Web console eval capable of executing chrome-privileged code — Mozilla
Security researcher Colby Russell discovered that eval in the web console can execute injected code with chrome privileges, leading to the running of malicious code in a privileged context. This allows for arbitrary code execution through a malicious web page if the web console is invoked by the...
Location object security checks bypassed by chrome code — Mozilla
Mozilla security researcher mozbugra4 reported that certain security checks in the location object can be bypassed if chrome code is called by content in a specific manner. This allowed for the loading of restricted content. This can be combined with other issues to become potentially exploitable...
Installer will launch incorrect executable following new installation — Mozilla
Security researcher Masato Kinugawa reported that if a crafted executable is placed in the root partition on a Windows file system, the Firefox and Thunderbird installer will launch this program after a standard installation instead of Firefox or Thunderbird, running this program with the user's...
WebGL use-after-free and memory corruption — Mozilla
Security researcher miaubiz used the Address Sanitizer tool to discover two WebGL issues. The first issue is a use-after-free when WebGL shaders are called after being destroyed. The second issue exposes a problem with Mesa drivers on Linux, leading to a potentially exploitable crash...
Use-after-free issues found using Address Sanitizer — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team discovered a series of use-after-free issues using the Address Sanitizer tool. Many of these issues are potentially exploitable, allowing for remote code execution...
Insecure use of __android_log_print — Mozilla
Mozilla developer Blake Kaplan reported that __android_log_print is called insecurely in places. If a malicious web page used a dump statement with a specially crafted string, it can trigger a potentially exploitable crash...
Spoofing issue with location — Mozilla
Security researcher Mariusz Mlynski reported an issue with spoofing of the location property. In this issue, calls to history.forward and history.back are used to navigate to a site while displaying the previous site in the addressbar but changing the baseURI to the newer site. This can be used f...
Gecko memory corruption — Mozilla
Google security researcher Abhishek Arya used the Address Sanitizer tool to uncover four issues: two use-after-free problems, one out of bounds read bug, and a bad cast. The first use-after-free problem is caused when an array of nsSMILTimeValueSpec objects is destroyed but attempts are made to...
Incorrect URL displayed in addressbar through drag and drop — Mozilla
Security researcher Mario Gomes and research firm Code Audit Labs reported a mechanism to short-circuit page loads through drag and drop to the addressbar by canceling the page load. This causes the address of the previously entered site to be displayed in the addressbar instead of the currently...
XSS through data: URLs — Mozilla
Mozilla security researcher mozbugra4 reported a cross-site scripting XSS attack through the context menu using a data: URL. In this issue, context menu functionality "View Image", "Show only this frame", and "View background image" are disallowed in a javascript: URL but allowed in a data: URL,...
JSDependentString::undepend string conversion results in memory corruption — Mozilla
Security researcher Bill Keese reported a memory corruption. This is caused by JSDependentString::undepend changing a dependent string into a fixed string when there are additional dependent strings relying on the same base. When the undepend occurs during conversion, the base data is freed,...
Out of bounds read in QCMS — Mozilla
Google developer Tony Payne reported an out of bounds OOB read in QCMS, Mozilla’s color management library. With a carefully crafted color profile portions of a user's memory could be incorporated into a transformed image and possibly deciphered...
Miscellaneous memory safety hazards (rv:14.0/ rv:10.0.6) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Content Security Policy 1.0 implementation errors cause data leakage — Mozilla
Security researcher Karthikeyan Bhargavan of Prosecco at INRIA reported Content Security Policy CSP 1.0 implementation errors. CSP violation reports generated by Firefox and sent to the "report-uri" location include sensitive data within the "blocked-uri" parameter. These include fragment...
feed: URLs with an innerURI inherit security context of page — Mozilla
Security researchers Mario Gomes and Soroush Dalili reported that since Mozilla allows the pseudo-protocol feed: to prefix any valid URL, it is possible to construct feed:javascript: URLs that will execute scripts in some contexts. On some sites it may be possible to use this to evade output...
Code execution through javascript: URLs — Mozilla
Mozilla security researcher mozbugra4 reported an arbitrary code execution attack using a javascript: URL. The Gecko engine features a JavaScript sandbox utility that allows the browser or add-ons to safely execute script in the context of a web page. In certain cases, javascript: URLs are execute...
Clickjacking of certificate warning page — Mozilla
Security researcher Matt McCutchen reported a clickjacking attack using the certificate warning page. A man-in-the-middle (MITM) attacker can use an iframe to display its own certificate error warning page about:certerror with the "Add Exception" button of a real warning page from a malicious...
