1574 matches found
Graphite 2 memory corruption — Mozilla
Using the Address Sanitizer tool, Mozilla security researcher Christoph Diehl discovered two memory corruption issues involving the Graphite 2 library used in Mozilla products. Both of these issues can cause a potentially exploitable crash. These problems were fixed in the Graphite 2 library, whi...
WebGL use-after-free and memory corruption — Mozilla
Security researcher miaubiz used the Address Sanitizer tool to discover two WebGL issues. The first issue is a use-after-free when WebGL shaders are called after being destroyed. The second issue exposes a problem with Mesa drivers on Linux, leading to a potentially exploitable crash...
Miscellaneous memory safety hazards (rv:15.0/ rv:10.0.7) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Insecure use of __android_log_print — Mozilla
Mozilla developer Blake Kaplan reported that androidlogprint is called insecurely in places. If a malicious web page used a dump statement with a specially crafted string, it can trigger a potentially exploitable crash...
Installer will launch incorrect executable following new installation — Mozilla
Security researcher Masato Kinugawa reported that if a crafted executable is placed in the root partition on a Windows file system, the Firefox and Thunderbird installer will launch this program after a standard installation instead of Firefox or Thunderbird, running this program with the user's...
HTTPMonitor extension allows for remote debugging without explicit activation — Mozilla
Mozilla security researcher Mark Goodwin discovered an issue with the Firefox developer tools' debugger. If remote debugging is disabled, but the experimental HTTPMonitor extension has been installed and enabled, a remote user can connect to and use the remote debugging service through the port...
Out-of-bounds read in format-number in XSLT — Mozilla
Security research Nicolas Grégoire used the Address Sanitizer tool to discover an out-of-bounds read in the format-number feature of XSLT, which can cause inaccurate formatting of numbers and information leakage. This is not directly exploitable...
Escalation of privilege through about:newtab — Mozilla
Security researcher Mariusz Mlynski reported that when a page opens a new tab, a subsequent window can then be opened that can be navigated to about:newtab, a chrome privileged page. Once about:newtab is loaded, the special context can potentially be used to escalate privilege, allowing for...
Location object can be shadowed using Object.defineProperty — Mozilla
Security researcher Mariusz Mlynski reported that it is possible to shadow the location object using Object.defineProperty. This could be used to confuse the current location to plugins, allowing for possible cross-site scripting XSS attacks...
Use-after-free issues found using Address Sanitizer — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team discovered a series of use-after-free issues using the Address Sanitizer tool. Many of these issues are potentially exploitable, allowing for remote code execution...
SVG buffer overflow and use-after-free issues — Mozilla
Security researcher Arthur Gerkis used the Address Sanitizer tool to find two issues involving Scalable Vector Graphics SVG files. The first issue is a buffer overflow in Gecko's SVG filter code when the sum of two values is too large to be stored as a signed 32-bit integer, causing the function ...
Memory corruption with bitmap format images with negative height — Mozilla
Security researcher Frédéric Hoguin reported two related issues with the decoding of bitmap .BMP format images embedded in icon .ICO format files. When processing a negative "height" header value for the bitmap image, a memory corruption can be induced, allowing an attacker to write random memory...
X-Frame-Options header ignored when duplicated — Mozilla
Bugzilla developer Frédéric Buclin reported that the "X-Frame-Options header is ignored when the value is duplicated, for example X-Frame-Options: SAMEORIGIN, SAMEORIGIN. This duplication occurs for unknown reasons on some websites and when it occurs results in Mozilla browsers not being protecte...
Out of bounds read in QCMS — Mozilla
Google developer Tony Payne reported an out of bounds OOB read in QCMS, Mozilla’s color management library. With a carefully crafted color profile portions of a user's memory could be incorporated into a transformed image and possibly deciphered...
JSDependentString::undepend string conversion results in memory corruption — Mozilla
Security researcher Bill Keese reported a memory corruption. This is caused by JSDependentString::undepend changing a dependent string into a fixed string when there are additional dependent strings relying on the same base. When the undepend occurs during conversion, the base data is freed,...
Same-compartment Security Wrappers can be bypassed — Mozilla
Mozilla developer Bobby Holley found that same-compartment security wrappers SCSW can be bypassed by passing them to another compartment. Cross-compartment wrappers often do not go through SCSW, but have a filtering policy built into them. When an object is wrapped cross-compartment, the SCSW is...
Improper filtering of javascript in HTML feed-view — Mozilla
Security researcher Mario Heiderich reported that javascript could be executed in the HTML feed-view using tag within the RSS . This problem is due to tags not being filtered out during parsing and can lead to a potential cross-site scripting XSS attack. The flaw existed in a parser utility class...
