Inaccessible updater can lead to local privilege escalation — Mozilla
Security researcher Seb Patane reported an issue with the Mozilla Maintenance Service on Windows. He discovered that when the Mozilla Updater executable was inaccessible, the Maintenance Service will behave incorrectly and can be made to use an updater at an arbitrary location. This updater will...
Homograph domain spoofing in .com, .net and .name — Mozilla
Security researcher 3ric Johanson reported in discussions with Richard Newman and Holt Sorenson that Verisign's prevention measures for homograph attacks using Internationalized Domain Names (IDN) were insufficiently rigorous, and this led to a limited possibility for domain spoofing in Firefox...
getUserMedia permission dialog incorrectly displays location — Mozilla
Mozilla engineer Matt Wobensmith discovered that when the getUserMedia permission dialog for an iframe appears in one domain, it will display its origin as that of the top-level document and not the calling framed page. This could lead to users incorrectly giving camera or microphone permissions...
Arbitrary code execution within Profiler — Mozilla
Security researcher Mariusz Mlynski reported that when a user examines the profiler output on a malicious website containing specially crafted code, it is possible for arbitrary code execution to occur. This occurs because the profiler user interface runs in a special iframe that parses data from...
Privileged content access and execution via XBL — Mozilla
Security researcher Mariusz Mlynski reported that it is possible to compile a user-defined function in the XBL scope of a specific element and then trigger an event within this scope to run code. In some circumstances, when this code is run, it can access content protected by System Only Wrappers...
Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Memory corruption found using Address Sanitizer — Mozilla
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover a series of use-after-free problems rated critical as security issues in shipped software. Some of these issues are potentially exploitable, allowing for remote code execution...
PreserveWrapper has inconsistent behavior — Mozilla
Mozilla developer Boris Zbarsky found that when PreserveWrapper was used in cases where a wrapper is not set, the preserved-wrapper flag on the wrapper cache is cleared. This could potentially lead to an exploitable crash...
Privileged access for content level constructor — Mozilla
Security researcher Cody Crews reported a method to call a content level constructor that allows for this constructor to have chrome privileged access. This affects chrome object wrappers (COW) and allows for write actions on objects when only read actions should be allowed. This can lead to...
Uninitialized functions in DOMSVGZoomEvent — Mozilla
Mozilla community member Ms2ger discovered that some DOMSVGZoomEvent functions are used without being properly initialized, causing uninitialized memory to be used when they are called by web content. This could lead to an information leakage to sites depending on the contents of this uninitialize...
Memory corruption found using Address Sanitizer — Mozilla
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover a series of use-after-free, out of bounds read, and invalid write problems rated as moderate to critical as security issues in shipped software. Some of these issues are...
Miscellaneous memory safety hazards (rv:21.0 / rv:17.0.6) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Local privilege escalation through Mozilla Maintenance Service — Mozilla
Security researcher Seb Patane reported an issue with the Mozilla Maintenance Service on Windows. This issue allows unprivileged users to achieve local privilege escalation through the system privileges used by the service when interacting with local malicious software. This allows the user to bypass...
Use-after-free with video and onresize event — Mozilla
Security researcher Nils reported a use-after-free when resizing video while playing. This could allow for arbitrary code execution...
File input control has access to full path — Mozilla
Mozilla security researcher mozbugra4 reported a mechanism to exploit the input control when set to the file type in order to get the full path. This can lead to information leakage and could be combined with other exploits to target attacks on the local file system...
Mozilla Updater fails to update some Windows Registry entries — Mozilla
Security researcher Robert Kugler discovered that in some instances the Mozilla Maintenance Service on Windows will be vulnerable to some previously fixed privilege escalation attacks that allowed for local privilege escalation. This was caused by the Mozilla Updater not updating Windows Registry...
Memory corruption while rendering grayscale PNG images — Mozilla
Mozilla community member Tobias Schula reported that if the gfx.color_management.enablev4 preference is enabled manually in about:config, some grayscale PNG images will be rendered incorrectly and cause memory corruption during PNG decoding when certain color profiles are in use. A crafted PNG image...
