A Mozilla Foundation Security Advisory reports:

moz_bug_r_a4 reported several exploits giving an attacker the ability to install malicious code or steal data, requiring only that the user do commonplace actions like click on a link or open the context menu. The common cause in each case was privileged UI code ("chrome") being overly trusting of DOM nodes from the content window. Scripts in the web page can override properties and methods of DOM nodes and shadow the native values, unless steps are taken to get the true underlying values.

We found that most extensions also interacted with content DOM in a natural, but unsafe, manner. Changes were made so that chrome code using this natural DOM coding style will now automatically use the native DOM value if it exists without having to use cumbersome wrapper objects.

Most of the specific exploits involved tricking the privileged code into calling eval() on an attacker-supplied script string, or the equivalent using the Script() object. Checks were added in the security manager to make sure eval and Script objects are run with the privileges of the context that created them, not the potentially elevated privileges of the context calling them.

Workaround: Disable Javascript

< 1.0.3,1

< 1.0.3

< 1.7.7,2

ge 1.8.*,2

< 1.7.7

ge 1.8.*

ge 0

ge 0

ge 0

A Mozilla Foundation Security Advisory reports:

Some security checks intended to prevent script injection were incorrect and could be bypassed by wrapping a javascript: url in the view-source: pseudo-protocol. Michael Krax demonstrated that a variant of his favicon exploit could still execute arbitrary code, and the same technique could also be used to perform cross-site scripting.

Georgi Guninski demonstrated the same flaw wrapping javascript: urls with the jar: pseudo-protocol.

L. David Baron discovered a nested variant that defeated checks in the script security manager.

Workaround: Disable Javascript

< 1.0.4,1

< 1.0.4

< 1.7.8,2

ge 1.8.*,2

< 1.7.8

ge 1.8.*

ge 0

ge 0

ge 0

Under some situations, Mozilla will automatically import a certificate from an email message or web site. This behavior can be used as a denial-of-service attack: if the certificate has a distinguished name (DN) identical to one of the built-in Certificate Authorities (CAs), then Mozilla will no longer be able to certify sites with certificates issued from that CA.

< 0.9.3

< 1.7.2

< 1.7.2,2

ge 1.8.a,2

< 1.7.2

A Mozilla Foundation Security Advisory reports of multiple issues. Several of which can be used to run arbitrary code with the privilege of the user running the program.

• MFSA 2006-29 Spoofing with translucent windows
• MFSA 2006-28 Security check of js_ValueToFunctionObject() can be circumvented
• MFSA 2006-26 Mail Multiple Information Disclosure
• MFSA 2006-25 Privilege escalation through Print Preview
• MFSA 2006-24 Privilege escalation using crypto.generateCRMFRequest
• MFSA 2006-23 File stealing by changing input type
• MFSA 2006-22 CSS Letter-Spacing Heap Overflow Vulnerability
• MFSA 2006-20 Crashes with evidence of memory corruption (rv:1.8.0.2)
• MFSA 2006-19 Cross-site scripting using .valueOf.call()
• MFSA 2006-18 Mozilla Firefox Tag Order Vulnerability
• MFSA 2006-17 cross-site scripting through window.controllers
• MFSA 2006-16 Accessing XBL compilation scope via valueOf.call()
• MFSA 2006-15 Privilege escalation using a JavaScript function's cloned parent
• MFSA 2006-14 Privilege escalation via XBL.method.eval
• MFSA 2006-13 Downloading executables with "Save Image As..."
• MFSA 2006-12 Secure-site spoof (requires security warning dialog)
• MFSA 2006-11 Crashes with evidence of memory corruption (rv:1.8)
• MFSA 2006-10 JavaScript garbage-collection hazard audit
• MFSA 2006-09 Cross-site JavaScript injection using event handlers

< 1.0.8,1

gt 1.5.*,1 lt 1.5.0.2,1

< 1.5.0.2

< 1.7.13,2

ge 1.8.*,2

< 1.7.13

gt 0

< 1.0.1

< 1.5.0.2

A Mozilla Foundation Security Advisory reports:

Firefox and the Mozilla Suite support custom "favicons" through the tag. If a link tag is added to the page programmatically and a javascript: url is used, then script will run with elevated privileges and could run or install malicious software.

