worker forges responses to those requests...
Vulnerabilities in Graphite 2 — Mozilla
Security researcher Holger Fuhrmannek reported that a malicious Graphite "smart font" could circumvent the validation of internal instruction parameters in the Graphite 2 library using special CNTXTITEM instructions. This could result in arbitrary code execution...
Use-after-free in NSS during SSL connections in low memory — Mozilla
Mozilla developer Eric Rescorla reported that a failed allocation during DHE and ECDHE handshakes would lead to a use-after-free vulnerability...
Application Reputation service disabled in Firefox 43 — Mozilla
Mozilla developer François Marier reported that Firefox was unable to reach the Application Reputation service due to a bug introduced in Firefox 43, disabling the ability to warn against potentially malicious downloads. Other parts of the Safe Browsing feature, for example the warnings about...
Errors in mp_div and mp_exptmod cryptographic functions in NSS — Mozilla
Security researcher Hanno Böck reported that calculations with mp_div and mp_exptmod in Network Security Services NSS can produce wrong results in some circumstances. These functions are used within NSS for a variety of cryptographic division functions, leading to potential cryptographic weaknesses...
Buffer overflow in WebGL after out of memory allocation — Mozilla
Security researcher Aki Helin used the Address Sanitizer tool to find a buffer overflow write when rendering some WebGL content. This leads to a potentially exploitable crash...
Firefox allows for control characters to be set in cookie names — Mozilla
Security researcher musicDespiteEverything previously reported an issue where illegal control characters were stored as cookie values in violation of RFC6265. While fixing this issue, Mozilla developer Nicholas Hurley realized that the same issue applied to the names of cookies. These characte...
Addressbar spoofing through stored data url shortcuts on Firefox for Android — Mozilla
Security researcher Muneaki Nishimura reported an issue with displayed URLs and bookmarks on Firefox for Android. If a data: URL is opened from a stored shortcut on the homescreen or from a BOOKMARK intent from another installed Android application, the addressbar continues to show the data: url...
Out of Memory crash when parsing GIF format images — Mozilla
Security researcher Gustavo Grieco reported an out of memory crash when loading maliciously crafted GIF format images. Investigation of the issue determined that the root cause was an error in image parsing code during deinterlacing, leading to a potential integer overflow...
Miscellaneous memory safety hazards (rv:44.0 / rv:38.6) — Mozilla
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...
Delay following click events in file download dialog too short on OS X — Mozilla
Security researcher Jordi Chancel reported an issue on OS X where the delay between the download dialog getting focus and the button getting enabled was too short. If an attacker is able to induce the user to double-click in a specific location, they can then pass the second click through to the...
Addressbar spoofing attacks — Mozilla
Security researcher Jordi Chancel reported two issues involving addressbar spoofing...
Unsafe memory manipulation found through code inspection — Mozilla
Security researcher Ronald Crane reported three vulnerabilities affecting released code that were found through code inspection. These include a high rated memory safety issue in the ANGLE graphics library, a moderate rated potential wild pointer flaw when handling zip files, and a critical rated...
Missing delay following user click events in protocol handler dialog — Mozilla
Security researcher window reported an issue where, when the protocol handler dialog appears, double click events are treated as two single click events. This was caused by the lack of a delay following the initial focus in the file download dialog. This could cause a second dialog to be sent the secon...
Lightweight themes on Firefox for Android do not verify a secure connection — Mozilla
Mozilla developer Margaret Leibovic reported that when Firefox for Android installs lightweight themes, it does not check to verify that they are served over an HTTPS connection. Instead, themes can be installed over an unencrypted connection, which could allow for a man-in-the-middle MITM attack by...
Lockscreen delay bypass in Firefox OS — Mozilla
Frederik Braun of Mozilla discovered a bug in the lockscreen state logic that allows an attacker to bypass the lockscreen delay. The delay was introduced to make it harder to brute-force the passcode lock of a Firefox OS device when an attacker has gained physical access. A successful attack woul...
HTML injection in homescreen app bypassing DOM sanitizer — Mozilla
Mozilla fixed a bug in the l10n localization of the default homescreen app of Firefox OS reported by security researcher Muneaki Nishimura. Exploiting this issue requires tricking the user into bookmarking a specially crafted web page via the 'Add to home screen' functionality. As a result, an...
Lockscreen passcode bypass due to race condition — Mozilla
Shally Li was first to report a race condition in the lockscreen of Firefox OS that can be used to bypass the passcode lock of a Firefox OS device. Under certain circumstances on a locked device, the user will be dropped directly to the homescreen instead of being presented with the passcode inpu...
MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature — Mozilla
Security researcher Karthikeyan Bhargavan reported an issue in Network Security Services NSS where MD5 signatures in the server signature within the TLS 1.2 ServerKeyExchange message are still accepted. This is an issue since NSS has officially disallowed accepting MD5 as a hash algorithm in...
Linux file chooser crashes on malformed images due to flaws in Jasper library — Mozilla
Security researcher Gustavo Grieco reported that on Linux Gnome systems the dialog for choosing local files uses the operating system's gdk-pixbuf library to render thumbnails for image file types. This library supports various image decoders, and Grieco reported that the Jasper and TGA decoders...