1574 matches found
Vulnerabilities found through code inspection — Mozilla
Security researcher Ronald Crane reported eight vulnerabilities affecting released code that were found through code inspection. These included several potential memory safety issues resulting from the use of snprintf, one use of unowned memory, one use of a string without overflow checks, and fi...
JavaScript immutable property enforcement can be bypassed — Mozilla
Mozilla developer Jeff Walden reported that in Gecko's implementation of ECMAScript 5 API's enforces non-configurable properties with logic specific to each API. Scripts that do not go through these APIs can bypass these protections and make changes to the immutable properties in violation of...
Buffer overflow while decoding WebM video — Mozilla
Using the Address Sanitizer tool, security researcher Atte Kettunen discovered a buffer overflow in the nestegg library when decoding a WebM format video with maliciously formatted headers. This leads to a potentially exploitable crash...
Scripted proxies can access inner window — Mozilla
Security researcher André Bargull reported that when a web page creates a scripted proxy for the window with a handler defined a certain way, a reference to the inner window will be passed, rather than that of the outer window in violation of the specification...
Out-of-bounds read during 2D canvas display on Linux 16-bit color depth systems — Mozilla
Security researcher Francisco Alonso of the NowSecure Research Team used the Address Sanitizer tool to discover an out-of-bounds read issue during 2D canvas rendering. This was due to an issue in the cairo graphics library when surfaces are created with 32-bit color depth but displayed on a 16-bi...
Use-after-free with shared workers and IndexedDB — Mozilla
Security researcher Looben Yang discovered a use-after-free vulnerability when using a shared worker with IndexedDB due to a race condition with the worker. This results in a potentially exploitable crash that can be triggered through web content...
Use-after-free while manipulating HTML media content — Mozilla
An anonymous researcher reported, via HP's Zero Day Initiative, a use-after-free vulnerability with HTML media elements on a page during script manipulation of the URI table of these elements. This results in a potentially exploitable crash...
Errors in the handling of CORS preflight request headers — Mozilla
Mozilla developer Ehsan Akhgari reported two issues with Cross-origin resource sharing CORS "preflight" requests...
Memory safety errors in libGLES in the ANGLE graphics library — Mozilla
Security researcher Ronald Crane reported two issues in the libGLES portions of the ANGLE graphics library, used for WebGL and OpenGL content on Windows systems. The first of these is a missing bounds check leading to memory safety errors when manipulating shaders which could result in the writin...
Use-after-free when resizing canvas element during restyling — Mozilla
Mozilla community member Jean-Max Reymond discovered a use-after-free vulnerability with a element on a page. This occurs when a resize event is triggered in concert with style changes but the canvas references have been recreated in the meantime, destroying the originally referenced context. Thi...
Add-on notification bypass through data URLs — Mozilla
Security researcher Bas Venis reported a mechanism where add-ons could be installed from a different source than user expectations. Normally, when a user enters the URL to an add-on directly in the addressbar, warning prompts are bypassed because it is the result of direct user action. He...
Integer overflows in libstagefright while processing MP4 video metadata — Mozilla
Security researcher Joshua Drake reported potential integer overflows in the libstagefright library while processing video sample metadata in MPEG4 video files. This can lead to a potentially exploitable crash...
Out-of-bounds read with malformed MP3 file — Mozilla
Security researcher Aki Helin used the Address Sanitizer tool to discover an out-of-bounds read during playback of a malformed MP3 format audio file which switches sample formats. This could trigger a potentially exploitable crash or the reading of out-of-bounds memory content in some circumstanc...
Heap overflow in gdk-pixbuf when scaling bitmap images — Mozilla
Security researcher Gustavo Grieco reported a heap overflow in gdk-pixbuf affecting Linux systems using Gnome. This issue is triggered by the scaling of a malformed bitmap format image and results in a potentially exploitable crash...
Crash when using shared memory in JavaScript — Mozilla
Security researcher Jukka Jylänki reported a crash that occurs because JavaScript, when using shared memory, does not properly gate access to Atomics or SharedArrayBuffer views in some contexts. This leads to a non-exploitable crash...
Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification — Mozilla
Mozilla security engineer Christoph Kerschbaumer reported a discrepancy in Mozilla's implementation of Content Security Policy and the CSP specification. The specification states that blob:, data:, and filesystem: URLs should be excluded in case of a wildcard when matching source expressions but...
Vulnerabilities found through code inspection — Mozilla
Security researcher Ronald Crane reported three vulnerabilities affecting released code that were found through code inspection. These included one use of unowned memory, one use of a deleted object, and one memory safety bug. These do not all have clear mechanisms to be exploited through web...
