1574 matches found
Event manipulation in plugin handler to bypass same-origin policy — Mozilla
Mozilla security researcher Jesse Ruderman reported that events in the plugin handler can be manipulated by web content to bypass same-origin policy SOP restrictions. This can allow for clickjacking on malicious web pages...
AutoWrapperChanger fails to keep objects alive during garbage collection — Mozilla
Mozilla developer Olli Pettay discovered that the AutoWrapperChanger class fails to keep some javascript objects alive during garbage collection. This can lead to an exploitable crash allowing for arbitrary code execution...
Crash due to handling of SSL on threads — Mozilla
Mozilla community member Jerry Baker reported a crashing issue found through Thunderbird when downloading messages over a Secure Sockets Layer SSL connection. This was caused by a bug in the networking code assuming that secure connections were entirely handled on the socket transport thread when...
Use-after-free when displaying table with many columns and column groups — Mozilla
Using the Address Sanitizer tool, security researcher Atte Kettunen from OUSPG discovered that the combination of large numbers of columns and column groups in a table could cause the array containing the columns during rendering to overwrite itself. This can lead to a user-after-free causing a...
URL spoofing in addressbar during page loads — Mozilla
Security researcher Masato Kinugawa found a flaw in which the displayed URL values within the addressbar can be spoofed by a page during loading. This allows for phishing attacks where a malicious page can spoof the identify of another site...
Buffer Overflow in Canvas — Mozilla
Security researcher miaubiz used the Address Sanitizer tool to discover a buffer overflow in Canvas when specific bad height and width values were given through HTML. This could lead to a potentially exploitable crash...
Miscellaneous memory safety hazards (rv:18.0/ rv:10.0.12 / rv:17.0.2) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Compartment mismatch with quickstubs returned values — Mozilla
Mozilla developer Boris Zbarsky reported reported a problem where jsval-returning quickstubs fail to wrap their return values, causing a compartment mismatch. This mismatch can cause garbage collection to occur incorrectly and lead to a potentially exploitable crash...
Use-after-free and buffer overflow issues found using Address Sanitizer — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team discovered a series critically rated of use-after-free, out of bounds read, and buffer overflow issues using the Address Sanitizer tool in shipped software. These issues are potentially exploitable, allowing for remote...
Use-after-free in Javascript Proxy objects — Mozilla
...
Mis-issued TURKTRUST certificates — Mozilla
Google reported to Mozilla that TURKTRUST, a certificate authority in Mozilla’s root program, had mis-issued two intermediate certificates to customers. The issue was not specific to Firefox but there was evidence that one of the certificates was used for man-in-the-middle MITM traffic management...
Use-after-free in Vibrate — Mozilla
Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free using the domDoc pointer within Vibrate library. This can lead to arbitrary code execution when exploited...
Javascript: URLs run in privileged context on New Tab page — Mozilla
Security researcher [email protected] reported that if a javascript: URL is selected from the list of Firefox "new tab" page, the script will inherit the privileges of the privileged "new tab" page. This allows for the execution of locally installed programs if a user can be convinced to save a...
Memory corruption in str_unescape — Mozilla
Security researcher Scott Bell of Security-Assessment.com used the Address Sanitizer tool to discover a memory corruption in strunescape in the Javascript engine. This could potentially lead to arbitrary code execution...
evalInSanbox location context incorrectly applied — Mozilla
Mozilla security researcher mozbugra4 reported that if code executed by the evalInSandbox function sets location.href, it can get the wrong subject principal for the URL check, ignoring the sandbox's Javascript context and gaining the context of evalInSandbox object. This can lead to malicious we...
Crash when combining SVG text on path with CSS — Mozilla
Security researcher Jonathan Stephens discovered that combining SVG text on a path with the setting of CSS properties could lead to a potentially exploitable crash...
Miscellaneous memory safety hazards (rv:17.0/ rv:10.0.11) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Buffer overflow while rendering GIF images — Mozilla
Security researcher Atte Kettunen from OUSPG used the Address Sanitizer tool to discover a buffer overflow while rendering GIF format images. This issue is potentially exploitable and could lead to arbitrary code execution...
