1574 matches found
Arbitrary code execution within Profiler — Mozilla
Security researcher Mariusz Mlynski reported that when a user examines the profiler output on a malicious website containing specially crafted code, it is possible for arbitrary code execution to occur. This occurs because the profiler user interface runs in a special iframe that parses data from...
Privileged content access and execution via XBL — Mozilla
Security researcher Mariusz Mlynski reported that it is possible to compile a user-defined function in the XBL scope of a specific element and then trigger an event within this scope to run code. In some circumstances, when this code is run, it can access content protected by System Only Wrappers...
Execution of unmapped memory through onreadystatechange event — Mozilla
Security researcher Nils reported that specially crafted web content using the onreadystatechange event and reloading of pages could sometimes cause a crash when unmapped memory is executed. This crash is potentially exploitable...
Data in the body of XHR HEAD requests leads to CSRF attacks — Mozilla
Security researcher Johnathan Kuskos reported that Firefox is sending data in the body of XMLHttpRequest XHR HEAD requests, which goes against the XHR specification. This can potentially be used for Cross-Site Request Forgery CSRF attacks against sites which do not distinguish between HEAD and PO...
Homograph domain spoofing in .com, .net and .name — Mozilla
Security researcher 3ric Johanson reported in discussions with Richard Newman and Holt Sorenson that Verisign's prevention measures for homograph attacks using Internationalized Domain Names IDN were insufficiently rigorous, and this led to a limited possibility for domain spoofing in Firefox...
XrayWrappers can be bypassed to run user defined methods in a privileged context — Mozilla
Mozilla security researcher mozbugra4 reported that XrayWrappers can be bypassed to call content-defined toString and valueOf methods through DefaultValue. This can lead to unexpected behavior when privileged code acts on the incorrect values...
PreserveWrapper has inconsistent behavior — Mozilla
Mozilla developer Boris Zbarsky found that when PreserveWrapper was used in cases where a wrapper is not set, the preserved-wrapper flag on the wrapper cache is cleared. This could potentially lead to an exploitable crash...
Inaccessible updater can lead to local privilege escalation — Mozilla
Security researcher Seb Patane reported an issue with the Mozilla Maintenance Service on Windows. He discovered that when the Mozilla Updater executable was inaccessible, the Maintenance Service will behave incorrectly and can be made to use an updater at an arbitrary location. This updater will...
Memory corruption found using Address Sanitizer — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to discover a series of use-after-free problems rated critical as security issues in shipped software. Some of these issues are potentially exploitable, allowing for remote code execution...
Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
getUserMedia permission dialog incorrectly displays location — Mozilla
Mozilla engineer Matt Wobensmith discovered that when the getUserMedia permission dialog for an iframe appears in one domain, it will display its origin as that of the top-level document and not the calling framed page. This could lead to users incorrectly giving camera or microphone permissions...
SVG filters can lead to information disclosure — Mozilla
Security researcher Paul Stone of Context Information Security discovered that timing differences in the processing of SVG format images with filters could allow for pixel values to be read. This could potentially allow for text values to be read across domains, leading to information disclosure...
X-Frame-Options ignored when using server push with multi-part responses — Mozilla
Bugzilla developer Frédéric Buclin reported that the X-Frame-Options header is ignored when server push is used in multi-part responses. This can lead to potential clickjacking on sites that use X-Frame-Options as a protection...
Sandbox restrictions not applied to nested frame elements — Mozilla
Mozilla community member Bob Owen reported that restrictions are not applied to a frame element contained within a sandboxed iframe. As a result, content hosted within a sandboxed iframe could use a frame element to bypass the restrictions that should be applied...
Mozilla Updater fails to update some Windows Registry entries — Mozilla
Security researcher Robert Kugler discovered that in some instances the Mozilla Maintenance Service on Windows will be vulnerable to some previously fixed privilege escalation attacks that allowed for local privilege escalation. This was caused by the Mozilla Updater not updating Windows Registry...
Local privilege escalation through Mozilla Maintenance Service — Mozilla
Security researcher Seb Patane reported an issue with the Mozilla Maintenance Service on Windows. This issue allows unprivileged users to local privilege escalation through the system privileges used by the service when interacting with local malicious software. This allows the user to bypass...
