1573 matches found
XSS encoding hazard with inline SVG — Mozilla
Security researcher Mario Heiderich reported that HTML-encoded entities were being improperly decoded when displayed inside SVG elements. This could lead to XSS attacks on sites relying on HTML encoding of user-supplied content...
Cookie isolation error — Mozilla
Mozilla security researcher David Chan reported that cookies set for example.com. note the trailing dot and example.com were treated as interchangeable. This is a violation of same-origin conventions and could potentially lead to leakage of cookie data to the wrong party...
Multiple WebGL crashes — Mozilla
Mozilla security researcher Christoph Diehl reported two crashes in WebGL code. One crash was the result of an out-of-bounds read and could be used to read data from other processes who had stored data in the GPU. The severity of this issue was determined to be high. The second crash was the resu...
Integer overflow and arbitrary code execution in Array.reduceRight() — Mozilla
Security researchers Chris Rohlf and Yan Ivnitskiy of Matasano Security reported that when a JavaScript Array object had its length set to an extremely large value, the iteration of array elements that occurs when its reduceRight method was subsequently called could result in the execution of...
Memory corruption due to multipart/x-mixed-replace images — Mozilla
Security researcher Jordi Chancel reported a crash on multipart/x-mixed-replace images due to memory corruption...
Use-after-free vulnerability when viewing XUL document with script disabled — Mozilla
Security researcher Martin Barbella reported that under certain conditions, viewing a XUL document while JavaScript was disabled caused deleted memory to be accessed. This flaw could potentially be used by an attacker to crash a victim's browser and run arbitrary code on their computer...
Miscellaneous memory safety hazards (rv:3.0/1.9.2.18) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Multiple dangling pointer vulnerabilities — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative two instances of code which modifies SVG element lists failed to account for changes made to the list by user-supplied callbacks before accessing list elements. If a user-supplied callback deleted such an object, the...
Multiple dangling pointer vulnerabilities — Mozilla
Security researcher regenrecht reported several dangling pointer vulnerabilities via TippingPoint's Zero Day Initiative...
Information stealing via form history — Mozilla
Security researcher Paul Stone reported that a Java applet could be used to mimic interaction with form autocomplete controls and steal entries from the form history...
Directory traversal in resource: protocol — Mozilla
Security researcher Soroush Dalili reported that the resource: protocol could be exploited to allow directory traversal on Windows and the potential loading of resources from non-permitted locations. The impact would depend on whether interesting files existed in predictable locations in a useful...
Miscellaneous memory safety hazards (rv:2.0.1/ 1.9.2.17/ 1.9.1.19) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
WebGLES vulnerabilities — Mozilla
Two crashes that could potentially be exploited to run malicious code were found in the WebGL feature and fixed in Firefox 4.0.1. In addition the WebGLES libraries could potentially be used to bypass a security feature of recent Windows versions. The WebGL feature was introduced in Firefox 4; old...
Escalation of privilege through Java Embedding Plugin — Mozilla
David Remahl of Apple Product Security reported that the Java Embedding Plugin JEP shipped with the Mac OS X versions of Firefox could be exploited to obtain elevated access to resources on a user's system...
XSLT generate-id() function heap address leak — Mozilla
Chris Evans of the Chrome Security Team reported that the XSLT generate-id function returned a string that revealed a specific valid address of an object on the memory heap. It is possible that in some cases this address would be valuable information that could be used by an attacker while...
Update to HTTPS certificate blacklist — Mozilla
Several invalid HTTPS certificates were placed on the certificate blacklist to prevent their misuse...
CSRF risk with plugins and 307 redirects — Mozilla
Independent security researcher Kuza55 and Microsoft security researcher Tom Gallagher reported that when plugin-initiated requests receive a 307 redirect response, the plugin is not notified and the request is forwarded to the new location. This is true even for cross-site redirects, so any cust...
Crash caused by corrupted JPEG image — Mozilla
Security researcher Jordi Chancel reported that a JPEG image could be constructed that would be decoded incorrectly, causing data to be written past the end of a buffer created to store the image. An attacker could potentially craft such an image that would cause malicious code to be stored in...