CSS and HTML injection through Style Inspector — Mozilla
Security researcher Mariusz Mlynski reported that when a maliciously crafted stylesheet is inspected in the Style Inspector, HTML and CSS can run in a chrome privileged context without being properly sanitized first. This can lead to arbitrary code execution...
Use-after-free and buffer overflow issues found using Address Sanitizer — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team discovered a series critically rated of use-after-free and buffer overflow issues using the Address Sanitizer tool in shipped software. These issues are potentially exploitable, allowing for remote code execution. We wou...
Improper character decoding in HZ-GB-2312 charset — Mozilla
Security researcher Masato Kinugawa found when HZ-GB-2312 charset encoding is used for text, the "" character will destroy another character near the chunk delimiter. This can lead to a cross-site scripting XSS attack in pages encoded in HZ-GB-2312...
Use-after-free, buffer overflow, and memory corruption issues found using Address Sanitizer — Mozilla
Security researcher miaubiz used the Address Sanitizer tool to discover a series critically rated of use-after-free, buffer overflow, and memory corruption issues in shipped software. These issues are potentially exploitable, allowing for remote code execution. We would also like to thank miaubiz...
Frames can shadow top.location — Mozilla
Security researcher Mariusz Mlynski reported that the location property can be accessed by binary plugins through top.location with a frame whose name attribute's value is set to "top". This can allow for possible cross-site scripting XSS attacks through plugins...
Script entered into Developer Toolbar runs with chrome privileges — Mozilla
Security researcher Masato Kinugawa reported that when script is entered into the Developer Toolbar, it runs in a chrome privileged context. This allows for arbitrary code execution or cross-site scripting XSS if a user can be convinced to paste malicious code into the Developer Toolbar...
Improper security filtering for cross-origin wrappers — Mozilla
Mozilla developer Bobby Holley reported that security wrappers filter at the time of property access, but once a function is returned, the caller can use this function without further security checks. This affects cross-origin wrappers, allowing for write actions on objects when only read actions...
XrayWrappers exposes chrome-only properties when not in chrome compartment — Mozilla
Mozilla developer Peter Van der Beken discovered that same-origin XrayWrappers expose chrome-only properties even when not in a chrome compartment. This can allow web content to get properties of DOM objects that are intended to be chrome-only...
Firefox installer DLL hijacking — Mozilla
Security researcher Robert Kugler reported that when a specifically named DLL file on a Windows computer is placed in the default downloads directory with the Firefox installer, the Firefox installer will load this DLL when it is launched. In circumstances where the installer is run by an...
XMLHttpRequest inherits incorrect principal within sandbox — Mozilla
Mozilla developer Gabor Krizsanits discovered that XMLHttpRequest objects created within sandboxes have the system principal instead of the sandbox principal. This can lead to cross-site request forgery CSRF or information theft via an add-on running untrusted code in a sandbox...
Fixes for Location object issues — Mozilla
Mozilla has fixed a number of issues related to the Location object in order to enhance overall security. Details for each of the current fixed issues are below...
Miscellaneous memory safety hazards (rv:16.0.1) — Mozilla
Mozilla developers identified and fixed two top crashing bugs in the browser engine used in Firefox and other Mozilla-based products. These bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to ru...
defaultValue security checks not applied — Mozilla
Mozilla security researcher mozbugra4 reported a regression where security wrappers are unwrapped without doing a security check in defaultValue. This can allow for improper access to the Location object. In versions 15 and earlier of affected products, there was also the potential for arbitrary...
Miscellaneous memory safety hazards (rv:16.0/ rv:10.0.8) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Use-after-free in the IME State Manager — Mozilla
Security researcher miaubiz used the Address Sanitizer tool to discover a use-after-free in the IME State Manager code. This could lead to a potentially exploitable crash...
GetProperty function can bypass security checks — Mozilla
Mozilla community member Alice White reported that when the GetProperty function is invoked through JSAPI, security checking can be bypassed when getting cross-origin properties. This potentially allowed for arbitrary code execution...
Heap memory corruption issues found using Address Sanitizer — Mozilla
Security researcher Atte Kettunen from OUSPG reported several heap memory corruption issues found using the Address Sanitizer tool. These issues are potentially exploitable, allowing for remote code execution...