File input control has access to full path — Mozilla
Mozilla security researcher mozbugra4 reported a mechanism to exploit the control when set to the file type in order to get the full path. This can lead to information leakage and could be combined with other exploits to target attacks on the local file system...
Memory corruption found using Address Sanitizer — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to discover a series of use-after-free, out of bounds read, and invalid write problems rated as moderate to critical as security issues in shipped software. Some of these issues are...
Miscellaneous memory safety hazards (rv:21.0 / rv:17.0.6) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Use-after-free with video and onresize event — Mozilla
Security researcher Nils reported a use-after-free when resizing video while playing. This could allow for arbitrary code execution...
Uninitialized functions in DOMSVGZoomEvent — Mozilla
Mozilla community member Ms2ger discovered that some DOMSVGZoomEvent functions are used without being properly initialized, causing uninitialized memory to be used when they are called by web content. This could lead to a information leakage to sites depending on the contents of this uninitialize...
Privileged access for content level constructor — Mozilla
Security researcher Cody Crews reported a method to call a content level constructor that allows for this constructor to have chrome privileged access. This affects chrome object wrappers COW and allows for write actions on objects when only read actions should be allowed. This can lead to...
Out-of-bounds write in Cairo library — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to discover an out-of-bounds write in Cairo graphics library. When certain values are passed to it during rendering, Cairo attempts to use negative boundaries or sizes for boxes, leading t...
Out-of-bounds array read in CERT_DecodeCertPackage — Mozilla
Mozilla community member Ambroz Bizjak reported an out-of-bounds array read in the CERTDecodeCertPackage function of the Network Security Services NSS library when decoding a certificate. When this occurs, it will lead to memory corruption and a non-exploitable crash...
WebGL crash with Mesa graphics driver on Linux — Mozilla
Security researcher miaubiz used the Address Sanitizer tool to discover a crash in WebGL rendering when memory is freed that has not previously been allocated. This issue only affects Linux users who have Intel Mesa graphics drivers. The resulting crash could be potentially exploitable...
Privilege escalation through Mozilla Updater — Mozilla
Security researcher Ash reported an issue with the Mozilla Updater. The Mozilla Updater can be made to load a malicious local DLL file in a privileged context through either the Mozilla Maintenance Service or independently on systems that do not use the service. This occurs when the DLL file is...
Privilege escalation through Mozilla Maintenance Service — Mozilla
Security researcher Frédéric Hoguin discovered that the Mozilla Maintenance Service on Windows was vulnerable to a buffer overflow. This system is used to update software without invoking the User Account Control UAC prompt. The Mozilla Maintenance Service is configured to allow unprivileged user...
Bypass of SOW protections allows cloning of protected nodes — Mozilla
Security researcher Cody Crews reported a mechanism to use the cloneNode method to bypass System Only Wrappers SOW and clone a protected node. This allows violation of the browser's same origin policy and could also lead to privilege escalation and the execution of arbitrary code...
Miscellaneous memory safety hazards (rv:20.0 / rv:17.0.5) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
World read and write access to app_tmp directory on Android — Mozilla
Security researcher Shuichiro Suzuki of the Fourteenforty Research Institute reported the apptmp directory is set to be world readable and writeable by Firefox for Android. This potentially allows for third party applications to replace or alter Firefox add-ons when downloaded because they are...
Cross-site scripting (XSS) using timed history navigations — Mozilla
Security researcher Mariusz Mlynski reported a method to use browser navigations through history to load an arbitrary website with that page's baseURI property pointing to another site instead of the seemingly loaded one. The user will continue to see the incorrect site in the addressbar of the...
Memory corruption while rendering grayscale PNG images — Mozilla
Mozilla community member Tobias Schula reported that if gfx.colormanagement.enablev4 preference is enabled manually in about:config, some grayscale PNG images will be rendered incorrectly and cause memory corruption during PNG decoding when certain color profiles are in use. A crafted PNG image...
Bypass of tab-modal dialog origin disclosure — Mozilla
Security researcher shutdown reported a method for removing the origin indication on tab-modal dialog boxes in combination with browser navigation. This could allow an attacker's dialog to overlay a page and show another site's content. This can be used for phishing by allowing users to enter dat...
