URIs with invalid %-encoding mishandled by Windows — Mozilla
On Windows XP with Internet Explorer 7 installed several "web related" URI schemes do not launch the registered protocol-handler if the URI contains an invalid %-encoded sequence. This was initially reported by Billy Rios and Nate McFeters with additional investigation by Secunia. A patch that...
onUnload Tailgating — Mozilla
Michal Zalewski demonstrated that onUnload event handlers had access to the address of the new page about to be loaded, even if the navigation was triggered from outside the page content such as by using a bookmark, pressing the back button, or typing an address into the location bar. If the...
XPCNativeWrapper pollution using Script object — Mozilla
Mozilla security researcher mozbugra4 reported that it was possible to use the Script object to modify XPCNativeWrappers in such a way that subsequent access by the browser chrome--such as by right-clicking to open a context menu--can cause attacker-supplied javascript to run with the same...
XUL pages can hide the window titlebar — Mozilla
Mozilla developer Eli Friedman discovered that web pages written in the XUL markup language rather than the usual HTML can hide their window's titlebar. It may have been possible to abuse this ability to create more convincing spoof and phishing pages...
File input focus stealing vulnerability — Mozilla
A user on the Sla.ckers.org forums named hong reported that a file upload control could be filled programmatically by switching page focus to the label before a file upload form control for selected keyboard events. An attacker could use this trick to steal files from the user's computer if the...
Code execution via QuickTime Media-link files — Mozilla
On his blog Petko D. Petkov reported that QuickTime Media-Link files contain a qtnext attribute that could be used on Windows systems to launch the default browser with arbitrary command-line options. When the default browser is Firefox 2.0.0.6 or earlier use of the -chrome option allowed a remot...
Privilege escalation through chrome-loaded about:blank windows — Mozilla
Mozilla researcher mozbugra4 reported that a flaw was introduced by the fix for MFSA 2007-20 that could enable privilege escalation attacks against addons that create "about:blank" windows and populate them in certain ways including implicit "about:blank" document creation through data: or...
Unescaped URIs passed to external programs — Mozilla
Jesper Johansson pointed out that Mozilla did not percent-encode spaces and double-quotes in URIs handed off to external programs for handling, which can cause the receiving program to mistakenly interpret a single URI as multiple arguments. The danger depends on the arguments supported by the...
XPCNativeWrapper pollution — Mozilla
Mozilla security researchers shutdown and mozbugra4 reported two separate ways to modify an XPCNativeWrapper such that subsequent access by the browser would result in executing user-supplied code...
Frame spoofing while window is loading — Mozilla
Ronen Zilberman and Michal Zalewski both reported that it was possible to exploit a timing issue to inject content into about:blank frames in a page. When opening a window from a script, it is possible to spoof the content of the newly opened window's frames within a short time frame, while the...
Remote code execution by launching Firefox from Internet Explorer — Mozilla
Internet Explorer calls registered URL protocols without escaping quotes and may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol...
XSS using addEventListener and setTimeout — Mozilla
Mozilla contributor mozbugra4 demonstrated that the methods addEventListener and setTimeout could be used to inject script into another site in violation of the browser's same-origin policy. This could be used to access or modify private or valuable information from that other site...
Unauthorized access to wyciwyg:// documents — Mozilla
Michal Zalewski reported that it was possible to bypass the same-origin checks and read from cached wyciwyg documents. It is possible to access wyciwyg:// documents without proper same domain policy checks through the use of HTTP 302 redirects. This enables the attacker to steal sensitive data...
File type confusion due to %00 in name — Mozilla
Ronald van den Heetkamp reported that a filename URL containing %00 encoded null can cause Firefox to interpret the file extension differently than the underlying Windows operating system potentially leading to unsafe actions such as running a program. This is only accessible locally...
Privilege escalation using an event handler attached to an element not in the document — Mozilla
An attacker can use an element outside of a document to call an event handler allowing content to run arbitrary code with chrome privileges...
Crashes with evidence of memory corruption (rv:1.8.1.5) — Mozilla
As part of the Firefox 2.0.0.5 update releases Mozilla developers fixed many bugs to improve the stability of the product. Some of these were crashes that showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited t...
XSS using addEventListener — Mozilla
Mozilla contributor mozbugra4 demonstrated that the addEventListener method could be used to inject script into another site in violation of the browser's same-origin policy. This could be used to access or modify private or valuable information from that other site...
XUL Popup Spoofing — Mozilla
Chris Thomas demonstrated that XUL popups opened by web content could be placed outside the boundaries of the content area. This could be used to spoof or hide parts of the browser chrome such as the location bar...
