Vulnerabilities found through code inspection — Mozilla
Security researcher Ronald Crane reported eight vulnerabilities affecting released code that were found through code inspection. These included several potential memory safety issues resulting from the use of snprintf, one use of unowned memory, one use of a string without overflow checks, and fi...
Use-after-free while manipulating HTML media content — Mozilla
An anonymous researcher reported, via HP's Zero Day Initiative, a use-after-free vulnerability with HTML media elements on a page during script manipulation of the URI table of these elements. This results in a potentially exploitable crash...
Dragging and dropping images exposes final URL after redirects — Mozilla
Security researcher Mario Gomes reported that when a previously loaded image on a page is drag and dropped into content after a redirect, the redirected URL is available to scripts. This is a violation of the Fetch specification's defined behavior for "Atomic HTTP redirect handling" which states...
Use-after-free when resizing canvas element during restyling — Mozilla
Mozilla community member Jean-Max Reymond discovered a use-after-free vulnerability with a canvas element on a page. This occurs when a resize event is triggered in concert with style changes but the canvas references have been recreated in the meantime, destroying the originally referenced context. Thi...
Add-on notification bypass through data URLs — Mozilla
Security researcher Bas Venis reported a mechanism where add-ons could be installed from a different source than user expectations. Normally, when a user enters the URL to an add-on directly in the address bar, warning prompts are bypassed because it is the result of direct user action. He...
Integer overflows in libstagefright while processing MP4 video metadata — Mozilla
Security researcher Joshua Drake reported potential integer overflows in the libstagefright library while processing video sample metadata in MPEG4 video files. This can lead to a potentially exploitable crash...
Out-of-bounds read with malformed MP3 file — Mozilla
Security researcher Aki Helin used the Address Sanitizer tool to discover an out-of-bounds read during playback of a malformed MP3 format audio file which switches sample formats. This could trigger a potentially exploitable crash or the reading of out-of-bounds memory content in some circumstanc...
Overflow issues in libstagefright — Mozilla
An anonymous researcher reported, via TippingPoint's Zero Day Initiative, two integer overflows in the libstagefright library that could be triggered by a malicious 'saio' chunk in an MPEG4 video. These overflows allowed for potential arbitrary code execution. This issue was independently reporte...
Vulnerabilities found through code inspection — Mozilla
Security researcher Ronald Crane reported three vulnerabilities affecting released code that were found through code inspection. These included one use of unowned memory, one use of a deleted object, and one memory safety bug. These do not all have clear mechanisms to be exploited through web...
Feed protocol with POST bypasses mixed content protections — Mozilla
Security researcher Masato Kinugawa reported that opening a target page using a POST to the URL prefixed with the feed: protocol disables the mixed content blocker for that page. This could allow for the risk of a man-in-the-middle (MITM) scripting attack on pages that accidentally include insecure...
Redefinition of non-configurable JavaScript object properties — Mozilla
Security researcher André Bargull reported non-configurable properties on JavaScript objects can be redefined while parsing JSON in violation of the ECMAScript 6 standard. This allows malicious web content to bypass same-origin policy by editing these properties to arbitrary values...
Out-of-bounds write with Updater and malicious MAR file — Mozilla
Security researcher Holger Fuhrmannek reported that if the Updater opens a MAR format file with a specially crafted name, an out-of-bounds write will occur. This can lead to a potentially exploitable crash but requires that the malicious MAR format file be present on the local system and the...
Miscellaneous memory safety hazards (rv:40.0 / rv:38.2) — Mozilla
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...
Heap overflow in gdk-pixbuf when scaling bitmap images — Mozilla
Security researcher Gustavo Grieco reported a heap overflow in gdk-pixbuf affecting Linux systems using Gnome. This issue is triggered by the scaling of a malformed bitmap format image and results in a potentially exploitable crash...
Crash when using shared memory in JavaScript — Mozilla
Security researcher Jukka Jylänki reported a crash that occurs because JavaScript, when using shared memory, does not properly gate access to Atomics or SharedArrayBuffer views in some contexts. This leads to a non-exploitable crash...
Use-after-free in MediaStream playback — Mozilla
Security researcher SkyLined reported a use-after-free issue in how audio is handled during MediaStream playback through interactions with the Web Audio API. This results in a potentially exploitable crash...
Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification — Mozilla
Mozilla security engineer Christoph Kerschbaumer reported a discrepancy in Mozilla's implementation of Content Security Policy and the CSP specification. The specification states that blob:, data:, and filesystem: URLs should be excluded in case of a wildcard when matching source expressions but...
Use-after-free in XMLHttpRequest with shared workers — Mozilla
Security researcher Looben Yang discovered a use-after-free vulnerability when recursively calling .open on an XMLHttpRequest in a SharedWorker...
