| 0 |
| url |
VCID-125v-281q-ufgj |
| vulnerability_id |
VCID-125v-281q-ufgj |
| summary |
moz_bug_r_a4 discovered that the compilation scope of privileged
built-in XBL bindings was not fully protected from web content and
could be accessed by calling valueOf.call()
and valueOf.apply() on a method of that binding. This could then
be used to compile and run attacker-supplied JavaScript, giving it
the privileges of the binding, which would allow an attacker
to install malware such as viruses and password sniffers.

shutdown reported an alternate way to get to the XBL compilation scope
by inserting an XBL method into the DOM's document.body
prototype chain.

Thunderbird shares the JavaScript engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2006-1733
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-125v-281q-ufgj |
|
| 1 |
| url |
VCID-2m8d-ymbt-gkcn |
| vulnerability_id |
VCID-2m8d-ymbt-gkcn |
| summary |
Claus Jörgensen reports that a text input box can be pre-filled with
a filename and then turned into a file-upload control with the
contents intact, allowing a malicious website the ability to
steal any local file whose name they can guess.

Jesse Ruderman reports a variation, changing the type of the input
control in an event handler to work around some of the initial
checks. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2006-1729
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2m8d-ymbt-gkcn |
|
| 2 |
| url |
VCID-2sdu-6918-myba |
| vulnerability_id |
VCID-2sdu-6918-myba |
| summary |
Garbage collection hazards have been found in the JavaScript
engine where some routines used temporary variables
that were not properly protected (rooted). Specially crafted objects
could contain a user-defined method that would be called during
the lifetime of these temporaries. If this method triggered
garbage collection the engine would operate on the unexpectedly freed
temporary object when it returned from the user-defined routine.

The risk appears remote, but this type of memory corruption could
potentially be used by an attacker to run arbitrary code.

CVE-2006-0293 was introduced during Firefox 1.5 development and does not
affect Firefox 1.0. CVE-2006-0292 affects all versions of Firefox.

Thunderbird shares the JavaScript engine with Firefox
and could be vulnerable if JavaScript is enabled in mail. This is not
the default setting; we strongly discourage users from running
JavaScript in mail.

Update (13 April 2006)
This flaw has been fixed in Thunderbird 1.5.0.2. Updated versions of Firefox 1.0, Thunderbird 1.0, and the Mozilla Suite 1.7
have been released containing this fix. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2006-0293
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2sdu-6918-myba |
|
| 3 |
| url |
VCID-49rf-24dt-vydg |
| vulnerability_id |
VCID-49rf-24dt-vydg |
| summary |
moz_bug_r_a4 discovered that .valueOf.call() and .valueOf.apply(),
when called with no arguments, were returning the Object class
prototype rather than the caller's global window object. When
called on a reachable property of another window this provides
a hook to get around the same-origin protection, allowing an
attacker to inject script into another window.

Cross-site script injection can be used to steal confidential
data such as cookies or passwords, or perform actions on
the user's behalf. It can also be used to alter the content
of the other window, which could be used to fool a user
into trusting bogus information or downloaded content.

Thunderbird shares the JavaScript engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2006-1731
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-49rf-24dt-vydg |
|
| 4 |
| url |
VCID-4mh6-n9sa-bue8 |
| vulnerability_id |
VCID-4mh6-n9sa-bue8 |
| summary |
An anonymous researcher for TippingPoint and the Zero Day Initiative reports
that an invalid and nonsensical ordering of table-related tags causes Mozilla
to use a negative array index. This invalid memory use can be exploited to run
code of the attacker's choice. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2006-0748
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4mh6-n9sa-bue8 |
|
| 5 |
| url |
VCID-719k-bzt6-rff5 |
| vulnerability_id |
VCID-719k-bzt6-rff5 |
| summary |
Georgi Guninski reported two variants of using scripts in an XBL control
to gain chrome privileges when the page is viewed under "Print Preview".