Workaround: Disable Javascript

< 1.0.3,1

< 1.0.3

< 1.7.7,2

ge 1.8.*,2

< 1.7.7

ge 1.8.*

ge 0

ge 0

ge 0

The Mozilla Foundation reports a vulnerability within the mozilla browser. This vulnerability also affects various other browsers like firefox and seamonkey. The vulnerability is caused by QuickTime Media-Link files that contain a qtnext attribute. This could allow an attacker to start the browser with arbitrary command-line options. This could allow the attacker to install malware, steal local data and possibly execute and/or do other arbitrary things within the users context.

< 2.0.0.7,1

< 2.0.0.7

< 1.1.5

< 3.0.a2007.12.12

< 2.0.a2007.12.12

gt 0

The Mozilla Foundation reports of multiple security vulnerabilities in Firefox and Mozilla:

• MFSA 2005-56 Code execution through shared function objects
• MFSA 2005-55 XHTML node spoofing
• MFSA 2005-54 Javascript prompt origin spoofing
• MFSA 2005-53 Standalone applications can run arbitrary code through the browser
• MFSA 2005-52 Same origin violation: frame calling top.focus()
• MFSA 2005-51 The return of frame-injection spoofing
• MFSA 2005-50 Possibly exploitable crash in InstallVersion.compareTo()
• MFSA 2005-49 Script injection from Firefox sidebar panel using data:
• MFSA 2005-48 Same-origin violation with InstallTrigger callback
• MFSA 2005-47 Code execution via "Set as Wallpaper"
• MFSA 2005-46 XBL scripts ran even when Javascript disabled
• MFSA 2005-45 Content-generated event vulnerabilities

< 1.0.5,1

< 1.0.5

< 1.7.9,2

ge 1.8.*,2

< 1.7.9

ge 1.8.*

ge 0

ge 0

ge 0

A Mozilla Foundation Security Advisory reports of multiple issues:

Heap overrun in XBM image processing

jackerror reports that an improperly terminated XBM image ending with space characters instead of the expected end tag can lead to a heap buffer overrun. This appears to be exploitable to install or run malicious code on the user's machine.

Thunderbird does not support the XBM format and is not affected by this flaw.

Crash on "zero-width non-joiner" sequence

Mats Palmgren discovered that a reported crash on Unicode sequences with "zero-width non-joiner" characters was due to stack corruption that may be exploitable.

XMLHttpRequest header spoofing

It was possible to add illegal and malformed headers to an XMLHttpRequest. This could have been used to exploit server or proxy flaws from the user's machine, or to fool a server or proxy into thinking a single request was a stream of separate requests. The severity of this vulnerability depends on the value of servers which might be vulnerable to HTTP request smuggling and similar attacks, or which share an IP address (virtual hosting) with the attacker's page.

For users connecting to the web through a proxy this flaw could be used to bypass the same-origin restriction on XMLHttpRequests by fooling the proxy into handling a single request as multiple pipe-lined requests directed at arbitrary hosts. This could be used, for example, to read files on intranet servers behind a firewall.

Object spoofing using XBL

moz_bug_r_a4 demonstrated a DOM object spoofing bug similar to MFSA 2005-55 using an XBL control that an internal interface. The severity depends on the version of Firefox: investigation so far indicates Firefox 1.0.x releases don't expose any vulnerable functionality to interfaces spoofed in this way, but that early Deer Park Alpha 1 versions did.

XBL was changed to no longer allow unprivileged controls from web content to implement XPCOM interfaces.

