Lookup for vulnerable packages by Package URL.

Purl pkg:mozilla/Firefox@3.5.8
Type mozilla
Namespace
Name Firefox
Version 3.5.8
Qualifiers
Subpath
Is_vulnerable false
Next_non_vulnerable_version 3.5.9
Latest_non_vulnerable_version 151.0.0
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-3gpe-mdjk-fug4
vulnerability_id VCID-3gpe-mdjk-fug4
summary
Mozilla developers identified and fixed several stability bugs in
the browser engine used in Firefox and other Mozilla-based
products. Some of these crashes showed evidence of memory corruption
under certain circumstances and we presume that with enough effort at
least some of these could be exploited to run arbitrary code.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0165
reference_id CVE-2010-0165
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0165
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2010-11
reference_id mfsa2010-11
reference_type
scores
0
value critical
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2010-11
fixed_packages
0
url pkg:mozilla/Firefox@3.0.18
purl pkg:mozilla/Firefox@3.0.18
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.18
1
url pkg:mozilla/Firefox@3.5.8
purl pkg:mozilla/Firefox@3.5.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.5.8
2
url pkg:mozilla/Firefox@3.6.2
purl pkg:mozilla/Firefox@3.6.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.6.2
aliases CVE-2010-0165
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3gpe-mdjk-fug4
1
url VCID-76de-mqmg-vqgw
vulnerability_id VCID-76de-mqmg-vqgw
summary
Mozilla developers identified and fixed
several stability bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these crashes showed evidence of
memory corruption under certain circumstances and we presume that with
enough effort at least some of these could be exploited to run
arbitrary code.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0159
reference_id CVE-2010-0159
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0159
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2010-01
reference_id mfsa2010-01
reference_type
scores
0
value critical
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2010-01
fixed_packages
0
url pkg:mozilla/Firefox@3.0.18
purl pkg:mozilla/Firefox@3.0.18
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.18
1
url pkg:mozilla/Firefox@3.5.8
purl pkg:mozilla/Firefox@3.5.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.5.8
2
url pkg:mozilla/Firefox@3.6.0
purl pkg:mozilla/Firefox@3.6.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.6.0
aliases CVE-2010-0159
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-76de-mqmg-vqgw
2
url VCID-aj2z-mctb-jke9
vulnerability_id VCID-aj2z-mctb-jke9
summary
Security researcher Hidetake Jo of Microsoft
Vulnerability Research reported that the properties set on an object
passed to showModalDialog were readable by the document
contained in the dialog, even when the document was from a different
domain.  This is a violation of the same-origin policy and could
result in a website running untrusted JavaScript if it assumed
the dialogArguments could not be initialized by another
site. An anonymous security researcher, via TippingPoint's Zero Day
Initiative, also independently reported this issue to Mozilla.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3988
reference_id CVE-2009-3988
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3988
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2010-04
reference_id mfsa2010-04
reference_type
scores
0
value none
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2010-04
fixed_packages
0
url pkg:mozilla/Firefox@3.0.18
purl pkg:mozilla/Firefox@3.0.18
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.18
1
url pkg:mozilla/Firefox@3.5.8
purl pkg:mozilla/Firefox@3.5.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.5.8
2
url pkg:mozilla/Firefox@3.6.0
purl pkg:mozilla/Firefox@3.6.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.6.0
aliases CVE-2009-3988
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-aj2z-mctb-jke9
3
url VCID-cbf6-phh6-3kd3
vulnerability_id VCID-cbf6-phh6-3kd3
summary
Mozilla security researcher moz_bug_r_a4 reports that
by using an appropriately wrapped object it was possible to bypass the fix
for MFSA 2007-19. Prior to Firefox 3.6 this gives an attacker the ability
to perform cross-site scripting attacks against arbitrary sites as in the
original MFSA 2007-19 attack. Due to unrelated changes in the browser engine
used by Firefox 3.6, attacks in that version are limited to capturing keystroke
events from a cross-origin frame or window rather than full DOM access.
Those events might be sufficient to illicitly obtain passwords
or other sensitive information entered into web forms.
Thunderbird does not allow JavaScript to run in mail
messages, but users who open web content (such as RSS feeds, or other
content through add-ons) could be at risk.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0171
reference_id CVE-2010-0171
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0171
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2010-12
reference_id mfsa2010-12
reference_type
scores
0
value high
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2010-12
fixed_packages
0
url pkg:mozilla/Firefox@3.0.18
purl pkg:mozilla/Firefox@3.0.18
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.18
1
url pkg:mozilla/Firefox@3.5.8
purl pkg:mozilla/Firefox@3.5.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.5.8
2
url pkg:mozilla/Firefox@3.6.2
purl pkg:mozilla/Firefox@3.6.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.6.2
aliases CVE-2010-0171
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cbf6-phh6-3kd3
4
url VCID-fy48-6aec-s7g2
vulnerability_id VCID-fy48-6aec-s7g2
summary
Security researcher Alin Rad Pop of Secunia
Research reported that the HTML parser incorrectly freed used memory
when insufficient space was available to process remaining input.
