| 0 |
| url |
VCID-25ey-k7xj-hfgk |
| vulnerability_id |
VCID-25ey-k7xj-hfgk |
| summary |
Security researchers Yosuke Hasegawa
and Masatoshi Kimura reported that the x-mac-arabic,
x-mac-farsi and x-mac-hebrew character encodings are vulnerable to XSS
attacks due to some characters being converted to angle brackets when
displayed by the rendering engine. Sites using these character
encodings would thus be potentially vulnerable to script injection
attacks if their script filtering code fails to strip out these
specific characters. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3770
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-25ey-k7xj-hfgk |
|
| 1 |
| url |
VCID-6ndf-9s4u-qfen |
| vulnerability_id |
VCID-6ndf-9s4u-qfen |
| summary |
Security researcher Gregory Fleischer reported
that when a Java LiveConnect script was loaded via
a data: URL which redirects via a meta refresh, then the
resulting plugin object was created with the wrong security principal
and thus received elevated privileges such as the abilities to read
local files, launch processes, and create network connections. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3775
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6ndf-9s4u-qfen |
|
| 2 |
| url |
VCID-6vby-kb9g-r7ey |
| vulnerability_id |
VCID-6vby-kb9g-r7ey |
| summary |
Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative that a nsDOMAttribute
node can be modified without informing the iterator object responsible
for various DOM traversals. This flaw could lead to an inconsistent
state where the iterator points to an object it believes is part of
the DOM but actually points to some other object. If such an object
had been deleted and its memory reclaimed by the system, then the
iterator could be used to call into attacker-controlled memory. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3766
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6vby-kb9g-r7ey |
|
| 3 |
| url |
VCID-7kav-ywtp-1fdw |
| vulnerability_id |
VCID-7kav-ywtp-1fdw |
| summary |
Dirk Heinrich reported that on Windows platforms
when document.write() was called with a very long string
a buffer overflow was caused in line breaking routines attempting to
process the string for display. Such cases triggered an invalid read
past the end of an array causing a crash which an attacker could
potentially use to run arbitrary code on a victim's computer. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3769
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7kav-ywtp-1fdw |
|
| 4 |
| url |
VCID-8th4-qk1v-m3f1 |
| vulnerability_id |
VCID-8th4-qk1v-m3f1 |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. Update (March 1, 2011): CVE-2010-3777 was
fixed in Firefox 3.5.17 |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3777
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8th4-qk1v-m3f1 |
|
| 5 |
| url |
VCID-q5qh-c85t-tygr |
| vulnerability_id |
VCID-q5qh-c85t-tygr |
| summary |
Mozilla added the OTS
font sanitizing library to prevent downloadable fonts from exposing
vulnerabilities in the underlying OS font code. This library mitigates
against several issues independently reported by Red Hat Security
Response Team member Marc Schoenefeld and Mozilla
security researcher Christoph Diehl. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3768
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-q5qh-c85t-tygr |
|
| 6 |
| url |
VCID-qerq-fger-47fb |
| vulnerability_id |
VCID-qerq-fger-47fb |
| summary |
Security researcher wushi of team509 reported that
when a XUL tree had an HTML <div> element nested inside a
<treechildren> element then code attempting to display content
in the XUL tree would incorrectly treat the <div> element as a
parent node to tree content underneath it resulting in incorrect
indexes being calculated for the child content. These incorrect
indexes were used in subsequent array operations which resulted in
writing data past the end of an allocated buffer. An attacker could
use this issue to crash a victim's browser and run arbitrary code on
their machine. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3772
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qerq-fger-47fb |
|
| 7 |
| url |
VCID-tyd4-qfv6-cqer |
| vulnerability_id |
VCID-tyd4-qfv6-cqer |
| summary |
Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative that JavaScript arrays were
vulnerable to an integer overflow vulnerability. The report
demonstrated that an array could be constructed containing a very
large number of items such that when memory was allocated to store the
array items, the integer value used to calculate the buffer size would
overflow resulting in too small a buffer being allocated. Subsequent
use of the array object could then result in data being written past
the end of the buffer and causing memory corruption. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3767
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tyd4-qfv6-cqer |
|
| 8 |
| url |
VCID-w13f-sddd-nfan |
| vulnerability_id |
VCID-w13f-sddd-nfan |
| summary |
Google security researcher Michal Zalewski
reported that when a window was opened to a site resulting in a
network or certificate error page, the opening site could access the
document inside the opened window and inject arbitrary content. An
attacker could use this bug to spoof the location bar and trick a user
into thinking they were on a different site than they actually
were. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3774
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-w13f-sddd-nfan |
|
| 9 |
| url |
VCID-w2pm-349a-ayc4 |
| vulnerability_id |
VCID-w2pm-349a-ayc4 |
| summary |
Mozilla security researcher moz_bug_r_a4 reported
that the XMLHttpRequestSpy module in the Firebug add-on was exposing
an underlying chrome privilege escalation vulnerability. When the
XMLHttpRequestSpy object was created, it would attach various
properties of itself to objects defined in web content, which were not
being properly wrapped to prevent their exposure to chrome privileged
objects. This could result in an attacker running arbitrary
JavaScript on a victim's machine, though it required the victim to
have Firebug installed, so the overall severity of the issue was
determined to be High. This vulnerability does not affect Firefox 3.6 |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0179
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-w2pm-349a-ayc4 |
|
| 10 |
| url |
VCID-y93j-bsr1-xqhp |
| vulnerability_id |
VCID-y93j-bsr1-xqhp |
| summary |
Security researcher echo reported that a web page
could open a window with an about:blank location and then inject an
<isindex> element into that page which upon submission would
redirect to a chrome: document. The effect of this defect was that
the original page would wind up with a reference to a
chrome-privileged object, the opened window, which could be leveraged
for privilege escalation attacks. Mozilla security researcher moz_bug_r_a4 provided
proof-of-concept code demonstrating how the above vulnerability could
be used to run arbitrary code with chrome privileges. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3771
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-y93j-bsr1-xqhp |
|