Linux file chooser crashes on malformed images due to flaws in Jasper library — Mozilla
Security researcher Gustavo Grieco reported that on Linux Gnome systems the dialog for choosing local files uses the operating system's gdk-pixbuf library to render thumbnails for image file types. This library supports various image decoders, and Grieco reported that the Jasper and TGA decoders...
Integer underflow and buffer overflow processing MP4 metadata in libstagefright — Mozilla
Mozilla developer Gerald Squelart fixed an integer underflow in the libstagefright library initially reported by Joshua Drake to Google. The issues occurred in MP4 format video file while parsing cover metadata, leading to a buffer overflow. This results in a potentially exploitable crash and can...
Crash with JavaScript variable assignment with unboxed objects — Mozilla
Security researcher Cajus Pollmeier reported that Firefox 41 was crashing during some JavaScript variable assignments. The issue was caused by an implementation error with unboxed objects and property storing in the JavaScript engine. This error could result in a potentially exploitable crash whe...
Miscellaneous memory safety hazards (rv:43.0 / rv:38.5) — Mozilla
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...
Use-after-free in WebRTC when datachannel is used after being destroyed — Mozilla
Security researcher Looben Yang reported a use-after-free error in WebRTC that occurs due to timing issues in WebRTC when closing channels. WebRTC may still believe it has a datachannel open after another WebRTC function has closed it. This results in attempts to use the now destroyed datachannel...
DOS due to malformed frames in HTTP/2 — Mozilla
Security researcher Stuart Larsen reported two issues with HTTP/2 resulting in integer underflows that lead to intentional aborts when the errors are detected...
Same-origin policy violation using performance.getEntries and history navigation — Mozilla
Security researcher cgvwzq reported that it is possible to read cross-origin URLs following a redirect if performance.getEntries is used along with an iframe to host a page. Navigating back in history through script, content is pulled from the browser cache for the redirected location instead of...
Hash in data URI is incorrectly parsed — Mozilla
Security researcher Abdulrahman Alqabandi reported that when a data: URI is parsed, the hash symbol is incorrectly handled, allowing for spoofing attacks. This issue could result in the wrong URI being displayed as a location, which can mislead users to believe they are on a different site tha...
Integer overflow in MP4 playback in 64-bit versions — Mozilla
Security researcher Ronald Crane reported a vulnerability found through code inspection. This issue is an integer overflow while processing an MP4 format video file when an erroneously small buffer is allocated and then overrun, resulting in a potentially exploitable crash...
Buffer overflows found through code inspection — Mozilla
Security researcher Ronald Crane reported three buffer overflows affecting released code that were found through code inspection. They do not all have clear mechanisms to be exploited through web content but are vulnerable if a mechanism can be found to trigger them...
Integer overflow allocating extremely large textures — Mozilla
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover an integer overflow when allocating textures of extremely large sizes during graphics operations. This results in a potentially exploitable crash when triggered...
Cross-site reading attack through data and view-source URIs — Mozilla
Security researcher Tsubasa Iinuma reported a mechanism to violate same-origin policy to content using data: and view-source: URIs to confuse protections and bypass restrictions. This resulted in the ability to read data from cross-site URLs and local files...
Firefox allows for control characters to be set in cookies — Mozilla
Security researcher musicDespiteEverything reported an issue when ASCII code 11 for vertical tab is stored in a cookie in violation of RFC6265. This may result in incorrect cookie handling by servers, resulting in the potential ability to set cookie values and read cookie data from users in conce...
Cross-origin information leak through web workers error events — Mozilla
Security researcher Masato Kinugawa reported a cross-origin information leak through the error events in web workers. This violates same-origin policy and the leaked information could potentially be used by a malicious party to gather authentication tokens and other data from third-party websites...
Underflow through code inspection — Mozilla
Security researcher Ronald Crane reported an underflow found through code inspection. This does not have a clear mechanism to be exploited through web content but could be vulnerable if a means can be found to trigger it...
Android intents can be used on Firefox for Android to open privileged files — Mozilla
Security researcher Muneaki Nishimura reported that on Firefox for Android, a search engine can be registered and used to launch Firefox through an Android intent. When Firefox for Android is launched, the URL can be executed with Firefox's system privileges if the crash reporter is used. This allow...
Crash when accessing HTML tables with accessibility tools on OS X — Mozilla
Mozilla developer Frédéric Wang reported an issue affecting accessibility tools on OS X. This occurs when an accessibility tool requests the index of a table row through the NSAccessibilityIndexAttribute value. This was caused by an error in how HTML tables are exposed to accessibility tools...
