XSS using SJOW scripted function — Mozilla

Mozilla security researcher mozbugra4 reported that the wrapper class XPCSafeJSObjectWrapper SJOW on the Mozilla 1.9.1 development branch has a logical error in its scripted function implementation that allows the caller to run the function within the context of another site. This is a violation ...

UTF-7 XSS by overriding document charset using <object> type attribute — Mozilla

Security researchers David Huang and Collin Jackson of Carnegie Mellon University CyLab Silicon Valley campus reported that the type attribute of an tag can override the charset of a framed HTML document, even when the document is included across origins. A page could be constructed containing su...

Copy-and-paste or drag-and-drop into designMode document allows XSS — Mozilla

Security researcher Paul Stone reported that when an HTML selection containing JavaScript is copy-and-pasted or dropped onto a document with designMode enabled the JavaScript will be executed within the context of the site where the code was dropped. A malicious site could leverage this issue in ...

SJOW creates scope chains ending in outer object — Mozilla

Mozilla developer Blake Kaplan reported that the wrapper class XPCSafeJSObjectWrapper SJOW, a security wrapper that allows content-defined objects to be safely accessed by privileged code, creates scope chains ending in outer objects. Users of SJOWs which expect the scope chain to end on an inner...

Information leak via XMLHttpRequest statusText — Mozilla

Matt Haggard reported that the statusText property of an XMLHttpRequest object is readable by the requester even when the request is made across origins. This status information reveals the presence of a web server and could be used to gather information about servers on internal private networks...

Crash on Mac using fuzzed font in data: URL — Mozilla

Security researcher Marc Schoenefeld reported that a specially crafted font could be applied to a document and cause a crash on Mac systems. The crash showed signs of memory corruption and presumably could be used by an attacker to execute arbitrary code on a victim's computer...

Heap buffer overflow in nsTextFrameUtils::TransformText — Mozilla

Security researcher wushi of team509 reported a heap buffer overflow in code routines responsible for transforming text runs. A page could be constructed with a bidirectional text run which upon reflow could result in an incorrect length being calculated for the run of text. When this value is...

Remote code execution using malformed PNG image — Mozilla

OUSPG researcher Aki Helin reported a buffer overflow in Mozilla graphics code which consumes image data processed by libpng. A malformed PNG file could be created which would cause libpng to incorrectly report the size of the image to downstream consumers. When the dimensions of such images are...

Arbitrary code execution using SJOW and fast native function — Mozilla

Mozilla security researcher mozbugra4 reported that when content script which is running in a chrome context accesses a content object via SJOW, the content code can gain access to an object from the chrome scope and use that object to run arbitrary JavaScript with chrome privileges...

nsTreeSelection dangling pointer remote code execution vulnerability — Mozilla

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative an integer overflow vulnerability in the implementation of the XUL element's selection attribute. When the size of a new selection is sufficiently large the integer used in calculating the length of the selection can...

nsCSSValue::Array index integer overflow — Mozilla

Security researcher J23 reported via TippingPoint's Zero Day Initiative that an array class used to store CSS values contained an integer overflow vulnerability. The 16 bit integer value used in allocating the size of the array could overflow, resulting in too small a memory buffer being created...

Characters mapped to U+FFFD in 8 bit encodings cause subsequent character to vanish — Mozilla

Security researcher O. Andersen reported that undefined positions within various 8 bit character encodings are mapped to the sequence U+FFFD which when displayed causes the immediately following character to disappear from the text run. This could potentially contribute to XSS problems on sites...

Cross-origin data disclosure via Web Workers and importScripts — Mozilla

Security researcher Yosuke Hasegawa reported that the Web Worker method importScripts can read and parse resources from other domains even when the content is not valid JavaScript. This is a violation of the same-origin policy and could be used by an attacker to steal information from other sites...

Same-origin bypass using canvas context — Mozilla

Mozilla developer Vladimir Vukicevic reported that a canvas element can be used to read data from another site, violating the same-origin policy. The read restriction placed on a canvas element which has had cross-origin data rendered into it can be bypassed by retaining a reference to the canvas...

Multiple location bar spoofing vulnerabilities — Mozilla

Google security researcher Michal Zalewski reported two methods for spoofing the contents of the location bar. The first method works by opening a new window containing a resource that responds with an HTTP 204 no content and then using the reference to the new window to insert HTML content into...

