Trust settings for built-in roots ignored during EV certificate validation — Mozilla

Firefox user Sijie Xia reported that if a user explicitly removes the trust for extended validation EV capable root certificates in the certificate manager, the change is not properly used when validating EV certificates, causing the setting to be ignored. This removes the ability of users to...

Segmentation violation when replacing ordered list elements — Mozilla

Security researchers Tyson Smith and Jesse Schwartzentruber of the BlackBerry Security Automated Analysis Team used the Address Sanitizer tool while fuzzing to discover a mechanism where inserting an ordered list into a document through script could lead to a potentially exploitable crash that ca...

Mis-issued ANSSI/DCSSI certificate — Mozilla

Google notified Mozilla that an intermediate certificate, which chains up to a root included in Mozilla’s root store, was loaded into a man-in-the-middle MITM traffic management device. This certificate was issued by Agence nationale de la sécurité des systèmes d'information ANSSI, an agency of t...

Miscellaneous Network Security Services (NSS) vulnerabilities — Mozilla

Mozilla has updated the version of Network Security Services NSS library used in Mozilla projects to NSS 3.15.3 with the exception of ESR17-based releases, which have been updated to NSS 3.14.5. This addresses several moderate to critical rated networking security issues...

Improperly initialized memory and overflows in some JavaScript functions — Mozilla

Compiler Engineer Dan Gohman of Google discovered a flaw in the JavaScript engine where memory was being incorrectly allocated for some functions and the calls for allocations were not always properly checked for overflow, leading to potential buffer overflows. When combined with other...

Writing to cycle collected object during image decoding — Mozilla

Mozilla community member Ezra Pool reported a potentially exploitable crash on extremely large pages. This was caused when a cycle collected image object was released on the wrong thread during decoding, creating a race condition...

Spoofing addressbar though SELECT element — Mozilla

Security researcher Jordi Chancel discovered a method to put arbitrary HTML content within elements and place it in arbitrary locations. This can be used to spoof the displayed addressbar, leading to clickjacking and other spoofing attacks...

Access violation with XSLT and uninitialized data — Mozilla

Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to discover an access violation due to uninitialized data during Extensible Stylesheet Language Transformation XSLT processing. This leads to a potentially exploitable crash...

Miscellaneous use-after-free issues found through ASAN fuzzing — Mozilla

Security researcher Nils used the Address Sanitizer tool while fuzzing to discover missing strong references in browsing engine leading to use-after-frees. This can lead to a potentially exploitable crash...

Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10) — Mozilla

Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...

Memory corruption in workers — Mozilla

Security researcher Nils used the Address Sanitizer tool while fuzzing to discover a memory corruption issue with the JavaScript engine when using workers with direct proxies. This results in a potentially exploitable crash...

Security bypass of PDF.js checks using iframes — Mozilla

Security researcher Cody Crews discovered a method to append an iframe into an embedded PDF object rendered with the chrome privileged PDF.js. This can used to bypass security restrictions to load local or chrome privileged files and objects within the embedded PDF object. This can lead to...

Use-after-free when updating offline cache — Mozilla

Security researcher Byoungyoung Lee of Georgia Tech Information Security Center GTISC used the Address Sanitizer tool to discover a use-after-free during state change events while updating the offline cache. This leads to a potentially exploitable crash...

Use-after-free in HTML document templates — Mozilla

Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to discover a user-after-free when interacting with HTML document templates. This leads to a potentially exploitable crash...

GC hazard with default compartments and frame chain restoration — Mozilla

Security researcher Nils reported a potentially exploitable use-after-free in an early test version of Firefox 25. Mozilla developer Bobby Holley found that the cause was an older garbage collection bug that a more recent change made easier to trigger...

User-defined properties on DOM proxies get the wrong "this" object — Mozilla

Mozilla developer Boris Zbarsky reported that user-defined getters on DOM proxies would incorrectly get the expando object as this. It is unlikely that this is directly exploitable but could lead to JavaScript client or add-on code making incorrect security sensitive decisions based on hacker...

Compartment mismatch re-attaching XBL-backed nodes — Mozilla

Security researcher Sachin Shinde reported that moving certain XBL-backed nodes from a document into the replacement document created by document.open can cause a JavaScript compartment mismatch which can often lead to exploitable conditions...

