Memory corruption in XBL with XML bindings containing SVG — Mozilla
Security researcher Sviatoslav Chagaev reported that when using an XBL file containing multiple XML bindings with SVG content, a memory corruption can occur. In conjunction with remote XUL, this can lead to an exploitable crash...
Event manipulation in plugin handler to bypass same-origin policy — Mozilla
Mozilla security researcher Jesse Ruderman reported that events in the plugin handler can be manipulated by web content to bypass same-origin policy (SOP) restrictions. This can allow for clickjacking on malicious web pages...
Touch events are shared across iframes — Mozilla
Mozilla developer Wesley Johnston reported that when there are two or more iframes on the same HTML page, an iframe is able to see the touch events and their targets that occur within the other iframes on the page. If the iframes are from the same origin, they can also access the properties and...
Use-after-free when displaying table with many columns and column groups — Mozilla
Using the Address Sanitizer tool, security researcher Atte Kettunen from OUSPG discovered that the combination of large numbers of columns and column groups in a table could cause the array containing the columns during rendering to overwrite itself. This can lead to a use-after-free causing a...
URL spoofing in addressbar during page loads — Mozilla
Security researcher Masato Kinugawa found a flaw in which the displayed URL values within the addressbar can be spoofed by a page during loading. This allows for phishing attacks where a malicious page can spoof the identity of another site...
AutoWrapperChanger fails to keep objects alive during garbage collection — Mozilla
Mozilla developer Olli Pettay discovered that the AutoWrapperChanger class fails to keep some javascript objects alive during garbage collection. This can lead to an exploitable crash allowing for arbitrary code execution...
Buffer overflow while rendering GIF images — Mozilla
Security researcher Atte Kettunen from OUSPG used the Address Sanitizer tool to discover a buffer overflow while rendering GIF format images. This issue is potentially exploitable and could lead to arbitrary code execution...
Crash when combining SVG text on path with CSS — Mozilla
Security researcher Jonathan Stephens discovered that combining SVG text on a path with the setting of CSS properties could lead to a potentially exploitable crash...
Miscellaneous memory safety hazards (rv:17.0/ rv:10.0.11) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Improper character decoding in HZ-GB-2312 charset — Mozilla
Security researcher Masato Kinugawa found that when the HZ-GB-2312 charset encoding is used for text, the "" character will destroy another character near the chunk delimiter. This can lead to a cross-site scripting (XSS) attack in pages encoded in HZ-GB-2312...
XrayWrappers exposes chrome-only properties when not in chrome compartment — Mozilla
Mozilla developer Peter Van der Beken discovered that same-origin XrayWrappers expose chrome-only properties even when not in a chrome compartment. This can allow web content to get properties of DOM objects that are intended to be chrome-only...
XMLHttpRequest inherits incorrect principal within sandbox — Mozilla
Mozilla developer Gabor Krizsanits discovered that XMLHttpRequest objects created within sandboxes have the system principal instead of the sandbox principal. This can lead to cross-site request forgery (CSRF) or information theft via an add-on running untrusted code in a sandbox...
Javascript: URLs run in privileged context on New Tab page — Mozilla
Security researcher [email protected] reported that if a javascript: URL is selected from the list on the Firefox "new tab" page, the script will inherit the privileges of the privileged "new tab" page. This allows for the execution of locally installed programs if a user can be convinced to save a...
Improper security filtering for cross-origin wrappers — Mozilla
Mozilla developer Bobby Holley reported that security wrappers filter at the time of property access, but once a function is returned, the caller can use this function without further security checks. This affects cross-origin wrappers, allowing for write actions on objects when only read actions...
Firefox installer DLL hijacking — Mozilla
Security researcher Robert Kugler reported that when a specifically named DLL file on a Windows computer is placed in the default downloads directory with the Firefox installer, the Firefox installer will load this DLL when it is launched. In circumstances where the installer is run by an...
Memory corruption in str_unescape — Mozilla
Security researcher Scott Bell of Security-Assessment.com used the Address Sanitizer tool to discover a memory corruption in str_unescape in the Javascript engine. This could potentially lead to arbitrary code execution...
CSS and HTML injection through Style Inspector — Mozilla
Security researcher Mariusz Mlynski reported that when a maliciously crafted stylesheet is inspected in the Style Inspector, HTML and CSS can run in a chrome privileged context without being properly sanitized first. This can lead to arbitrary code execution...