Reading sensitive profile files through local HTML file on Android — Mozilla
Security researcher Jordi Chancel reported an issue in Firefox for Android where a locally saved HTML file could use file: URIs to trigger the download of additional files or opening of cached profile data without user awareness...
Firefox for Android addressbar can be removed after fullscreen mode — Mozilla
Security researcher Jordi Chancel reported that when Firefox for Android exits fullscreen mode, it can be induced through script to not restore the addressbar when the window is redrawn in normal mode. This could allow an attacker to spoof the addressbar with their own content...
Disabling scripts in Add-on SDK panels has no effect — Mozilla
Add-on authors Jason Hamilton and Peter Arremann with AMO editor Sylvain Giroux reported a vulnerability when a panel is created using the Add-on SDK in a browser extension. Defining a panel with script: false is supposed to disable script execution but it was found that inline script would still...
XSS attack through intents on Firefox for Android — Mozilla
Security researcher Muneaki Nishimura reported that on Firefox for Android it is possible to create a cross-site scripting (XSS) attack through the use of Android intents and fallback navigation. This issue is caused by improper sanitization of opened addresses sent to Firefox through intents...
JavaScript garbage collection crash with Java applet — Mozilla
Mozilla community member Vytautas Staraitis reported an issue with the interaction of Java applets and JavaScript. The Java plugin can deallocate a JavaScript wrapper when it is still in use, which leads to a JavaScript garbage collection crash. This crash is potentially exploitable...
Information disclosure through NTLM authentication — Mozilla
Security researcher Tim Brown reported that Firefox discloses the hostname and possibly the Windows domain through NTLM-based HTTP authentication when sending type 3 messages as part of the authentication exchange. This is because the Workstation field is populated with the hostname of the system...
NSS and NSPR memory corruption issues — Mozilla
Mozilla engineers Tyson Smith and David Keeler reported a use-after-poison and buffer overflow in the ASN.1 decoder in Network Security Services NSS. These issues were in octet string parsing and were found through fuzzing and code inspection. If these issues were triggered, they would lead to a...
Certain escaped characters in host of Location-header are being treated as non-escaped — Mozilla
Security researcher Frans Rosén reported that URLs with certain escaped characters in hostnames are parsed incorrectly. This leads to parsing being abandoned when an affected escaped character is encountered, followed by a navigation to the previously parsed version of the URL. When combined with ...
CSP bypass due to permissive Reader mode whitelist — Mozilla
Security researcher Mario Heiderich reported an issue where the security protections of Reader mode in Firefox can be bypassed, allowing scripts to be run. Mozilla developer Frederik Braun independently discovered and reported this same issue as well. This issue happens even though Reader View...
Trailing whitespace in IP address hostnames can bypass same-origin policy — Mozilla
Security researcher Michał Bentkowski reported that adding white-space characters to hostnames that are IP addresses can bypass same-origin policy. This flaw was caused by trailing whitespaces being evaluated differently when parsing IP addresses instead of alphanumeric hostnames. This could lead...
Memory corruption in libjar through zip files — Mozilla
Security researcher Gustavo Grieco reported a buffer underflow in libjar triggered through a maliciously crafted ZIP format file. This results in a potentially exploitable crash...
Buffer overflow during image interactions in canvas — Mozilla
Security researcher Looben Yang reported a buffer overflow in the JPEGEncoder function during script interactions with a canvas element. This is caused by a race condition and incorrectly matched sizes following image interactions. This leads to a potentially exploitable crash...
CORS preflight is bypassed when non-standard Content-Type headers are received — Mozilla
Security researcher Shinto K Anto reported an issue with cross-origin resource sharing CORS "preflight" requests when receiving certain Content-Type headers. This is due to an error in implementation resulting in trying to process multiple media types when they are returned in the Content-Type...
Miscellaneous memory safety hazards (rv:42.0 / rv:38.4) — Mozilla
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...
Vulnerabilities found through code inspection — Mozilla
Security researcher Ronald Crane reported three vulnerabilities affecting released code that were found through code inspection. These included a buffer overflow in the ANGLE graphics library and two issues of missing status checks in SVG rendering and during cryptographic key manipulation. These...
Mixed content WebSocket policy bypass through workers — Mozilla
Mozilla developer Ehsan Akhgari reported a mechanism through which a web worker could be used to bypass secure requirements for WebSockets when workers are used to create WebSockets. This allows for the bypassing of mixed content WebSocket policy...
Cross-origin restriction bypass using Fetch — Mozilla
Security researcher Abdulrahman Alqabandi reported that the fetch API did not correctly implement the Cross-Origin Resource Sharing CORS specification, allowing a malicious page to access private data from other origins. Mozilla developer Ben Kelly independently reported the same issue...
