1568 matches found
Firefox for Android addressbar suppression — Mozilla
Security researcher Juho Nurminen reported that on Firefox for Android, when the addressbar has been scrolled off screen, an attacker can prevent it from rendering again through the use of script interacting DOM events. This allows an attacker to present a fake addressbar to the user, possibly...
Out of bounds read while decoding JPG images — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to discover a fixed offset out of bounds read issue while decoding specifically formatted JPG format images. This causes a non-exploitable crash...
Web Audio memory corruption issues — Mozilla
Security researcher Ash reported an out of bounds read issue with Web Audio. This issue could allow for web content to trigger crashes that are potentially exploitable...
Use-after-free in nsHostResolver — Mozilla
Security researchers Tyson Smith and Jesse Schwartzentruber of the BlackBerry Security Automated Analysis Team used the Address Sanitizer tool while fuzzing to discover a use-after-free during host resolution in some circumstances. This leads to a potentially exploitable crash...
Debugger can bypass XrayWrappers with JavaScript — Mozilla
Mozilla developer Boris Zbarsky discovered that the debugger will work with some objects while bypassing XrayWrappers. This could lead to privilege escalation if the victim used the debugger to interact with a malicious page...
Incorrect IDNA domain name matching for wildcard certificates — Mozilla
Security researcher Christian Heimes reported that the Network Security Services NSS library does not handle IDNA domain prefixes according to RFC 6125 for wildcard certificates. This leads to improper wildcard matching of domains when they should not be matched in compliance with the...
File: protocol links downloaded to SD card by default — Mozilla
Security researcher Roee Hay reported that a hyperlink using the file: protocol on Firefox for Android could link to a local file in the Firefox profile directory. If a user selected this link on their device, the linked file would be copied to the SD card without prompting. This SD card location...
Miscellaneous memory safety hazards (rv:28.0 / rv:24.4) — Mozilla
Mozilla developers and community identified identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least...
Files extracted during updates are not always read only — Mozilla
Security researcher Ash reported an issue where the extracted files for updates to existing files are not read only during the update process. This allows for the potential replacement or modification of these files during the update process if a malicious application is present on the local syst...
Out of bounds read during WAV file decoding — Mozilla
Security researcher Atte Kettunen from OUSPG reported an out of bounds read during the decoding of WAV format audio files for playback. This could allow web content access to heap data as well as causing a crash...
WebGL content injection from one domain to rendering in another — Mozilla
Mozilla developer Jeff Gilbert discovered a mechanism where a malicious site with WebGL content could inject content from its context to that of another site's WebGL context, causing the second site to replace textures and similar content. This cannot be used to steal data but could be used to...
onbeforeunload and Javascript navigation DOS — Mozilla
Security researchers Tim Philipp Schäfers and Sebastian Neef, the team of Internetwache.org, reported a mechanism using JavaScript onbeforeunload events with page navigation to prevent users from closing a malicious page's tab and causing the browser to become unresponsive. This allows for a deni...
Content Security Policy for data: documents not preserved by session restore — Mozilla
Security researcher Nicolas Golubovic reported that the Content Security Policy CSP of data: documents was not saved as part of session restore. If an attacker convinced a victim to open a document from a data: URL injected onto a page, this can lead to a Cross-Site Scripting XSS attack. The targ...
Local file access via Open Link in new tab — Mozilla
Security researcher Alex Inführ reported that on Firefox for Android it is possible to open links to local files from web content by selecting "Open Link in New Tab" from the context menu using the file: protocol. The web content would have to know the precise location of a malicious local file i...
Spoofing attack on WebRTC permission prompt — Mozilla
Mozilla developer Ehsan Akhgari reported a spoofing attack where the permission prompt for a WebRTC session can appear to be from a different site than its actual originating site if a timed navigation occurs during the prompt generation. This allows an attacker to potentially gain access to the...
crypto.generateCRMFRequest does not validate type of key — Mozilla
Mozilla developer David Keeler reported that the crypto.generateCRFMRequest method did not correctly validate the key type of the KeyParams argument when generating ec-dual-use requests. This could lead to a crash and a denial of service DOS attack...
Use-after-free in TypeObject — Mozilla
Security research firm VUPEN, via TippingPoint's Pwn2Own contest, reported that memory pressure during Garbage Collection could lead to memory corruption of TypeObjects in the JS engine, resulting in an exploitable use-after-free condition...