Use-after-free, buffer overflow, and memory corruption issues found using Address Sanitizer — Mozilla
Security researcher miaubiz used the Address Sanitizer tool to discover a series of critically rated use-after-free, buffer overflow, and memory corruption issues in shipped software. These issues are potentially exploitable, allowing for remote code execution. We would also like to thank miaubiz...
Use-after-free and buffer overflow issues found using Address Sanitizer — Mozilla
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of critically rated use-after-free and buffer overflow issues using the Address Sanitizer tool in shipped software. These issues are potentially exploitable, allowing for remote code execution. We wou...
Script entered into Developer Toolbar runs with chrome privileges — Mozilla
Security researcher Masato Kinugawa reported that when script is entered into the Developer Toolbar, it runs in a chrome privileged context. This allows for arbitrary code execution or cross-site scripting (XSS) if a user can be convinced to paste malicious code into the Developer Toolbar...
Frames can shadow top.location — Mozilla
Security researcher Mariusz Mlynski reported that the location property can be accessed by binary plugins through top.location with a frame whose name attribute's value is set to "top". This can allow for possible cross-site scripting (XSS) attacks through plugins...
evalInSandbox location context incorrectly applied — Mozilla
Mozilla security researcher mozbugra4 reported that if code executed by the evalInSandbox function sets location.href, it can get the wrong subject principal for the URL check, ignoring the sandbox's Javascript context and gaining the context of the evalInSandbox object. This can lead to malicious we...
Fixes for Location object issues — Mozilla
Mozilla has fixed a number of issues related to the Location object in order to enhance overall security. Details for each of the current fixed issues are below...
Miscellaneous memory safety hazards (rv:16.0.1) — Mozilla
Mozilla developers identified and fixed two top crashing bugs in the browser engine used in Firefox and other Mozilla-based products. These bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to ru...
defaultValue security checks not applied — Mozilla
Mozilla security researcher mozbugra4 reported a regression where security wrappers are unwrapped without doing a security check in defaultValue. This can allow for improper access to the Location object. In versions 15 and earlier of affected products, there was also the potential for arbitrary...
Heap memory corruption issues found using Address Sanitizer — Mozilla
Security researcher Atte Kettunen from OUSPG reported several heap memory corruption issues found using the Address Sanitizer tool. These issues are potentially exploitable, allowing for remote code execution...
Spoofing and script injection through location.hash — Mozilla
Security researcher Mariusz Mlynski reported an issue with spoofing of the location property. In this issue, writes to location.hash can be used in concert with scripted history navigation to cause a specific website to be loaded into the history object. The baseURI can then be changed to this...
Chrome Object Wrapper (COW) does not disallow access to privileged functions or properties — Mozilla
Security researcher Mariusz Mlynski reported that when InstallTrigger fails, it throws an error wrapped in a Chrome Object Wrapper (COW) that fails to specify exposed properties. These can then be added to the resulting object by an attacker, allowing access to chrome privileged functions through...
Use-after-free in the IME State Manager — Mozilla
Security researcher miaubiz used the Address Sanitizer tool to discover a use-after-free in the IME State Manager code. This could lead to a potentially exploitable crash...
Use-after-free, buffer overflow, and out of bounds read issues found using Address Sanitizer — Mozilla
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of use-after-free, buffer overflow, and out of bounds read issues using the Address Sanitizer tool in shipped software. These issues are potentially exploitable, allowing for remote code execution. We...
top object and location property accessible by plugins — Mozilla
Security researcher Mariusz Mlynski reported that the location property can be accessed by binary plugins through top.location and top can be shadowed by Object.defineProperty as well. This can allow for possible cross-site scripting (XSS) attacks through plugins...
Miscellaneous memory safety hazards (rv:16.0/ rv:10.0.8) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Crash with invalid cast when using instanceof operator — Mozilla
Mozilla community member Ms2ger reported a crash due to an invalid cast when using the instanceof operator on certain types of JavaScript objects. This can lead to a potentially exploitable crash...
DOS and crash with full screen and history navigation — Mozilla
Security researcher Soroush Dalili reported that a combination of invoking full screen mode and navigating backwards in history could, in some circumstances, cause a hang or crash due to a timing dependent use-after-free pointer reference. This crash may be potentially exploitable...
