Miscellaneous memory safety hazards (rv:38.0 / rv:31.7) — Mozilla
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...
Buffer overflow when parsing compressed XML — Mozilla
Security researcher Ucha Gobejishvili used the Address Sanitizer tool to find a buffer overflow while parsing compressed XML content. This was due to an error in how buffer space is created and modified when handling large amounts of XML data. This results in a potentially exploitable crash...
Out-of-bounds read and write in asm.js validation — Mozilla
Security researcher Dougall Johnson reported an out-of-bounds read and write in asm.js during JavaScript validation due to an error in how heap lengths are defined. This results in a potentially exploitable crash and could allow for the reading of random memory which may contain sensitive data...
Memory corruption during failed plugin initialization — Mozilla
Mozilla developer Robert Kaiser Kairo reported that a race condition when initialization of a plugin fails led to a potentially exploitable use-after-free vulnerability...
Certificate verification bypass through the HTTP/2 Alt-Svc header — Mozilla
Security researcher Muneaki Nishimura discovered a flaw in Mozilla's HTTP Alternative Services implementation. If an Alt-Svc header is specified in the HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server. As a result of this, warnings of invalid SS...
Loading privileged content through Reader mode — Mozilla
Security researcher Armin Ebert reported a flaw in Reader mode on Firefox for Android. Reader mode reformats web content for easy readability and operates as unprivileged content that is the equivalent of the formatted content. When Reader mode is unable to process content, it displays the origin...
Windows can retain access to privileged content on navigation to unprivileged pages — Mozilla
Mozilla developer Bobby Holley reported that windows created to hold privileged UI content retained access to privileged internal methods if later navigated to unprivileged content. If a separate flaw was found that allowed for web content to reference these privileged windows, an attacker could...
Same-origin bypass through anchor navigation — Mozilla
Mozilla developer Olli Pettay reported that while investigating Mozilla Foundation Security Advisory 2015-28, he and Mozilla developer Boris Zbarsky found an alternate way to trigger a similar vulnerability. The previously reported flaw used an issue with SVG content navigation to bypass...
Add-on lightweight theme installation approval bypassed through MITM attack — Mozilla
Security researcher Armin Ebert discovered that a man-in-the-middle (MITM) attacker spoofing a Mozilla sub-domain could bypass user approval messages to install a Firefox lightweight theme. This was possible because add-on installations of the lightweight themes do not require the use of HTTP over...
Out of bounds read in QCMS library — Mozilla
Security researcher Felix Gröbert of Google used the Address Sanitizer tool to discover an out of bounds read in the QCMS color management library while transforming images with certain parameters. This could lead to information disclosure...
resource:// documents can load privileged pages — Mozilla
Security researcher Mariusz Mlynski reported, through HP Zero Day Initiative's Pwn2Own contest, that documents loaded through a resource: URL, such as Mozilla's PDF.js PDF file viewer, were able to subsequently load privileged chrome pages. The privilege restrictions on resource: URLs were handled...
Use-after-free when using the Fluendo MP3 GStreamer plugin — Mozilla
Security researcher Aki Helin reported a use-after-free when playing certain MP3 format audio files on the web using the Fluendo MP3 plugin for GStreamer on Linux. This is due to a flaw in handling certain MP3 files by the plugin and its interaction with Mozilla code. This can lead to a potential...
Incorrect memory management for simple-type arrays in WebRTC — Mozilla
Security researcher Mitchell Harper used Valgrind to discover incorrect memory management for simple-type arrays in WebRTC. This was undefined behavior which is theoretically dangerous but was determined to be safe in this instance...
Use-after-free due to type confusion flaws — Mozilla
Security researcher Nils used the Address Sanitizer tool to discover two type confusion flaws. The first of these occurs while setting specific attributes of a source element resulting in incorrect object casting. The second flaw occurs when binding a source to a tree when the function fails to...
CORS requests should not follow 30x redirections after preflight — Mozilla
Mozilla developer Christoph Kerschbaumer discovered an issue while investigating Mozilla Foundation Security Advisory 2015-03, previously reported by security researcher Muneaki Nishimura. This flaw was that a cross-origin resource sharing (CORS) request should not follow 30x redirections after...
Cursor clickjacking with flash and images — Mozilla
Security researcher Jordi Chancel reported a mechanism that made the cursor invisible through flash content and then replaced it through the layering of HTML content. This flaw can be used in combination with an image of the cursor manipulated through JavaScript, leading to clickjacking during...
Miscellaneous memory safety hazards (rv:37.0 / rv:31.6) — Mozilla
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...
