Lookup for vulnerable packages by Package URL.

Purl pkg:mozilla/Firefox@3.0.11
Type mozilla
Namespace
Name Firefox
Version 3.0.11
Qualifiers
Subpath
Is_vulnerable false
Next_non_vulnerable_version 3.0.12
Latest_non_vulnerable_version 151.0.0
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-46dq-fn5m-nfdf
vulnerability_id VCID-46dq-fn5m-nfdf
summary
Mozilla add-on developer and community member Wladimir
Palant reported that content-loading policies were not
checked before loading external script files into XUL documents.
The severity of this problem would depend on the reasons behind the
content policy check, which include privacy from "web bugs" in
Thunderbird mail messages, blocking of Ads and Ad-server tracking
in AdBlock Plus. The original version of this advisory incorrectly claimed
that NoScript protection could be bypassed; NoScript was unaffected.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1840
reference_id CVE-2009-1840
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1840
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2009-31
reference_id mfsa2009-31
reference_type
scores
0
value low
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2009-31
fixed_packages
0
url pkg:mozilla/Firefox@3.0.11
purl pkg:mozilla/Firefox@3.0.11
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.11
aliases CVE-2009-1840
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-46dq-fn5m-nfdf
1
url VCID-bchr-4frg-pkcd
vulnerability_id VCID-bchr-4frg-pkcd
summary
Mozilla security researcher moz_bug_r_a4 reported
a vulnerability which allows scripts from page content to run with
elevated privileges.  Using this vulnerability, an attacker could
cause a chrome privileged object, such as the browser sidebar or the
FeedWriter, to interact with web content in such a way that attacker
controlled code may be executed with the object's chrome
privileges. Thunderbird supports neither the sidebar nor
BrowserFeedWriter objects and is not vulnerable in its default
configuration. Thunderbird might be vulnerable if the user has installed
any add-on which adds a similarly implemented feature and then enables
JavaScript in mail messages.  This is not the default setting and we
strongly discourage users from running JavaScript in mail.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1841
reference_id CVE-2009-1841
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1841
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2009-32
reference_id mfsa2009-32
reference_type
scores
0
value critical
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2009-32
fixed_packages
0
url pkg:mozilla/Firefox@3.0.11
purl pkg:mozilla/Firefox@3.0.11
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.11
aliases CVE-2009-1841
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bchr-4frg-pkcd
2
url VCID-d1d9-6j5m-jqbj
vulnerability_id VCID-d1d9-6j5m-jqbj
summary
Jakob Balle and Carsten Eiram of
Secunia Research reported a race condition
in NPObjWrapper_NewResolve when accessing the properties
of a NPObject, a wrapped JSObject.  Balle
and Eiram demonstrated that this condition could be reached by
navigating away from a web page during the loading of a Java applet.
Under such conditions the Java object would be destroyed but later
called into resulting in a free memory read. It might be possible
for an attacker to write to the freed memory before it is reused and run
arbitrary code on the victim's computer. This vulnerability does not affect Firefox 2 nor other
products built using the "Gecko 1.8" version of Mozilla code.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1837
reference_id CVE-2009-1837
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1837
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2009-28
reference_id mfsa2009-28
reference_type
scores
0
value critical
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2009-28
fixed_packages
0
url pkg:mozilla/Firefox@3.0.11
purl pkg:mozilla/Firefox@3.0.11
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.11
aliases CVE-2009-1837
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-d1d9-6j5m-jqbj
3
url VCID-eprr-1559-u3dn
vulnerability_id VCID-eprr-1559-u3dn
summary
Mozilla add-on developer Pavel Cvrcek reported
that certain invalid Unicode characters, when used as part of an IDN,
are displayed as whitespace in the location bar.  This whitespace
could be used to force part of the URL out of view in the location
bar.  An attacker could use this vulnerability to spoof the location
bar and display a misleading URL for their malicious web page.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1834
reference_id CVE-2009-1834
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1834
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2009-25
reference_id mfsa2009-25
reference_type
scores
0
value low
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2009-25
fixed_packages
0
url pkg:mozilla/Firefox@3.0.11
purl pkg:mozilla/Firefox@3.0.11
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.11
aliases CVE-2009-1834
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-eprr-1559-u3dn
4
url VCID-gkgb-xbu6-93fx
vulnerability_id VCID-gkgb-xbu6-93fx
summary
