| 0 |
| url |
VCID-3uay-6bec-z3gf |
| vulnerability_id |
VCID-3uay-6bec-z3gf |
| summary |
Mozilla team members discovered several crashes during testing of the
browser engine showing evidence of memory corruption that we presume
is exploitable. Thunderbird shares the browser engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2006-2779
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3uay-6bec-z3gf |
|
| 1 |
| url |
VCID-5e6q-3jug-8bbh |
| vulnerability_id |
VCID-5e6q-3jug-8bbh |
| summary |
Mikolaj Habryn discovered an array index bug in crypto.signText() that
results in overflowing an allocated array of pointers by two when optional
Certificate Authority name arguments are passed in. Thunderbird shares the browser engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2006-2778
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5e6q-3jug-8bbh |
|
| 2 |
| url |
VCID-75qe-svtv-kfed |
| vulnerability_id |
VCID-75qe-svtv-kfed |
| summary |
Mozilla researcher moz_bug_r_a4 demonstrated that javascript run via
EvalInSandbox can escape the sandbox and gain elevated privilege by
calling valueOf() on objects created outside the sandbox and inserted
into it. Malicious scripts could use these privileges to compromise
your computer or data. In Mozilla clients the primary use for EvalInSandbox is to run the
Proxy Autoconfig script should one be specified by your network
administrator. This is a rare option for home users; it is primarily
used by institutional networks which have a need for remote configuration. The popular Greasemonkey extension uses EvalInSandbox to run userscripts
which manipulate the web pages you visit on your behalf. Using this
vulnerability a malicious userscript could gain enough privilege to
install malware, but even when Greasemonkey is working as designed
a malicious userscript can make life miserable. Only install userscripts
from sources you can trust. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2006-2787
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-75qe-svtv-kfed |
|
| 3 |
| url |
VCID-gkek-gx5h-jya7 |
| vulnerability_id |
VCID-gkek-gx5h-jya7 |
| summary |
Web content could access the nsISelectionPrivate interface of the Selection
object and use it to add a SelectionListener. The listener would be called when
the user did a "Find" on the page or a "select all", and as intended this
shouldn't cause any problems. But as with escaping the PAC sandbox
in MFSA 2006-31 and content-defined DOM setters in
MFSA 2006-37, moz_bug_r_a4 figured out a way to
leverage the fact that the notifications were created in a privileged context
into arbitrary code execution. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2006-2777
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gkek-gx5h-jya7 |
|
| 4 |
| url |
VCID-jmr2-fjtx-xufk |
| vulnerability_id |
VCID-jmr2-fjtx-xufk |
| summary |
Kazuho Oku of Cybozu Labs reports via the Information-technology Promotion
Agency, Japan, that Firefox is vulnerable to HTTP response smuggling when
used with certain proxy servers. The first technique takes advantage of Mozilla's lenient handling
of HTTP header syntax which was necessary in the past to cope with various
real-world servers. One aspect was to accept HTTP headers with space
characters between the header name and the colon. A modern proxy with strict
syntax checking would ignore these as invalid headers while Mozilla
clients might accept them and interpret one long response as two shorter
responses. If a page on the malicious host can make Firefox issue two
requests in succession, one to the malicious host and one to the victim
site, the second part of the response from the malicious site could
be interpreted as the response from the victim site. The content of
that response could be a web page that could steal login cookies or
other sensitive data if the user has an account at the victim site. A second variant accomplishes the same thing by sending HTTP 1.1
headers through an HTTP 1.0 proxy such as the popular Squid. The proxy
will ignore the unknown 1.1 header (such as "Transfer-Encoding: chunked")
while Mozilla-based clients will accept them and again can be made to
interpret one long request as two shorter ones. If the user is not browsing through a proxy the same attacks
can still be mounted but would be effective only if the malicious
site were at the same IP address as the victim site. Thunderbird shares the browser engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail. Thunderbird users are extremely unlikely to have logged
into a website using their mail client, further reducing the risk from
this vulnerability. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2006-2786
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jmr2-fjtx-xufk |
|
| 5 |
| url |
VCID-puyd-54pf-mkd5 |
| vulnerability_id |
VCID-puyd-54pf-mkd5 |
| summary |
Paul Nickerson discovered that content-defined setters on an object prototype were
getting called by privileged UI code, and moz_bug_r_a4 was able to develop an
exploit PoC that demonstrated that the higher privilege level could be passed
along to the content-defined attack code. Thunderbird shares the browser engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2006-2776
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-puyd-54pf-mkd5 |
|
| 6 |
| url |
VCID-rdb6-pks2-9qe9 |
| vulnerability_id |
VCID-rdb6-pks2-9qe9 |
| summary |
Masatoshi Kimura reported a hang caused by a double-free in Thunderbird
when processing a large VCard with invalid base64 characters in it.
