
| field | value |
|---|---|
| index | 0 |
| url | VCID-2gnx-bbf7-9yee |
| vulnerability_id | VCID-2gnx-bbf7-9yee |
| summary | Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that code used to normalize a document contained a logical flaw that could be leveraged to run arbitrary code. When the normalization code ran, a static count of the document's child nodes was used in the traversal, so a page could be constructed that would remove DOM nodes during this normalization, which could lead to the accessing of a deleted object and potentially the execution of attacker-controlled memory. |
| references | |
| fixed_packages | |
| aliases | CVE-2010-2766 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-2gnx-bbf7-9yee |


| field | value |
|---|---|
| index | 1 |
| url | VCID-3gpm-gttu-gudn |
| vulnerability_id | VCID-3gpm-gttu-gudn |
| summary | Mozilla security researcher moz_bug_r_a4 reported that the wrapper class XPCSafeJSObjectWrapper (SJOW) on the Mozilla 1.9.1 development branch has a logical error in its scripted function implementation that allows the caller to run the function within the context of another site. This is a violation of the same-origin policy and could be used to mount an XSS attack. |
| references | |
| fixed_packages | |
| aliases | CVE-2010-2763 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-3gpm-gttu-gudn |


| field | value |
|---|---|
| index | 2 |
| url | VCID-5sbu-sc2m-b3eg |
| vulnerability_id | VCID-5sbu-sc2m-b3eg |
| summary | Security researcher Marc Schoenefeld reported that a specially crafted font could be applied to a document and cause a crash on Mac systems. The crash showed signs of memory corruption and presumably could be used by an attacker to execute arbitrary code on a victim's computer. |
| references | |
| fixed_packages | |
| aliases | CVE-2010-2770 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-5sbu-sc2m-b3eg |


| field | value |
|---|---|
| index | 3 |
| url | VCID-afs1-nyna-2khz |
| vulnerability_id | VCID-afs1-nyna-2khz |
| summary | Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that there was a remaining dangling pointer issue left over from the fix to CVE-2010-2753. Under certain circumstances one of the pointers held by a XUL tree selection could be freed and then later reused, potentially resulting in the execution of attacker-controlled memory. |
| references | |
| fixed_packages | |
| aliases | CVE-2010-2753 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-afs1-nyna-2khz |


| field | value |
|---|---|
| index | 4 |
| url | VCID-d95t-gxrb-ruac |
| vulnerability_id | VCID-d95t-gxrb-ruac |
| summary | Security researcher Paul Stone reported that when an HTML selection containing JavaScript is copy-and-pasted or dropped onto a document with `designMode` enabled, the JavaScript will be executed within the context of the site where the code was dropped. A malicious site could leverage this issue in an XSS attack by persuading a user into taking such an action and in the process running malicious JavaScript within the context of another site. |
| references | |
| fixed_packages | |
| aliases | CVE-2010-2769 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-d95t-gxrb-ruac |


| field | value |
|---|---|
| index | 5 |
| url | VCID-f1na-6x4z-e3aa |
| vulnerability_id | VCID-f1na-6x4z-e3aa |
| summary | Security researchers David Huang and Collin Jackson of Carnegie Mellon University CyLab (Silicon Valley campus) reported that the `type` attribute of an `<object>` tag can override the charset of a framed HTML document, even when the document is included across origins. A page could be constructed containing such an `<object>` tag which sets the charset of the framed document to UTF-7. This could potentially allow an attacker to inject UTF-7 encoded JavaScript into a site, bypassing the site's XSS filters, and then executing the code using the above technique. |
| references | |
| fixed_packages | |
| aliases | CVE-2010-2768 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-f1na-6x4z-e3aa |


| field | value |
|---|---|
| index | 6 |
| url | VCID-fhxf-xr7y-23cn |
| vulnerability_id | VCID-fhxf-xr7y-23cn |
| summary | Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that the implementation of XUL `<tree>`'s content view contains a dangling pointer vulnerability. One of the content view's methods for accessing the internal structure of the tree could be manipulated into removing a node prior to accessing it, resulting in the accessing of deleted memory. If an attacker can control the contents of the deleted memory prior to its access, they could use this vulnerability to run arbitrary code on a victim's machine. |
| references | |
| fixed_packages | |
| aliases | CVE-2010-3167 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-fhxf-xr7y-23cn |


| field | value |
|---|---|
| index | 7 |
| url | VCID-g3ws-tzqe-mkgg |
| vulnerability_id | VCID-g3ws-tzqe-mkgg |
| summary | Security researcher Amit Klein reported that it was possible to reverse engineer the value used to seed `Math.random()`. Since the pseudo-random number generator was only seeded once per browsing session, this seed value could be used as a unique token to identify and track users across different web sites. Update (October 27, 2010): After the Firefox 3.6.4 and Firefox 3.5.10 releases, Amit Klein reported that there was an additional unfixed case where user tracking could occur using the above-mentioned technique and a pop-up window or iframe that was subsequently navigated by the user. This additional variant is identified as CVE-2010-3171. |
| references | |
| fixed_packages | |
| aliases | CVE-2010-3171 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-g3ws-tzqe-mkgg |


