Miscellaneous memory safety hazards (rv:34.0 / rv:31.3) — Mozilla

Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...

XBL bindings accessible via improper CSS declarations — Mozilla

Security researcher Cody Crews reported a method to trigger chrome level XML Binding Language XBL bindings through web content. This was possible because some chrome accessible CSS stylesheets had their primary namespace improperly declared. When this occurred, it was possible to use these...

Bad casting from the BasicThebesLayer to BasicContainerLayer — Mozilla

Security researchers Byoungyoung Lee, Chengyu Song, and Taesoo Kim at the Georgia Tech Information Security Center GTISC reported a bad casting from the BasicThebesLayer to BasicContainerLayer, resulting in undefined behavior. This behavior is potentially exploitable with some compilers but no...

Buffer overflow while parsing media content — Mozilla

Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to discover a buffer overflow during the parsing of media content. This leads to a potentially exploitable crash...

Apple CoreGraphics framework on OS X 10.10 logging input data to /tmp directory — Mozilla

Security researcher Kent Howard reported an Apple issue present in OS X 10.10 Yosemite where log files are created by the CoreGraphics framework of OS X in the /tmp local directory. These log files contain a record of all inputs into Mozilla programs during their operation. In versions of OS X fr...

Use-after-free during HTML5 parsing — Mozilla

Security researcher SkyLined reported a use-after-free created by triggering the creation of a second root element while parsing HTML written to a document created with document.open. This leads to a potentially exploitable crash...

CSP leaks redirect data via violation reports — Mozilla

Security researcher Muneaki Nishimura discovered that Content Security Policy CSP violation reports triggered by a redirect did not remove path information as required by the CSP specification. This potentially reveals information about the redirect that would not otherwise be known to the origin...

Miscellaneous memory safety hazards (rv:33.0 / rv:31.2) — Mozilla

Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...

Key pinning bypasses — Mozilla

Mozilla developer Patrick McManus reported a method to use SPDY or HTTP/2 connection coalescing to bypass key pinning on different sites that resolve to the same IP address.This could allow the use of a fraudulent certificate when a saved pin for that subdomain should have prevented the connectio...

Accessing cross-origin objects via the Alarms API — Mozilla

Mozilla developer Boris Zbarsky reported that a malicious app could use the AlarmAPI to read the values of cross-origin references, such as an iframe's location object, as part of an alarm's JSON data. This allows a malicious app to bypass same-origin policy...

Inconsistent video sharing within iframe — Mozilla

Mozilla developers Eric Shepherd and Jan-Ivar Bruaroey reported issues with privacy and video sharing using WebRTC. Once video sharing has started within a WebRTC session running within an , video will continue to be shared even if the user selects the Stop Sharing" button in the controls. The...

Out-of-bounds write with WebM video — Mozilla

Using the Address Sanitizer tool, security researcher Abhishek Arya Inferno of the Google Chrome Security Team found an out-of-bounds write when buffering WebM format video containing frames with invalid tile sizes. This can lead to a potentially exploitable crash during WebM video playback...

Web Audio memory corruption issues with custom waveforms — Mozilla

Security researcher Holger Fuhrmannek used the used the Address Sanitizer tool to discover an out-of-bounds read issue with Web Audio when interacting with custom waveforms with invalid values. This results in a crash and could allow for the reading of random memory which may contain sensitive...

Buffer overflow during CSS manipulation — Mozilla

Using the Address Sanitizer tool, security researcher Atte Kettunen from OUSPG discovered a buffer overflow when making capitalization style changes during CSS parsing. This can cause a crash that is potentially exploitable...

Further uninitialized memory use during GIF rendering — Mozilla

Google security researcher Michal Zalewski reported that when a malformed GIF image is repeatedly rendered within a element, memory may not always be properly initialized. The resulting series of images then uses this uninitialized memory during rendering, allowing data to potentially leak to web...

Use-after-free interacting with text directionality — Mozilla

Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free during text layout when interacting with text direction. This results in a crash which can lead to arbitrary code execution...

RSA Signature Forgery in NSS — Mozilla

Antoine Delignat-Lavaud, security researcher at Inria Paris in team Prosecco, reported an issue in Network Security Services NSS libraries affecting all versions. He discovered that NSS is vulnerable to a variant of a signature forgery attack previously published by Daniel Bleichenbacher. This is...

