Crashes with evidence of memory corruption (rv:1.9.0.11) — Mozilla

Mozilla developers and community members identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some ...

Crash in nsTextFrame::ClearTextRun() — Mozilla

One of the security fixes in Firefox 3.0.9 introduced a regression that caused some users to experience frequent crashes. Users of the HTML Validator add-on were particularly affected, but other users also experienced this crash in some situations. In analyzing this crash we discovered that it wa...

jar: scheme ignores the content-disposition: header on the inner URI — Mozilla

Mozilla developer Daniel Veditz reported that when the jar: scheme is used to wrap a URI which serves the content with Content-Disposition: attachment, the HTTP header is ignored and the content is unpacked and displayed inline. A site may depend on this HTTP header to prevent potentially untrust...

Malicious search plugins can inject code into arbitrary sites — Mozilla

Security researcher Prateek Saxena reported that a malicious MozSearch plugin could be created using a javascript: URI in the SearchForm value. This URI is used as the default landing page when an empty search is performed. If an attacker could get a user to install the malicious plugin and perfo...

Same-origin violations when Adobe Flash loaded via view-source: scheme — Mozilla

Security researcher Gregory Fleischer reported that when an Adobe Flash file is loaded via the view-source: scheme, the Flash plugin misinterprets the origin of the content as localhost, leading to two specific vulnerabilities:...

XSS hazard using third-party stylesheets and XBL bindings — Mozilla

Web developer Cefn Hoile reported that sites which allow users to embed third-party stylesheets are vulnerable to script injection attacks using XBL bindings. While this behavior was documented previously, it was determined that this particular risk was not well-understood by some websites. To...

POST data sent to wrong site when saving web page with embedded frame — Mozilla

Developer and Mozilla community member Paolo Amadini reported that when saving the inner frame of a web page as a file when the outer page has POST data associated with it, the POST data will be incorrectly sent to the URL of the inner frame. This could potentially result in a user's sensitive da...

URL spoofing with box drawing character — Mozilla

Bjoern Hoehrmann and security researcher Moxie Marlinspike independently reported that Unicode box drawing characters were allowed in Internationalized Domain Names IDN where they could be visually confused with punctuation used in valid web addresses. This could be combined with a phishing-type...

Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString — Mozilla

Mozilla security researcher mozbugra4 reported that it is possible to create a document whose URI does not match the document's principal using XMLHttpRequest. This type of mismatch leads to incorrect results in principal-based security checks. An attacker could use this vulnerability to execute...

Crashes with evidence of memory corruption (rv:1.9.0.9) — Mozilla

Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be...

Firefox allows Refresh header to redirect to javascript: URIs — Mozilla

Mozilla community member Michael reported that when a server responds with a Refresh header containing a javascript: URI, Firefox will redirect to the javascript: URI. If an attacker could inject a Refresh header into a server response, or could control the value that a site places in the Refresh...

XSL Transformation vulnerability — Mozilla

Security researcher Guido Landi discovered that a XSL stylesheet could be used to crash the browser during a XSL transformation. An attacker could potentially use this crash to run arbitrary code on a victim's computer...

Arbitrary code execution via XUL tree element — Mozilla

Security researcher Nils reported via TippingPoint's Zero Day Initiative that the XUL tree method moveToEdgeShift was in some cases triggering garbage collection routines on objects which were still in use. In such cases, the browser would crash when attempting to access a previously destroyed...

XML data theft via RDFXMLDataSource and cross-domain redirect — Mozilla

Mozilla security researcher Georgi Guninski reported that a website could use nsIRDFService and a cross-domain redirect to steal arbitrary XML data from another domain, a violation of the same-origin policy. This vulnerability could be used by a malicious website to steal private data from users...

URL spoofing with invisible control characters — Mozilla

Mozilla contributor Masahiro Yamada reported that certain invisible control characters were being decoded when displayed in the location bar, resulting in fewer visible characters than were present in the actual location. An attacker could use this vulnerability to spoof the location bar and...

Crashes with evidence of memory corruption (rv:1.9.0.7) — Mozilla

Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be...

Mozilla Firefox XUL Linked Clones Double Free Vulnerability — Mozilla

An anonymous researcher, via TippingPoint's Zero Day Initiative program, reported a vulnerability in Mozilla's garbage collection process. The vulnerability was caused by improper memory management of a set of cloned XUL DOM elements which were linked as a parent and child. After reloading the...