| field | value |
|---|---|
| index | 8 |
| url | VCID-g7aa-s8j6-b3ef |
| vulnerability_id | VCID-g7aa-s8j6-b3ef |
| summary | Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that XUL `<tree>` objects could be manipulated such that the setting of certain properties on the object would trigger the removal of the tree from the DOM and cause certain sections of deleted memory to be accessed. In products based on Gecko version 1.9.2 (Firefox 3.6, Thunderbird 3.1) and newer, this memory has been overwritten by a value that will cause an unexploitable crash. In products based on Gecko version 1.9.1 (Firefox 3.5, Thunderbird 3.0, and SeaMonkey 2.0) and older, an attacker could potentially use this vulnerability to crash a victim's browser and run arbitrary code on their computer. |
| references | |
| fixed_packages | |
| aliases | CVE-2010-3168 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-g7aa-s8j6-b3ef |


| field | value |
|---|---|
| index | 9 |
| url | VCID-gtnu-ebdw-7uct |
| vulnerability_id | VCID-gtnu-ebdw-7uct |
| summary | Matt Haggard reported that the `statusText` property of an `XMLHttpRequest` object is readable by the requester even when the request is made across origins. This status information reveals the presence of a web server and could be used to gather information about servers on internal private networks. This issue was also independently reported to Mozilla by Nicholas Berthaume. |
| references | |
| fixed_packages | |
| aliases | CVE-2010-2764 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-gtnu-ebdw-7uct |


| field | value |
|---|---|
| index | 10 |
| url | VCID-kh38-ksfk-b3cp |
| vulnerability_id | VCID-kh38-ksfk-b3cp |
| summary | Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. |
| references | |
| fixed_packages | |
| aliases | CVE-2010-3169 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-kh38-ksfk-b3cp |


| field | value |
|---|---|
| index | 11 |
| url | VCID-pykb-a18b-dbf8 |
| vulnerability_id | VCID-pykb-a18b-dbf8 |
| summary | Security researcher Chris Rohlf of Matasano Security reported that the implementation of the HTML frameset element contained an integer overflow vulnerability. The code responsible for parsing the frameset columns used an 8-byte counter for the column numbers, so when a very large number of columns was passed in, the counter would overflow. When this counter was subsequently used to allocate memory for the frameset, the memory buffer would be too small, potentially resulting in a heap buffer overflow and execution of attacker-controlled memory. |
| references | |
| fixed_packages | |
| aliases | CVE-2010-2765 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-pykb-a18b-dbf8 |


| field | value |
|---|---|
| index | 12 |
| url | VCID-v91k-76fs-pbdd |
| vulnerability_id | VCID-v91k-76fs-pbdd |
| summary | Security researcher wushi of team509 reported a heap buffer overflow in code routines responsible for transforming text runs. A page could be constructed with a bidirectional text run which upon reflow could result in an incorrect length being calculated for the run of text. When this value is subsequently used to allocate memory for the text, too small a buffer may be created, potentially resulting in a buffer overflow and the execution of attacker-controlled memory. |
| references | |
| fixed_packages | |
| aliases | CVE-2010-3166 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-v91k-76fs-pbdd |


| field | value |
|---|---|
| index | 13 |
| url | VCID-x2uy-apkf-pqed |
| vulnerability_id | VCID-x2uy-apkf-pqed |
| summary | Security researcher Sergey Glazunov reported a dangling pointer vulnerability in the implementation of `navigator.plugins` in which the navigator object could retain a pointer to the plugins array even after it had been destroyed. An attacker could potentially use this issue to crash the browser and run arbitrary code on a victim's computer. |
| references | |
| fixed_packages | |
| aliases | CVE-2010-2767 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-x2uy-apkf-pqed |


| field | value |
|---|---|
| index | 14 |
| url | VCID-ydbn-ay8s-fkd9 |
| vulnerability_id | VCID-ydbn-ay8s-fkd9 |
| summary | Security researcher Haifei Li of FortiGuard Labs reported that Firefox could be used to load a malicious code library that had been planted on a victim's computer. Firefox attempts to load `dwmapi.dll` upon startup as part of its platform detection, so on systems that don't have this library, such as Windows XP, Firefox will subsequently attempt to load the library from the current working directory. An attacker could use this vulnerability to trick a user into downloading an HTML file and a malicious copy of `dwmapi.dll` into the same directory on their computer and opening the HTML file with Firefox, thus causing the malicious code to be executed. If the attacker was on the same network as the victim, the malicious DLL could also be loaded via a UNC path. This DLL is only loaded at startup, so a successful attack requires that Firefox not currently be running when it is asked to open the HTML file and accompanying DLL. This issue was also independently reported to Mozilla by Acros Security. After the issue became public a number of other community members contacted Mozilla to report the issue. Firefox users on Windows Vista or Windows 7 were not vulnerable to this attack because `dwmapi.dll` is part of the OS in Vista and later versions and the legitimate copy is successfully loaded by Firefox before attempting to load the planted DLL. |
| references | |
| fixed_packages | |
| aliases | CVE-2010-3131 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-ydbn-ay8s-fkd9 |