JavaScript integer overflow

Georgi Guninski reported an integer overflow in the JavaScript engine. We presume this could be exploited to run arbitrary code under favorable conditions.

Privilege escalation using about: scheme

heatsync and shutdown report two different ways to bypass the restriction on loading high privileged "chrome" pages from an unprivileged "about:" page. By itself this is harmless--once the "about" page's privilege is raised the original page no longer has access--but should this be combined with a same-origin violation this could lead to arbitrary code execution.

Chrome window spoofing

moz_bug_r_a4 demonstrates a way to get a blank "chrome" canvas by opening a window from a reference to a closed window. The resulting window is not privileged, but the normal browser UI is missing and can be used to construct a spoof page without any of the safety features of the browser chrome designed to alert users to phishing sites, such as the address bar and the status bar.

< 1.0.7,1

< 1.0.7

< 1.7.12,2

ge 1.8.*,2

< 1.7.12

gt 0

ge 0

ge 0

ge 0

When handling FTP URLs containing NULL bytes, Mozilla will interpret the file content as HTML. This may allow unexpected execution of Javascript when viewing plain text or other file types via FTP.

< 0.9.3

< 1.7.2

< 1.7.2,2

ge 1.8.a,2

< 1.7.2

A Mozilla Foundation Security Advisory reports:

Additional checks were added to make sure Javascript eval and Script objects are run with the privileges of the context that created them, not the potentially elevated privilege of the context calling them in order to protect against an additional variant of MFSA 2005-41.

The Mozilla Foundation Security Advisory MFSA 2005-41 reports:

moz_bug_r_a4 reported several exploits giving an attacker the ability to install malicious code or steal data, requiring only that the user do commonplace actions like click on a link or open the context menu.

< 1.0.4,1

< 1.0.4

< 1.7.8,2

ge 1.8.*,2

< 1.7.8

ge 1.8.*

ge 0

ge 0

ge 0

A Mozilla Foundation Security Advisory states:

An (sic) GIF processing error when parsing the obsolete Netscape extension 2 can lead to an exploitable heap overrun, allowing an attacker to run arbitrary code on the user's machine.

< 1.0.2,1

< 1.0.2

< 1.7.6,2

ge 1.8.*,2

< 1.7.6

ge 1.8.*

ge 0

ge 0

ge 0

The Mozilla Foundation reports of multiple security issues in Firefox, Seamonkey, and Thunderbird. Several of these issues can probably be used to run arbitrary code with the privilege of the user running the program.

• MFSA 2006-64 Crashes with evidence of memory corruption (rv:1.8.0.7)
• MFSA 2006-63 JavaScript execution in mail via XBL
• MFSA 2006-62 Popup-blocker cross-site scripting (XSS)
• MFSA 2006-61 Frame spoofing using document.open()
• MFSA 2006-60 RSA Signature Forgery
• MFSA 2006-59 Concurrency-related vulnerability
• MFSA 2006-58 Auto-Update compromise through DNS and SSL spoofing
• MFSA 2006-57 JavaScript Regular Expression Heap Corruption

< 1.5.0.7,1

gt 2.*,1 lt 2.0_1,1

< 1.5.0.7

< 1.0.5

< 1.5.0.7

< 3.0.a2006.09.21

< 1.5.a2006.09.21

gt 0

The Mozilla Foundation reports of multiple security issues in Firefox, Seamonkey, and Thunderbird. Several of these issues can probably be used to run arbitrary code with the privilege of the user running the program.