Out-of-bounds read/write through neutering ArrayBuffer objects — Mozilla
Security researcher Jüri Aedla, via TippingPoint's Pwn2Own contest, reported that TypedArrayObject does not handle the case where ArrayBuffer objects are neutered, setting their length to zero while still in use. This leads to out-of-bounds reads and writes into the JavaScript heap, allowing for...
Firefox OS DeviceStorageFile object vulnerable to relative path escape — Mozilla
Mozlla developer Ben Turner discovered that the protection against Directory Traversal through the DeviceStorage API was implemented in the wrong process on Firefox OS. If a Firefox OS application with any device-storage permissions were compromised an attacker could escape the media sandbox and...
Privilege escalation using WebIDL-implemented APIs — Mozilla
Security researcher Mariusz Mlynski, via TippingPoint's Pwn2Own contest, reported that it is possible for untrusted web content to load a chrome-privileged page by getting JavaScript-implemented WebIDL to call window.open. A second bug allowed the bypassing of the popup-blocker without user...
Memory corruption in Cairo during PDF font rendering — Mozilla
Security researcher John Thomson discovered a memory corruption in the Cairo graphics library during font rendering of a PDF file for display. This memory corruption leads to a potentially exploitable crash and to a denial of service DOS. This issues is not able to be triggered in a default...
SVG filters information disclosure through feDisplacementMap — Mozilla
Mozilla developer Robert O'Callahan reported a mechanism for timing attacks involving SVG filters and displacements input to feDisplacementMap. This allows displacements to potentially be correlated with values derived from content. This is similar to the previously reported techniques used for S...
Android Crash Reporter open to manipulation — Mozilla
Firefox for Android includes a Crash Reporter which sends crash data to Mozilla for analysis. Security researcher Roee Hay reported that third party Android applications could launch the crash reporter with their own arguments. Normally applications cannot read the private files of another...
Out-of-bounds write through TypedArrayObject after neutering — Mozilla
Security researcher George Hotz, via TippingPoint's Pwn2Own contest, discovered an issue where values are copied from an array into a second, neutered array. This allows for an out-of-bounds write into memory, causing an exploitable crash leading to arbitrary code execution...
Information disclosure through polygon rendering in MathML — Mozilla
Security researcher Tyson Smith and Jesse Schwartzentruber of the BlackBerry Security Automated Analysis Team used the Address Sanitizer tool while fuzzing to discover an out-of-bounds read during polygon rendering in MathML. This can allow web content to potentially read protected memory...
Script execution in HTML mail replies — Mozilla
Security researcher Fabián Cuchietti discovered that it was possible to bypass the restriction on JavaScript execution in mail by embedding an with a data: URL within a message. If the victim replied or forwarded the mail after receiving it, quoting it "in-line" using Thunderbird's HTML mail...
UI selection timeout missing on download prompts — Mozilla
Security researcher Jordi Chancel reported that the dialog for saving downloaded files did not implement a security timeout before button selections were processed. This could be used in concert with spoofing to convince users to select a different option than intended, causing downloaded files t...
Information disclosure with *FromPoint on iframes — Mozilla
Security researcher Jordan Milne reported an information leak where document.caretPositionFromPoint and document.elementFromPoint functions could be used on a cross-origin iframe to gain information on the iframe's DOM and other attributes through a timing attack, violating same-origin policy...
Incorrect use of discarded images by RasterImage — Mozilla
Fredrik 'Flonka' Lönnqvist discovered an issue with image decoding in RasterImage caused by continued use of discarded images. This could allow for the writing to unowned memory and a potentially exploitable crash...
Clone protected content with XBL scopes — Mozilla
Security researcher Cody Crews reported a method to bypass System Only Wrappers SOW by using XML Binding Language XBL content scopes to clone protected XUL elements. This could be used to clone anonymous nodes, making trusted XUL content web accessible...
Miscellaneous memory safety hazards (rv:27.0 / rv:24.3) — Mozilla
Mozilla developers and community identified identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least...
NSS ticket handling issues — Mozilla
Mozilla developer Brian Smith and security researchers Antoine Delignat-Lavaud and Karthikeyan Bhargavan of the Prosecco research team at INRIA Paris reported issues with ticket handling in the Network Security Services NSS libraries. These have been addressed in the NSS 3.15.4 release, shipping ...
Firefox default start page UI content invocable by script — Mozilla
Yazan Tommalieh discovered a flaw that once users have viewed the default Firefox start page about:home, subsequent pages they navigate to in that same tab could use script to activate the buttons that were on the about:home page. Most of these simply open Firefox dialogs such as Settings or...