Persistent Autocomplete Denial of Service — Mozilla
Marcel reported that a malicious web page could perform a denial of service attack against the form autocomplete feature that would persist from session to session until the malicious form data was deleted. Filling a text field with millions of characters and submitting the form will cause the...
Security Vulnerability in APOP Authentication — Mozilla
Gaëtan Leurent informed us of a weakness in APOP authentication that could allow an attacker to recover the first part of your mail password if the attacker could interpose a malicious mail server on your network masquerading as your legitimate mail server. With normal settings it could take...
Path Abuse in Cookies — Mozilla
Nicolas Derouet reported two problems with cookie handling in Mozilla clients. The first was that the cookie path parameter was not subject to any length checks, and this could be abused to cause the victim's browser to use excessive amounts of memory while it was running as well as waste the dis...
Crashes with evidence of memory corruption (rv:1.8.0.12/1.8.1.4) — Mozilla
As part of the Firefox 2.0.0.4 and 1.5.0.12 update releases Mozilla developers fixed many bugs to improve the stability of the product. Some of these were crashes that showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could b...
FTP PASV port-scanning — Mozilla
The FTP protocol includes the PASV passive command which is used by Firefox to request an alternate data port. The specification of the FTP protocol allows the server response to include an alternate server address as well, although this is rarely used in practice...
Potential integer overflow with text/enhanced mail — Mozilla
Georgi Guninski discovered a potential integer overflow in the code that handles mail formatted as text/enhanced or text/richtext. This could in turn lead to a buffer overflow and potential code execution...
Privilege escalation by setting img.src to javascript: URI — Mozilla
mozbugra4 reports that the fix for MFSA 2006-72 in Firefox 1.5.0.9 and Firefox 2.0.0.1 introduced a regression that allows scripts from web content to execute arbitrary code by setting the src attribute of an IMG tag to a specially crafted javascript: URI...
onUnload + document.write() memory corruption — Mozilla
Michal Zalewski reported a memory corruption vulnerability in Firefox 2.0.0.1 involving mixing the onUnload event handler and self-modifying document.write calls. This flaw was introduced in Firefox 2.0.0.1 and 1.5.0.9 and does not affect earlier versions; it is fixed in Firefox 2.0.0.2 and 1.5.0...
Crashes with evidence of memory corruption (rv:1.8.0.10/1.8.1.2) — Mozilla
As part of the Firefox 2.0.0.2 and 1.5.0.10 update releases we fixed several bugs to improve the stability of the product. Some of these were crashes that showed evidence of memory corruption and we presume that with enough effort at least some of these could be exploited to run arbitrary code...
Information disclosure through cache collisions — Mozilla
Aad reported that two web pages can collide in the disk cache with the result that depending on order loaded the end of the longer document can be appended to the shorter when the shorter is reloaded from the cache. It is possible a determined hacker could construct a targeted attack to steal som...
Improvements to help protect against Cross-Site Scripting attacks — Mozilla
Firefox 2.0.0.2 and 1.5.0.10 contain several small changes that will make it easier for sites to protect their visitors against Cross-Site Scripting XSS attacks. Invalid trailing characters in HTML tag attributes The Mozilla parser formerly ignored invalid trailing characters in HTML tag attribut...
Mozilla Network Security Services (NSS) SSLv2 buffer overflows — Mozilla
iDefense has informed Mozilla about two potential buffer overflow vulnerabilities found by researcher regenrecht in the Network Security Services NSS code for processing the SSLv2 protocol...
XSS and local file access by opening blocked popups — Mozilla
shutdown reported that if you could convince a user to open a blocked popup you could perform a cross-site scripting attack against any site that contains a frame whose source is a data: URL. To accomplish this the attacker's site would have to frame the target site plus another frame whose sourc...
Embedded nulls in location.hostname confuse same-domain checks — Mozilla
Michal Zalewski demonstrated that setting location.hostname to a value with embedded null characters can confuse the browser's domain checks. Setting the value triggers a load, but the networking software reads the hostname only up to the null character while other checks for "parent domain" start...
Spoofing using custom cursor and CSS3 hotspot — Mozilla
David Eckel reported that browser UI elements--such as the host name and security indicators--could be spoofed by using a large, mostly transparent, custom cursor and adjusting the CSS3 hotspot property so that the visible part of the cursor floated outside the browser content area...
