1574 matches found
Sensitive URL encoded information written to Android logcat — Mozilla
Security researcher Muneaki Nishimura reported that Firefox for Android would write potentially sensitive data to the Android logcat that was encoded as part of logged URL strings. On Android 4.0 or earlier systems, logcat data is available to any application having READLOGS permission, leading t...
Out-of-bounds read and write in asm.js validation — Mozilla
Security researcher Dougall Johnson reported an out-of-bounds read and write in asm.js during JavaScript validation due to an error in how heap lengths are defined. This results in a potentially exploitable crash and could allow for the reading of random memory which may contain sensitive data...
Use-after-free during text processing with vertical text enabled — Mozilla
Security researcher Scott Bell used the Address Sanitizer tool to discover a use-after-free error during the processing of text when vertical text is enabled. This leads to a potentially exploitable crash...
Buffer overflow parsing H.264 video with Linux Gstreamer — Mozilla
Security researcher Aki Helin used the Address Sanitizer tool to find a buffer overflow during video playback on Linux systems. This was due to a problem in older versions of the Gstreamer plugin during the parsing of H.264 formatted video. This issue could be used to induce a possibly exploitabl...
Buffer overflow with SVG content and CSS — Mozilla
Using the Address Sanitizer tool, security researcher Atte Kettunen found a buffer overflow during the rendering of SVG format graphics when combined with specific CSS properties on a page. This results in a potentially exploitable crash...
Privilege escalation through IPC channel messages — Mozilla
Mozilla Developer Jed Davis and Mozilla security engineer Christoph Diehl reported that Mozilla had inherited a Inter-process Communication IPC vulnerability when IPC was introduced into Mozilla products through third-party code. This could allow for privilege escalation through IPC channels due ...
Untrusted site hosting trusted page can intercept webchannel responses — Mozilla
Mozilla developer Mark Hammond reported a flaw in how WebChannel.jsm handles message traffic. He found that when a trusted page is hosted within an on an untrusted third-party untrusted framing page, the untrusted page could intercept webchannel responses meant for the trusted page, bypassing...
Referrer policy ignored when links opened by middle-click and context menu — Mozilla
Security researcher Alex Verstak reported that is ignored when a link is opened through the context menu or a middle-click by mouse. This means that, in some situations, the referrer policy is ignored when opening links in new tabs and may cause some pages to open without an HTTP Referer header...
Buffer overflow when parsing compressed XML — Mozilla
Security researcher Ucha Gobejishvili used the Address Sanitizer tool to find a buffer overflow while parsing compressed XML content. This was due to an error in how buffer space is created and modified when handling large amounts of XML data. This results in a potentially exploitable crash...
Memory corruption during failed plugin initialization — Mozilla
Mozilla developer Robert Kaiser Kairo reported that a race condition when initialization of a plugin fails led to a potentially exploitable use-after-free vulnerability...
Certificate verification bypass through the HTTP/2 Alt-Svc header — Mozilla
Security researcher Muneaki Nishimura discovered a flaw in the Mozilla's HTTP Alternative Services implementation. If an Alt-Svc header is specified in the HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server. As a result of this, warnings of invalid SS...
Loading privileged content through Reader mode — Mozilla
Security researcher Armin Ebert reported a flaw in Reader mode on Firefox for Android. Reader mode reformats web content for easy readability and operates as unprivileged content that is the equivalent of the formatted content. When Reader mode is unable to process content, it displays the origin...
Windows can retain access to privileged content on navigation to unprivileged pages — Mozilla
Mozilla developer Bobby Holley reported that windows created to hold privileged UI content retained access to privileged internal methods if later navigated to unprivileged content. If a separate flaw was found that allowed for web content to reference these privileged windows, an attacker could...
PRNG weakness allows for DNS poisoning on Android — Mozilla
Mozilla developer Daniel Stenberg reported that the DNS resolver in Firefox for Android uses an insufficiently random algorithm when generating random numbers for the unique identifier. This was derived from an old version of the Bionic libc library and suffered from insufficient randomness in th...
Same-origin bypass through anchor navigation — Mozilla
Mozilla developer Olli Pettay reported that while investigating Mozilla Foundation Security Advisory 2015-28, he and Mozilla developer Boris Zbarsky found an alternate way to trigger a similar vulnerability. The previously reported flaw used an issue with SVG content navigation to bypass...
Add-on lightweight theme installation approval bypassed through MITM attack — Mozilla
Security researcher Armin Ebert discovered that a man-in-the-middle MITM attacker spoofing a Mozilla sub-domain could bypass user approval messages to install a Firefox lightweight theme. This was possible because add-on installations of the lightweight themes do not require the use of HTTP over...