Same-compartment Security Wrappers can be bypassed — Mozilla
Mozilla developer Bobby Holley found that same-compartment security wrappers SCSW can be bypassed by passing them to another compartment. Cross-compartment wrappers often do not go through SCSW, but have a filtering policy built into them. When an object is wrapped cross-compartment, the SCSW is...
use-after-free in nsGlobalWindow::PageHidden — Mozilla
Security researcher Arthur Gerkis used the Address Sanitizer tool to find a use-after-free in nsGlobalWindow::PageHidden when mFocusedContent is released and oldFocusedContent is used afterwards. This use-after-free could possibly allow for remote code execution...
Improper filtering of javascript in HTML feed-view — Mozilla
Security researcher Mario Heiderich reported that javascript could be executed in the HTML feed-view using tag within the RSS . This problem is due to tags not being filtered out during parsing and can lead to a potential cross-site scripting XSS attack. The flaw existed in a parser utility class...
X-Frame-Options header ignored when duplicated — Mozilla
Bugzilla developer Frédéric Buclin reported that the X-Frame-Options header is ignored when the value is duplicated, for example X-Frame-Options: SAMEORIGIN, SAMEORIGIN. This duplication occurs for unknown reasons on some websites and when it occurs results in Mozilla browsers not being protecte...
Use-after-free in nsHTMLSelectElement — Mozilla
Security researcher regenrecht reported a flaw that affected Firefox versions 4 through 8 via TippingPoint's Zero Day Initiative. This flaw is a use-after-free in nsHTMLSelectElement when the parent node of the element is no longer active and could allow for possible remote code execution...
Use-after-free while replacing/inserting a node in a document — Mozilla
Security researcher Arthur Gerkis used the Address Sanitizer tool to find a use-after-free while replacing/inserting a node in a document. This use-after-free could possibly allow for remote code execution...
Content Security Policy inline-script bypass — Mozilla
Security researcher Adam Barth found that inline event handlers, such as onclick, were no longer blocked by Content Security Policy's CSP inline-script blocking feature. Web applications relying on this feature of CSP to protect against cross-site scripting XSS were not fully protected...
Privilege escalation through Mozilla Updater and Windows Updater Service — Mozilla
Security researcher James Forshaw of Context Information Security found two issues with the Mozilla updater and the Mozilla updater service introduced in Firefox 12 for Windows. The first issue allows Mozilla's updater to load a local DLL file in a privileged context. The updater can be called by...
Buffer overflow and use-after-free issues found using Address Sanitizer — Mozilla
Security researcher Abhishek Arya of Google used the Address Sanitizer tool to uncover several issues: two heap buffer overflow bugs and a use-after-free problem. The first heap buffer overflow was found in conversion from unicode to native character sets when the function fails. The use-after-fr...
NSS parsing errors with zero length items — Mozilla
Security researcher Kaspar Brand found a flaw in how the Network Security Services NSS ASN.1 decoder handles zero length items. Effects of this issue depend on the field. One known symptom is an unexploitable crash in handling OCSP responses. NSS also mishandles zero-length basic constraints,...
Information disclosure though Windows file shares and shortcut files — Mozilla
Security researcher Paul Stone reported an attack where an HTML page hosted on a Windows share, once loaded, could then load Windows shortcut files (.lnk) in the same share. These shortcut files could then link to arbitrary locations on the local file system of the individual loading the HTML pag...
Miscellaneous memory safety hazards (rv:13.0/ rv:10.0.5) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Miscellaneous memory safety hazards (rv:12.0/ rv:10.0.4) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Multiple security flaws fixed in FreeType v2.4.9 — Mozilla
Mateusz Jurczyk of the Google Security Team used the Address Sanitizer tool to discover a series of memory safety bugs in the FreeType library, some of which could cause memory corruption and exploitable crashes with certain fonts and font parsing. Firefox Mobile has been upgraded to FreeType...
Potential site identity spoofing when loading RSS and Atom feeds — Mozilla
Security researcher Jeroen van der Gun reported that if RSS or Atom XML invalid content is loaded over HTTPS, the addressbar updates to display the new location of the loaded resource, including SSL indicators, while the main window still displays the previously loaded content. This allows for...
Potential memory corruption during font rendering using cairo-dwrite — Mozilla
Security research firm iDefense reported that researcher wushi of team509 discovered a memory corruption on Windows Vista and Windows 7 systems with hardware acceleration disabled or using incompatible video drivers. This is created by using cairo-dwrite to attempt to render fonts on an unsupport...
Potential XSS via multibyte content processing errors — Mozilla
Anne van Kesteren of Opera Software found a multi-octet encoding issue where certain octets will destroy the following octets in the processing of some multibyte character sets. This can leave users vulnerable to cross-site scripting XSS attacks on maliciously crafted web pages...
