1574 matches found
Out of Memory crash when parsing GIF format images — Mozilla
Security researcher Gustavo Grieco reported an out of memory crash when loading maliciously crafted GIF format images. Investigation of the issue determined that the root cause was an error in image parsing code during deinterlacing, leading to a potential integer overflow...
HTML injection in homescreen app bypassing DOM sanitizer — Mozilla
Mozilla fixed a bug in the l10n localization of the default homescreen app of Firefox OS reported by security researcher Muneaki Nishimura. Exploiting this issue requires tricking the user into bookmarking a specially crafted web page via the 'Add to home screen' functionality. As a result, an...
Lockscreen delay bypass in Firefox OS — Mozilla
Frederik Braun of Mozilla discovered a bug in the lockscreen state logic that allows an attacker to bypass the lockscreen delay. The delay was introduced to make it harder to brute-force the passcode lock of a Firefox OS device when an attacker has gained physical access. A successful attack woul...
Lockscreen passcode bypass due to race condition — Mozilla
Shally Li was first to report a race condition in the lockscreen of Firefox OS that can be used to bypass the passcode lock of a Firefox OS device. Under certain circumstances on a locked device, the user will be dropped directly to the homescreen instead of being presented with the passcode inpu...
MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature — Mozilla
Security researcher Karthikeyan Bhargavan reported an issue in Network Security Services NSS where MD5 signatures in the server signature within the TLS 1.2 ServerKeyExchange message are still accepted. This is an issue since NSS has officially disallowed the accepting MD5 as a hash algorithm in...
Same-origin policy violation using performance.getEntries and history navigation — Mozilla
Security researcher cgvwzq reported that it is possible to read cross-origin URLs following a redirect if performance.getEntries is used along with an iframe to host a page. Navigating back in history through script, content is pulled from the browser cache for the redirected location instead of...
Linux file chooser crashes on malformed images due to flaws in Jasper library — Mozilla
Security researcher Gustavo Grieco reported that on Linux Gnome systems the dialog for choosing local files uses the operating system's gdk-pixbuf library to render thumbnails for image file types. This library supports various image decoders, and Grieco reported that the Jasper and TGA decoders...
DOS due to malformed frames in HTTP/2 — Mozilla
Security researcher Stuart Larsen reported two issues with HTTP/2 resulting in integer underflows that lead to intentional aborts when the errors are detected...
Integer overflow in MP4 playback in 64-bit versions — Mozilla
Security researcher Ronald Crane reported a vulnerability found through code inspection. This issue is an integer overflow while processing an MP4 format video file when an a erroneously-small buffer is allocated and then overrun, resulting in a potentially exploitable crash...
Miscellaneous memory safety hazards (rv:43.0 / rv:38.5) — Mozilla
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...
Integer overflow allocating extremely large textures — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to discover an integer overflow when when allocating textures of extremely larges sizes during graphics operations. This results in a potentially exploitable crash when triggered...
Firefox allows for control characters to be set in cookies — Mozilla
Security researcher musicDespiteEverything reported an issue when ASCII code 11 for vertical tab is stored in a cookie in violation of RFC6265. This may result in incorrect cookie handling by servers, resulting in the potential ability to set cookie values and read cookie data from users in conce...
Integer underflow and buffer overflow processing MP4 metadata in libstagefright — Mozilla
Mozilla developer Gerald Squelart fixed an integer underflow in the libstagefright library initially reported by Joshua Drake to Google. The issues occurred in MP4 format video file while parsing cover metadata, leading to a buffer overflow. This results in a potentially exploitable crash and can...
Cross-site reading attack through data and view-source URIs — Mozilla
Security researcher Tsubasa Iinuma reported a mechanism to violate same-origin policy to content using data: and view-source: URIs to confuse protections and bypass restrictions. This resulted in the ability to read data from cross-site URLs and local files...
Buffer overflows found through code inspection — Mozilla
Security researcher Ronald Crane reported three buffer overflows affecting released code that were found through code inspection. They do not all have clear mechanisms to be exploited through web content but are vulnerable if a mechanism can be found to trigger them...
Underflow through code inspection — Mozilla
Security researcher Ronald Crane reported an underflow found through code inspection. This does not all have a clear mechanism to be exploited through web content but could be vulnerable if a means can be found to trigger it...
Cross-origin information leak through web workers error events — Mozilla
Security researcher Masato Kinugawa reported a cross-origin information leak through the error events in web workers. This violates same-origin policy and the leaked information could potentially be used by a malicious party to gather authentication tokens and other data from third-party websites...