Dangling pointer crash regression from plugin parameter array fix — Mozilla

Mozilla developer Daniel Holbert reported that the fix to the plugin parameter array crash that was fixed in Firefox 3.6.7 caused a crash showing signs of memory corruption. In certain circumstances, properties in the plugin instance's parameter array could be freed prematurely leaving a dangling...

Cross-domain data theft using CSS — Mozilla

Google security researcher Chris Evans reported that data can be read across domains by injecting bogus CSS selectors into a target site and then retrieving the data using JavaScript APIs. If an attacker can inject opening and closing portions of a CSS selector into points A and B of a target pag...

Cross-origin data leakage from script filename in error messages — Mozilla

Security researcher Soroush Dalili reported that potentially sensitive URL parameters could be leaked across domains upon script errors when the script filename and line number is included in the error message...

Plugin parameter EnsureCachedAttrParamArrays remote code execution vulnerability — Mozilla

Security researcher J23 reported via TippingPoint's Zero Day Initiative an error in the code used to store the names and values of plugin parameter elements. A malicious page could embed plugin content containing a very large number of parameter elements which would cause an overflow in the integ...

DOM attribute cloning remote code execution vulnerability — Mozilla

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative an error in the DOM attribute cloning routine where under certain circumstances an event attribute node can be deleted while another object still contains a reference to it. This reference could subsequently be accesse...

Miscellaneous memory safety hazards (rv:1.9.2.7/ 1.9.1.11) — Mozilla

Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...

Use-after-free error in NodeIterator — Mozilla

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative an error in Mozilla's implementation of NodeIterator in which a malicious NodeFilter could be created which would detach nodes from the DOM tree while it was being traversed. The use of a detached and subsequently...

Crashes with evidence of memory corruption (rv:1.9.2.4/ 1.9.1.10) — Mozilla

Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...

Freed object reuse across plugin instances — Mozilla

Microsoft Vulnerability Research reported that two plugin instances could interact in a way in which one plugin gets a reference to an object owned by a second plugin and continues to hold that reference after the second plugin is unloaded and its object is destroyed. In these cases, the first...

Integer Overflow in XSLT Node Sorting — Mozilla

Security researcher Martin Barbella reported via TippingPoint's Zero Day Initiative that an XSLT node sorting routine contained an integer overflow vulnerability. In cases where one of the nodes to be sorted contained a very large text value, the integer used to allocate a memory buffer to store...

Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal — Mozilla

Security researcher Nils of MWR InfoSecurity reported that the routine for setting the text value for certain types of DOM nodes contained an integer overflow vulnerability. When a very long string was passed to this routine, the integer value used in creating a new memory buffer to hold the stri...

Content-Disposition: attachment ignored if Content-Type: multipart also present — Mozilla

Security researcher Ilja van Sprundel of IOActive reported that the Content-Disposition: attachment HTTP header was ignored when Content-Type: multipart was also present. This issue could potentially lead to XSS problems in sites that allow users to upload arbitrary files and specify a Content-Ty...

focus() behavior can be used to inject or steal keystrokes — Mozilla

Google security researcher Michal Zalewski reported that focus could be used to change a user's cursor focus while they are typing, potentially directing their keyboard input to an unintended location. This behavior was also present across origins when content from one domain was embedded within...

Use-after-free error in nsCycleCollector::MarkRoots() — Mozilla

Security researcher wushi of team509 reported that the frame construction process for certain types of menus could result in a menu containing a pointer to a previously freed menu item. During the cycle collection process, this freed item could be accessed, resulting in the execution of a section...

User tracking across sites using Math.random() — Mozilla

Security researcher Amit Klein reported that it was possible to reverse engineer the value used to seed Math.random. Since the pseudo-random number generator was only seeded once per browsing session, this seed value could be used as a unique token to identify and track users across different web...

Re-use of freed object due to scope confusion — Mozilla

A memory corruption flaw leading to code execution was reported by security researcher Nils of MWR InfoSecurity during the 2010 Pwn2Own contest sponsored by TippingPoint's Zero Day Initiative. By moving DOM nodes between documents Nils found a case where the moved node incorrectly retained its ol...

XMLDocument::load() doesn't check nsIContentPolicy — Mozilla

Mozilla community member Wladimir Palant reported that XML documents were failing to call certain security checks when loading new content. This could result in certain resources being loaded that would otherwise violate security policies set by the browser or installed add-ons...