Upgrade PNG library to fix memory safety hazards — Mozilla

Google security researcher Tavis Ormandy reported several memory safety hazards to the libpng project, an external library used by Mozilla to render PNG images. These vulnerabilities could be used by a malicious website to crash a victim's browser and potentially execute arbitrary code on their...

Crashes with evidence of memory corruption (rv:1.9.0.6) — Mozilla

Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be...

Chrome privilege escalation via local .desktop files — Mozilla

Mozilla security researcher Georgi Guninski reported that the fix for an earlier vulnerability reported by Liu Die Yu using local internet shortcut files to access other sites MFSA 2008-47 could be bypassed by redirecting to a privileged about: URI such as about:plugins. If an attacker could get ...

Local file stealing with SessionStore — Mozilla

Mozilla security researcher mozbugra4 reported that a form input control's type could be changed during the restoration of a closed tab. An attacker could set an input control's text value to the path of a local file whose location was known to the attacker. If the tab was then closed and the...

XMLHttpRequest allows reading HTTPOnly cookies — Mozilla

Developer and Mozilla community member Wladimir Palant reported that cookies marked HTTPOnly were readable by JavaScript via the XMLHttpRequest.getResponseHeader and XMLHttpRequest.getAllResponseHeaders APIs. This vulnerability bypasses the security mechanism provided by the HTTPOnly flag which...

Directives to not cache pages ignored — Mozilla

Paul Nel reported that certain HTTP directives to not cache web pages, Cache-Control: no-store and Cache-Control: no-cache for HTTPS pages, were being ignored by Firefox 3. On a shared system, applications relying upon these HTTP directives could potentially expose private data. Another user on t...

XSS using a chrome XBL method and window.eval — Mozilla

Mozilla security researcher mozbugra4 reported that a chrome XBL method can be used in conjunction with window.eval to execute arbitrary JavaScript within the context of another website, violating the same origin policy...

User tracking via XUL persist attribute — Mozilla

Security researcher Hish reported that the persist attribute in XUL elements can be used to store cookie-like information on a user's computer which could later be read by a website. This creates a privacy issue for users who have a non-standard cookie preference and wish to prevent sites from...

Additional XSS attack vectors in feed preview — Mozilla

Mozilla security researcher mozbugra4 reported an additional variation on the feed preview vulnerabilities fixed in Firefox 2.0.0.17. mozbugra4 demonstrated that it was still possible to use the feed preview as a vector for JavaScript privilege escalation. An attacker could use this issue to run...

Information stealing via loadBindingDocument — Mozilla

Mozilla developer Boris Zbarsky reported that XBL bindings could be used to read data from other domains, a violation of the same-origin policy. The severity of this issue was determined to be moderate due to several mitigating factors:...

Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19) — Mozilla

Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be...

XSS vulnerabilities in SessionStore — Mozilla

Mozilla security researcher mozbugra4 reported vulnerabilities in the session-restore feature by which content could be injected into an incorrect document storage location, including storage locations for other domains. An attacker could utilize these issues to violate the browser's same-origin...

Escaped null characters ignored by CSS parser — Mozilla

Kojima Hajime reported that unlike literal null characters which were handled correctly, the escaped form '\0' was ignored by the CSS parser and treated as if it was not present in the CSS input string. This issue could potentially be used to bypass script sanitization routines in web application...

Errors parsing URLs with leading whitespace and control characters — Mozilla

Perl developer Chip Salzenberg reported that certain control characters, when placed at the beginning of a URL, would lead to incorrect parsing resulting in a malformed URL being output by the parser. IBM researchers Justin Schuh, Tom Cross, and Peter William also reported a related symptom as pa...

Cross-domain data theft via script redirect error message — Mozilla

Google security researcher Chris Evans reported that a website could access a limited amount of data from a different domain by loading a same-domain JavaScript URL which redirects to an off-domain target resource containing data which is not parsable as JavaScript. Upon attempting to load the da...

XSS and JavaScript privilege escalation — Mozilla

Mozilla security researcher mozbugra4 reported that an XBL binding, when attached to an unloaded document, can be used to violate the same-origin policy and execute arbitrary JavaScript within the context of a different website...