Vulnerabilities found through code inspection — Mozilla
Security researcher Ronald Crane reported eight vulnerabilities affecting released code that were found through code inspection. These included several potential memory safety issues resulting from the use of snprintf, one use of unowned memory, one use of a string without overflow checks, and fi...
Information disclosure via the High Resolution Time API — Mozilla
Security researchers Yossef Oren, Vasileios P. Kemerlis, Simha Sethumadhavan, Angelos D. Keromytis of Columbia University's Network Security Lab reported a method of using the High Resolution Time API for side channel attacks. This attack uses JavaScript loaded through a hostile web page to track...
Errors in the handling of CORS preflight request headers — Mozilla
Mozilla developer Ehsan Akhgari reported two issues with Cross-origin resource sharing CORS "preflight" requests...
URL spoofing in reader mode — Mozilla
Security researcher Juho Nurminen reported a mechanism to spoof the URL displayed in the addressbar in reader mode by manipulating the loaded URL. This flaw allows the displayed URL to differ from that of the web content actually rendered. This allows for potential spoofing but the effects are...
Buffer overflow in libvpx while parsing vp9 format video — Mozilla
Security researcher Khalil Zhani reported that a maliciously crafted vp9 format video could be used to trigger a buffer overflow while parsing the file. This leads to a potentially exploitable crash due to a flaw in the libvpx library...
Crash when using debugger with SavedStacks in JavaScript — Mozilla
Security researcher Spandan Veggalam reported a crash while using the debugger API with SavedStacks in JavaScript. This crash can only occur when the debugger is in use but may be potentially exploitable...
Arbitrary file manipulation by local user through Mozilla updater — Mozilla
Security researcher Holger Fuhrmannek reported that when the Mozilla updater is run, the updater can be manipulated to load the updated files from a working directory under user control in concert with junctions. When the updates are run by the Mozilla Maintenance Service on Windows, these...
Memory safety errors in libGLES in the ANGLE graphics library — Mozilla
Security researcher Ronald Crane reported two issues in the libGLES portions of the ANGLE graphics library, used for WebGL and OpenGL content on Windows systems. The first of these is a missing bounds check leading to memory safety errors when manipulating shaders which could result in the writin...
JavaScript immutable property enforcement can be bypassed — Mozilla
Mozilla developer Jeff Walden reported that Gecko's implementation of the ECMAScript 5 APIs enforces non-configurable properties with logic specific to each API. Scripts that do not go through these APIs can bypass these protections and make changes to the immutable properties in violation of...
Scripted proxies can access inner window — Mozilla
Security researcher André Bargull reported that when a web page creates a scripted proxy for the window with a handler defined a certain way, a reference to the inner window will be passed, rather than that of the outer window in violation of the specification...
Out-of-bounds read during 2D canvas display on Linux 16-bit color depth systems — Mozilla
Security researcher Francisco Alonso of the NowSecure Research Team used the Address Sanitizer tool to discover an out-of-bounds read issue during 2D canvas rendering. This was due to an issue in the cairo graphics library when surfaces are created with 32-bit color depth but displayed on a 16-bi...
Buffer overflow while decoding WebM video — Mozilla
Using the Address Sanitizer tool, security researcher Atte Kettunen discovered a buffer overflow in the nestegg library when decoding a WebM format video with maliciously formatted headers. This leads to a potentially exploitable crash...
Use-after-free with shared workers and IndexedDB — Mozilla
Security researcher Looben Yang discovered a use-after-free vulnerability when using a shared worker with IndexedDB due to a race condition with the worker. This results in a potentially exploitable crash that can be triggered through web content...
Site attribute spoofing on Android by pasting URL with unknown scheme — Mozilla
Security researcher Jordi Chancel reported that on Firefox for Android, when a URL is pasted with an unknown protocol, such as secure: or httpz:, the pasted URL is shown in the addressbar but no navigation occurs. Other addressbar attributes present before this pasted URL is entered will continue...
Use-after-free while manipulating HTML media content — Mozilla
An anonymous researcher reported, via HP's Zero Day Initiative, a use-after-free vulnerability with HTML media elements on a page during script manipulation of the URI table of these elements. This results in a potentially exploitable crash...
Dragging and dropping images exposes final URL after redirects — Mozilla
Security researcher Mario Gomes reported that when a previously loaded image on a page is drag and dropped into content after a redirect, the redirected URL is available to scripts. This is a violation of the Fetch specification's defined behavior for "Atomic HTTP redirect handling" which states...