Use-after-free, buffer overflow, and out of bounds read issues found using Address Sanitizer — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team discovered a series of use-after-free, buffer overflow, and out of bounds read issues using the Address Sanitizer tool in shipped software. These issues are potentially exploitable, allowing for remote code execution. We...
Spoofing and script injection through location.hash — Mozilla
Security researcher Mariusz Mlynski reported an issue with spoofing of the location property. In this issue, writes to location.hash can be used in concert with scripted history navigation to cause a specific website to be loaded into the history object. The baseURI can then be changed to this...
Chrome Object Wrapper (COW) does not disallow access to privileged functions or properties — Mozilla
Security researcher Mariusz Mlynski reported that when InstallTrigger fails, it throws an error wrapped in a Chrome Object Wrapper COW that fails to specify exposed properties. These can then be added to the resulting object by an attacker, allowing access to chrome privileged functions through...
DOS and crash with full screen and history navigation — Mozilla
Security researcher Soroush Dalili reported that a combination of invoking full screen mode and navigating backwards in history could, in some circumstances, cause a hang or crash due to a timing dependent use-after-free pointer reference. This crash may be potentially exploitable...
Reader Mode pages have chrome privileges — Mozilla
Security researcher Warren He reported that when a page is transitioned into Reader Mode in Firefox for Android, the resulting page has chrome privileges and its content is not thoroughly sanitized. A successful attack requires user enabling of reader mode for a malicious page, which could then...
Some DOMWindowUtils methods bypass security checks — Mozilla
Mozilla developer Johnny Stenback discovered that several methods of a feature used for testing DOMWindowUtils are not protected by existing security checks, allowing these methods to be called through script by web pages. This was addressed by adding the existing security checks to these methods...
select element persistence allows for attacks — Mozilla
Security researcher David Bloom of Cue discovered that elements are always-on-top chromeless windows and that navigation away from a page with an active menu does not remove this window.When another menu is opened programmatically on a new page, the original menu can be retained and arbitrary HTM...
top object and location property accessible by plugins — Mozilla
Security researcher Mariusz Mlynski reported that the location property can be accessed by binary plugins through top.location and top can be shadowed by Object.defineProperty as well. This can allow for possible cross-site scripting XSS attacks through plugins...
Continued access to initial origin after setting document.domain — Mozilla
Security researcher Collin Jackson reported a violation of the HTML5 specifications for document.domain behavior. Specified behavior requires pages to only have access to windows in a new document.domain but the observed violation allowed pages to retain access to windows from the page's initial...
Crash with invalid cast when using instanceof operator — Mozilla
Mozilla community member Ms2ger reported a crash due to an invalid cast when using the instanceof operator on certain types of JavaScript objects. This can lead to a potentially exploitable crash...
SPDY information disclosure — Mozilla
Security researchers Thai Duong and Juliano Rizzo reported that SPDY's request header compression leads to information leakage, which can allow the extraction of private data such as session cookies, even over an encrypted SSL connection...
Web console eval capable of executing chrome-privileged code — Mozilla
Security researcher Colby Russell discovered that eval in the web console can execute injected code with chrome privileges, leading to the running of malicious code in a privileged context. This allows for arbitrary code execution through a malicious web page if the web console is invoked by the...
Incorrect site SSL certificate data display — Mozilla
Security researcher Mark Poticha reported an issue where incorrect SSL certificate information can be displayed on the addressbar, showing the SSL data for a previous site while another has been loaded. This is caused by two onLocationChange events being fired out of the expected order, leading t...
Location object security checks bypassed by chrome code — Mozilla
Mozilla security researcher mozbugra4 reported that certain security checks in the location object can be bypassed if chrome code is called content in a specific manner. This allowed for the loading of restricted content. This can be combined with other issues to become potentially exploitable...
DOMParser loads linked resources in extensions when parsing text/html — Mozilla
Security researcher vsemozhetbyt reported that when the DOMParser is used to parse text/html data in a Firefox extension, linked resources within this HTML data will be loaded. If the data being parsed in the extension is untrusted, it could lead to information leakage and can potentially be...