Gecko memory corruption — Mozilla
Google security researcher Abhishek Arya used the Address Sanitizer tool to uncover four issues: two use-after-free problems, one out of bounds read bug, and a bad cast. The first use-after-free problem is caused when an array of nsSMILTimeValueSpec objects is destroyed but attempts are made to...
XSS through data: URLs — Mozilla
Mozilla security researcher mozbugra4 reported a cross-site scripting XSS attack through the context menu using a data: URL. In this issue, context menu functionality "View Image", "Show only this frame", and "View background image" are disallowed in a javascript: URL but allowed in a data: URL,...
Code execution through javascript: URLs — Mozilla
Mozilla security researcher mozbugra4 reported a arbitrary code execution attack using a javascript: URL. The Gecko engine features a JavaScript sandbox utility that allows the browser or add-ons to safely execute script in the context of a web page. In certain cases, javascript: URLs are execute...
Content Security Policy 1.0 implementation errors cause data leakage — Mozilla
Security researcher Karthikeyan Bhargavan of Prosecco at INRIA reported Content Security Policy CSP 1.0 implementation errors. CSP violation reports generated by Firefox and sent to the "report-uri" location include sensitive data within the "blocked-uri" parameter. These include fragment...
feed: URLs with an innerURI inherit security context of page — Mozilla
Security researchers Mario Gomes and Soroush Dalili reported that since Mozilla allows the pseudo-protocol feed: to prefix any valid URL, it is possible to construct feed:javascript: URLs that will execute scripts in some contexts. On some sites it may be possible to use this to evade output...
use-after-free in nsGlobalWindow::PageHidden — Mozilla
Security researcher Arthur Gerkis used the Address Sanitizer tool to find a use-after-free in nsGlobalWindow::PageHidden when mFocusedContent is released and oldFocusedContent is used afterwards. This use-after-free could possibly allow for remote code execution...
Spoofing issue with location — Mozilla
Security researcher Mariusz Mlynski reported an issue with spoofing of the location property. In this issue, calls to history.forward and history.back are used to navigate to a site while displaying the previous site in the addressbar but changing the baseURI to the newer site. This can be used f...
Incorrect URL displayed in addressbar through drag and drop — Mozilla
Security researcher Mario Gomes andresearch firm Code Audit Labs reported a mechanism to short-circuit page loads through drag and drop to the addressbar by canceling the page load. This causes the address of the previously site entered to be displayed in the addressbar instead of the currently...
Miscellaneous memory safety hazards (rv:14.0/ rv:10.0.6) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Clickjacking of certificate warning page — Mozilla
Security Researcher Matt McCutchen reported that a clickjacking attack using the certificate warning page. A man-in-the-middle MITM attacker can use an iframe to display its own certificate error warning page about:certerror with the "Add Exception" button of a real warning page from a malicious...
Use-after-free in nsHTMLSelectElement — Mozilla
Security researcher regenrecht reported a flaw that affected Firefox versions 4 through 8 via TippingPoint's Zero Day Initiative. This flaw is a use-after-free in nsHTMLSelectElement when the parent node of the element is no longer active and could allow for possible remote code execution...
NSS parsing errors with zero length items — Mozilla
Security researcher Kaspar Brand found a flaw in how the Network Security Services NSS ASN.1 decoder handles zero length items. Effects of this issue depend on the field. One known symptom is an unexploitable crash in handling OCSP responses. NSS also mishandles zero-length basic constraints,...
Buffer overflow and use-after-free issues found using Address Sanitizer — Mozilla
Security researcher Abhishek Arya of Google used the Address Sanitizer tool to uncover several issues: two heap buffer overflow bugs and a use-after-free problem. The first heap buffer overflow was found in conversion from unicode to native character sets when the function fails. The use-after-fr...
Information disclosure though Windows file shares and shortcut files — Mozilla
Security researcher Paul Stone reported an attack where an HTML page hosted on a Windows share and then loaded could then load Windows shortcut files .lnk in the same share. These shortcut files could then link to arbitrary locations on the local file system of the individual loading the HTML pag...
Miscellaneous memory safety hazards (rv:13.0/ rv:10.0.5) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Use-after-free while replacing/inserting a node in a document — Mozilla
Security researcher Arthur Gerkis used the Address Sanitizer tool to find a use-after-free while replacing/inserting a node in a document. This use-after-free could possibly allow for remote code execution...
Content Security Policy inline-script bypass — Mozilla
Security researcher Adam Barth found that inline event handlers, such as onclick, were no longer blocked by Content Security Policy's CSP inline-script blocking feature. Web applications relying on this feature of CSP to protect against cross-site scripting XSS were not fully protected...