Use-after-free in WebRTC when datachannel is used after being destroyed — Mozilla
Security researcher Looben Yang reported a use-after-free error in WebRTC that occurs due to timing issues in WebRTC when closing channels. WebRTC may still believe is has a datachannel open after another WebRTC function has closed it. This results in attempts to use the now destroyed datachannel...
Privilege escalation vulnerabilities in WebExtension APIs — Mozilla
Mozilla developer Kris Maglione reported a mechanism where WebExtension APIs could be used to escalate privilege. This could allow arbitrary web content to execute code with the privileges of a particular WebExtension when using these API calls. Depending on the privileges of the extension used,...
Hash in data URI is incorrectly parsed — Mozilla
Security researcher Abdulrahman Alqabandi reported that when a data: URI is parsed, the hash '' symbol is incorrectly handled, allowing for spoofing attacks. This issue could result in the wrong URI being displayed as a location, which can mislead users to believe they are on a different site tha...
Crash with JavaScript variable assignment with unboxed objects — Mozilla
Security researcher Cajus Pollmeier reported that Firefox 41 was crashing during some Javascript variable assignments. The issue was caused by an implementation error with unboxed objects and property storing in the JavaScript engine. This error could result in a potentially exploitable crash whe...
Crash when accessing HTML tables with accessibility tools on OS X — Mozilla
Mozilla developer Frédéric Wang reported an issue affecting accessibility tools on OS X. This occurs when when an accessibility tool requests the index of a table row through the NSAccessibilityIndexAttribute value. This was caused by an error in how HTML tables are exposed to accessibility tools...
Android intents can be used on Firefox for Android to open privileged files — Mozilla
Security researcher Muneaki Nishimura reported that on Firefox for Android, a search engine can be registered and used to launch Firefox through an Android intent. When Firefox for Android is launched, the URL can executed with Firefox's system privileges if the crash reporter is used. This allow...
Reading sensitive profile files through local HTML file on Android — Mozilla
Security researcher Jordi Chancel reported an issue in Firefox for Android where a locally saved HTML file could use file: URIs to trigger the download of additional files or opening of cached profile data without user awareness...
Disabling scripts in Add-on SDK panels has no effect — Mozilla
Add-on authors Jason Hamilton and Peter Arremann with AMO editor Sylvain Giroux reported a vulnerability when a panel is created using the Add-on SDK in a browser extension. Defining a panel with script: false is supposed to disable script execution but it was found that inline script would still...
Firefox for Android addressbar can be removed after fullscreen mode — Mozilla
Security researcher Jordi Chancel reported when Firefox for Android exits fullscreen mode, it can be induce through script to not restore the addressbar when the window is redrawn in normal mode. This could allow an attacker to spoof the addressbar with their own content...
Certain escaped characters in host of Location-header are being treated as non-escaped — Mozilla
Security researcher Frans Rosén reported that URLs with certain escaped characters in hostnames are parsed incorrectly. This leads to parsing being abandoned when an effected escaped character is encountered followed by a navigation to the previously parsed version of the URL. When combined with ...
Memory corruption in libjar through zip files — Mozilla
Security researcher Gustavo Grieco reported a buffer underflow in libjar triggered through a maliciously crafted ZIP format file. This results in a potentially exploitable crash...
Mixed content WebSocket policy bypass through workers — Mozilla
Mozilla developer Ehsan Akhgari reported a mechanism through which a web worker could be used to bypass secure requirements for WebSockets when workers are used to create WebSockets. This allows for the bypassing of mixed content WebSocket policy...
Vulnerabilities found through code inspection — Mozilla
Security researcher Ronald Crane reported three vulnerabilities affecting released code that were found through code inspection. These included a buffer overflow in the ANGLE graphics library and two issues of missing status checks in SVG rendering and during cryptographic key manipulation. These...
JavaScript garbage collection crash with Java applet — Mozilla
Mozilla community member Vytautas Staraitis reported an issue with the interaction of Java applets and JavaScript. The Java plugin can deallocate a JavaScript wrapper when it is still in use, which leads to a JavaScript garbage collection crash. This crash is potentially exploitable...
CORS preflight is bypassed when non-standard Content-Type headers are received — Mozilla
Security researcher Shinto K Anto reported an issue with cross-origin resource sharing CORS "preflight" requests when receiving certain Content-Type headers. This is due to an error in implementation resulting in trying to process multiple media types when they are returned in the Content-Type...
Buffer overflow during image interactions in canvas — Mozilla
Security researcher Looben Yang reported a buffer overflow in the JPEGEncoder function during script interactions with a canvas element. This is caused by a race condition and incorrectly matched sizes following image interactions. This leads to a potentially exploitable crash...