Miscellaneous memory safety hazards (rv:32.0 / rv:31.1 / rv:24.8) — Mozilla

Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...

Use-after-free setting text directionality — Mozilla

Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free during text layout when interacting with the setting of text direction. This results in a use-after-free which can lead to arbitrary code execution...

Use-after-free during DOM interactions with SVG — Mozilla

Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to discover a use-after-free during cycle collection. This was found in interactions with the SVG content through the document object model DOM with animating SVG content. This leads to a...

Uninitialized memory use during GIF rendering — Mozilla

Google security researcher Michal Zalewski discovered that when a malformated GIF image is rendered in certain circumstances, memory is not properly initialized before use. The resulting image then uses this memory during rendering. This could allow for the a script in web content to access this...

Profile directory file access through file: protocol — Mozilla

Security researcher Yu Dongsong reported on Firefox for Android that a file: protocol hyperlink could link to a local file in the Firefox profile directory, bypassing access restrictions. This issue was previously addressed in Mozilla Foundation Security Advisory 2014-33 but not completely...

Out-of-bounds read in Web Audio audio timeline — Mozilla

Security researcher Holger Fuhrmannek discovered an out-of-bounds read during the creation of an audio timeline in Web Audio. This results in a crash and could allow for the reading of random memory values...

Toolbar dialog customization event spoofing — Mozilla

Mozilla developers David Chan and Gijs Kruitbosch reported that it is possible to create a drag and drop event in web content which mimics the behavior of a chrome customization event. This can occur when a user is customizing a page or panel. This results in a limited ability to move UI icons...

Use-after-free with FireOnStateChange event — Mozilla

Security researcher Jethro Beekman of the University of California, Berkeley reported a crash when the FireOnStateChange event is triggered in some circumstances. This leads to a use-after-free and a potentially exploitable crash when it occurs...

Use-after-free in DirectWrite font handling — Mozilla

Mozilla community member James Kitchener reported a crash in DirectWrite when rendering MathML content with specific fonts due to an error in how font resources and tables are handled. This leads to use-after-free of a DirectWrite font-face object, resulting in a potentially exploitable crash...

Buffer overflow during Web Audio buffering for playback — Mozilla

Using the Address Sanitizer tool, security researcher Atte Kettunen from OUSPG discovered a buffer overflow during interaction with the Web Audio buffer for playback because of an error in the the amount of allocated memory for buffers. This leads to a potentially exploitable crash with some audi...

Use-after-free in Web Audio due to incorrect control message ordering — Mozilla

Using the Address Sanitizer tool, security researcher Atte Kettunen from OUSPG discovered a use-after-free in Web Audio due to an issue with how control messages for Web Audio are ordered and processed. This leads to a potentially exploitable crash...

Crash in Skia library when scaling high quality images — Mozilla

Mozilla community member John reported a crash in the Skia library when scaling high quality images if the scaling operation takes too long. This is caused by the image data being discarded while still in use by the scaling operation. This crash is potentially exploitable on some systems...

Exploitable WebGL crash with Cesium JavaScript library — Mozilla

Developer Patrick Cozzi reported a crash in some circumstances when using the Cesium JavaScript library to generate WebGL content. Mozilla developers determined that this crash is potentially exploitable...

Use-after-free while when manipulating certificates in the trusted cache — Mozilla

Security researchers Tyson Smith and Jesse Schwartzentruber used the Address Sanitizer tool while fuzzing to discover a use-after-free error resulting in a crash. This is a result of a pair of NSSCertificate structures being added to a trust domain and then one of them is removed while they are...

IFRAME sandbox same-origin access through redirect — Mozilla

Mozilla developer Boris Zbarsky discovered an issue where network-level redirects cause an sandbox to forget its unique origin and behave as if the allow-same-origin keyword were applied. This allows the sandboxed content to access other content from the same origin without explicit approval...

Miscellaneous memory safety hazards (rv:31.0 / rv:24.7) — Mozilla

Mozilla developers and community identified identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least...

Certificate parsing broken by non-standard character encoding — Mozilla

Mozilla security researcher Christian Holler discovered several issues while fuzzing the parsing of SSL certificates. Two of these issues were a result of using characters that are not UTF-8 in certificates when various functions expected all strings to be UTF-8 format. The third issue was a resu...