Memory corruption crashes in Off Main Thread Compositing — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to discover two memory corruption crashes during 2D graphics rendering due to problems in Off Main Thread Compositing. These crashes are potentially exploitable...
PRNG weakness allows for DNS poisoning on Android — Mozilla
Mozilla developer Daniel Stenberg reported that the DNS resolver in Firefox for Android uses an insufficiently random algorithm when generating random numbers for the unique identifier. This was derived from an old version of the Bionic libc library and suffered from insufficient randomness in th...
Privilege escalation through SVG navigation — Mozilla
Security researcher Mariusz Mlynski reported, through HP Zero Day Initiative's Pwn2Own contest, a method to run arbitrary scripts in a privileged context. This bypassed the same-origin policy protections by using a flaw in the processing of SVG format content navigation...
Code execution through incorrect JavaScript bounds checking elimination — Mozilla
Security researcher ilxu1a reported, through HP Zero Day Initiative's Pwn2Own contest, a flaw in Mozilla's implementation of typed array bounds checking in JavaScript just-in-time compilation (JIT) and its management of bounds checking for heap access. This flaw can be leveraged into the reading an...
Caja Compiler JavaScript sandbox bypass — Mozilla
Mozilla developer Jan de Mooij reported an issue that affects web content that relies on the Caja Compiler for protection, or other similar sandboxing libraries. He found that some JavaScript objects marked as non-extensible within Caja and Secure EcmaScript could be made extensible again,...
UI Tour whitelisted sites in background tab can spoof foreground tabs — Mozilla
Mozilla developer Matthew Noorenberghe reported that whitelisted Mozilla domains could make UITour API calls while the UI Tour pages for Firefox are present in background tabs. If one of these Mozilla domains was compromised and open in another tab, an attacker could then use that tab to engage i...
Reading of local files through manipulation of form autocomplete — Mozilla
Security researcher Armin Ebert reported that a user readable file in a known local path could be uploaded to a malicious site. This was done by manipulating the autocomplete feature in a form and user interaction with it. While the local file is not visibly uploaded through the form, its content...
Buffer overflow in libstagefright during MP4 video playback — Mozilla
Security researcher Pantrombka reported a buffer overflow in the libstagefright library during video playback when certain invalid MP4 video files led to the allocation of a buffer that was too small for the content. This led to a potentially exploitable crash...
Out-of-bounds read and write while rendering SVG content — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to report an out-of-bounds read and an out-of-bounds write when rendering an improperly formatted SVG graphic. This could potentially allow the attacker to read uninitialized memory...
Double-free when using non-default memory allocators with a zero-length XHR — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team and Mozilla security developer Gary Kwong used the Address Sanitizer tool to discover a double-free error when sending a zero-length XmlHttpRequest (XHR). This was due to errors in memory allocation when using different...
Malicious WebGL content crash when writing strings — Mozilla
Security researcher Daniele Di Proietto discovered that when WebGL content crafted in a specific manner wrote strings, it would cause a crash when this content was run...
TLS TURN and STUN connections silently fail to simple TCP connections — Mozilla
Security researcher Alexander Kolesnik reported that while the Mozilla platform does not yet support TLS connections to TURN and STUN servers, the WebRTC implementation would accept turns: and stuns: URIs and then attempt plaintext connections to the servers when these were used. This can lead to...
Buffer overflow during CSS restyling — Mozilla
Security researcher Atte Kettunen used the Address Sanitizer tool to discover an out-of-bounds read during the application of restyling and reflowing changes of web content using CSS. This results in a potentially exploitable crash...
Buffer underflow during MP3 playback — Mozilla
Security researcher Atte Kettunen used the Address Sanitizer tool to discover a buffer underflow during audio playback of badly formatted MP3 audio files. Through memory allocation manipulation it may be possible to incorporate parts of Firefox memory into an MP3 stream accessible to scripts on...
Use-after-free in IndexedDB — Mozilla
Security researcher Paul Bandha used the Address Sanitizer tool to discover a use-after-free vulnerability when running specific web content with IndexedDB to create an index. This leads to a potentially exploitable crash...
Local files or privileged URLs in pages can be opened into new tabs — Mozilla
Security researcher Armin Ebert reported that opening hyperlinks on a page with the mouse and specific keyboard key combinations could allow a Chrome privileged URL to be opened without context restrictions being preserved. This could also allow for local files or resources from a known location ...
Use-after-free in Developer Console date with OpenType Sanitiser — Mozilla
Using the Address Sanitizer tool, security researcher Atte Kettunen found a problem with OpenType Sanitiser (OTS) that resulted in a use-after-free while expanding macros in some circumstances. This use-after-free was only used for information displayed in the developer console and was not...