Mozilla Updater does not lock MAR file after signature verification — Mozilla

Security researcher Seb Patane reported that the Mozilla Updater does not write-lock the MAR update file when it is in use by the Updater. This leaves open the possibility of altering the contents of the MAR file after the signature on the file has been verified as valid but before it has been...

Same-origin bypass through symbolic links — Mozilla

Security researcher Takeshi Terada reported a mechanism to violate same-origin policy for local files using file:// through the use of symbolic links. This problem only affects web pages loaded from the local filesystem. This could allow for cross-site scripting XSS and access to locally stored...

Calling scope for new Javascript objects can lead to memory corruption — Mozilla

Mozilla community member Ms2ger found a mechanism where a new Javascript object with a compartment is uninitialized could be entered through web content. When the scope for this object is called, it leads to a potentially exploitable crash...

Use-after-free with select element — Mozilla

Security researcher Scott Bell used the Address Sanitizer tool to discover a use-after-free when using a element in a form after it has been destroyed. This could lead to a potentially exploitable crash...

Use-after-free in Animation Manager during stylesheet cloning — Mozilla

Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to discover a use-after-free problem in the Animation Manager during the cloning of stylesheets. This can lead to a potentially exploitable crash...

NativeKey continues handling key messages after widget is destroyed — Mozilla

Mozilla developer Masayuki Nakano discovered that the NativeKey widget continues handling key messages even when it is destroyed by dispatched event listeners. This could result in some key events being applied to other objects or plugins if the widget memory is reallocated to them, leading to a...

Integer overflow in ANGLE library — Mozilla

Security researcher Alex Chapman reported that the Almost Native Graphics Layer Engine ANGLE library used by Mozilla is vulnerable to an integer overflow. This vulnerability is present because of insufficient bounds checking in the drawLineLoop function, which can be driven by web content to...

Improper state in HTML5 Tree Builder with templates — Mozilla

Using the Address Sanitizer tool, security researcher Atte Kettunen from OUSPG found that the HTML5 Tree Builder does not properly store state when interacting with template elements. Because some stack information is incorrectly stored, the template insertion mode stack can be used when it is...

Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9) — Mozilla

Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...

Shared object library loading from writable location — Mozilla

Mozilla developer Vladimir Vukicevic reported that Firefox for Android will optionally load a shared object .so library in order to enable GL tracing. When this is occurs, it can be from a world writable location, allowing for it to be replaced by malicious third party applications before it is...

Buffer overflow with multi-column, lists, and floats — Mozilla

Security researcher Aki Helin reported that combining lists, floats, and multiple columns could trigger a potentially exploitable buffer overflow...

Memory corruption involving scrolling — Mozilla

Security researcher Nils reported two potentially exploitable memory corruption bugs involving scrolling. The first was a use-after-free condition due to scrolling an image document. The second was due to nodes in a range request being added as children of two different parents...

WebGL Information disclosure through OS X NVIDIA graphic drivers — Mozilla

Mozilla developer Victor Porof reported a flaw in the NVIDIA OS X graphic drivers that would allow portions of a user's desktop or other visible applications to be incorporated into WebGL canvases. This could result in personal information becoming available to web content...

Uninitialized data in IonMonkey — Mozilla

Software developer Dan Gohman of Google reported uninitialized data and variables in the IonMonkey Javascript engine when running the engine in Valgrind mode. This could be combined with additional exploits to allow the reading and use of previously allocated memory in some circumstances...

Further Privilege escalation through Mozilla Updater — Mozilla

Security researcher Ash reported an issue with the Mozilla Updater on Windows 7 and later versions of Windows. On vulnerable platforms, the Mozilla Updater can be made to load a specific malicious DLL file from the local system. This DLL file can run in a privileged context through the Mozilla...

Wrong principal used for validating URI for some Javascript components — Mozilla

Security researcher Cody Crews reported that some Javascript components will perform checks against the wrong uniform resource identifier URI before performing security sensitive actions. This will return an incorrect location for the originator of the call. This could be used to bypass same-orig...

Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8) — Mozilla

Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...

Document URI misrepresentation and masquerading — Mozilla

Mozilla security researcher mozbugra4 reported that through an interaction of frames and browser history it was possible to make the browser believe attacker-supplied content came from the location of a previous page in browser history. This allows for cross-site scripting XSS attacks by loading...