Arbitrary code execution with Firebug XMLHttpRequestSpy — Mozilla

Mozilla security researcher mozbugra4 reported that the XMLHttpRequestSpy module in the Firebug add-on was exposing an underlying chrome privilege escalation vulnerability. When the XMLHttpRequestSpy object was created, it would attach various properties of itself to objects defined in web conten...

Update NSS to support TLS renegotiation indication — Mozilla

Mozilla developers added support in the Network Security Services module for preventing a type of man-in-the-middle attack against TLS using forced renegotiation...

Image src redirect to mailto: URL opens email editor — Mozilla

phpBB developer Henry Sudhof reported that when an image tag points to a resource that redirects to a mailto: URL, the external mail handler application is launched. This issue poses no security threat to users but could create an annoyance when browsing a site that allows users to post arbitrary...

Dangling pointer vulnerability in nsTreeContentView — Mozilla

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative an error in the way elements are inserted into a XUL tree . In certain cases, the number of references to an element is under-counted so that when the element is deleted, a live pointer to its old location is kept arou...

Chrome privilege escalation via forced URL drag and drop — Mozilla

Security researcher Paul Stone reported that a browser applet could be used to turn a simple mouse click into a drag-and-drop action, potentially resulting in the unintended loading of resources in a user's browser. This behavior could be used twice in succession to first load a privileged chrome...

Dangling pointer vulnerability in nsPluginArray — Mozilla

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative an error in the implementation of the window.navigator.plugins object. When a page reloads, the plugins array would reallocate all of its members without checking for existing references to each member. This could resu...

Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.9/ 1.9.0.19) — Mozilla

Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...

Remote code execution with use-after-free in nsTreeSelection — Mozilla

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that a select event handler for XUL tree items could be called after the tree item was deleted. This results in the execution of previously freed memory which an attacker could use to crash a victim's browser and run...

Asynchronous Auth Prompt attaches to wrong window — Mozilla

Mozilla developer Justin Dolske reported that the new asynchronous Authorization Prompt HTTP username and password was not always attached to the correct window. Although we have not demonstrated this, it may be possible for a malicious page to convince a user to open a new tab or popup to a...

XSS via plugins and unprotected Location object — Mozilla

Mozilla developer Blake Kaplan reported that the window.location object was made a normal overridable JavaScript object in the Firefox 3.6 browser engine Gecko 1.9.2 because new mechanisms were developed to enforce the same-origin policy between windows and frames. This object is unfortunately al...

Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.8/ 1.9.0.18) — Mozilla

Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be...

Deleted frame reuse in multipart/x-mixed-replace image — Mozilla

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative a potential reuse of a deleted image frame in Firefox 3.6's handling of multipart/x-mixed-replace images. Although no exploit was shown, re-use of freed memory has led to exploitable vulnerabilities in the past...

XSS using addEventListener and setTimeout on a wrapped object — Mozilla

Mozilla security researcher mozbugra4 reports that by using an appropriately wrapped object it was possible to bypass the fix for MFSA 2007-19. Prior to Firefox 3.6 this gives an attacker the ability to perform cross-site scripting attacks against arbitrary sites as in the original MFSA 2007-19...

Content policy bypass with image preloading — Mozilla

Mozilla developer Josh Soref of Nokia reported that documents failed to call certain security checks when attempting to preload images. Although the image content is not available to the page, it is possible to specify protocols that are normally not allowed in a web page such as file:. This...

Browser chrome defacement via cached XUL stylesheets — Mozilla

Mozilla developer Wladimir Palant reported that stylesheets used in remote XUL documents can wind up in the XUL cache where it can later be accessed by browser chrome for use in styling the user interface. A malicious website could use this issue to pollute a user's XUL cache and change style...

WOFF heap corruption due to integer overflow — Mozilla

Security researcher Evgeny Legerov of Intevydis reported that the WOFF decoder contains an integer overflow in a font decompression routine. This flaw could result in too small a memory buffer being allocated to store a downloadable font. An attacker could use this vulnerability to crash a victim...

Scriptable plugin execution in SeaMonkey mail — Mozilla

Security researcher Georgi Guninski reported that scriptable plugin content, such as Flash objects, could be loaded and executed in SeaMonkey mail messages by embedding the content in an iframe inside the message. If a user were to reply to or forward such a message, malicious JavaScript embedded...

Fixes for potentially exploitable crashes ported to the legacy branch — Mozilla

Mozilla developers took fixes from previously fixed memory safety bugs in newer Mozilla-based products and ported them to the Mozilla 1.8.1 branch so they can be utilized by Thunderbird 2 and SeaMonkey 1.1...