CORS requests should not follow 30x redirections after preflight — Mozilla
Mozilla developer Christoph Kerschbaumer discovered an issue while investigating Mozilla Foundation Security Advisory 2015-03, previously reported by security researcher Muneaki Nishimura. This flaw was that a cross-origin resource sharing CORS request should not follow 30x redirections after...
Incorrect memory management for simple-type arrays in WebRTC — Mozilla
Security researcher Mitchell Harper used Valgrind to discover incorrect memory management for simple-type arrays in WebRTC. This was undefined behavior which is theoretically dangerous but was determined to be safe in this instance...
resource:// documents can load privileged pages — Mozilla
Security researcher Mariusz Mlynski reported, through HP Zero Day Initiative's Pwn2Own contest, that documents loaded though a resource: URL, such as Mozilla's PDF.js PDF file viewer, were able to subsequently load privileged chrome pages. The privilege restrictions on resource: URLs was handled...
Miscellaneous memory safety hazards (rv:37.0 / rv:31.6) — Mozilla
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...
Cursor clickjacking with flash and images — Mozilla
Security researcher Jordi Chancel reported a mechanism that made cursor invisible through flash content and then replaced it through the layering of HTML content. This flaw can be in used in combination with an image of the cursor manipulated through JavaScript, leading to clickjacking during...
Use-after-free when using the Fluendo MP3 GStreamer plugin — Mozilla
Security researcher Aki Helin reported a use-after-free when playing certain MP3 format audio files on the web using the Fluendo MP3 plugin for GStreamer on Linux. This is due to a flaw in handling certain MP3 files by the plugin and its interaction with Mozilla code. This can lead to a potential...
Use-after-free due to type confusion flaws — Mozilla
Security researcher Nils used the Address Sanitizer tool to discover two type confusion flaws. The first of these occurs while setting specific attributes of a source element resulting in incorrect object casting. The second flaw occurs when binding a source to a tree when the function fails to...
Memory corruption crashes in Off Main Thread Compositing — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to discover two memory corruption crashes during 2D graphics rendering due to problems in Off Main Thread Compositing. These crashes are potentially exploitable...
Out of bounds read in QCMS library — Mozilla
Security researcher Felix Gröbert of Google used the Address Sanitizer tool to discover an out of bounds read in the QCMS color management library while transforming images with certain parameters. This could lead to information disclosure...
Privilege escalation through SVG navigation — Mozilla
Security researcher Mariusz Mlynski reported, through HP Zero Day Initiative's Pwn2Own contest, a method to run arbitrary scripts in a privileged context. This bypassed the same-origin policy protections by using a flaw in the processing of SVG format content navigation...
Code execution through incorrect JavaScript bounds checking elimination — Mozilla
Security researcher ilxu1a reported, through HP Zero Day Initiative's Pwn2Own contest, a flaw in Mozilla's implementation of typed array bounds checking in JavaScript just-in-time compilation JIT and its management of bounds checking for heap access. This flaw can be leveraged into the reading an...
Miscellaneous memory safety hazards (rv:36.0 / rv:31.5) — Mozilla
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...
UI Tour whitelisted sites in background tab can spoof foreground tabs — Mozilla
Mozilla developer Matthew Noorenberghe reported that whitelisted Mozilla domains could make UITour API calls while the UI Tour pages for Firefox are present in background tabs. If one of these Mozilla domains was compromised and open in another tab, an attacker could then use that tab to engage i...
Caja Compiler JavaScript sandbox bypass — Mozilla
Mozilla developer Jan de Mooij reported an issue that affects web content that relies on the Caja Compiler for protection, or other similar sandboxing libraries. He found that some JavaScript objects marked as non-extensible within Caja and Secure EcmaScript could be made extensible again,...
Local files or privileged URLs in pages can be opened into new tabs — Mozilla
Security researcher Armin Ebert reported that opening hyperlinks on a page with the mouse and specific keyboard key combinations could allow a Chrome privileged URL to be opened without context restrictions being preserved. This could also allow for local files or resources from a known location ...
Reading of local files through manipulation of form autocomplete — Mozilla
Security researcher Armin Ebert reported that a user readable file in a known local path could be uploaded to a malicious site. This was done by manipulating the autocomplete feature in a form and user interaction with it. While the local file is not visibly uploaded through the form, its content...
Use-after-free in Developer Console date with OpenType Sanitiser — Mozilla
Using the Address Sanitizer tool, security researcher Atte Kettunen found a problem with OpenType Sanitiser OTS that resulted in a use-after-free while expanding macros in some circumstances. This use-after-free was only used for information displayed in the developer console and was not...