Crash during WAV audio file decoding — Mozilla

Security researcher Aki Helin from OUSPG used the Address Sanitizer tool to discover a crash during the decoding of WAV format audio files in some instances. This crash is not exploitable but could be used for a denial of service DOS attack by malicious parties...

Buffer underflow when generating CRMF requests — Mozilla

Security researcher Nils used the Address Sanitizer to discover a use-after-free problem when generating a Certificate Request Message Format CRMF request with certain parameters. This causes a potentially exploitable crash...

Use after free mutating DOM during SetBody — Mozilla

Security researcher Nils used the Address Sanitizer to discover a use-after-free problem when the Document Object Model is modified during a SetBody mutation event. This causes a potentially exploitable crash...

CRMF requests allow for code execution and XSS attacks — Mozilla

Mozilla security researcher mozbugra4 reported a mechanism to execute arbitrary code or a cross-site scripting XSS attack when Certificate Request Message Format CRMF request is generated in certain circumstances...

Bypass of XrayWrappers using XBL Scopes — Mozilla

Mozilla Developer Bobby Holley and Mozilla security researcher mozbugra4 discovered a mechanism where XBL scopes can be be used to circumvent XrayWrappers from within the Chrome on unprivileged objects. This allows web content to potentially confuse privileged code and weaken invariants and can...

Buffer overflow in Mozilla Maintenance Service and Mozilla Updater — Mozilla

Security researcher Seb Patane reported stack buffer overflows in both the Maintenance Service and the Mozilla Updater when unexpectedly long paths were encountered. A local attacker could pass these as command-line arguments to the Maintenance Service to crash either program and potentially lead...

Firefox full and stub installer DLL hijacking — Mozilla

Security researcher Robert Kugler reported in 2012 that when a specifically named DLL file on a Windows computer is placed in the default downloads directory with the Firefox installer, the Firefox installer will load this DLL file when it is launched. Mozilla developers Brian Bondy and Robert...

Same-origin bypass with web workers and XMLHttpRequest — Mozilla

Mozilla community member Federico Lanusse reported a mechanism where a web worker can violate same-origin policy and bypass cross-origin checks through XMLHttpRequest. This could allow for cross-site scripting XSS attacks by web workers...

Local Java applets may read contents of local file system — Mozilla

Security researcher Georgi Guninski reported an issue with Java applets where in some circumstances the applet could access files on the local system when loaded using the a file:/// URI and violate file origin policy due to interaction with the codebase parameter. This affects applets running on...

XrayWrappers can be bypassed to run user defined methods in a privileged context — Mozilla

Mozilla security researcher mozbugra4 reported that XrayWrappers can be bypassed to call content-defined toString and valueOf methods through DefaultValue. This can lead to unexpected behavior when privileged code acts on the incorrect values...

X-Frame-Options ignored when using server push with multi-part responses — Mozilla

Bugzilla developer Frédéric Buclin reported that the X-Frame-Options header is ignored when server push is used in multi-part responses. This can lead to potential clickjacking on sites that use X-Frame-Options as a protection...

Sandbox restrictions not applied to nested frame elements — Mozilla

Mozilla community member Bob Owen reported that restrictions are not applied to a frame element contained within a sandboxed iframe. As a result, content hosted within a sandboxed iframe could use a frame element to bypass the restrictions that should be applied...

SVG filters can lead to information disclosure — Mozilla

Security researcher Paul Stone of Context Information Security discovered that timing differences in the processing of SVG format images with filters could allow for pixel values to be read. This could potentially allow for text values to be read across domains, leading to information disclosure...

Data in the body of XHR HEAD requests leads to CSRF attacks — Mozilla

Security researcher Johnathan Kuskos reported that Firefox is sending data in the body of XMLHttpRequest XHR HEAD requests, which goes against the XHR specification. This can potentially be used for Cross-Site Request Forgery CSRF attacks against sites which do not distinguish between HEAD and PO...

Execution of unmapped memory through onreadystatechange event — Mozilla

Security researcher Nils reported that specially crafted web content using the onreadystatechange event and reloading of pages could sometimes cause a crash when unmapped memory is executed. This crash is potentially exploitable...