ParanoidFragmentSink allows javascript: URLs in chrome documents — Mozilla
Security researcher Roberto Suggi Liverani reported that ParanoidFragmentSink, a class used to sanitize potentially unsafe HTML for display, allows javascript: URLs and other inline JavaScript when the embedding document is a chrome document. While there are no unsafe uses of this class in any...
Miscellaneous memory safety hazards (rv:1.9.2.14/ 1.9.1.17) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Use-after-free error using Web Workers — Mozilla
Daniel Kozlowski reported that a JavaScript Worker could be used to keep a reference to an object that could be freed during garbage collection. Subsequent calls through this deleted reference could cause attacker-controlled memory to be executed on a victim's computer...
Memory corruption during text run construction (Windows) — Mozilla
Alex Miller reported that when very long strings were constructed and inserted into an HTML document, the browser would incorrectly construct the layout objects used to display the text. Under such conditions an incorrect length would be calculated for a text run resulting in too small of a memor...
Buffer overflow in JavaScript atom map — Mozilla
Security researcher Christian Holler reported that the JavaScript engine's internal mapping of string values contained an error in cases where the number of values being stored was above 64K. In such cases an offset pointer was manually moved forwards and backwards to access the larger address...
Use-after-free error in JSON.stringify — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that a method used by JSON.stringify contained a use-after-free error in which a currently in-use pointer was freed and subsequently dereferenced. This could lead to arbitrary code execution if an attacker was able to...
Buffer overflow in JavaScript upvarMap — Mozilla
Security researcher Christian Holler reported that the JavaScript engine's internal memory mapping of non-local JS variables contained a buffer overflow which could potentially be used by an attacker to run arbitrary code on a victim's computer...
Recursive eval call causes confirm dialogs to evaluate to true — Mozilla
Security researcher Zach Hoffman reported that a recursive call to eval wrapped in a try/catch statement places the browser into a inconsistent state. Any dialog box opened in this state is displayed without text and with non-functioning buttons. Closing the window causes the dialog to evaluate t...
Use-after-free error with nsDOMAttribute MutationObserver — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that a nsDOMAttribute node can be modified without informing the iterator object responsible for various DOM traversals. This flaw could lead to a inconsistent state where the iterator points to an object it believes i...
Chrome privilege escalation with window.open and <isindex> element — Mozilla
Security researcher echo reported that a web page could open a window with an about:blank location and then inject an element into that page which upon submission would redirect to a chrome: document. The effect of this defect was that the original page would wind up with a reference to a...
Buffer overflow while line breaking after document.write with long string — Mozilla
Dirk Heinrich reported that on Windows platforms when document.write was called with a very long string a buffer overflow was caused in line breaking routines attempting to process the string for display. Such cases triggered an invalid read past the end of an array causing a crash which an...
Java security bypass from LiveConnect loaded via data: URL meta refresh — Mozilla
Security researcher Gregory Fleischer reported that when a Java LiveConnect script was loaded via a data: URL which redirects via a meta refresh, then the resulting plugin object was created with the wrong security principal and thus received elevated privileges such as the abilities to read loca...
Miscellaneous memory safety hazards (rv:1.9.2.13/ 1.9.1.16) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Incomplete fix for CVE-2010-0179 — Mozilla
Mozilla security researcher mozbugra4 reported that the fix for CVE-2010-0179 could be circumvented permitting the execution of arbitrary JavaScript with chrome privileges...
XSS hazard in multiple character encodings — Mozilla
Security researchers Yosuke Hasegawa and Masatoshi Kimura reported that the x-mac-arabic, x-mac-farsi and x-mac-hebrew character encodings are vulnerable to XSS attacks due to some characters being converted to angle brackets when displayed by the rendering engine. Sites using these character...
Integer overflow vulnerability in NewIdArray — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that JavaScript arrays were vulnerable to an integer overflow vulnerability. The report demonstrated that an array could be constructed containing a very large number of items such that when memory was allocated to sto...