Privilege escalation through Mozilla Updater and Windows Updater Service — Mozilla
Security researcher James Forshaw of Context Information Security found two issues with the Mozilla updater and the Mozilla updater service introduced in Firefox 12 for Windows. The first issue allows Mozilla's updater to load a local DLL file in a privileged context. The updater can be called by...
Potential site identity spoofing when loading RSS and Atom feeds — Mozilla
Security researcher Jeroen van der Gun reported that if RSS or Atom XML invalid content is loaded over HTTPS, the addressbar updates to display the new location of the loaded resource, including SSL indicators, while the main window still displays the previously loaded content. This allows for...
Ambiguous IPv6 in Origin headers may bypass webserver access restrictions — Mozilla
Security researcher Simone Fabiano reported that if a cross-site XHR or WebSocket is opened on a web server on a non-standard port for web traffic while using an IPv6 address, the browser will send an ambiguous origin headers if the IPv6 address contains at least 2 consecutive 16-bit fields of...
Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues — Mozilla
Security researcher Masato Kinugawa found that during the decoding of ISO-2022-KR and ISO-2022-CN character sets, characters near 1024 bytes are treated incorrectly, either doubling or deleting bytes. On certain pages it might be possible for an attacker to pad the output of the page such that...
Page load short-circuit can lead to XSS — Mozilla
Security researchers Jordi Chancel and Eddy Bordi reported that they could short-circuit page loads to show the address of a different site than what is loaded in the window in the addressbar. Security researcher Chris McGowen independently reported the same flaw, and further demonstrated that th...
WebGL.drawElements may read illegal video memory due to FindMaxUshortElement error — Mozilla
Mozilla community member Matias Juntunen discovered an error in WebGLBuffer where FindMaxElementInSubArray receives wrong template arguments from FindMaxUshortElement. This bug causes maximum index to be computed incorrectly within WebGL.drawElements, allowing the reading of illegal video memory...
Potential XSS via multibyte content processing errors — Mozilla
Anne van Kesteren of Opera Software found a multi-octet encoding issue where certain octets will destroy the following octets in the processing of some multibyte character sets. This can leave users vulnerable to cross-site scripting XSS attacks on maliciously crafted web pages...
Potential memory corruption during font rendering using cairo-dwrite — Mozilla
Security research firm iDefense reported that researcher wushi of team509 discovered a memory corruption on Windows Vista and Windows 7 systems with hardware acceleration disabled or using incompatible video drivers. This is created by using cairo-dwrite to attempt to render fonts on an unsupport...
use-after-free in IDBKeyRange — Mozilla
Using the Address Sanitizer tool, security researcher Aki Helin from OUSPG found that IDBKeyRange of indexedDB remains in the XPConnect hashtable instead of being unlinked before being destroyed. When it is destroyed, this causes a use-after-free, which is potentially exploitable...
Invalid frees causes heap corruption in gfxImageSurface — Mozilla
Using the Address Sanitizer tool, security researcher Atte Kettunen from OUSPG found a heap corruption in gfxImageSurface which allows for invalid frees and possible remote code execution. This happens due to float error, resulting from graphics values being passed through different number system...
Miscellaneous memory safety hazards (rv:12.0/ rv:10.0.4) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Multiple security flaws fixed in FreeType v2.4.9 — Mozilla
Mateusz Jurczyk of the Google Security Team used the Address Sanitizer tool to discover a series of memory safety bugs in the FreeType library, some of which could cause memory corruption and exploitable crashes with certain fonts and font parsing. Firefox Mobile has been upgraded to FreeType...
HTTP Redirections and remote content can be read by javascript errors — Mozilla
Security researcher Daniel Divricean reported that a defect in the error handling of javascript errors can leak the file names and location of javascript files on a server, leading to inadvertent information disclosure and a vector for further attacks...
Crash with WebGL content using textImage2D — Mozilla
Mozilla community member Ms2ger found an image rendering issue with WebGL when texImage2D uses use JSVALTOOBJECT on arbitrary objects. This can lead to a crash on a maliciously crafted web page. While there is no evidence that this is directly exploitable, there is a possibility of remote code...
Off-by-one error in OpenType Sanitizer — Mozilla
Mateusz Jurczyk of the Google Security Team discovered an off-by-one error in the OpenType Sanitizer using the Address Sanitizer tool. This can lead to an out-of-bounds read and execution of an uninitialized function pointer during parsing and possible remote code execution...
Miscellaneous memory safety hazards (rv:11.0/ rv:10.0.3 / rv:1.9.2.28) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...