Arbitrary file overwriting through Mozilla Maintenance Service with hard links — Mozilla
Security researcher James Forshaw of Google Project Zero reported that the Mozilla Maintenance Service on Windows can be made to write its log file in a restricted location with an arbitrary file name through the use of a hard link by means of a race condition. This can...
Buffer overflows on Libvpx when decoding WebM video — Mozilla
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover two buffer overflow issues in the Libvpx library used for WebM video when decoding a malformed WebM video file. These buffer overflows result in potentially exploitable crashes...
Upper bound check bypass due to signed compare in SharedBufferManagerParent::RecvAllocateGrallocBuffer — Mozilla
Mozilla intern Julian Hector discovered a regression in the graphics buffer management of Firefox OS's graphics layer that would lead to graphics memory corruption by providing negative size parameters. JavaScript cannot access the graphics layer in a way required to trigger this vulnerability,...
Wifi direct system messages don't require a permission — Mozilla
Paul Theriault of Mozilla discovered a privacy issue with a WiFi-related system message that wasn't properly restricted to apps with the "wifi-manage" permission. As a result, even unprivileged apps could have received those messages, allowing them to extract limited information from a vulnerable...
UMS (USB) mounting after reboot even without unlocking — Mozilla
Clement Lefevre reported a bug in USB Mass Storage handling of Firefox OS that would allow unauthorized access to device data through the USB interface. The logic error would under certain circumstances expose USB media volumes to USB hosts while the device is locked with a pass code, for example...
Remote HTML tag injection in Gaia System app — Mozilla
Security researcher Muneaki Nishimura reported an issue with Gaia's System app which allows an attacker to inject HTML code into the System app's context via specially-crafted search links. The injection occurs when the user opens such a malicious link in the browser and then presses the HOME butto...
Remote HTML tag injection in Gaia Search app — Mozilla
Security researcher Muneaki Nishimura reported an issue with Gaia's Search app which allows an attacker to inject HTML code into the System app's context via specially-crafted search links. The injection occurs when the user opens such a malicious link in the browser and then re-opens the browser o...
COPPA error screen in FxAccounts signup allows loading arbitrary web content into B2G root process — Mozilla
Kartikaya Gupta of Mozilla reported an issue within the Firefox Accounts setup dialog that would embed content from a static external URI into the System process. An attacker in a position to control a vulnerable device's network connection could use this to inject arbitrary web content into the...
Same origin violation and local file stealing via PDF reader — Mozilla
Security researcher Cody Crews reported on a way to violate the same origin policy and inject script into a non-privileged part of the built-in PDF Viewer. This would allow an attacker to read and steal sensitive local files on the victim's computer...
Use-after-free in workers while using XMLHttpRequest — Mozilla
Security researcher Looben Yang used the Address Sanitizer tool to discover two related use-after-free vulnerabilities that occur when using XMLHttpRequest in concert with either shared or dedicated workers. These errors occur when the XMLHttpRequest object is attached to a worker but that object...
Key pinning is ignored when overridable errors are encountered — Mozilla
Mozilla security engineer David Keeler reported that when an overridable error is encountered, such as those for expired certificates or a host name that does not match a certificate, pinning checks can be skipped. This would allow for a user to override a pinned certificate when they should not be...
NSS accepts export-length DHE keys with regular DHE cipher suites — Mozilla
Security researcher Matthew Green reported a Diffie-Hellman (DHE) key processing issue in Network Security Services (NSS) where a man-in-the-middle (MITM) attacker can force a server to downgrade TLS connections to 512-bit export-grade cryptography by modifying client requests to include only...
Miscellaneous memory safety hazards (rv:39.0 / rv:31.8 / rv:38.1) — Mozilla
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...
OS X crash reports may contain entered key press information — Mozilla
Mozilla developer David Parks discovered while reviewing Firefox crash reports that personal data can sometimes be contained in reports from OS X systems. This is because these OS X crash reports will contain the native key that triggered the crash and this can sometimes contain key press...
Privilege escalation through internal workers — Mozilla
Mozilla community member Jonas Jenwald reported broken behavior in Mozilla's PDF.js PDF file viewer which led to the discovery that internal Workers were incorrectly executed with high privilege. If this flaw were combined with a separate vulnerability allowing for same-origin policy violation, i...
ECDSA signature validation fails to handle some signatures correctly — Mozilla
Mozilla community member Watson Ladd reported that the implementation of Elliptic Curve Cryptography (ECC) multiplication for Elliptic Curve Digital Signature Algorithm (ECDSA) signature validation in Network Security Services (NSS) did not handle exceptional cases correctly. This could potentially...
