Autocomplete data leak — Mozilla

As users downarrow through autocomplete choices each is copied in turn into the input control. A malicious site could create a page that autocompletes some common data such as phone number or SSN and potentially convince a user to arrow through the values. Script on the page could watch the value...

SSL "secure site" indicator spoofing — Mozilla

Various schemes were reported that could cause the "secure site" lock icon to appear and show certificate details for the wrong site. These could be used by phishers to make their spoofs look more legitimate, particularly in windows that hide the address bar showing the true location...

Download dialog source spoofing — Mozilla

The true source of a download can be disguised by using a host name long enough that the most significant parts are truncated. Spoofing can be made even more convincing on windows if the subdomain labels contain a string of non-breaking space characters...

Plugins can be used to load privileged content — Mozilla

Plugins such as flash can be used to load privileged content into a frame. Once loaded various spoofs can be applied to get the user to interact with the privileged content. Michael Krax's "Fireflashing" example demonstrates that an attacker can open about:config in a frame, hide it with an opaci...

Cross-site scripting by dropping javascript: link on tab — Mozilla

Dropping a javascript: or data: link on a tab executes in the context of the site already loaded in the tab. If an attacker could convince a user to drag and drop such a link on a particular tab this could be used to steal information or credentials associated with the site in that tab...

HTTP auth prompt tab spoofing — Mozilla

The HTTP authentication prompt appears above the currently open tab regardless of which tab triggered it. A spoofer who could get a user to open a high value target in another tab might be able to capture the user's ID and password. HTTP auth dialogs are visually distinct from the web form logins...

Browser responds to proxy auth request from non-proxy server (ssl/https) — Mozilla

If a proxy is configured the browser would respond to a 407 proxy auth request from any SSL-connected server rather than only responding to the configured proxy server. This could leak NTLM or SPNEGO credentials outside the organization...

Synthetic middle-click event can steal clipboard contents — Mozilla

Script-generated middle-click events can steal clipboard contents on systems where that action is a paste. Middle-click paste is the default behavior on Unix systems, and a hidden option elsewhere...

Input stealing from other tabs — Mozilla

Jakob Balle of Secunia reported two vulnerabilities in windows with multiple tabs. Malicious content in a background tab can attempt to steal information intended for the topmost tab by popping up prompt dialog that appears to come from the trusted site, or by silently redirecting input focus to ...

Secure site lock can be spoofed with a binary download — Mozilla

While on an insecure page triggering a load of a binary file from a secure server will cause the SSL lock icon to appear. The certificate information is that of the binary file's host, while the location bar URL correctly shows the original insecure page...

Heap overrun handling malicious news: URL — Mozilla

Maurycy Prodeus of iSEC Security Research reports a heap overrun in processing certain news: URLs. Thunderbird and the Mozilla Suite are affected; Firefox does not support the news: scheme...

Script-generated event can download without prompting — Mozilla

Script-generated click events were indistinguishable from true clicks. Combined with the Firefox Alt+click feature that downloads links to the default location without prompting this could be used by malicious sites to place executables or other malware onto a windows user's desktop without their...

Secure site lock can be spoofed with view-source: — Mozilla

Kohei Yoshino reports the secure site lock icon can be spoofed by using a view-source: URL targeted at the secure site whose credentials you want to appropriate. An insecure page of the attackers choice can then be loaded while the lock icon shows the previous secure state...

Mail responds to cookie requests — Mozilla

Mozilla mail clients from March to December 2004 responded to cookie requests accompanying content loaded over HTTP, ignoring the setting of the preference "network.cookie.disableCookieForMailNews" disabled cookies are the default in mail...

Opened attachments are temporarily saved world-readable — Mozilla

Mozilla software released after March 2004 saves some temporary files with world-readable permissions. In the browser this is primarily content fed to helper applications for example, PDF files, and in the mail clients it is attachments...

Link opened in new tab can load a local file — Mozilla

Links with a custom getter and toString method can bypass checks intended to prevent web content from linking to local files and "chrome" URIs if the user can be convinced to middle-click or control-click to open it in a new tab. The browser's "same-origin" policy prevents the attacker's content...

javascript: Livefeed bookmarks can steal cookies — Mozilla

Earlier versions of Firefox allowed javascript: and data: URLs as Livefeed bookmarks. When they updated the URL would be run in the context of the current page and could be used to steal cookies or data displayed on the page...

javascript: links in Thunderbird launch Internet Explorer — Mozilla

Clicking on javascript: links in Thunderbird launched the default handler for that scheme registered with the OS. On the Windows operating system Internet Explorer is the default handler for the javascript: scheme even when Firefox is the default browser...