Buffer underflow during MP3 playback — Mozilla
Security researcher Atte Kettunen used the Address Sanitizer tool to discover a buffer underflow during audio playback of a badly formatted MP3 audio files. Through memory allocation manipulation it may be possible to incorporate parts of Firefox memory into an MP3 stream accessible to scripts on...
Crash using DrawTarget in Cairo graphics library — Mozilla
Security researcher Atte Kettunen used the Address Sanitizer tool to discover a crash while drawing images through the Cairo graphics library while using the DrawTarget function. This can result in a segmentation fault due to zero-ing out of memory outside the bounds of the image...
Out-of-bounds read and write while rendering SVG content — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to report an out-of-bounds read and an out-of-bounds write when rendering an improperly formatted SVG graphic. This could potentially allow the attacker to read uninitialized memory...
Double-free when using non-default memory allocators with a zero-length XHR — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team and Mozilla security developer Gary Kwong used the Address Sanitizer tool to discover a double-free error when sending a zero-length XmlHttpRequest XHR. This was due to errors in memory allocation when using different...
Malicious WebGL content crash when writing strings — Mozilla
Security researcher Daniele Di Proietto discovered that when WebGL content crafted in a specific manner wrote strings, it would cause a crash when this content was run...
TLS TURN and STUN connections silently fail to simple TCP connections — Mozilla
Security researcher Alexander Kolesnik reported while the Mozilla platform does not yet support TLS connections to TURN and STUN servers, the WebRTC implementation would accept turns: and stuns: URIs and then attempt plaintext connections to the servers when these were used. This can lead to...
Use-after-free in IndexedDB — Mozilla
Security researcher Paul Bandha used the used the Address Sanitizer tool to discover a use-after-free vulnerability when running specific web content with IndexedDB to create an index. This leads to a potentially exploitable crash...
Appended period to hostnames can bypass HPKP and HSTS protections — Mozilla
Security researcher Muneaki Nishimura reported that when certificate pinning is set to "strict" mode, a period '.' appended to a hostname in the address of a site allowed the bypass key pinning HPKP and HTTP Strict Transport Security HSTS. Sites with a period appended were treated as having a...
Buffer overflow in libstagefright during MP4 video playback — Mozilla
Security researcher Pantrombka reported a buffer overflow in the libstagefright library during video playback when certain invalid MP4 video files led to the allocation of a buffer that was too small for the content. This led to a potentially exploitable crash...
Buffer overflow during CSS restyling — Mozilla
Security researcher Atte Kettunen used the Address Sanitizer tool to discover an out-of-bounds read during the application of restyling and reflowing changes of web content using CSS. This results in a potentially exploitable crash...
Invoking Mozilla updater will load locally stored DLL files — Mozilla
Security researcher Holger Fuhrmannek reported that when the Mozilla updater is run directly, the updater will load binary DLL format files from the local working directory or from the Windows temporary directories. This occurs when it is run without the Mozilla Maintenance Service on Windows...
Update OpenH264 plugin to version 1.3 — Mozilla
Mozilla and Cisco developers as well as security researcher Nils reported security and stability bugs affecting the OpenH264 plugin version 1.1. This plugin was available to Desktop Firefox 34 and 35 users as an on-demand download as needed. Security researchers Nils and Hanno Böck also reported...
XrayWrapper bypass through DOM objects — Mozilla
Mozilla developer Bobby Holley reported that Document Object Model DOM objects with some specific properties can bypass XrayWrappers. This can allow web content to confuse privileged code, potentially enabling privilege escalation...
Delegated OCSP responder certificates failure with id-pkix-ocsp-nocheck extension — Mozilla
Brian Smith reported that delegated Online Certificate Status Protocol OCSP responder certificates fail to recognize the id-pkix-ocsp-nocheck extension. If this extension is present in a delegated OCSP response signing certificate, it will be discarded if it is signed by such a certificate. This...
Gecko Media Plugin sandbox escape — Mozilla
Security researcher Nils discovered a mechanism to break out of the Gecko Media Plugin GMP sandbox on Windows systems. The GMP sandbox is currently only used to host h.264 video playback using the OpenH264 plugin but is being developed to host other other media plugins. This bug would allow an...
Read-after-free in WebRTC — Mozilla
Security researcher Mitchell Harper discovered a read-after-free in WebRTC due to the way tracks are handled. This results in a either a potentially exploitable crash or incorrect WebRTC behavior...
Read of uninitialized memory in Web Audio — Mozilla
Security researcher Holger Fuhrmannek used the used the Address Sanitizer tool to discover a crash in Web Audio while manipulating timelines. This allowed for the a small block of memory with an uninitialized pointer to be read. The crash it not exploitable...