Crash when using web workers with asm.js — Mozilla
Soeren Balko reported a crash when terminating a web worker running asm.js code after passing an object between threads. This crash is potentially exploitable...
Inconsistent JavaScript handling of access to Window objects — Mozilla
Mozilla developer Boris Zbarsky reported an inconsistency with the different JavaScript engines in how JavaScript native getters on window objects are handled by these engines. This inconsistency can lead to different behaviors in JavaScript code, allowing for a potential security issue with wind...
Cross-origin information leak through web workers — Mozilla
Security researcher Masato Kinugawa reported a cross-origin information leak through web workers' error messages. This violates same-origin policy and the leaked information could potentially be used to gather authentication tokens and other data from third-party websites...
Use-after-free with imgRequestProxy and image processing — Mozilla
Security researcher Arthur Gerkis, via TippingPoint's Zero Day Initiative, reported a use-after-free during image processing from sites with specific content types in concert with the imgRequestProxy function. This causes a potentially exploitable crash...
XSLT stylesheets treated as styles in Content Security Policy — Mozilla
Mozilla security engineer Frederik Braun reported an issue where the implementation of Content Security Policy CSP is not in compliance with the specification. XSLT stylesheets must be subject to script-src directives but Mozilla's implementation of CSP treats them as styles. This could lead to...
Profile path leaks to Android system log — Mozilla
Mozilla developer Roee Hay reported that Firefox for Android profile paths leak to the Android system log. When running on Android 4.2 or earlier, other applications are able to read these log files, leading to information disclosure from the user's profile directory. This issue was also...
Miscellaneous memory safety hazards (rv:26.0 / rv:24.2) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
JPEG information leak — Mozilla
Google security researcher Michal Zalewski reported issues with JPEG format image processing with Start Of Scan SOS and Define Huffman Table DHT markers in the libjpeg library. This could allow for the possible reading of arbitrary memory content as well as cross-domain image theft...
Potential overflow in JavaScript binary search algorithms — Mozilla
Compiler Engineer Dan Gohman of Google reported that binary search algorithms in the SpiderMonkey JavaScript engine were prone to overflow in several places, leading to potential out-of-bounds array access. While none of these are known to be directly exploitable, they are unsafe in theory and ha...
GetElementIC typed array stubs can be generated outside observed typesets — Mozilla
Mozilla developer Eric Faust reported that during JavaScript compilation GetElementIC typed array stubs can be generated outside observed typesets. This could lead to unpredictable behavior with a potential security impact...
Use-after-free in event listeners — Mozilla
Security researchers Tyson Smith and Jesse Schwartzentruber of the BlackBerry Security Automated Analysis Team used the Address Sanitizer tool while fuzzing to discover a user-after-free when interacting with event listeners from the mListeners array. This leads to a potentially exploitable crash...
Sandbox restrictions not applied to nested object elements — Mozilla
Mozilla security developer Daniel Veditz discovered that restrictions are not applied to an element contained within a sandboxed iframe. This could allow content hosted within a sandboxed iframe to use element to bypass the sandbox restrictions that should be applied...
Application Installation doorhanger persists on navigation — Mozilla
Mozilla developer Myk Melez reported that with specifically timed page navigation, the doorhanger notification for Web App installation could persist from one site to another without being dismissed by the navigation. This could be used by a malicious site to trick a user into installing an...
Character encoding cross-origin XSS attack — Mozilla
Security researcher Masato Kinugawa discovered that if a web page is missing character set encoding information it can inherit character encodings across navigations into another domain from an earlier site. Only same-origin inheritance is allowed according to the HTML5 specification. This issue...
Use-after-free in synthetic mouse movement — Mozilla
Security researchers Tyson Smith and Jesse Schwartzentruber of the BlackBerry Security Automated Analysis Team used the Address Sanitizer tool while fuzzing to discover a user-after-free in the functions for synthetic mouse movement handling. Security researcher Atte Kettunen from OUSPG also...
Use-after-free during Table Editing — Mozilla
Security researcher Nils used the Address Sanitizer tool while fuzzing to discover a use-after-free problem in the table editing user interface of the editor during garbage collection. This leads to a potentially exploitable crash...
Trust settings for built-in roots ignored during EV certificate validation — Mozilla
Firefox user Sijie Xia reported that if a user explicitly removes the trust for extended validation EV capable root certificates in the certificate manager, the change is not properly used when validating EV certificates, causing the setting to be ignored. This removes the ability of users to...