|
VCID-125v-281q-ufgj
|
moz_bug_r_a4 discovered that the compilation scope of privileged
built-in XBL bindings was not fully protected from web content and
could be accessed by calling valueOf.call()
and valueOf.apply() on a method of that binding. This could then
be used to compile and run attacker-supplied JavaScript, giving it
the privileges of the binding which would allow an attacker
to install malware such as viruses and password sniffers.shutdown reported an alternate way to get to XBL compilation scope
by inserting an XBL method into the DOM's document.body
prototype chain.Thunderbird shares the JavaScript engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail.
|
CVE-2006-1733
|
|
VCID-49rf-24dt-vydg
|
moz_bug_r_a4 discovered that .valueOf.call() and .valueOf.apply()
when called with no arguments were returning the Object class
prototype rather than the caller's global window object. When
called on a reachable property of another window this provides
a hook to get around the same-origin protection, allowing an
attacker to inject script into another window.Cross-site script injection can be used to steal confidential
data such as cookies or passwords, or perform actions on
the user's behalf. It can also be used to alter the content
of the other window which could be used to fool a user
into trusting bogus information or downloaded content.Thunderbird shares the JavaScript engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail.
|
CVE-2006-1731
|
|
VCID-98rs-2wsu-2qg7
|
shutdown reported a method of injecting running JavaScript code into
a page on another site using a modal alert to suspend an event handler
while a new page is being loaded. This vulnerability allows an attacker
to steal any confidential information the new page might contain,
including any passwords and cookies which might allow the attacker
to log on to that site as the victim.shutdown also reported a variant using the two-argument form of eval() that
did not require a modal dialog and would be much less obtrusive.
moz_bug_r_a4 reported two variants that bypassed our initial fixes,
one using "new Script()", the other extending the eval() attack using
window.__proto__Thunderbird shares the browser engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail.
|
CVE-2006-1741
|
|
VCID-cmj4-etdb-pbbd
|
Tristor reports that it was possible to spoof the browser's secure-site
indicators (the lock icon, the site name in the URL field, the gold URL
field background in Firefox) by first loading the target secure site
in a pop-up window, then changing its location to a different site.If the user has turned on the "Entering secure site" modal warning dialog
then the window location can be changed while that dialog is displayed
and the secure-browsing indicators from the original site will remain.These dialogs are turned off by default in Firefox, and most Suite users
click the checkbox to turn them off.
|
CVE-2006-1740
|
|
VCID-g3d9-vf5u-dqbk
|
Using the eval associated with methods of an XBL binding it was possible
to create JavaScript functions that would get compiled with the wrong
privileges, allowing the attacker to run code of their choice with the
full permission of the user running the browser. This
could be used to install spyware or viruses.Thunderbird shares the JavaScript engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail.
|
CVE-2006-1735
|
|
VCID-rcu3-aqdr-x3ej
|
shutdown demonstrated how to use the window.controllers array
to bypass same-origin protections, allowing a malicious site to
inject script into content from another site. This could allow
the malicious page to steal information such as cookies or
passwords from the other site, or perform transactions on the user's
behalf if the user were already logged in.Thunderbird shares the JavaScript engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail.
|
CVE-2006-1732
|
|
VCID-rkdp-67ts-uyht
|
By layering a transparent image link to an executable on top of a
visible (and presumably desirable) image
a malicious site might be able to convince some visitors to
right-click and choose "Save image as..." from the context menu
and fool them by giving them the executable instead. When the users
later double-click on the saved "image" to view or edit it
the attacker's malware would be run.The attacker could put a lot of spaces before the extension to hide it
by pushing it out of the standard file-saving dialog, and once downloaded
the default Windows behavior of hiding the extension could make a filename
such as "bikini.jpg .exe"
look like a legitimate image. The attacker
could further this illusion by embedding a common image icon into
the executable.
|
CVE-2006-1736
|
|
VCID-rmmr-446e-a3fe
|
As part of the Firefox 1.5 release we fixed several crash bugs to
improve the stability of the product. Some of these crashes showed
evidence of memory corruption that we presume could be exploited
to run arbitrary code and have been applied to the Firefox 1.0.x
and Mozilla Suite 1.7.x releasesWhile fixing an unexploitable recursion-induced crash Bernd Mielke
discovered that the CSS border-rendering code could potentially write
past the end of an array.Alden D'Souza reported a crash when using an extremely large
regular expression in JavaScript. This was tracked down to a 16-bit
integer overflow that could potentially cause the browser to interpret
attacker supplied data as JavaScript bytecode.Martijn Wargers found two potentially exploitable crashes when programmatically
changing the -moz-grid and -moz-grid-group display styles.Bob Clary found a memory corruption crash using the InstallTrigger.install()
method that was introduced in Firefox 1.0.7 by one of the regression
fixes described in MFSA 2005-58.Thunderbird shares the browser engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail.
|
CVE-2006-1739
|
|
VCID-s7pe-nyw7-dqa4
|
shutdown discovered it was possible to use the Object.watch()
method to access an internal function object (the "clone parent")
which could then be used to run arbitrary JavaScript code with
full permission. This could be used to install malware such as
password sniffers or viruses.In pre-release versions of Firefox 1.5 the same technique could
be applied to the Array generic methods introduced in that release.Thunderbird shares the JavaScript engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail.
|
CVE-2006-1734
|
|
VCID-vend-pzwu-5qe3
|
A particular sequence of HTML tags that reliably crash
Mozilla clients was reported by an anonymous researcher via
TippingPoint and the Zero Day Initiative. The crash is due to memory corruption
that can be exploited to run arbitrary code.Mozilla mail clients will crash on the tag sequence, but
without the ability to run scripts to fill memory with the attack
code it may not be possible for an attacker to exploit this crash.
|
CVE-2006-0749
|
|
VCID-vn98-s2xg-37ap
|
Igor Bukanov has audited the JavaScript engine for routines that use
temporary variables not protected against garbage-collection.
If malicious content could cause garbage-collection to run during the
lifetime of these temporaries then the original routine would end up
operating on freed memory.The risk appears remote, but this type of memory corruption could
potentially be used by an attacker to run arbitrary code including
the installation of malware.Thunderbird shares the JavaScript engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail.Update (29 July 2006)
Added reference to bug 313500 which was part of this audit.
|
CVE-2006-1742
|