Cross-site scripting (XSS) using timed history navigations — Mozilla
Security researcher Mariusz Mlynski reported a method to use browser navigations through history to load an arbitrary website with that page's baseURI property pointing to another site instead of the seemingly loaded one. The user will continue to see the incorrect site in the addressbar of the...
Bypass of SOW protections allows cloning of protected nodes — Mozilla
Security researcher Cody Crews reported a mechanism to use the cloneNode method to bypass System Only Wrappers (SOW) and clone a protected node. This allows violation of the browser's same origin policy and could also lead to privilege escalation and the execution of arbitrary code...
Privilege escalation through Mozilla Updater — Mozilla
Security researcher Ash reported an issue with the Mozilla Updater. The Mozilla Updater can be made to load a malicious local DLL file in a privileged context through either the Mozilla Maintenance Service or independently on systems that do not use the service. This occurs when the DLL file is...
World read and write access to app_tmp directory on Android — Mozilla
Security researcher Shuichiro Suzuki of the Fourteenforty Research Institute reported the app_tmp directory is set to be world readable and writeable by Firefox for Android. This potentially allows for third party applications to replace or alter Firefox add-ons when downloaded because they are...
Out-of-bounds write in Cairo library — Mozilla
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover an out-of-bounds write in the Cairo graphics library. When certain values are passed to it during rendering, Cairo attempts to use negative boundaries or sizes for boxes, leading t...
Privilege escalation through Mozilla Maintenance Service — Mozilla
Security researcher Frédéric Hoguin discovered that the Mozilla Maintenance Service on Windows was vulnerable to a buffer overflow. This system is used to update software without invoking the User Account Control (UAC) prompt. The Mozilla Maintenance Service is configured to allow unprivileged user...
Miscellaneous memory safety hazards (rv:20.0 / rv:17.0.5) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Bypass of tab-modal dialog origin disclosure — Mozilla
Security researcher shutdown reported a method for removing the origin indication on tab-modal dialog boxes in combination with browser navigation. This could allow an attacker's dialog to overlay a page and show another site's content. This can be used for phishing by allowing users to enter dat...
WebGL crash with Mesa graphics driver on Linux — Mozilla
Security researcher miaubiz used the Address Sanitizer tool to discover a crash in WebGL rendering when memory is freed that has not previously been allocated. This issue only affects Linux users who have Intel Mesa graphics drivers. The resulting crash could be potentially exploitable...
Out-of-bounds array read in CERT_DecodeCertPackage — Mozilla
Mozilla community member Ambroz Bizjak reported an out-of-bounds array read in the CERT_DecodeCertPackage function of the Network Security Services (NSS) library when decoding a certificate. When this occurs, it will lead to memory corruption and a non-exploitable crash...
Use-after-free in HTML Editor — Mozilla
VUPEN Security, via TippingPoint's Zero Day Initiative, reported a use-after-free within the HTML editor when content script is run by the document.execCommand function while internal editor operations are occurring. This could allow for arbitrary code execution...
Phishing on HTTPS connection through malicious proxy — Mozilla
Google security researcher Michal Zalewski reported an issue where the browser displayed the content of a proxy's 407 response if a user canceled the proxy's authentication prompt. In this circumstance, the addressbar will continue to show the requested site's address, including HTTPS addresses...
Web content bypass of COW and SOW security wrappers — Mozilla
Mozilla developer Bobby Holley discovered that it was possible to bypass some protections in Chrome Object Wrappers (COW) and System Only Wrappers (SOW), making their prototypes mutable by web content. This could be used to leak information from chrome objects and possibly allow for arbitrary code...
Out-of-bounds read in image rendering — Mozilla
Using the Address Sanitizer tool, security researcher Atte Kettunen from OUSPG found an out-of-bounds read while rendering GIF format images. This could cause a non-exploitable crash and could also attempt to render normally inaccessible data as part of the image...
Miscellaneous memory safety hazards (rv:19.0 / rv:17.0.3) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Use-after-free in nsImageLoadingContent — Mozilla
Security researcher Nils reported a use-after-free in nsImageLoadingContent when content script is executed. This could allow for arbitrary code execution...
Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer — Mozilla
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover a series of use-after-free, out of bounds read, and buffer overflow problems rated as low to critical security issues in shipped software. Some of these issues are potentially...
Privacy leak in JavaScript Workers — Mozilla
Mozilla security researcher Frederik Braun discovered that since Firefox 15 the file system location of the active browser profile was available to JavaScript workers. While not dangerous by itself, this could potentially be combined with other vulnerabilities to target the profile in an attack...
Wrapped WebIDL objects can be wrapped again — Mozilla
Mozilla developer Boris Zbarsky reported that in some circumstances a wrapped WebIDL object can be wrapped multiple times, overwriting the existing wrapped state. This could lead to an exploitable condition in rare cases...
Use-after-free in Vibrate — Mozilla
Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free using the domDoc pointer within Vibrate library. This can lead to arbitrary code execution when exploited...
Use-after-free in Javascript Proxy objects — Mozilla
...
Chrome Object Wrapper (COW) bypass through changing prototype — Mozilla
Security researcher Mariusz Mlynski reported that it is possible to change the prototype of an object and bypass Chrome Object Wrappers (COW) to gain access to chrome privileged functions. This could allow for arbitrary code execution...
Memory corruption in XBL with XML bindings containing SVG — Mozilla
Security researcher Sviatoslav Chagaev reported that when using an XBL file containing multiple XML bindings with SVG content, a memory corruption can occur. In concern with remote XUL, this can lead to an exploitable crash...
Crash due to handling of SSL on threads — Mozilla
Mozilla community member Jerry Baker reported a crashing issue found through Thunderbird when downloading messages over a Secure Sockets Layer (SSL) connection. This was caused by a bug in the networking code assuming that secure connections were entirely handled on the socket transport thread when...
URL spoofing in addressbar during page loads — Mozilla
Security researcher Masato Kinugawa found a flaw in which the displayed URL values within the addressbar can be spoofed by a page during loading. This allows for phishing attacks where a malicious page can spoof the identity of another site...
Use-after-free when displaying table with many columns and column groups — Mozilla
Using the Address Sanitizer tool, security researcher Atte Kettunen from OUSPG discovered that the combination of large numbers of columns and column groups in a table could cause the array containing the columns during rendering to overwrite itself. This can lead to a use-after-free causing a...
Buffer Overflow in Canvas — Mozilla
Security researcher miaubiz used the Address Sanitizer tool to discover a buffer overflow in Canvas when specific bad height and width values were given through HTML. This could lead to a potentially exploitable crash...
Use-after-free and buffer overflow issues found using Address Sanitizer — Mozilla
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of critically rated use-after-free, out of bounds read, and buffer overflow issues using the Address Sanitizer tool in shipped software. These issues are potentially exploitable, allowing for remote...
Compartment mismatch with quickstubs returned values — Mozilla
Mozilla developer Boris Zbarsky reported a problem where jsval-returning quickstubs fail to wrap their return values, causing a compartment mismatch. This mismatch can cause garbage collection to occur incorrectly and lead to a potentially exploitable crash...
Miscellaneous memory safety hazards (rv:18.0/ rv:10.0.12 / rv:17.0.2) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Mis-issued TURKTRUST certificates — Mozilla
Google reported to Mozilla that TURKTRUST, a certificate authority in Mozilla’s root program, had mis-issued two intermediate certificates to customers. The issue was not specific to Firefox but there was evidence that one of the certificates was used for man-in-the-middle (MITM) traffic management...
Event manipulation in plugin handler to bypass same-origin policy — Mozilla
Mozilla security researcher Jesse Ruderman reported that events in the plugin handler can be manipulated by web content to bypass same-origin policy (SOP) restrictions. This can allow for clickjacking on malicious web pages...
AutoWrapperChanger fails to keep objects alive during garbage collection — Mozilla
Mozilla developer Olli Pettay discovered that the AutoWrapperChanger class fails to keep some JavaScript objects alive during garbage collection. This can lead to an exploitable crash allowing for arbitrary code execution...