This vulnerability exists even if web-content JavaScript is turned off. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2006-1727
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-719k-bzt6-rff5 |
|
| 6 |
| url |
VCID-98rs-2wsu-2qg7 |
| vulnerability_id |
VCID-98rs-2wsu-2qg7 |
| summary |
shutdown reported a method of injecting running JavaScript code into
a page on another site using a modal alert to suspend an event handler
while a new page is being loaded. This vulnerability allows an attacker
to steal any confidential information the new page might contain,
including any passwords and cookies which might allow the attacker
to log on to that site as the victim.

shutdown also reported a variant using the two-argument form of eval() that
did not require a modal dialog and would be much less obtrusive.
moz_bug_r_a4 reported two variants that bypassed our initial fixes,
one using "new Script()", the other extending the eval() attack using
window.__proto__.

Thunderbird shares the browser engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2006-1741
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-98rs-2wsu-2qg7 |
|
| 7 |
| url |
VCID-cmj4-etdb-pbbd |
| vulnerability_id |
VCID-cmj4-etdb-pbbd |
| summary |
Tristor reports that it was possible to spoof the browser's secure-site
indicators (the lock icon, the site name in the URL field, the gold URL
field background in Firefox) by first loading the target secure site
in a pop-up window, then changing its location to a different site.

If the user has turned on the "Entering secure site" modal warning dialog
then the window location can be changed while that dialog is displayed
and the secure-browsing indicators from the original site will remain.

These dialogs are turned off by default in Firefox, and most Suite users
click the checkbox to turn them off. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2006-1740
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cmj4-etdb-pbbd |
|
| 8 |
| url |
VCID-cux9-7xfe-hygq |
| vulnerability_id |
VCID-cux9-7xfe-hygq |
| summary |
XULDocument.persist() did not validate the attribute name,
allowing an attacker to inject XML into localstore.rdf that would
be read and acted upon at startup. This could include JavaScript
commands that would be run with the permissions of the browser.

Thunderbird could be vulnerable if JavaScript is
enabled. This is not the default setting and we strongly
discourage users from turning on JavaScript in mail. Thunderbird
is not vulnerable in its default configuration.

Update (13 April 2006)
This flaw has been fixed in Thunderbird 1.5.0.2. Updated versions of Firefox 1.0, Thunderbird 1.0, and the Mozilla Suite 1.7
have been released containing this fix. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2006-0296
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cux9-7xfe-hygq |
|
| 9 |
| url |
VCID-e2et-6drn-tkhn |
| vulnerability_id |
VCID-e2et-6drn-tkhn |
| summary |
shutdown demonstrated that the crypto.generateCRMFRequest method
can be used to run arbitrary code with the privilege of the
user, which could enable an attacker to install malware.

Thunderbird shares the browser engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2006-1728
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e2et-6drn-tkhn |
|
| 10 |
| url |
VCID-g3d9-vf5u-dqbk |
| vulnerability_id |
VCID-g3d9-vf5u-dqbk |
| summary |
Using the eval associated with methods of an XBL binding it was possible
to create JavaScript functions that would get compiled with the wrong
privileges, allowing the attacker to run code of their choice with the
full permission of the user running the browser. This
could be used to install spyware or viruses.

Thunderbird shares the JavaScript engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2006-1735
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g3d9-vf5u-dqbk |
|
| 11 |
| url |
VCID-g4r1-jxdm-tuah |
| vulnerability_id |
VCID-g4r1-jxdm-tuah |
| summary |
Web pages with extremely long titles (the public demonstration
had a title 2.5 million characters long) cause subsequent
launches of the browser to appear to "hang" for up to a few
minutes, or even crash if the computer has insufficient memory.

Once affected, this condition will recur every time the browser
is started until the item expires from the saved browsing history
or the user deletes the file history.dat from
the user profile directory.

Update (13 April 2006)
Updated versions of Firefox 1.0 and the Mozilla Suite 1.7
have been released containing this fix. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2005-4134
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g4r1-jxdm-tuah |
|
| 12 |
| url |
VCID-ng5k-7usw-gfc9 |
| vulnerability_id |
VCID-ng5k-7usw-gfc9 |
| summary |
An anonymous researcher for TippingPoint and the Zero Day Initiative discovered
an integer overflow triggered by the CSS letter-spacing property. This results
in under-allocating memory and ultimately a heap buffer overflow which could
be exploited to run code of the attacker's choice.