Location bar SSL spoofing using network error page — Mozilla
Google security researcher Michal Zalewski reported that when a window was opened to a site resulting in a network or certificate error page, the opening site could access the document inside the opened window and inject arbitrary content. An attacker could use this bug to spoof the location bar...
Crash and remote code execution using HTML tags inside a XUL tree — Mozilla
Security researcher wushi of team509 reported that when a XUL tree had an HTML element nested inside a element then code attempting to display content in the XUL tree would incorrectly treat the element as a parent node to tree content underneath it resulting in incorrect indexes being calculated...
Add support for OTS font sanitizer — Mozilla
Mozilla added the OTS font sanitizing library to prevent downloadable fonts from exposing vulnerabilities in the underlying OS font code. This library mitigates against several issues independently reported by Red Hat Security Response Team member Marc Schoenefeld and Mozilla security researcher...
Heap buffer overflow mixing document.write and DOM insertion — Mozilla
Morten Kråkvik of Telenor SOC reported an exploit targeting particular versions of Firefox 3.6 on Windows XP that Telenor found while investigating an intrusion attempt on a customer network. The underlying vulnerability, however, was present on both the Firefox 3.5 and Firefox 3.6 development...
XSS in gopher parser when parsing hrefs — Mozilla
Google security researcher Robert Swiecki reported that functions used by the Gopher parser to convert text to HTML tags could be exploited to turn text into executable JavaScript. If an attacker could create a file or directory on a Gopher server with the encoded script as part of its name the...
Cross-site information disclosure via modal calls — Mozilla
Security researcher Eduardo Vela Nava reported that if a web page opened a new window and used a javascript: URL to make a modal call, such as alert, then subsequently navigated the page to a different domain, once the modal call returned the opener of the window could get access to objects in th...
Insecure Diffie-Hellman key exchange — Mozilla
Mozilla cryptographer Nelson Bolyard reported that the SSL implementation was permitting servers to use Diffie-Hellman Ephemeral mode DHE with too short of a minimum key length. DHE keys of such lengths are trivially breakable on modern hardware so SSL servers operating in this mode were providin...
Dangling pointer vulnerability in LookupGetterOrSetter — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that when window.lookupGetter is called with no arguments the code assumes the top JavaScript stack value is a property name. Since there were no arguments passed into the function, the top value could represent...
Use-after-free error in nsBarProp — Mozilla
Security researcher Sergey Glazunov reported that it was possible to access the locationbar property of a window object after it had been closed. Since the closed window's memory could have been subsequently reused by the system it was possible that an attempt to access the locationbar property...
Buffer overflow and memory corruption using document.write — Mozilla
Security researcher Alexander Miller reported that passing an excessively long string to document.write could cause text rendering routines to end up in an inconsistent state with sections of stack memory being overwritten with the string data. An attacker could use this flaw to crash a victim's...
Miscellaneous memory safety hazards (rv:1.9.2.11/ 1.9.1.14) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
SSL wildcard certificate matching IP addresses — Mozilla
Security researcher Richard Moore reported that when an SSL certificate was created with a common name containing a wildcard followed by a partial IP address a valid SSL connection could be established with a server whose IP address matched the wildcard range by browsing directly to the IP addres...
Unsafe library loading vulnerabilities — Mozilla
Mozilla developer Ehsan Akhgari reported that a function used to load external libraries on Windows platforms was using a relative path to a DLL-loading application and was thus vulnerable to binary planting if an attacker was able to place an executable of the same name in the current working...
Miscellaneous memory safety hazards (rv:1.9.2.9/ 1.9.1.12) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Crash and remote code execution in normalizeDocument — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that code used to normalize a document contained a logical flaw that could be leveraged to run arbitrary code. When the normalization code ran, a static count of the document's child nodes was used in the traversal, so...
Windows XP DLL loading vulnerability — Mozilla
Security researcher Haifei Li of FortiGuard Labs reported that Firefox could be used to load a malicious code library that had been planted on a victim's computer. Firefox attempts to load dwmapi.dll upon startup as part of its platform detection, so on systems that don't have this library, such ...