• MFSA 2007-08 onUnload + document.write() memory corruption
• MFSA 2007-07 Embedded nulls in location.hostname confuse same-domain checks
• MFSA 2007-06 Mozilla Network Security Services (NSS) SSLv2 buffer overflow
• MFSA 2007-05 XSS and local file access by opening blocked popups
• MFSA 2007-04 Spoofing using custom cursor and CSS3 hotspot
• MFSA 2007-03 Information disclosure through cache collisions
• MFSA 2007-02 Improvements to help protect against Cross-Site Scripting attacks
• MFSA 2007-01 Crashes with evidence of memory corruption (rv:1.8.0.10/1.8.1.2)

< 1.5.0.10,1

gt 2.*,1 lt 2.0.0.2,1

< 1.5.0.10

< 0.3.1

< 1.0.8

ge 1.1 lt 1.1.1

< 1.5.0.10

< 3.0.a2007.04.18

< 1.5.a2007.04.18

gt 0

A Mozilla Foundation Security Advisory reports of multiple issues. Several of which can be used to run arbitrary code with the privilege of the user running the program.

• MFSA 2006-56 chrome: scheme loading remote content
• MFSA 2006-55 Crashes with evidence of memory corruption (rv:1.8.0.5)
• MFSA 2006-54 XSS with XPCNativeWrapper(window).Function(...)
• MFSA 2006-53 UniversalBrowserRead privilege escalation
• MFSA 2006-52 PAC privilege escalation using Function.prototype.call
• MFSA 2006-51 Privilege escalation using named-functions and redefined "new Object()"
• MFSA 2006-50 JavaScript engine vulnerabilities
• MFSA 2006-49 Heap buffer overwrite on malformed VCard
• MFSA 2006-48 JavaScript new Function race condition
• MFSA 2006-47 Native DOM methods can be hijacked across domains
• MFSA 2006-46 Memory corruption with simultaneous events
• MFSA 2006-45 Javascript navigator Object Vulnerability
• MFSA 2006-44 Code execution through deleted frame reference

< 1.5.0.5,1

gt 2.*,1 lt 2.0_1,1

< 1.5.0.5

< 3.0.a2006.07.26

< 1.0.3

< 1.5.0.5

gt 0

A Secunia Advisory reports:

Peter Zelezny has discovered a vulnerability in Firefox, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to the shell script used to launch Firefox parsing shell commands that are enclosed within backticks in the URL provided via the command line. This can e.g. be exploited to execute arbitrary shell commands by tricking a user into following a malicious link in an external application which uses Firefox as the default browser.

< 1.0.7,1

< 1.0.7

< 1.7.12,2

ge 1.8.*,2

< 1.7.12

gt 0

ge 0

ge 0

ge 0

The Mozilla Foundation reports of multiple security issues in Firefox, Seamonkey, and Thunderbird. Several of these issues can probably be used to run arbitrary code with the privilege of the user running the program.

• MFSA 2007-25 XPCNativeWrapper pollution
• MFSA 2007-24 Unauthorized access to wyciwyg:// documents
• MFSA 2007-21 Privilege escalation using an event handler attached to an element not in the document
• MFSA 2007-20 Frame spoofing while window is loading
• MFSA 2007-19 XSS using addEventListener and setTimeout
• MFSA 2007-18 Crashes with evidence of memory corruption

< 2.0.0.5,1

gt 3.*,1 lt 3.0.a2_3,1

< 2.0.0.5

< 1.1.3

< 3.0.a2007.12.12

< 2.0.a2007.12.12

gt 0

A Mozilla Foundation Security Advisory reports:

Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.

1. The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.
2. Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.

Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").

A combination of vulnerability 1 and 2 can be exploited to execute arbitrary code.

< 1.0.4,1

< 1.0.4

< 1.7.8,2

ge 1.8.*,2

< 1.7.8

ge 1.8.*

ge 0

ge 0

ge 0

A Mozilla Foundation Security Advisory reports:

A bug in javascript's regular expression string replacement when using an anonymous function as the replacement argument allows a malicious script to capture blocks of memory allocated to the browser. A web site could capture data and transmit it to a server without user interaction or knowledge.

Workaround: Disable Javascript

< 1.0.3,1

< 1.0.3

< 1.7.7,2

ge 1.8.*,2

< 1.7.7

ge 1.8.*

ge 0

ge 0

ge 0