Miscellaneous memory safety hazards (rv:42.0 / rv:38.4) — Mozilla
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...
CSP bypass due to permissive Reader mode whitelist — Mozilla
Security researcher Mario Heiderich reported an issue where the security protections of Reader mode in Firefox can be bypassed, allowing scripts to be run. Mozilla developer Frederik Braun independently discovered and reported this same issue as well. This issue happens even though Reader View...
Information disclosure through NTLM authentication — Mozilla
Security researcher Tim Brown reported that Firefox discloses the hostname and possibly the Windows domain through NTLM-based HTTP authentication when sending type 3 messages as part of the authentication exchange. This is because the Workstation field is populated with the hostname of the system...
XSS attack through intents on Firefox for Android — Mozilla
Security researcher Muneaki Nishimura reported that on Firefox for Android that it is possible to create a cross-site script XSS attack through the use of Android intents and fallback navigation. This issue is caused by improper sterilization of opened addresses sent to Firefox through intents...
NSS and NSPR memory corruption issues — Mozilla
Mozilla engineers Tyson Smith and David Keeler reported a use-after-poison and buffer overflow in the ASN.1 decoder in Network Security Services NSS. These issues were in octet string parsing and were found through fuzzing and code inspection. If these issues were triggered, they would lead to a...
Trailing whitespace in IP address hostnames can bypass same-origin policy — Mozilla
Security researcher Michał Bentkowski reported that adding white-space characters to hostnames that are IP addresses can bypass same-origin policy. This flaw was caused by trailing whitespaces being evaluated differently when parsing IP addresses instead of alphanumeric hostnames. This could lead...
Cross-origin restriction bypass using Fetch — Mozilla
Security researcher Abdulrahman Alqabandi reported that the fetch API did not correctly implement the Cross-Origin Resource Sharing CORS specification, allowing a malicious page to access private data from other origins. Mozilla developer Ben Kelly independently reported the same issue...
URL spoofing in reader mode — Mozilla
Security researcher Juho Nurminen reported a mechanism to spoof the URL displayed in the addressbar in reader mode by manipulating the loaded URL. This flaw allows for the URL displayed to be different than that the web content rendered. This allows for potential spoofing but the effects are...
Crash when using debugger with SavedStacks in JavaScript — Mozilla
Security researcher Spandan Veggalam reported a crash while using the debugger API with SavedStacks in JavaScript. This crash can only occurs when the debugger is in use but may be potentially exploitable...
Arbitrary file manipulation by local user through Mozilla updater — Mozilla
Security researcher Holger Fuhrmannek reported that when the Mozilla updater is run, the updater can be manipulated to load the updated files from a working directory under user control in concert with junctions. When the updates are run by the Mozilla Maintenance Service on Windows, these...
Buffer overflow in libvpx while parsing vp9 format video — Mozilla
Security researcher Khalil Zhani reported that a maliciously crafted vp9 format video could be used to trigger a buffer overflow while parsing the file. This leads to a potentially exploitable crash due to a flaw in the libvpx library...
Site attribute spoofing on Android by pasting URL with unknown scheme — Mozilla
Security researcher Jordi Chancel reported that on Firefox for Android, when a URL is pasted with an unknown protocol, such as secure: or httpz:, the pasted URL is shown in the addressbar but no navigation occurs. Other addressbar attributes present before this pasted URL is entered will continue...
Out of bounds read in QCMS library with ICC V4 profile attributes — Mozilla
Security researcher Felix Gröbert of Google discovered an out of bounds read in the QCMS color management library while manipulating an image with specific attributes in its ICC V4 profile. This causes a crash and could lead to information disclosure...
Memory leak in mozTCPSocket to servers — Mozilla
Security researcher David Chan reported that Mozilla's mozTCPSocket implementation could leak data past the end of an array, allowing for the potential exposure of memory or private data to malicious servers...
Miscellaneous memory safety hazards (rv:41.0 / rv:38.3) — Mozilla
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...
Errors in the handling of CORS preflight request headers — Mozilla
Mozilla developer Ehsan Akhgari reported two issues with Cross-origin resource sharing CORS "preflight" requests...
Memory safety errors in libGLES in the ANGLE graphics library — Mozilla
Security researcher Ronald Crane reported two issues in the libGLES portions of the ANGLE graphics library, used for WebGL and OpenGL content on Windows systems. The first of these is a missing bounds check leading to memory safety errors when manipulating shaders which could result in the writin...