Mozilla Foundation Security Advisory 2008-41
Title: Privilege escalation via XPCnativeWrapper pollution
Impact: Critical
Announced: September 23, 2008
Reporter: moz_bug_r_a4, Olli Pettay
Products: Firefox, Thunderbird, SeaMonkey

Fixed in:
* Firefox 3.0.2
* Firefox 22.214.171.124
* Thunderbird 126.96.36.199
* SeaMonkey 1.1.12

Description
Mozilla security researcher moz_bug_r_a4 reported a series of vulnerabilities by which page content can pollute XPCNativeWrappers and have arbitrary code run with chrome privileges. One variant reported by moz_bug_r_a4 only affected Firefox 2.
Mozilla developer Olli Pettay reported that XSLT can create documents which do not have script handling objects. moz_bug_r_a4 also reported that document.loadBindingDocument() returns a document that does not have a script handling object. These issues could also be used by an attacker to run arbitrary script with chrome privileges.
* XPCnativeWrapper pollution bugs
  * CVE-2008-4058
* XPCnativeWrapper pollution (Firefox 2)
  * CVE-2008-4059
* Documents without script handling objects
  * CVE-2008-4060