Miscellaneous memory safety hazards (rv:30.0 / rv:24.6) — Mozilla

Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...

Buffer overflow in Gamepad API — Mozilla

Security researcher Looben Yang reported a buffer overflow in Gamepad API when it is exercised with a gamepad device with non-contiguous axes. This can be either an actual physical device or by the installation of a virtual gamepad. This results in a potentially exploitable crash. The Gamepad API...

Out of bounds write in NSPR — Mozilla

Security researcher Abhishek Arya Inferno of the Google Chrome Security Team reported an out of bounds write in the Netscape Portable Runtime NSPR leading to a potentially exploitable crash or code execution. This issue is fixed in NSPR version 4.10.6...

Use-after-free in Event Listener Manager — Mozilla

Security researchers Tyson Smith and Jesse Schwartzentruber of the BlackBerry Security Automated Analysis Team used the Address Sanitizer tool while fuzzing to discover a use-after-free in the event listener manager. This can be triggered by web content and leads to a potentially exploitable cras...

Clickjacking through cursor invisibility after Flash interaction — Mozilla

Security researcher Jordi Chancel reported a mechanism where the cursor can be rendered invisible after it has been used on an embedded flash object when used outside of the object. This flaw can be in used in combination with an image of the cursor manipulated through JavaScript, leading to...

Use-after-free and out of bounds issues found using Address Sanitizer — Mozilla

Security researcher Abhishek Arya Inferno of the Google Chrome Security Team discovered a number of use-after-free and out of bounds read issues using the Address Sanitizer tool. These issues are potentially exploitable, allowing for remote code execution...

Buffer overflow in Web Audio Speex resampler — Mozilla

Security researcher Holger Fuhrmannek used the used the Address Sanitizer tool to discover a buffer overflow with the Speex resampler in Web Audio when working with audio content that exceeds expected bounds. This leads to a potentially exploitable crash...

Use-after-free with SMIL Animation Controller — Mozilla

Security researcher Nils used the Address Sanitizer to discover a use-after-free problem with the SMIL Animation Controller when interacting with and rendering improperly formed web content. This causes a potentially exploitable crash...

Use-after-free in imgLoader while resizing images — Mozilla

Security researcher Nils discovered a use-after-free error in which the imgLoader object is freed while an image is being resized. This results in a potentially exploitable crash...

Use-after-free in the Text Track Manager for HTML video — Mozilla

Using the Address Sanitizer tool, security researcher Abhishek Arya Inferno of the Google Chrome Security Team found a use-after-free in the Text Track Manager while processing HTML video. This was caused by inconsistent garbage collection of Text Track Manager variables and results in a...

Cross-site scripting (XSS) using history navigations — Mozilla

Mozilla security researcher mozbugra4 reported a method to use browser navigations through history to load a website with that page's baseURI property pointing to that of another site instead of the seemingly loaded one. The user will continue to see the incorrect site in the addressbar of the...

Buffer overflow when using non-XBL object as XBL — Mozilla

Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to discover a buffer overflow when a script uses a non-XBL object as an XBL object because the XBL status of the object is not properly validated. The resulting memory corruption is...

Privilege escalation through Mozilla Maintenance Service Installer — Mozilla

Security researcher Ash reported an issue affected the Mozilla Maintenance Service on Windows systems. The Mozilla Maintenance Service installer writes to a temporary directory created during the update process which is writable by users. If malicious DLL files are placed within this directory...

Miscellaneous memory safety hazards (rv:29.0 / rv:24.5) — Mozilla

Mozilla developers and community identified identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least...

Privilege escalation through Web Notification API — Mozilla

Security researcher Mariusz Mlynski discovered an issue where sites that have been given notification permissions by a user can bypass security checks on source components for the Web Notification API. This allows for script to be run in a privileged context through notifications, leading to...

Out-of-bounds write in Cairo — Mozilla

Security researcher Jukka Jylänki reported a crash in the the Cairo graphics library. This happens when Cairo paints out-of-bounds to the destination buffer in the compositing function when working with canvas in certain circumstances. This issue allows malicious web content to cause a potentiall...