Use-after-free in HTML Editor — Mozilla
VUPEN Security, via TippingPoint's Zero Day Initiative, reported a use-after-free within the HTML editor when content script is run by the document.execCommand function while internal editor operations are occurring. This could allow for arbitrary code execution...
Wrapped WebIDL objects can be wrapped again — Mozilla
Mozilla developer Boris Zbarsky reported that in some circumstances a wrapped WebIDL object can be wrapped multiple times, overwriting the existing wrapped state. This could lead to an exploitable condition in rare cases...
Out-of-bounds read in image rendering — Mozilla
Using the Address Sanitizer tool, security researcher Atte Kettunen from OUSPG found an out-of-bounds read while rendering GIF format images. This could cause a non-exploitable crash and could also attempt to render normally inaccessible data as part of the image...
Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to discover a series of use-after-free, out of bounds read, and buffer overflow problems rated as low to critical security issues in shipped software. Some of these issues are potentially...
Miscellaneous memory safety hazards (rv:19.0 / rv:17.0.3) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Phishing on HTTPS connection through malicious proxy — Mozilla
Google security researcher Michal Zalewski reported an issue where the browser displayed the content of a proxy's 407 response if a user canceled the proxy's authentication prompt. In this circumstance, the addressbar will continue to show the requested site's address, including HTTPS addresses...
Use-after-free in nsImageLoadingContent — Mozilla
Security researcher Nils reported a use-after-free in nsImageLoadingContent when content script is executed. This could allow for arbitrary code execution...
Privacy leak in JavaScript Workers — Mozilla
Mozilla security researcher Frederik Braun discovered that since Firefox 15 the file system location of the active browser profile was available to JavaScript workers. While not dangerous by itself, this could potentially be combined with other vulnerabilities to target the profile in an attack...
Web content bypass of COW and SOW security wrappers — Mozilla
Mozilla developer Bobby Holley discovered that it was possible to bypass some protections in Chrome Object Wrappers COW and System Only Wrappers SOW, making their prototypes mutable by web content. This could be used leak information from chrome objects and possibly allow for arbitrary code...
Touch events are shared across iframes — Mozilla
Mozilla developer Wesley Johnston reported that when there are two or more iframes on the same HTML page, an iframe is able to see the touch events and their targets that occur within the other iframes on the page. If the iframes are from the same origin, they can also access the properties and...
Memory corruption in XBL with XML bindings containing SVG — Mozilla
Security researcher Sviatoslav Chagaev reported that when using an XBL file containing multiple XML bindings with SVG content, a memory corruption can occur. In concern with remote XUL, this can lead to an exploitable crash...
Buffer overflow in Javascript string concatenation — Mozilla
Security researcher pakt reported a flaw via TippingPoint's Zero Day Initiative that an integer overflow is possible when calculating the length for a Javascript string concatenation, which is then used for memory allocation. This results in a buffer overflow, leading to a potentially exploitable...
Use-after-free in serializeToStream — Mozilla
Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free in XMLSerializer by the exposing of serializeToStream to web content. This can lead to arbitrary code execution when exploited...
Privilege escalation through plugin objects — Mozilla
Security researcher Mariusz Mlynski reported that it is possible to open a chrome privileged web page through plugin objects through interaction with SVG elements. This could allow for arbitrary code execution...
Use-after-free in ListenerManager — Mozilla
Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free within the ListenerManager when garbage collection is forced after data in listener objects have been allocated in some circumstances. This results in a use-after-free which can lead to arbitrary cod...
Chrome Object Wrapper (COW) bypass through changing prototype — Mozilla
Security researcher Mariusz Mlynski reported that it is possible to change the prototype of an object and bypass Chrome Object Wrappers COW to gain access to chrome privileged functions. This could allow for arbitrary code execution...
Address space layout leaked in XBL objects — Mozilla
Mozilla security researcher Jesse Ruderman discovered that using the toString function of XBL objects can lead to inappropriate information leakage by revealing the address space layout instead of just the ID of the object. This layout information could potentially be used to bypass ASLR and othe...