Feed protocol with POST bypasses mixed content protections — Mozilla
Security researcher Masato Kinugawa reported that opening a target page using a POST to the url prefixed with the feed: protocol disables the mixed content blocker for that page. This could allow for the risk of a man-in-the-middle MITM scripting attack on pages that accidentally include insecure...
Use-after-free in XMLHttpRequest with shared workers — Mozilla
Security researcher Looben Yang discovered a use-after-free vulnerability when recursively calling .open on an XMLHttpRequest in a SharedWorker...
Buffer overflows on Libvpx when decoding WebM video — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to discover two buffer overflow issues in the Libvpx library used for WebM video when decoding a malformed WebM video file. These buffer overflows result in potentially exploitable crashes...
Use-after-free in MediaStream playback — Mozilla
Security researcher SkyLined reported a use-after-free issue in how audio is handled through the Web Audio API during MediaStream playback through interactions with the Web Audio API. This results in a potentially exploitable crash...
Overflow issues in libstagefright — Mozilla
An anonymous researcher reported, via TippingPoint's Zero Day Initiative, two integer overflows in the libstagefright library that could be triggered by a malicious 'saio' chunk in an MPEG4 video. These overflows allowed for potential arbitrary code execution. This issue was independently reporte...
Redefinition of non-configurable JavaScript object properties — Mozilla
Security researcher André Bargull reported non-configurable properties on JavaScript objects can be redefined while parsing JSON in violation of the ECMAScript 6 standard. This allows malicious web content to bypass same-origin policy by editing these properties to arbitrary values...
Out-of-bounds write with Updater and malicious MAR file — Mozilla
Security researcher Holger Fuhrmannek reported that if the Updater opens a MAR format file with a specially crafted name, an out-of-bounds write will occur. This can lead to a potentially exploitable crash but requires that the malicious MAR format file be present on the local system and the...
Arbitrary file overwriting through Mozilla Maintenance Service with hard links — Mozilla
Security researcher James Forshaw, security researcher with Google Project Zero, reported that the Mozilla Maintenance Service on Windows can be made to write its log file in a restricted location with an arbitrary file name through the use of a hard link by means of a race condition. This can...
Miscellaneous memory safety hazards (rv:40.0 / rv:38.2) — Mozilla
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...
Remote HTML tag injection in Gaia Search app — Mozilla
Security researcher Muneaki Nishimura reported an issue with Gaia's Search app which allows an attacker to inject HTML code into the System app's context via specially-crafted search links. The injection occurs when the user opens such malicious link in the browser and then re-opens the browser o...
Same origin violation and local file stealing via PDF reader — Mozilla
Security researcher Cody Crews reported on a way to violate the same origin policy and inject script into a non-privileged part of the built-in PDF Viewer. This would allow an attacker to read and steal sensitive local files on the victim's computer...
COPPA error screen in FxAccounts signup allows loading arbitrary web content into B2G root process — Mozilla
Kartikaya Gupta of Mozilla reported an issue within the Firefox Accounts setup dialog that would embed content from a static external URI into the System process. An attacker in a position to control a vulnerable device's network connection could use this to inject arbitrary web content into the...
Upper bound check bypass due to signed compare in SharedBufferManagerParent::RecvAllocateGrallocBuffer — Mozilla
Mozilla intern Julian Hector discovered a regression in the graphics buffer management of Firefox OS's graphics layer that would lead to graphics memory corruption by providing negative size parameters. JavaScript can not access the graphics layer in a way required to trigger this vulnerability,...
UMS (USB) mounting after reboot even without unlocking — Mozilla
Clement Lefevre reported a bug in USB Mass Storage handling of Firefox OS that would allow unauthorized access to device data through the USB interface. The logic error would under certain circumstances expose USB media volumes to USB hosts while the device is locked with a pass code, for example...
Remote HTML tag injection in Gaia System app — Mozilla
Security researcher Muneaki Nishimura reported an issue with Gaia's System app which allows an attacker to inject HTML code into the System app's context via specially-crafted search links. The injection occurs when the user opens such malicious link in the browser and then presses the HOME butto...
Wifi direct system messages don't require a permission — Mozilla
Paul Theriault of Mozilla discovered a privacy issue with a WiFi-related system message that wasn't properly restricted to apps with the "wifi-manage" permission. As a result, even unprivileged apps could have received those messages, allowing them to extract limited information from a vulnerable...
NSS accepts export-length DHE keys with regular DHE cipher suites — Mozilla
Security researcher Matthew Green reported a Diffie–Hellman DHE key processing issue in Network Security Services NSS where a man-in-the-middle MITM attacker can force a server to downgrade TLS connections to 512-bit export-grade cryptography by modifying client requests to include only...