Since an attacker can supply an arbitrary amount of
well-formed VCard data before introducing the error we presume this could
be exploited to run code of the attacker's choosing. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2006-2781
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rdb6-pks2-9qe9 |
|
| 7 |
| url |
VCID-t3kn-qbsv-rfht |
| vulnerability_id |
VCID-t3kn-qbsv-rfht |
| summary |
Chuck McAuley provided Proof-of-Concept code that demonstrates that
MFSA 2006-23 was not fixed for all cases.
In Firefox 1.5.0.2 it is still possible to pre-fill a text input control
with the path to a file at a known location and then change the type of
the input control to a file upload control without having the value
reset as intended. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2006-2782
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t3kn-qbsv-rfht |
|
| 8 |
| url |
VCID-tccv-gwuq-ske2 |
| vulnerability_id |
VCID-tccv-gwuq-ske2 |
| summary |
In certain circumstances persisted XUL attributes are associated with the
wrong URL. If an attacker can get a persisted string associated with a
URL that will later eval or execute that attribute in a privileged
context, then the attacker's code will run with the full permissions
of the browser. Thunderbird shares the browser engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2006-2775
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tccv-gwuq-ske2 |
|
| 9 |
| url |
VCID-tfrg-nmxp-hbgm |
| vulnerability_id |
VCID-tfrg-nmxp-hbgm |
| summary |
Masatoshi Kimura reports that the Unicode Byte-order-Mark (BOM) is
stripped from UTF-8 pages during the conversion to Unicode before
the parser sees the web page. As a result the parser will see and
process script tags that web input sanitizers may miss
because they appear as "scr[BOM]ipt" or similar in the comment code
on the web site. Although Firefox 1.5.0.4 and later will be fixed and no longer
accept such script tags, web sites will continue to be visited by
older versions of Firefox and Mozilla browsers. Web sites can protect
themselves by explicitly setting the character encoding to something other
than UTF-8, or by adding the Unicode byte-order marks to the repertoire
of the site's input sanitizer. Thunderbird shares the browser engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2006-2783
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tfrg-nmxp-hbgm |
|
| 10 |
| url |
VCID-x41m-aspw-53gp |
| vulnerability_id |
VCID-x41m-aspw-53gp |
| summary |
Paul Nickerson demonstrated that if an attacker could convince a user
to right-click on a broken image and choose "View Image" from the context
menu then he could get javascript to run on a site of the attacker's choosing
by making the image src attribute a javascript: URL and loading the target
site on mousedown. This could be used to steal login cookies or other
confidential information from the target site. Similarly, if a user could be convinced to right-click and choose
"Show only this frame" on a frame whose src attribute is a javascript: URL
then that script would run in the context of the framing site. In order
for this variant to be effective not only would you have to convince the
user to view the frame, you would have to find an interesting target
site that can be made to host a frame of the attacker's choosing. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2006-2785
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-x41m-aspw-53gp |
|
| 11 |
| url |
VCID-yng5-8qtn-uka9 |
| vulnerability_id |
VCID-yng5-8qtn-uka9 |
| summary |
Normally Mozilla-based clients prevent web content from linking to local files
but Eric Foley reports a partial bypass of this restriction by using Windows
filename syntax (on a Windows computer) rather than a file:/// URL as the
SRC= attribute. The image will not be loaded on the web page--it will appear as
a broken image--but if a user can be convinced to right-click and select
"View Image" then the content will be loaded. Since the image will replace
the current document, attacker script cannot be run on it. Loading a local
file at a known location is about the extent of this attack. If the local file is a media file an external helper program may be launched
to play the media depending on your settings. The action will be the same
as if you had clicked on a remote link of the same media type and does not
present any additional risk. Local files identified as executable will
never be opened in this way, with "executable" broadly
defined on Windows to include many scriptable document formats with a history
of being abused. By referencing a local device rather than a file this could be used
as a limited denial-of-service attack to hang the browser. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2006-1942
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yng5-8qtn-uka9 |
|