XMLHttpRequest 302 response disclosure — Mozilla

Marius Schilder of Google Security reported that when a XMLHttpRequest is made to a same-origin resource which 302 redirects to a resource in a different domain, the response from the cross-domain resource is readable by the site issuing the XHR. Cookies marked HttpOnly were not readable, but oth...

Script access to .documentURI and .textContent in mail — Mozilla

Mozilla developer Boris Zbarsky reported that a malicious mail message might be able to glean personal information about the recipient from the mailbox URI such as computer account name if the mail recipient has enabled JavaScript in mail. If a malicious mail is forwarded "in-line" to a recipient...

Crash and remote code execution in nsFrameManager — Mozilla

ling and wushi of team509, via TippingPoint's Zero Day Initiative program, reported a flaw in part of Mozilla's DOM constructing code. This vulnerability can be exploited by modifying certain properties of a file input element before it has finished initializing. When the blur method of the...

nsXMLHttpRequest::NotifyEventListeners() same-origin violation — Mozilla

Mozilla security researcher mozbugra4 reported that the same-origin check in nsXMLHttpRequest::NotifyEventListeners could be bypassed. This vulnerability could be used to execute JavaScript in the context of a different website...

Parsing error in E4X default namespace — Mozilla

Security researcher Chris Evans reported an error in the method used to parse the default namespace in an E4X document. The error was caused by quote characters in the namespace not being properly escaped. The severity of this issue was determined to be low...

Crashes with evidence of memory corruption (rv:1.9.0.4/1.8.1.18) — Mozilla

Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be...

Crash and remote code execution via __proto__ tampering — Mozilla

Mozilla developer Jesse Ruderman demonstrated that by tampering with the window.proto.proto object, one can cause the browser to place a lock on a non-native object, leading to a crash. Although we have not demonstrated such control, a determined attacker might be able to exploit this crash to ru...

XSS and JavaScript privilege escalation via session restore — Mozilla

Security researcher David Bloom reported that the browser's session restore feature can be used to violate the same-origin policy and run JavaScript in the context of another site. Any otherwise unexploitable crash can be used to force the user into the session restore state...

-moz-binding property bypasses security checks on codebase principals — Mozilla

Security researcher Collin Jackson reported that the -moz-binding CSS property can be used to bypass security checks which validate codebase principals. Similar to the issue reported in MFSA 2008-23, Jackson demonstrated that an attacker can replace a stylesheet in a signed JAR which uses relativ...

Arbitrary code execution via Flash Player dynamic module unloading — Mozilla

An anonymous security researcher reported via TippingPoint's Zero Day Initiative that insufficient checks were being performed to test whether the Flash module was properly dynamically unloaded. The researcher demonstrated that a SWF file which dynamically unloads itself from an outside JavaScrip...

Image stealing via canvas and HTTP redirect — Mozilla

Mozilla developer Georgi Guninski reported that the canvas element could be used in conjunction with an HTTP redirect to bypass same-origin restrictions and gain access to the content in arbitrary images from other domains. This vulnerability could be used by an attacker to steal private...

Information stealing via local shortcut files — Mozilla

Security researcher Liu Die Yu of TopsecTianRongXin reported that locally saved .url shortcut files could be used to read information stored in the local cache. An attacker could use this vulnerability to steal information from a victim's browser cache if they were able to get the victim to...

Buffer overflow in http-index-format parser — Mozilla

Justin Schuh of the IBM X-Force reported a flaw in the way Mozilla parses the http-index-format MIME type. By sending a specially crafted 200 header line in the HTTP index response, an attacker can cause the browser to crash and run arbitrary code on the victim's computer...

file: URIs inherit chrome privileges when opened from chrome — Mozilla

Security researcher Luke Bryan reported that file: URIs are given chrome privileges when opened in the same tab as a chrome page or privileged about: page. This vulnerability could be used by an attacker to run arbitrary JavaScript with chrome privileges. The severity of this issue was determined...

Heap overflow when canceling newsgroup message — Mozilla

Georgi Guninski reported a buffer overflow in the handling of cancelled newsgroup messages. The error was caused by too small a heap buffer being allocated to store message header information. This buffer could be overrun by an attacker using a specially crafted message which could crash the mail...

Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17) — Mozilla

Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be...

resource: traversal vulnerabilities — Mozilla

Mozilla developer Boris Zbarsky reported that the resource: protocol allowed directory traversal on Linux when using URL-encoded slashes...