| 0 |
| url |
VCID-1z2q-kuap-wkfk |
| vulnerability_id |
VCID-1z2q-kuap-wkfk |
| summary |
Security researcher Mariusz Mlynski reported that the
location property can be accessed by binary plugins through
top.location and top can be shadowed by
Object.defineProperty as well. This can allow for possible
cross-site scripting (XSS) attacks through plugins.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3994
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1z2q-kuap-wkfk |
|
| 1 |
| url |
VCID-2gcp-9sky-3ffp |
| vulnerability_id |
VCID-2gcp-9sky-3ffp |
| summary |
Security researcher Mariusz Mlynski reported an issue with
spoofing of the location property. In this issue, writes to
location.hash can be used in concert with scripted history
navigation to cause a specific website to be loaded into the history object. The
baseURI can then be changed to this stored site, allowing an attacker to inject
a script or intercept data posted to a location specified with a relative
path.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3992
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2gcp-9sky-3ffp |
|
| 2 |
| url |
VCID-3x39-wrcj-r7f1 |
| vulnerability_id |
VCID-3x39-wrcj-r7f1 |
| summary |
Security researcher Abhishek Arya (Inferno) of the Google
Chrome Security Team discovered a series of use-after-free, buffer overflow, and
out-of-bounds read issues using the Address Sanitizer tool in shipped software.
These issues are potentially exploitable, allowing for remote code execution.
We would also like to thank Abhishek for reporting two additional use-after-free
flaws introduced during Firefox 16 development and fixed before general release.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3995
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3x39-wrcj-r7f1 |
|
| 3 |
| url |
VCID-c145-1rm9-m3ez |
| vulnerability_id |
VCID-c145-1rm9-m3ez |
| summary |
Security researcher Atte Kettunen from OUSPG reported
several heap memory corruption issues found using the Address Sanitizer tool.
These issues are potentially exploitable, allowing for remote code execution.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4185
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c145-1rm9-m3ez |
|
| 4 |
| url |
VCID-esqz-7rhk-vugx |
| vulnerability_id |
VCID-esqz-7rhk-vugx |
| summary |
Mozilla developers identified and fixed several memory safety bugs in the
browser engine used in Firefox and other Mozilla-based products. Some of these
bugs showed evidence of memory corruption under certain circumstances, and we
presume that with enough effort at least some of these could be exploited to run
arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a risk
in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3983
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-esqz-7rhk-vugx |
|
| 5 |
| url |
VCID-f5ve-9rj6-2qhd |
| vulnerability_id |
VCID-f5ve-9rj6-2qhd |
| summary |
Security researcher miaubiz used the Address Sanitizer tool
to discover a use-after-free in the IME State Manager code. This could lead to a
potentially exploitable crash.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3990
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-f5ve-9rj6-2qhd |
|
| 6 |
| url |
VCID-m66w-2zgj-kqhr |
| vulnerability_id |
VCID-m66w-2zgj-kqhr |
| summary |
Security researcher Soroush Dalili reported that a
combination of invoking full screen mode and navigating backwards in history
could, in some circumstances, cause a hang or crash due to a timing-dependent
use-after-free pointer reference. This crash may be potentially exploitable.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3988
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-m66w-2zgj-kqhr |
|
| 7 |
| url |
VCID-mq5h-749h-53ff |
| vulnerability_id |
VCID-mq5h-749h-53ff |
| summary |
Mozilla developer Johnny Stenback discovered that several
methods of a feature used for testing (DOMWindowUtils) are not protected by
existing security checks, allowing these methods to be called through script by
web pages. This was addressed by adding the existing security checks to these
methods.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3986
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mq5h-749h-53ff |
|
| 8 |
| url |
VCID-shqz-mtvs-6ffy |
| vulnerability_id |
VCID-shqz-mtvs-6ffy |
| summary |
Mozilla community member Alice White reported that when the
GetProperty function is invoked through JSAPI, security checking
can be bypassed when getting cross-origin properties. This potentially allowed
for arbitrary code execution.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3991
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-shqz-mtvs-6ffy |
|
| 9 |
| url |
VCID-up5d-dcg6-3fab |
| vulnerability_id |
VCID-up5d-dcg6-3fab |
| summary |
Security researcher Mariusz Mlynski reported that it is possible to shadow the location object using Object.defineProperty. This could be used to confuse plugins about the current location, allowing for possible cross-site scripting (XSS) attacks.
Update October 9, 2012: This advisory was updated to reflect the fact that bug 756719 was also fixed in ESR 10.0.8. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1956
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-up5d-dcg6-3fab |
|
| 10 |
| url |
VCID-wtfj-hrtt-z7d9 |
| vulnerability_id |
VCID-wtfj-hrtt-z7d9 |
| summary |
Security researcher Mariusz Mlynski reported that when
InstallTrigger fails, it throws an error wrapped in a Chrome Object Wrapper
(COW) that fails to specify exposed properties. These can then be added to the
resulting object by an attacker, allowing access to chrome privileged functions
through script.
While investigating this issue, Mozilla security researcher
moz_bug_r_a4 found that COW did not disallow accessing of
properties from a standard prototype in some situations, even when the original
issue had been fixed.
These issues could allow for a cross-site scripting (XSS) attack or arbitrary
code execution.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3993
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wtfj-hrtt-z7d9 |
|