GetProperty function can bypass security checks — Mozilla
Mozilla community member Alice White reported that when the GetProperty function is invoked through JSAPI, security checking can be bypassed when getting cross-origin properties. This potentially allowed for arbitrary code execution...
Continued access to initial origin after setting document.domain — Mozilla
Security researcher Collin Jackson reported a violation of the HTML5 specifications for document.domain behavior. Specified behavior requires pages to only have access to windows in a new document.domain but the observed violation allowed pages to retain access to windows from the page's initial...
select element persistence allows for attacks — Mozilla
Security researcher David Bloom of Cue discovered that select elements are always-on-top chromeless windows and that navigation away from a page with an active menu does not remove this window. When another menu is opened programmatically on a new page, the original menu can be retained and arbitrary HTM...
Reader Mode pages have chrome privileges — Mozilla
Security researcher Warren He reported that when a page is transitioned into Reader Mode in Firefox for Android, the resulting page has chrome privileges and its content is not thoroughly sanitized. A successful attack requires the user to enable Reader Mode for a malicious page, which could then...
Some DOMWindowUtils methods bypass security checks — Mozilla
Mozilla developer Johnny Stenback discovered that several methods of a feature used for testing (DOMWindowUtils) are not protected by existing security checks, allowing these methods to be called through script by web pages. This was addressed by adding the existing security checks to these methods...
SPDY information disclosure — Mozilla
Security researchers Thai Duong and Juliano Rizzo reported that SPDY's request header compression leads to information leakage, which can allow the extraction of private data such as session cookies, even over an encrypted SSL connection...
Miscellaneous memory safety hazards (rv:15.0/ rv:10.0.7) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
DOMParser loads linked resources in extensions when parsing text/html — Mozilla
Security researcher vsemozhetbyt reported that when the DOMParser is used to parse text/html data in a Firefox extension, linked resources within this HTML data will be loaded. If the data being parsed in the extension is untrusted, it could lead to information leakage and can potentially be...
HTTPMonitor extension allows for remote debugging without explicit activation — Mozilla
Mozilla security researcher Mark Goodwin discovered an issue with the Firefox developer tools' debugger. If remote debugging is disabled, but the experimental HTTPMonitor extension has been installed and enabled, a remote user can connect to and use the remote debugging service through the port...
Incorrect site SSL certificate data display — Mozilla
Security researcher Mark Poticha reported an issue where incorrect SSL certificate information can be displayed on the addressbar, showing the SSL data for a previous site while another has been loaded. This is caused by two onLocationChange events being fired out of the expected order, leading t...
Escalation of privilege through about:newtab — Mozilla
Security researcher Mariusz Mlynski reported that when a page opens a new tab, a subsequent window can then be opened that can be navigated to about:newtab, a chrome privileged page. Once about:newtab is loaded, the special context can potentially be used to escalate privilege, allowing for...
Location object can be shadowed using Object.defineProperty — Mozilla
Security researcher Mariusz Mlynski reported that it is possible to shadow the location object using Object.defineProperty. This could be used to confuse the current location to plugins, allowing for possible cross-site scripting (XSS) attacks...
SVG buffer overflow and use-after-free issues — Mozilla
Security researcher Arthur Gerkis used the Address Sanitizer tool to find two issues involving Scalable Vector Graphics (SVG) files. The first issue is a buffer overflow in Gecko's SVG filter code when the sum of two values is too large to be stored as a signed 32-bit integer, causing the function ...
Out-of-bounds read in format-number in XSLT — Mozilla
Security researcher Nicolas Grégoire used the Address Sanitizer tool to discover an out-of-bounds read in the format-number feature of XSLT, which can cause inaccurate formatting of numbers and information leakage. This is not directly exploitable...
Graphite 2 memory corruption — Mozilla
Using the Address Sanitizer tool, Mozilla security researcher Christoph Diehl discovered two memory corruption issues involving the Graphite 2 library used in Mozilla products. Both of these issues can cause a potentially exploitable crash. These problems were fixed in the Graphite 2 library, whi...
Memory corruption with bitmap format images with negative height — Mozilla
Security researcher Frédéric Hoguin reported two related issues with the decoding of bitmap (.BMP) format images embedded in icon (.ICO) format files. When processing a negative "height" header value for the bitmap image, a memory corruption can be induced, allowing an attacker to write random memory...