Lookup for vulnerable packages by Package URL.
| Purl | pkg:mozilla/Firefox@3.5.9 |
| Type | mozilla |
| Namespace | |
| Name | Firefox |
| Version | 3.5.9 |
| Qualifiers |
|
| Subpath | |
| Is_vulnerable | false |
| Next_non_vulnerable_version | 3.5.10 |
| Latest_non_vulnerable_version | 151.0.0 |
| Affected_by_vulnerabilities |
|
| Fixing_vulnerabilities |
| 0 |
| url |
VCID-4qcc-z8qp-83e5 |
| vulnerability_id |
VCID-4qcc-z8qp-83e5 |
| summary |
Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative that a select event handler for XUL
tree items could be called after the tree item was deleted. This
results in the execution of previously freed memory which an attacker
could use to crash a victim's browser and run arbitrary code on the
victim's computer. This vulnerability does not affect Firefox 3.6. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0175
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4qcc-z8qp-83e5 |
|
| 1 |
| url |
VCID-8611-tzyq-e7b3 |
| vulnerability_id |
VCID-8611-tzyq-e7b3 |
| summary |
Mozilla community member Wladimir Palant reported
that XML documents were failing to call certain security checks when
loading new content. This could result in certain resources being
loaded that would otherwise violate security policies set by the
browser or installed add-ons. This issue has not been fixed in Firefox 3.0. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0182
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8611-tzyq-e7b3 |
|
| 2 |
| url |
VCID-8nnr-7fr7-gbc6 |
| vulnerability_id |
VCID-8nnr-7fr7-gbc6 |
| summary |
phpBB developer Henry Sudhof reported that when an
image tag points to a resource that redirects to
a mailto: URL, the external mail handler application is
launched. This issue poses no security threat to users but could
create an annoyance when browsing a site that allows users to post
arbitrary images. This issue has not been fixed in Firefox 3.0. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0181
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8nnr-7fr7-gbc6 |
|
| 3 |
| url |
VCID-atus-ryef-17h1 |
| vulnerability_id |
VCID-atus-ryef-17h1 |
| summary |
Mozilla developers added support in the Network Security Services
module for preventing a type of man-in-the-middle attack against TLS
using forced renegotiation. Note that to benefit from the fix, Firefox 3.6 and
Firefox 3.5 users will need to set
their security.ssl.require_safe_negotiation preference to
true. Firefox 3 does not contain the fix for this issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3555, GHSA-f7w7-6pjc-wwm6, VU#120541
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-atus-ryef-17h1 |
|
| 4 |
| url |
VCID-ccxj-6r97-9uac |
| vulnerability_id |
VCID-ccxj-6r97-9uac |
| summary |
Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative an error in the implementation of
the window.navigator.plugins object. When a page
reloads, the plugins array would reallocate all of its members without
checking for existing references to each member. This could result in
the deletion of objects for which valid pointers still exist. An
attacker could use this vulnerability to crash a victim's browser and
run arbitrary code on the victim's machine. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0177
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ccxj-6r97-9uac |
|
| 5 |
| url |
VCID-qq5u-em1p-9kat |
| vulnerability_id |
VCID-qq5u-em1p-9kat |
| summary |
Mozilla developers identified and fixed several stability bugs in
the browser engine used in Firefox and other Mozilla-based
products. Some of these crashes showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0173
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qq5u-em1p-9kat |
|
| 6 |
| url |
VCID-tr7s-z4p8-jbdn |
| vulnerability_id |
VCID-tr7s-z4p8-jbdn |
| summary |
Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative an error in the
way <option> elements are inserted into a XUL
tree <optgroup>. In certain cases, the number of
references to an <option> element is under-counted so
that when the element is deleted, a live pointer to its old location
is kept around and may later be used. An attacker could potentially
use these conditions to run arbitrary code on a victim's computer. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0176
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tr7s-z4p8-jbdn |
|
| 7 |
| url |
VCID-w9jx-nwdg-8yaw |
| vulnerability_id |
VCID-w9jx-nwdg-8yaw |
| summary |
Security researcher Paul Stone reported that a
browser applet could be used to turn a simple mouse click into a
drag-and-drop action, potentially resulting in the unintended loading
of resources in a user's browser. This behavior could be used twice
in succession to first load a privileged chrome: URL in a
victim's browser, then load a malicious javascript: URL
on top of the same document resulting in arbitrary script execution
with chrome privileges. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0178
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-w9jx-nwdg-8yaw |
|
|
| Risk_score | null |
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.5.9 |