Off-by-one error in OpenType Sanitizer — Mozilla
Mateusz Jurczyk of the Google Security Team discovered an off-by-one error in the OpenType Sanitizer using the Address Sanitizer tool. This can lead to an out-of-bounds read and execution of an uninitialized function pointer during parsing and possible remote code execution...
Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues — Mozilla
Security researcher Masato Kinugawa found that during the decoding of ISO-2022-KR and ISO-2022-CN character sets, characters near 1024 bytes are treated incorrectly, either doubling or deleting bytes. On certain pages it might be possible for an attacker to pad the output of the page such that...
WebGL.drawElements may read illegal video memory due to FindMaxUshortElement error — Mozilla
Mozilla community member Matias Juntunen discovered an error in WebGLBuffer where FindMaxElementInSubArray receives wrong template arguments from FindMaxUshortElement. This bug causes maximum index to be computed incorrectly within WebGL.drawElements, allowing the reading of illegal video memory...
Ambiguous IPv6 in Origin headers may bypass webserver access restrictions — Mozilla
Security researcher Simone Fabiano reported that if a cross-site XHR or WebSocket is opened on a web server on a non-standard port for web traffic while using an IPv6 address, the browser will send an ambiguous Origin header if the IPv6 address contains at least 2 consecutive 16-bit fields of...
Page load short-circuit can lead to XSS — Mozilla
Security researchers Jordi Chancel and Eddy Bordi reported that they could short-circuit page loads to show the address of a different site than what is loaded in the window in the addressbar. Security researcher Chris McGowen independently reported the same flaw, and further demonstrated that th...
HTTP Redirections and remote content can be read by javascript errors — Mozilla
Security researcher Daniel Divricean reported that a defect in the error handling of javascript errors can leak the file names and location of javascript files on a server, leading to inadvertent information disclosure and a vector for further attacks...
use-after-free in IDBKeyRange — Mozilla
Using the Address Sanitizer tool, security researcher Aki Helin from OUSPG found that IDBKeyRange of indexedDB remains in the XPConnect hashtable instead of being unlinked before being destroyed. When it is destroyed, this causes a use-after-free, which is potentially exploitable...
Invalid frees causes heap corruption in gfxImageSurface — Mozilla
Using the Address Sanitizer tool, security researcher Atte Kettunen from OUSPG found a heap corruption in gfxImageSurface which allows for invalid frees and possible remote code execution. This happens due to float error, resulting from graphics values being passed through different number system...
Crash with WebGL content using textImage2D — Mozilla
Mozilla community member Ms2ger found an image rendering issue with WebGL when texImage2D uses JSVAL_TO_OBJECT on arbitrary objects. This can lead to a crash on a maliciously crafted web page. While there is no evidence that this is directly exploitable, there is a possibility of remote code...
Miscellaneous memory safety hazards (rv:11.0/ rv:10.0.3 / rv:1.9.2.28) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Crash when accessing keyframe cssText after dynamic modification — Mozilla
Mozilla community member Daniel Glazman of Disruptive Innovations reported a crash when accessing a keyframe's cssText after dynamic modification. This crash may be potentially exploitable...
SVG issues found with Address Sanitizer — Mozilla
Security researcher Atte Kettunen from OUSPG found two issues with Firefox's handling of SVG using the Address Sanitizer tool. The first issue, critically rated, is a use-after-free in SVG animation that could potentially lead to arbitrary code execution. The second issue is rated moderate and is...
Use-after-free in shlwapi.dll — Mozilla
Security researchers Blair Strang and Scott Bell of Security Assessment found that when a parent window spawns and closes a child window that uses the file open dialog, a crash can be induced in shlwapi.dll on 32-bit Windows 7 systems. This crash may be potentially exploitable...
XSS with Drag and Drop and Javascript: URL — Mozilla
Firefox prevents the dropping of javascript: links onto a frame to prevent malicious sites from tricking users into performing a cross-site scripting (XSS) attack on themselves. Security researcher Soroush Dalili reported a way to bypass this protection...
Escalation of privilege with Javascript: URL as home page — Mozilla
Security researcher Mariusz Mlynski reported that an attacker able to convince a potential victim to set a new home page by dragging a link to the "home" button can set that user's home page to a javascript: URL. Once this is done the attacker's page can cause repeated crashes of the browser,...
window.fullScreen writeable by untrusted content — Mozilla
Mozilla developer Matt Brubeck reported that window.fullScreen is writeable by untrusted content now that the DOM fullscreen API is enabled. Because window.fullScreen does not include mozRequestFullscreen's security protections, it could be used for UI spoofing. This code change makes...