The overflow condition itself does not require JavaScript
and thus could affect Thunderbird via received mail, but without
scripting to prepare memory it may not be possible to exploit
this condition in mail. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2006-1730
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ng5k-7usw-gfc9 |
|
| 13 |
| url |
VCID-rcu3-aqdr-x3ej |
| vulnerability_id |
VCID-rcu3-aqdr-x3ej |
| summary |
shutdown demonstrated how to use the window.controllers array
to bypass same-origin protections, allowing a malicious site to
inject script into content from another site. This could allow
the malicious page to steal information such as cookies or
passwords from the other site, or perform transactions on the user's
behalf if the user were already logged in.

Thunderbird shares the JavaScript engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2006-1732
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rcu3-aqdr-x3ej |
|
| 14 |
| url |
VCID-rkdp-67ts-uyht |
| vulnerability_id |
VCID-rkdp-67ts-uyht |
| summary |
By layering a transparent image link to an executable on top of a
visible (and presumably desirable) image,
a malicious site might be able to convince some visitors to
right-click and choose "Save image as..." from the context menu
and fool them by giving them the executable instead. When the users
later double-click on the saved "image" to view or edit it,
the attacker's malware would be run.

The attacker could put a lot of spaces before the extension to hide it
by pushing it out of the standard file-saving dialog, and once downloaded
the default Windows behavior of hiding the extension could make a filename
such as "bikini.jpg .exe"
look like a legitimate image. The attacker
could further this illusion by embedding a common image icon into
the executable. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2006-1736
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rkdp-67ts-uyht |
|
| 15 |
| url |
VCID-rmmr-446e-a3fe |
| vulnerability_id |
VCID-rmmr-446e-a3fe |
| summary |
As part of the Firefox 1.5 release we fixed several crash bugs to
improve the stability of the product. Some of these crashes showed
evidence of memory corruption that we presume could be exploited
to run arbitrary code and have been applied to the Firefox 1.0.x
and Mozilla Suite 1.7.x releases.

While fixing an unexploitable recursion-induced crash Bernd Mielke
discovered that the CSS border-rendering code could potentially write
past the end of an array.

Alden D'Souza reported a crash when using an extremely large
regular expression in JavaScript. This was tracked down to a 16-bit
integer overflow that could potentially cause the browser to interpret
attacker-supplied data as JavaScript bytecode.

Martijn Wargers found two potentially exploitable crashes when programmatically
changing the -moz-grid and -moz-grid-group display styles.

Bob Clary found a memory corruption crash using the InstallTrigger.install()
method that was introduced in Firefox 1.0.7 by one of the regression
fixes described in MFSA 2005-58.

Thunderbird shares the browser engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2006-1739
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rmmr-446e-a3fe |
|
| 16 |
| url |
VCID-s7pe-nyw7-dqa4 |
| vulnerability_id |
VCID-s7pe-nyw7-dqa4 |
| summary |
shutdown discovered it was possible to use the Object.watch()
method to access an internal function object (the "clone parent")
which could then be used to run arbitrary JavaScript code with
full permission. This could be used to install malware such as
password sniffers or viruses.

In pre-release versions of Firefox 1.5 the same technique could
be applied to the Array generic methods introduced in that release.

Thunderbird shares the JavaScript engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2006-1734
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-s7pe-nyw7-dqa4 |
|
| 17 |
| url |
VCID-vend-pzwu-5qe3 |
| vulnerability_id |
VCID-vend-pzwu-5qe3 |
| summary |
A particular sequence of HTML tags that reliably crashes
Mozilla clients was reported by an anonymous researcher via
TippingPoint and the Zero Day Initiative. The crash is due to memory corruption
that can be exploited to run arbitrary code.

Mozilla mail clients will crash on the tag sequence, but
without the ability to run scripts to fill memory with the attack
code it may not be possible for an attacker to exploit this crash. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2006-0749
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vend-pzwu-5qe3 |
|
| 18 |
| url |
VCID-vn98-s2xg-37ap |
| vulnerability_id |
VCID-vn98-s2xg-37ap |
| summary |
Igor Bukanov has audited the JavaScript engine for routines that use
temporary variables not protected against garbage collection.
If malicious content could cause garbage collection to run during the
lifetime of these temporaries then the original routine would end up
operating on freed memory.

The risk appears remote, but this type of memory corruption could
potentially be used by an attacker to run arbitrary code, including
the installation of malware.

Thunderbird shares the JavaScript engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail.

Update (29 July 2006)
Added reference to bug 313500 which was part of this audit. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2006-1742
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vn98-s2xg-37ap |
|