Mozilla security researcher moz_bug_r_a4 reported
that the owner document of an element can become null after garbage
collection.  In such cases, event listeners may be executed within the
wrong JavaScript context.  An attacker could potentially use this
vulnerability to have a malicious event handler execute arbitrary
JavaScript with chrome privileges. Thunderbird shares the browser engine with Firefox and
could be vulnerable if JavaScript were to be enabled in mail. This is
not the default setting and we strongly discourage users from running
JavaScript in mail.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1838
reference_id CVE-2009-1838
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1838
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2009-29
reference_id mfsa2009-29
reference_type
scores
0
value critical
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2009-29
fixed_packages
0
url pkg:mozilla/Firefox@3.0.11
purl pkg:mozilla/Firefox@3.0.11
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.11
aliases CVE-2009-1838
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gkgb-xbu6-93fx
5
url VCID-x7gc-qnmk-ebfk
vulnerability_id VCID-x7gc-qnmk-ebfk
summary
Security researchers Adam Barth and Collin
Jackson reported that when a file: resource is
loaded via the location bar it inherits the principal of the
previously loaded document.  This vulnerability can potentially give
the newly loaded document additional privileges to access the contents
of other local files that it wouldn't otherwise have permission to read.
A potential victim would first have to have downloaded the attacker's
document to their local machine. Then the victim would have to open another
document in a directory of interest to the attacker before opening the
attacker's file in the same window.
Prior to version 3.0, Firefox (like browsers from other
vendors) treated all local files as having the same origin without
restriction. This vulnerability is a partial bypass of the restrictions
implemented in Firefox 3.0.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1839
reference_id CVE-2009-1839
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1839
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2009-30
reference_id mfsa2009-30
reference_type
scores
0
value none
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2009-30
fixed_packages
0
url pkg:mozilla/Firefox@3.0.11
purl pkg:mozilla/Firefox@3.0.11
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.11
aliases CVE-2009-1839
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-x7gc-qnmk-ebfk
6
url VCID-ydxj-aet2-m7b1
vulnerability_id VCID-ydxj-aet2-m7b1
summary
Mozilla developers and community members identified and fixed
several stability bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these crashes showed evidence of
memory corruption under certain circumstances and we presume that with
enough effort at least some of these could be exploited to run
arbitrary code. Thunderbird shares the browser engine with Firefox and
could be vulnerable if JavaScript were to be enabled in mail. This is
not the default setting and we strongly discourage users from running
JavaScript in mail. Without further investigation we cannot rule out
the possibility that for some of these an attacker might be able to
prepare memory for exploitation through some means other than
JavaScript such as large images.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1392
reference_id CVE-2009-1392
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1392
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2009-24
reference_id mfsa2009-24
reference_type
scores
0
value critical
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2009-24
fixed_packages
0
url pkg:mozilla/Firefox@3.0.11
purl pkg:mozilla/Firefox@3.0.11
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.11
aliases CVE-2009-1392
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ydxj-aet2-m7b1
7
url VCID-yuz9-ee71-u7fa
vulnerability_id VCID-yuz9-ee71-u7fa
summary
Security researcher Gregory Fleischer reported
that local resources loaded via the file: protocol can
access any domain's cookies which have been saved on a user's machine.
Fleischer demonstrated that a local document's domain was being
calculated incorrectly from its URL.  If a victim could be persuaded
to download a malicious file and then open that file in their browser,
the malicious file could then steal arbitrary cookies from the
victim's computer.  Due to the interaction required for this attack,
the severity of the issue was determined to be moderate.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1835
reference_id CVE-2009-1835
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1835
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2009-26
reference_id mfsa2009-26
reference_type
scores
0
value none
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2009-26
fixed_packages
0
url pkg:mozilla/Firefox@3.0.11
purl pkg:mozilla/Firefox@3.0.11
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.11
aliases CVE-2009-1835
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yuz9-ee71-u7fa
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.11