CSS cursor image buffer overflow (Windows only) — Mozilla
Frederik Reiss reported a crash when using the CSS cursor property to set the cursor to certain images on Windows. A miscalculated size during conversion of the image to a Windows bitmap can result in a heap buffer overflow which could be used to compromise the victim's computer...
Mail header processing heap overflows — Mozilla
Georgi Guninski reported that long Content-Type headers in external message bodies could cause a heap buffer overflow when processing mail headers. While working on that code David Bienvenu discovered a similar overflow could occur when processing long rfc2047-encoded headers...
Mozilla SVG Processing Remote Code Execution — Mozilla
Appending an SVG comment DOM node from one document into another type of document such as HTML in some cases results in a crash due to memory corruption that can be exploited to run arbitrary code...
Crashes with evidence of memory corruption (rv:1.8.0.9/1.8.1.1) — Mozilla
As part of the Firefox 2.0.0.1 and 1.5.0.9 update releases we fixed several bugs to improve the stability of the product. Some of these were crashes that showed evidence of memory corruption and we presume that at least some of these could be exploited to run arbitrary code with enough effort...
RSS Feed-preview referrer leak — Mozilla
Jared Breland reported on LEGROOM.net that when the new "Feed Preview" feature in Firefox 2.0 retrieves the icons of the installed web-based feed viewers it is potentially informing those services of your feed-browsing habits by sending the URL of the feed in a referrer header with each icon...
XSS by setting img.src to javascript: URI — Mozilla
mozbugra4 reported that the src attribute of an IMG element loaded in a frame could be changed to a javascript: URI that was able to bypass the protections against cross-site script XSS injection. The injected script could steal credentials and financial data, or perform destructive actions on...
Privilege escalation using watch point — Mozilla
Shutdown demonstrated that it was possible to use a JavaScript watch to gain elevated privilege. This could be used to compromise the user's computer and install malware...
XSS using outer window's Function object — Mozilla
mozbugra4 demonstrated that the Function prototype regression described in bug 355161 could be exploited to bypass the protections against cross site script XSS injection, which could be used to steal credentials or sensitive data from arbitrary sites or perform destructive actions on behalf of a...
LiveConnect crash finalizing JS objects — Mozilla
Steven Michaud reported a crash in LiveConnect, the bridge code that allows Java applets and web JavaScript to communicate. The crash is due to re-use of an already-freed object and we presume this could be exploited with enough effort...
Running Script can be recompiled — Mozilla
shutdown demonstrated that it was possible to modify a Script object while it was executing, potentially leading to the execution of arbitrary JavaScript bytecode...
Crashes with evidence of memory corruption (rv:1.8.0.8) — Mozilla
As part of the Firefox 1.5.0.8 release we fixed several bugs to improve the stability of the product. Some of these were crashes that showed evidence of memory corruption and we presume that at least some of these could be exploited to run arbitrary code with enough effort...
RSA Signature Forgery (variant) — Mozilla
MFSA 2006-60 reported that RSA digital signatures with a low exponent typically 3 could be forged. This flaw was corrected in the Mozilla Network Security Services NSS library version 3.11.3 used by Firefox 2.0 and current development versions of Mozilla clients...
Crashes with evidence of memory corruption (rv:1.8.0.7) — Mozilla
As part of the Firefox 1.5.0.7 release we fixed several bugs to improve the stability of the product. Some of these were crashes that showed evidence of memory corruption and we presume that at least some of these could be exploited to run arbitrary code with enough effort...
Frame spoofing using document.open() — Mozilla
shutdown demonstrated a way to inject content into a sub-frame of another site using targetWindow.frames[n].document.open, making the attacker's content look like it was part of the victim site. Similar in effect to MFSA 2005-51...
Concurrency-related vulnerability — Mozilla
Jonathan Watt and Michal Zalewski independently reported timing dependent testcases that trigger crashes at the same place during text display. We have seen no demonstration that these crashes could be reliably exploited, but they do show evidence of memory corruption so we presume they could be...
Auto-update compromise through DNS and SSL spoofing — Mozilla
The Firefox and Thunderbird auto-update mechanism protects itself against DNS spoofing using SSL; only a site presenting a valid certificate for aus2.mozilla.org will be trusted as a source of update information. Jon Oberheide points out, however, that many users accept unverifiable self-signed...
RSA Signature Forgery — Mozilla
Philip Mackenzie and Marius Schilder of Google informed us of Daniel Bleichenbacher's recent presentation of a common implementation error in RSA signature verification, a failure to account for extra data in the signature. For signatures with a small exponent such as 3 it is possible for an...