window.fullScreen writeable by untrusted content — Mozilla
Mozilla developer Matt Brubeck reported that window.fullScreen is writeable by untrusted content now that the DOM fullscreen API is enabled. Because window.fullScreen does not include mozRequestFullscreen's security protections, it could be used for UI spoofing. This code change makes...
libpng integer overflow — Mozilla
An integer overflow in the libpng library can lead to a heap-buffer overflow when decompressing certain PNG images. This leads to a crash, which may be potentially exploitable...
use after free in nsXBLDocumentInfo::ReadPrototypeBindings — Mozilla
Mozilla developers Andrew McCreight and Olli Pettay found that ReadPrototypeBindings will leave a XBL binding in a hash table even when the function fails. If this occurs, when the cycle collector reads this hash table and attempts to do a virtual method on this binding a crash will occur. This...
Miscellaneous memory safety hazards (rv:10.0/ 1.9.2.26) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Firefox Recovery Key.html is saved with unsafe permission — Mozilla
magicant starmen reported that if a user chooses to export their Firefox Sync key the "Firefox Recovery Key.html" file is saved with incorrect permissions, making the file contents potentially readable by other users on Linux and OS X systems...
Crash with malformed embedded XSLT stylesheets — Mozilla
Security researchers Nicolas Grégoire and Aki Helin independently reported that when processing a malformed embedded XSLT stylesheet, Firefox can crash due to a memory corruption. While there is no evidence that this is directly exploitable, there is a possibility of remote code execution...
Frame scripts calling into untrusted objects bypass security checks — Mozilla
Mozilla security researcher mozbugra4 reported that frame scripts bypass XPConnect security checks when calling untrusted objects. This allows for cross-site scripting (XSS) attacks through web pages and Firefox extensions. The fix enables the Script Security Manager (SSM) to force security checks on...
Uninitialized memory appended when encoding icon images may cause information disclosure — Mozilla
Mozilla developer Tim Abraldes reported that when encoding images as image/vnd.microsoft.icon the resulting data was always a fixed size, with uninitialized memory appended as padding beyond the size of the actual image. This is the result of mImageBufferSize in the encoder being initialized with...
<iframe> element exposed across domains via name attribute — Mozilla
Vitaly Nevgen reported that an attacker could replace a sub-frame in another domain's document by using the name attribute of the sub-frame as a form submission target. This can potentially allow for phishing attacks against users and violates the HTML5 frame navigation policy...
Overly permissive IPv6 literal syntax — Mozilla
For historical reasons Firefox has been generous in its interpretation of web addresses containing square brackets around the host. If this host was not a valid IPv6 literal address, Firefox attempted to interpret the host as a regular domain name. Gregory Fleischer reported that requests made...
Potential Memory Corruption When Decoding Ogg Vorbis files — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative the possibility of memory corruption during the decoding of Ogg Vorbis files. This can cause a crash during decoding and has the potential for remote code execution...
Child nodes from nsDOMAttribute still accessible after removal of nodes — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that removed child nodes of nsDOMAttribute can be accessed under certain circumstances because of a premature notification of AttributeChildRemoved. This use-after-free of the child nodes could possibly allow for remot...
Miscellaneous memory safety hazards (rv:9.0) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Crash when plugin removes itself on Mac OS X — Mozilla
FireBreath developer Richard Bateman reported a crash on Mac OS X that occurred when a plugin deletes its containing DOM frame during a call from that frame. The observed symptom is a null dereference but we cannot rule out the possibility that content from a scriptable plugin such as Flash could...
nsSVGValue out-of-bounds access — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that a flaw in the Mozilla SVG implementation could result in an out-of-bounds memory access if SVG elements were removed during a DOMAttrModified event handler...
Potentially exploitable crash in the YARR regular expression library — Mozilla
Security researcher Aki Helin reported a crash in the YARR regular expression library that could be triggered by JavaScript in web content...
Crash scaling <video> to extreme sizes — Mozilla
sczimmer reported a crash when scaling an OGG <video> element to extreme sizes...
.jar not treated as executable in Firefox 3.6 on Mac — Mozilla
Part of the fix for MFSA 2011-40, reported by Mariusz Mlynski, was to treat .jar files as executables. This is necessary because Java treats downloaded .jar files as fully-featured "Applications" rather than restricting them to the limited privileges of in-browser "Applets". The fix taken in...
Key detection without JavaScript via SVG animation — Mozilla
Security researcher Mario Heiderich reported it was possible to use SVG animation accessKey events to detect key strokes even when JavaScript was disabled. Since web pages can normally detect key events through script and most users have scripting enabled this does not present a risk for most...
Cross-origin data theft using canvas and Windows D2D — Mozilla
Mozilla developer Bas Schouten reported that the introduction of the "Azure" graphics back-end on Windows in Firefox 7 re-introduced the cross-origin data theft issue reported by nasalislarvatus3000 as described in MFSA 2011-29...
Miscellaneous memory safety hazards (rv:8.0) — Mozilla
Mozilla developers fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run...
Memory corruption while profiling using Firebug — Mozilla
Marc Schoenefeld reported a crash when using Firebug to profile a JavaScript file with many functions. It may be possible to trigger this crash without the use of debugging APIs, and if so this could be exploitable...
Potential XSS against sites using Shift-JIS — Mozilla
Yosuke Hasegawa reported that the Mozilla browser engine mishandled invalid sequences in the Shift-JIS encoding. When encountering an invalid pair Mozilla would turn the entire two-byte sequence into a single unknown character rather than an unknown character followed by a valid single-byte...
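The security-relevant detail is how many bytes a decoder consumes when it meets a Shift-JIS lead byte followed by an invalid trail byte. If it swallows both bytes, a single attacker-supplied lead byte placed at the end of an attribute value makes the browser eat the server's own closing quote, even though the server escaped every quote in the attacker's input. The following is an added example, not Mozilla's code: a constructed toy decoder (ASCII and half-width katakana as single bytes, a two-entry table for double-byte characters, everything else valid rendered as U+3013) run in both the pre-fix and the corrected mode over a hypothetical server template, with a helper that checks whether an attribute name ends up outside any quoted value.

```javascript
// Added example, not Mozilla code: how the treatment of one invalid Shift-JIS
// byte pair decides whether an attacker can make a browser swallow a quote
// that the server emitted. The decoder is a constructed toy, not a full
// Shift-JIS implementation; only its handling of invalid pairs matters here.

const isLead = (b) => (b >= 0x81 && b <= 0x9f) || (b >= 0xe0 && b <= 0xfc);
const isTrail = (b) => (b >= 0x40 && b <= 0x7e) || (b >= 0x80 && b <= 0xfc);
const KNOWN_PAIRS = new Map([[0x82a0, '\u3042'], [0x82a2, '\u3044']]); // あ, い

// consumeTrailOnError=true reproduces the pre-fix behaviour the advisory
// describes: a bad pair becomes one U+FFFD and BOTH bytes are consumed.
// consumeTrailOnError=false is the corrected behaviour: only the lead byte
// becomes U+FFFD and the following byte is decoded on its own.
function decodeShiftJis(bytes, { consumeTrailOnError }) {
  let out = '';
  for (let i = 0; i < bytes.length; ) {
    const b = bytes[i];
    if (b < 0x80) { out += String.fromCharCode(b); i += 1; continue; }
    if (b >= 0xa1 && b <= 0xdf) { out += String.fromCharCode(0xff61 + (b - 0xa1)); i += 1; continue; }
    if (isLead(b) && i + 1 < bytes.length && isTrail(bytes[i + 1])) {
      out += KNOWN_PAIRS.get((b << 8) | bytes[i + 1]) || '\u3013';
      i += 2; continue;
    }
    out += '\uFFFD';
    i += (consumeTrailOnError && isLead(b) && i + 1 < bytes.length) ? 2 : 1;
  }
  return out;
}

// Hypothetical server-side template. It HTML-escapes the bytes it interpolates,
// so an attacker cannot inject a quote; it simply emits raw bytes into a page
// served as Shift-JIS.
function escapeBytes(buf) {
  const parts = [];
  for (const b of buf) {
    if (b === 0x22) parts.push(Buffer.from('&quot;', 'latin1'));
    else if (b === 0x26) parts.push(Buffer.from('&amp;', 'latin1'));
    else if (b === 0x3c) parts.push(Buffer.from('&lt;', 'latin1'));
    else if (b === 0x3e) parts.push(Buffer.from('&gt;', 'latin1'));
    else parts.push(Buffer.from([b]));
  }
  return Buffer.concat(parts);
}

function buildPage(valueBytes, nameBytes) {
  return Buffer.concat([
    Buffer.from('<input value="', 'latin1'), escapeBytes(valueBytes),
    Buffer.from('" name="', 'latin1'), escapeBytes(nameBytes),
    Buffer.from('">', 'latin1'),
  ]);
}

// True if `attr=` appears in a part of the markup that lies outside any
// double-quoted attribute value: after splitting on the quote character, the
// segments at even positions are outside quotes.
function hasUnquotedAttribute(markup, attr) {
  return markup.split('"').some((seg, i) => i % 2 === 0 && new RegExp('\\s' + attr + '=').test(seg));
}

// Constructed attacker input: a lone Shift-JIS lead byte in one field and an
// event handler in the next. Neither contains a quote, so escaping passes both.
const ATTACK_PAGE = buildPage(Buffer.from([0x81]), Buffer.from(' onmouseover=alert(1)', 'latin1'));

// Stand-alone demonstration.
for (const consumeTrailOnError of [true, false]) {
  const markup = decodeShiftJis(ATTACK_PAGE, { consumeTrailOnError });
  console.log(consumeTrailOnError ? 'pre-fix :' : 'fixed   :', JSON.stringify(markup),
              'handler injected:', hasUnquotedAttribute(markup, 'onmouseover'));
}
```

In the pre-fix mode the decoded markup reads `<input value="\uFFFD name=" onmouseover=alert(1)">`: the quote closing `value` is gone, the quote opening `name` now closes it, and the second field's content is parsed as a bare event-handler attribute. In the corrected mode the lead byte alone becomes U+FFFD and the closing quote survives, so the same bytes stay inside a quoted value. The general lesson holds for any multi-byte encoding: output escaping is only as good as the decoder's agreement on where characters start and end.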
loadSubScript unwraps XPCNativeWrapper scope parameter (1.9.2 branch) — Mozilla
Mozilla security researcher mozbugra4 reported that the problem described in MFSA 2011-43 and fixed in Firefox 7 also affected Firefox 3.6: a malicious page could potentially exploit a Firefox user who had installed an add-on that used loadSubscript in vulnerable ways...
Code execution via NoWaiverWrapper — Mozilla
Mozilla security researcher mozbugra4 reported that an internal privilege check failed to respect the NoWaiverWrappers introduced with Firefox 4. This could result in elevated privilege being granted to web content...
Cross-origin image theft on Mac with integrated Intel GPU — Mozilla
Claus Wahlers reported that random images from GPU memory were showing up in WebGL textures. Once incorporated into the WebGL graphics it is possible for a site to programmatically read the image data and potentially gain sensitive data from other things that had been displayed earlier. This...
Miscellaneous memory safety hazards (rv:7.0 / rv:1.9.2.23) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
loadSubScript unwraps XPCNativeWrapper scope parameter — Mozilla
David Rees reported that the JSSubScriptLoader, a feature used by some add-ons, was "unwrapping" XPCNativeWrappers when they were used as the scope parameter to loadSubScript. Without the protection of the wrappers the add-on could be vulnerable to privilege escalation attacks from malicious web...
Integer underflow when using JavaScript RegExp — Mozilla
Mark Kaplan reported a potentially exploitable crash due to integer underflow when using a large JavaScript RegExp expression. We would also like to thank Mark for contributing the fix for this problem...
XSS via plugins and shadowed window.location object — Mozilla
Mozilla developer Boris Zbarsky reported that a frame named "location" could shadow the window.location object unless a script in a page grabbed a reference to the true object before the frame was created. Because some plugins use the value of window.location to determine the page origin this cou...
Potentially exploitable crash in the YARR regular expression library — Mozilla
Security researcher Aki Helin reported a potentially exploitable crash in the YARR regular expression library used by JavaScript...
Potentially exploitable WebGL crashes — Mozilla
Michael Jordon of Context IS reported that in the ANGLE library used by WebGL the return value from GrowAtomTable was not checked for errors. If an attacker could cause requests that exceeded the available memory those would fail and potentially lead to a buffer overrun as subsequent code wrote...
Defense against multiple Location headers due to CRLF Injection — Mozilla
Ian Graham of Citrix Online reported that when multiple Location headers were present in a redirect response Mozilla behavior differed from other browsers: Mozilla would use the second Location header while Chrome and Internet Explorer would use the first. Two copies of this header with different...
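A duplicate Location header is what a CRLF injection into a redirect endpoint produces, and the advisory's point is that clients disagreed about which copy to honour. The following is an added example, not Mozilla's code: a hypothetical redirect builder with and without CR/LF rejection, a minimal response-head parser that keeps duplicate headers, and a `redirectTarget` function exposing the three client policies the text implies (first copy as Chrome and Internet Explorer did, second/last copy as Mozilla did, or refusing an ambiguous redirect). Header values and hostnames are constructed for the example.

```javascript
// Added example, not Mozilla code: a CRLF injection that yields two Location
// headers, and three client-side policies for choosing the redirect target.
// Server functions, hostnames and the injected value are hypothetical.
const CRLF = '\r\n';

// Hypothetical redirect endpoint that concatenates user input into a header
// without rejecting CR/LF. This is the bug that produces the duplicate header.
function vulnerableRedirectHead(target) {
  return ['HTTP/1.1 302 Found',
          'Location: https://app.example/' + target,
          'Content-Length: 0'].join(CRLF) + CRLF + CRLF;
}

// Fixed version: a header value may not contain CR or LF at all.
function safeRedirectHead(target) {
  if (/[\r\n]/.test(target)) throw new Error('CR/LF in header value');
  return vulnerableRedirectHead(target);
}

// Minimal parser for a response head. Header names are lower-cased and kept in
// order; duplicates are preserved rather than merged so a policy can see them.
function parseHead(raw) {
  const end = raw.indexOf(CRLF + CRLF);
  const head = end >= 0 ? raw.slice(0, end) : raw;
  const [statusLine, ...lines] = head.split(CRLF);
  const headers = [];
  for (const line of lines) {
    const colon = line.indexOf(':');
    if (colon <= 0) continue;   // skip malformed lines
    headers.push([line.slice(0, colon).trim().toLowerCase(), line.slice(colon + 1).trim()]);
  }
  return { statusLine, headers };
}

// Decide where a redirect goes. 'first' and 'last' are the two behaviours the
// advisory contrasts (Chrome and IE took the first copy; Mozilla took the
// second, which with two copies is the last). 'reject' refuses to follow a
// response whose Location is ambiguous, which is the defensive choice.
function redirectTarget(raw, policy) {
  const locations = parseHead(raw).headers
    .filter(([name]) => name === 'location')
    .map(([, value]) => value);
  if (locations.length === 0) return null;
  if (policy === 'first') return locations[0];
  if (policy === 'last') return locations[locations.length - 1];
  if (policy === 'reject') return locations.length === 1 ? locations[0] : null;
  throw new Error('unknown policy ' + policy);
}

// Constructed malicious input: the second line is smuggled through the
// vulnerable endpoint as a complete extra header.
const INJECTED = 'dashboard' + CRLF + 'Location: https://attacker.example/phish';

// Stand-alone demonstration.
const tainted = vulnerableRedirectHead(INJECTED);
for (const policy of ['first', 'last', 'reject']) {
  console.log(policy.padEnd(6), '->', redirectTarget(tainted, policy));
}
```

The server-side fix (rejecting CR and LF in header values) removes the injection; the client-side policy is defence in depth for responses from servers that have not been fixed, and rejecting the ambiguous response is the only policy that does not leave the outcome to which browser the victim happens to use.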
Code installation through holding down Enter — Mozilla
Mariusz Mlynski reported that if you could convince a user to hold down the Enter key--as part of a game or test, perhaps--a malicious page could pop up a download dialog where the held key would then activate the default Open action. For some file types this would be merely annoying the equivale...
Inferring keystrokes from motion data — Mozilla
University of California, Davis researchers Liang Cai and Hao Chen presented a paper at the 2011 USENIX HotSec workshop on inferring keystrokes from device motion data on mobile devices. Web pages can now receive data similar to the apps studied in that paper and likely present a similar risk. We...
Use after free reading OGG headers — Mozilla
sczimmer reported that Firefox crashed when loading a particular .ogg file. This was due to a use-after-free condition and could potentially be exploited to install malware...
Additional protection against fraudulent DigiNotar certificates — Mozilla
As more information has come to light about the attack on the DigiNotar Certificate Authority we have improved the protections added in MFSA 2011-34. The main change is to add explicit distrust to the DigiNotar root certificate and several intermediates. Removing the root as in our...
Protection against fraudulent DigiNotar certificates — Mozilla
Google Chrome user alibo encountered an active "man in the middle" (MITM) attack on secure SSL connections to Google servers. The fraudulent certificate was mis-issued by DigiNotar, a Dutch Certificate Authority. DigiNotar has reported evidence that other fraudulent certificates were...
Security issues addressed in Thunderbird 6 — Mozilla
Many of the issues listed below are not exploitable through mail since JavaScript is disabled by default in Thunderbird. These particular issues may be triggered while viewing RSS feeds and displaying full remote content rather than the feed summary. Addons that expose browser functionality may...
Security issues addressed in Firefox 6 — Mozilla
Miscellaneous memory safety hazards (rv:4.0). Impact: Critical. Mozilla identified and fixed several memory safety bugs in the browser engine used in Firefox 4, Firefox 5 and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances...
Security issues addressed in Thunderbird 3.1.12 — Mozilla
Many of the issues listed below are not exploitable through mail since JavaScript is disabled by default in Thunderbird. These particular issues may be triggered while viewing RSS feeds and displaying full remote content rather than the feed summary. Addons that expose browser functionality may...
Security issues addressed in SeaMonkey 2.3 — Mozilla
Miscellaneous memory safety hazards (rv:4.0). Impact: Critical. Mozilla identified and fixed several memory safety bugs in the browser engine used in SeaMonkey 2.2 and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and w...
Security issues addressed in Firefox 3.6.20 — Mozilla
Miscellaneous memory safety hazards (rv:1.9.2.20). Impact: Critical. Mozilla developers and community members identified and fixed several memory safety bugs in the browser engine used in Firefox 3.6 and other Mozilla-based products. Some of these bugs showed evidence of memory corruptio...
Miscellaneous memory safety hazards (rv:3.0/1.9.2.18) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Integer overflow and arbitrary code execution in Array.reduceRight() — Mozilla
Security researchers Chris Rohlf and Yan Ivnitskiy of Matasano Security reported that when a JavaScript Array object had its length set to an extremely large value, the iteration of array elements that occurs when its reduceRight method was subsequently called could result in the execution of...
Multiple WebGL crashes — Mozilla
Mozilla security researcher Christoph Diehl reported two crashes in WebGL code. One crash was the result of an out-of-bounds read and could be used to read data from other processes that had stored data in the GPU. The severity of this issue was determined to be high. The second crash was the resu...
Stealing of cross-domain images using WebGL textures — Mozilla
Security research firm Context IS discovered that an image from a different domain could be loaded into a WebGL texture, and then each pixel could be rendered into a canvas element with a shader program, creating an approximation of the image in a form that was readable by the creator of the WebG...
Cookie isolation error — Mozilla
Mozilla security researcher David Chan reported that cookies set for example.com. (note the trailing dot) and example.com were treated as interchangeable. This is a violation of same-origin conventions and could potentially lead to leakage of cookie data to the wrong party...
Memory corruption due to multipart/x-mixed-replace images — Mozilla
Security researcher Jordi Chancel reported a crash on multipart/x-mixed-replace images due to memory corruption...
Multiple dangling pointer vulnerabilities — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative two instances in which code that modifies SVG element lists failed to account for changes made to the list by user-supplied callbacks before accessing list elements. If a user-supplied callback deleted such an object, the...