Under such circumstances, memory occupied by in-use objects was freed
and could later be filled with attacker-controlled text.  These
conditions could result in the execution of arbitrary code if methods
on the freed objects were subsequently called.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1571
reference_id CVE-2009-1571
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1571
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2010-03
reference_id mfsa2010-03
reference_type
scores
0
value critical
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2010-03
fixed_packages
0
url pkg:mozilla/Firefox@3.0.18
purl pkg:mozilla/Firefox@3.0.18
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.18
1
url pkg:mozilla/Firefox@3.5.8
purl pkg:mozilla/Firefox@3.5.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.5.8
2
url pkg:mozilla/Firefox@3.6.0
purl pkg:mozilla/Firefox@3.6.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.6.0
aliases CVE-2009-1571
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fy48-6aec-s7g2
5
url VCID-pjqn-kghb-k7fs
vulnerability_id VCID-pjqn-kghb-k7fs
summary
Mozilla developer Wladimir Palant reported that
stylesheets used in remote XUL documents can wind up in the XUL cache
where they can later be accessed by browser chrome for use in styling
the user interface.  A malicious website could use this issue to
pollute a user's XUL cache and change style attributes of their
browser such as font size and color.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0169
reference_id CVE-2010-0169
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0169
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2010-14
reference_id mfsa2010-14
reference_type
scores
0
value low
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2010-14
fixed_packages
0
url pkg:mozilla/Firefox@3.0.18
purl pkg:mozilla/Firefox@3.0.18
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.18
1
url pkg:mozilla/Firefox@3.5.8
purl pkg:mozilla/Firefox@3.5.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.5.8
2
url pkg:mozilla/Firefox@3.6.2
purl pkg:mozilla/Firefox@3.6.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.6.2
aliases CVE-2010-0169
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pjqn-kghb-k7fs
6
url VCID-scs8-y8pt-mkh2
vulnerability_id VCID-scs8-y8pt-mkh2
summary
Security researcher Orlando Barrera II of SecTheory reported,
via TippingPoint's Zero Day Initiative, that Mozilla's implementation
of Web Workers contained an error in its handling of array data types
when processing posted messages.  This error could be used by an
attacker to corrupt heap memory and crash the browser, potentially
running arbitrary code on a victim's computer. Web Workers were
introduced in Firefox 3.5; Firefox 3.0 and earlier versions were not affected.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0160
reference_id CVE-2010-0160
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0160
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2010-02
reference_id mfsa2010-02
reference_type
scores
0
value critical
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2010-02
fixed_packages
0
url pkg:mozilla/Firefox@3.5.8
purl pkg:mozilla/Firefox@3.5.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.5.8
1
url pkg:mozilla/Firefox@3.6.0
purl pkg:mozilla/Firefox@3.6.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.6.0
aliases CVE-2010-0160
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-scs8-y8pt-mkh2
7
url VCID-u9ed-ugwr-s3e7
vulnerability_id VCID-u9ed-ugwr-s3e7
summary
Mozilla security researcher Georgi Guninski
reported that when a SVG document which is served
with Content-Type: application/octet-stream is embedded
into another document via an <embed> tag
with type="image/svg+xml", the Content-Type is ignored
and the SVG document is processed normally.  A website which allows
arbitrary binary data to be uploaded but which relies
on Content-Type: application/octet-stream to prevent
script execution could have such protection bypassed.  An attacker
could upload a SVG document containing JavaScript as a binary file to
a website, embed the SVG document into a malicious page on another
site, and gain access to the script environment from the SVG-serving
site, bypassing the same-origin policy.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0162
reference_id CVE-2010-0162
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0162
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2010-05
reference_id mfsa2010-05
reference_type
scores
0
value none
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2010-05
fixed_packages
0
url pkg:mozilla/Firefox@3.0.18
purl pkg:mozilla/Firefox@3.0.18
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.18
1
url pkg:mozilla/Firefox@3.5.8
purl pkg:mozilla/Firefox@3.5.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.5.8
2
url pkg:mozilla/Firefox@3.6.0
purl pkg:mozilla/Firefox@3.6.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.6.0
aliases CVE-2010-0162
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u9ed-ugwr-s3e7
8
url VCID-w2pm-349a-ayc4
vulnerability_id VCID-w2pm-349a-ayc4
summary
Mozilla security researcher moz_bug_r_a4 reported
that the XMLHttpRequestSpy module in the Firebug add-on was exposing
an underlying chrome privilege escalation vulnerability.  When the
XMLHttpRequestSpy object was created, it would attach various
properties of itself to objects defined in web content, which were not
being properly wrapped to prevent their exposure to chrome privileged
objects.  This could result in an attacker running arbitrary
JavaScript on a victim's machine, though it required the victim to
have Firebug installed, so the overall severity of the issue was
determined to be High. This vulnerability does not affect Firefox 3.6.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0179
reference_id CVE-2010-0179
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0179
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2010-21
reference_id mfsa2010-21
reference_type
scores
0
value high
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2010-21
2
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2010-82
reference_id mfsa2010-82
reference_type
scores
0
value critical
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2010-82
fixed_packages
0
url pkg:mozilla/Firefox@3.0.19
purl pkg:mozilla/Firefox@3.0.19
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.19
1
url pkg:mozilla/Firefox@3.5.8
purl pkg:mozilla/Firefox@3.5.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.5.8
2
url pkg:mozilla/Firefox@3.5.16
purl pkg:mozilla/Firefox@3.5.16
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.5.16
3
url pkg:mozilla/Firefox@3.6.13
purl pkg:mozilla/Firefox@3.6.13
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.6.13
aliases CVE-2010-0179
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-w2pm-349a-ayc4
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.5.8