Miscellaneous memory safety hazards (rv:36.0 / rv:31.5) — Mozilla
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...
Invoking Mozilla updater will load locally stored DLL files — Mozilla
Security researcher Holger Fuhrmannek reported that when the Mozilla updater is run directly, the updater will load binary DLL format files from the local working directory or from the Windows temporary directories. This occurs when it is run without the Mozilla Maintenance Service on Windows...
Appended period to hostnames can bypass HPKP and HSTS protections — Mozilla
Security researcher Muneaki Nishimura reported that when certificate pinning is set to "strict" mode, a period '.' appended to a hostname in the address of a site allowed the bypass of key pinning (HPKP) and HTTP Strict Transport Security (HSTS). Sites with a period appended were treated as having a...
Crash using DrawTarget in Cairo graphics library — Mozilla
Security researcher Atte Kettunen used the Address Sanitizer tool to discover a crash while drawing images through the Cairo graphics library while using the DrawTarget function. This can result in a segmentation fault due to zero-ing out of memory outside the bounds of the image...
Update OpenH264 plugin to version 1.3 — Mozilla
Mozilla and Cisco developers as well as security researcher Nils reported security and stability bugs affecting the OpenH264 plugin version 1.1. This plugin was available to Desktop Firefox 34 and 35 users as an on-demand download as needed. Security researchers Nils and Hanno Böck also reported...
Read of uninitialized memory in Web Audio — Mozilla
Security researcher Holger Fuhrmannek used the Address Sanitizer tool to discover a crash in Web Audio while manipulating timelines. This allowed for a small block of memory with an uninitialized pointer to be read. The crash is not exploitable...
Miscellaneous memory safety hazards (rv:35.0 / rv:31.4) — Mozilla
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...
Cookie injection through Proxy Authenticate responses — Mozilla
Security researcher Xiaofeng Zheng of the Blue Lotus Team at Tsinghua University reported that a Web Proxy returning a 407 Proxy Authentication response with a Set-Cookie header could inject cookies into the originally requested domain. This could be used for session-fixation attacks. Th...
Uninitialized memory use during bitmap rendering — Mozilla
Google security researcher Michal Zalewski reported that when a malformed bitmap image is rendered by the bitmap decoder within a element, memory may not always be properly initialized. The resulting image then uses this uninitialized memory during rendering, allowing data to potentially leak to...
Delegated OCSP responder certificates failure with id-pkix-ocsp-nocheck extension — Mozilla
Brian Smith reported that delegated Online Certificate Status Protocol (OCSP) responder certificates fail to recognize the id-pkix-ocsp-nocheck extension. If this extension is present in a delegated OCSP response signing certificate, it will be discarded if it is signed by such a certificate. This...
XrayWrapper bypass through DOM objects — Mozilla
Mozilla developer Bobby Holley reported that Document Object Model (DOM) objects with some specific properties can bypass XrayWrappers. This can allow web content to confuse privileged code, potentially enabling privilege escalation...
Gecko Media Plugin sandbox escape — Mozilla
Security researcher Nils discovered a mechanism to break out of the Gecko Media Plugin (GMP) sandbox on Windows systems. The GMP sandbox is currently only used to host h.264 video playback using the OpenH264 plugin but is being developed to host other media plugins. This bug would allow an...
sendBeacon requests lack an Origin header — Mozilla
Security researcher Muneaki Nishimura reported that navigator.sendBeacon does not follow the cross-origin resource sharing (CORS) specification. This results in the request from sendBeacon lacking an origin header in violation of the W3C Beacon specification and not being treated as a CORS request...
Read-after-free in WebRTC — Mozilla
Security researcher Mitchell Harper discovered a read-after-free in WebRTC due to the way tracks are handled. This results in either a potentially exploitable crash or incorrect WebRTC behavior...
XBL bindings accessible via improper CSS declarations — Mozilla
Security researcher Cody Crews reported a method to trigger chrome level XML Binding Language (XBL) bindings through web content. This was possible because some chrome accessible CSS stylesheets had their primary namespace improperly declared. When this occurred, it was possible to use these...
Bad casting from the BasicThebesLayer to BasicContainerLayer — Mozilla
Security researchers Byoungyoung Lee, Chengyu Song, and Taesoo Kim at the Georgia Tech Information Security Center (GTISC) reported a bad casting from the BasicThebesLayer to BasicContainerLayer, resulting in undefined behavior. This behavior is potentially exploitable with some compilers but no...