Out-of-bound read while computing an oscillator rendering range in Web Audio — Mozilla
Security researcher Holger Fuhrmannek used the Address Sanitizer tool to discover an out-of-bound read while computing an oscillator rendering range in Web Audio. This could allow an attacker to infer the contents of four bytes of memory...
NSS incorrectly permits skipping of ServerKeyExchange — Mozilla
Security researcher Karthikeyan Bhargavan reported an issue in Network Security Services (NSS) where the client accepts an ECDHE_ECDSA exchange in which the server does not send its ServerKeyExchange message, instead of aborting the handshake. Instead, the NSS client will take the EC key from the ECDS...
Vulnerabilities found through code inspection — Mozilla
Security researcher Ronald Crane reported seven vulnerabilities affecting released code that he found through code inspection. These included three uses of uninitialized memory, one poor validation leading to an exploitable crash, one read of unowned memory in zip files, and two buffer overflows...
Use-after-free in Content Policy due to microtask execution error — Mozilla
Security researcher Herre reported a use-after-free vulnerability when a Content Policy modifies the Document Object Model to remove a DOM object, which is then used afterwards due to an error in microtask implementation. This leads to an exploitable crash...
Type confusion in Indexed Database Manager — Mozilla
Security researcher Paul Bandha reported a type confusion error where part of IDBDatabase is read by the Indexed Database Manager and incorrectly used as a pointer when it shouldn't be used as such. This leads to memory corruption and the possibility of an exploitable crash...
Local files or privileged URLs in pages can be opened into new tabs — Mozilla
Security researcher Jann Horn reported that when Mozilla Foundation Security Advisory 2015-25 was fixed in Firefox 37, an error was made that caused the fix to not be applied to Firefox 38, effectively causing the bug to be unfixed in Firefox 38 and Firefox ESR38 once it shipped. As Armin Ebert...
Privilege escalation through IPC channel messages — Mozilla
Mozilla developer Jed Davis and Mozilla security engineer Christoph Diehl reported that Mozilla had inherited an Inter-process Communication (IPC) vulnerability when IPC was introduced into Mozilla products through third-party code. This could allow for privilege escalation through IPC channels due ...
Untrusted site hosting trusted page can intercept webchannel responses — Mozilla
Mozilla developer Mark Hammond reported a flaw in how WebChannel.jsm handles message traffic. He found that when a trusted page is hosted within an iframe on an untrusted third-party framing page, the untrusted page could intercept webchannel responses meant for the trusted page, bypassing...
Mozilla Windows updater can be run outside of application directory — Mozilla
Security researcher Holger Fuhrmannek previously reported CVE-2015-0833, which was fixed in MFSA2015-12. That flaw allowed for the updater to load binary DLL format files from the local working directory or from the Windows temporary directories. During the fixing of CVE-2015-0833, the need to...
Use-after-free due to Media Decoder Thread creation during shutdown — Mozilla
Security researchers Tyson Smith and Jesse Schwartzentruber reported a use-after-free during the shutdown process. This was caused by a race condition when media decoder threads are created during the shutdown process in some circumstances. This leads to a potentially exploitable crash when...
Use-after-free during text processing with vertical text enabled — Mozilla
Security researcher Scott Bell used the Address Sanitizer tool to discover a use-after-free error during the processing of text when vertical text is enabled. This leads to a potentially exploitable crash...
Sensitive URL encoded information written to Android logcat — Mozilla
Security researcher Muneaki Nishimura reported that Firefox for Android would write potentially sensitive data to the Android logcat that was encoded as part of logged URL strings. On Android 4.0 or earlier systems, logcat data is available to any application having the READ_LOGS permission, leading t...
Referrer policy ignored when links opened by middle-click and context menu — Mozilla
Security researcher Alex Verstak reported that the referrer policy is ignored when a link is opened through the context menu or a middle-click by mouse. This means that, in some situations, the referrer policy is ignored when opening links in new tabs and may cause some pages to open without an HTTP Referer header...
Buffer overflow parsing H.264 video with Linux Gstreamer — Mozilla
Security researcher Aki Helin used the Address Sanitizer tool to find a buffer overflow during video playback on Linux systems. This was due to a problem in older versions of the Gstreamer plugin during the parsing of H.264 formatted video. This issue could be used to induce a possibly exploitabl...
Buffer overflow and out-of-bounds read while parsing MP4 video metadata — Mozilla
Security researcher laf.intel reported a buffer overflow and out-of-bounds read in the libstagefright library while parsing invalid metadata in MPEG4 video files. This can lead to a potentially exploitable crash...
Buffer overflow with SVG content and CSS — Mozilla
Using the Address Sanitizer tool, security researcher Atte Kettunen found a buffer overflow during the rendering of SVG format graphics when combined with specific CSS properties on a page. This results in a potentially exploitable crash...