NSS incorrectly permits skipping of ServerKeyExchange — Mozilla
Security researcher Karthikeyan Bhargavan reported an issue in Network Security Services NSS where the client allows for a ECDHEECDSA exchange where the server does not send its ServerKeyExchange message instead of aborting the handshake. Instead, the NSS client will take the EC key from the ECDS...
Key pinning is ignored when overridable errors are encountered — Mozilla
Mozilla security engineer David Keeler reported that when an overridable error is encountered, such as those for expired certificates or a host name does not match a certificate, pinning checks can be be skipped. This would allow for a user to override a pinned certificate when they should not be...
Use-after-free in workers while using XMLHttpRequest — Mozilla
Security researcher Looben Yang used the Address Sanitizer tool to discover two related use-after-free vulnerabilities that occur when using XMLHttpRequest in concert with either shared or dedicated workers. These errors occur when the XMLHttpRequest object is attached to a worker but that object...
Privilege escalation through internal workers — Mozilla
Mozilla community member Jonas Jenwald reported broken behavior in Mozilla's PDF.js PDF file viewer which led to the discovery that internal Workers were incorrectly executed with high privilege. If this flaw were combined with a separate vulnerability allowing for same-origin policy violation, i...
OS X crash reports may contain entered key press information — Mozilla
Mozilla developer David Parks discovered while reviewing Firefox crash reports that personal data can sometimes be contained in reports from OS X systems. This is because these OS X crash reports will contain the native key that triggered the crash and this can sometimes contain key press...
Vulnerabilities found through code inspection — Mozilla
Security researcher Ronald Crane reported seven vulnerabilities affecting released code that he found through code inspection. These included three uses of uninitialized memory, one poor validation leading to an exploitable crash, one read of unowned memory in zip files, and two buffer overflows...
ECDSA signature validation fails to handle some signatures correctly — Mozilla
Mozilla community member Watson Ladd reported that the implementation of Elliptical Curve Cryptography ECC multiplication for Elliptic Curve Digital Signature Algorithm ECDSA signature validation in Network Security Services NSS did not handle exceptional cases correctly. This could potentially...
Use-after-free in Content Policy due to microtask execution error — Mozilla
Security researcher Herre reported a use-after-free vulnerability when a Content Policy modifies the Document Object Model to remove a DOM object, which is then used afterwards due to an error in microtask implementation. This leads to an exploitable crash...
Type confusion in Indexed Database Manager — Mozilla
Security researcher Paul Bandha reported a type confusion error where part of IDBDatabase is read by the Indexed Database Manager and incorrectly used as a pointer when it shouldn't be used as such. This leads to memory corruption and the possibility of an exploitable crash...
Out-of-bound read while computing an oscillator rendering range in Web Audio — Mozilla
Security researcher Holger Fuhrmannek used the Address Sanitizer tool to discover an out-of-bound read while computing an oscillator rendering range in Web Audio. This could allow an attacker to infer the contents of four bytes of memory...
Miscellaneous memory safety hazards (rv:39.0 / rv:31.8 / rv:38.1) — Mozilla
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...
Local files or privileged URLs in pages can be opened into new tabs — Mozilla
Security researcher Jann Horn reported that when Mozilla Foundation Security Advisory 2015-25 was fixed in Firefox 37, an error was made that caused the fix to not be applied to Firefox 38, effectively causing the bug to be unfixed in Firefox 38 and Firefox ESR38 once it shipped. As Armin Ebert...
Buffer overflow when parsing compressed XML — Mozilla
Security researcher Ucha Gobejishvili used the Address Sanitizer tool to find a buffer overflow while parsing compressed XML content. This was due to an error in how buffer space is created and modified when handling large amounts of XML data. This results in a potentially exploitable crash...
Mozilla Windows updater can be run outside of application directory — Mozilla
Security researcher Holger Fuhrmannek previously reported CVE-2015-0833, which was fixed in MFSA2015-12. That flaw allowed for the updater to load binary DLL format files from the local working directory or from the Windows temporary directories. During the fixing of CVE-2015-0833, the need to...
Use-after-free due to Media Decoder Thread creation during shutdown — Mozilla
Security researchers Tyson Smith and Jesse Schwartzentruber reported a use-after-free during the shutdown process. This was caused by a race condition when media decoder threads are created during the shutdown process in some circumstances. This leads to a potentially exploitable crash when...
Sensitive URL encoded information written to Android logcat — Mozilla
Security researcher Muneaki Nishimura reported that Firefox for Android would write potentially sensitive data to the Android logcat that was encoded as part of logged URL strings. On Android 4.0 or earlier systems, logcat data is available to any application having READLOGS permission, leading t...