Package Instance

Mozilla security developer Daniel Veditz discovered that
<iframe sandbox> restrictions are not applied to an
<object> element contained within a sandboxed iframe. This
could allow content hosted within a sandboxed iframe to use
<object> element to bypass the sandbox restrictions that
should be applied.

Security researchers Tyson Smith and Jesse
Schwartzentruber of the BlackBerry Security Automated Analysis Team
used the Address Sanitizer tool while fuzzing to discover a user-after-free in
the functions for synthetic mouse movement handling. Security researcher
Atte Kettunen from OUSPG also reported a variant of the same
flaw. This issue leads to a potentially exploitable crash.
In general these flaws cannot be exploited through email in the
Thunderbird and Seamonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts.

Security researchers Tyson Smith and Jesse
Schwartzentruber of the BlackBerry Security Automated Analysis Team
used the Address Sanitizer tool while fuzzing to discover a mechanism where
inserting an ordered list into a document through script could lead to a
potentially exploitable crash that can be triggered by web content. 
In general these flaws cannot be exploited through email in the
Thunderbird and Seamonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts.

Security researcher Fabián Cuchietti discovered that
it was possible to bypass the restriction on JavaScript execution in mail by
embedding an <iframe> with a data: URL within a message. If the victim
replied or forwarded the mail after receiving it, quoting it "in-line"
using Thunderbird's HTML mail editor, it would run the attached script. The
running script would be restricted to the mail composition window where it could
observe and potentially modify the content of the mail before it was sent.
Scripts were not executed if the recipient merely viewed the mail, only if it
was edited as HTML. Turning off HTML composition prevented the vulnerability and
forwarding the mail "as attachment" prevented the forwarding
variant.Ateeq ur Rehman Khan of Vulnerability Labs reported
additional variants of this attack involving the use of the <object> tag
and which could be used to attach object data types such as images, audio, or
video.This affected the Thunderbird 17 branch. It was fixed in all
versions based on Gecko 23 or later. Thunderbird 24 and later are not affected
by this vulnerability.

Security researcher Nils used the Address Sanitizer tool
while fuzzing to discover a use-after-free problem in the table editing user
interface of the editor during garbage collection. This leads to a potentially
exploitable crash.

Using the Address Sanitizer tool, security researcher Atte
Kettunen from OUSPG found an out-of-bounds read while rendering GIF
format images. This could cause a non-exploitable crash and could also attempt
to render normally inaccessible data as part of the image.

Mozilla developers identified and fixed several memory safety bugs in the
browser engine used in Firefox and other Mozilla-based products. Some of these
bugs showed evidence of memory corruption under certain circumstances, and we
presume that with enough effort at least some of these could be exploited to run
arbitrary code.In general these flaws cannot be exploited through email in the
Thunderbird and Seamonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts.

Security researcher Masato Kinugawa discovered that if a web
page is missing character set encoding information it can inherit character
encodings across navigations into another domain from an earlier site. Only
same-origin inheritance is allowed according to the HTML5 specification. This
issue allows an attacker to add content that will be interpreted one way on the
victim site, but which may then behave differently, evading cross-site scripting
(XSS) filtering, when forced into an unexpected character set. Web site authors
should always explicitly declare a character encoding to avoid similar issues.
In general these flaws cannot be exploited through email in the
Thunderbird and Seamonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts.

Security researchers Tyson Smith and Jesse
Schwartzentruber of the BlackBerry Security Automated Analysis Team
used the Address Sanitizer tool while fuzzing to discover a user-after-free when
interacting with event listeners from the mListeners array. This
leads to a potentially exploitable crash.
In general these flaws cannot be exploited through email in the
Thunderbird and Seamonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts.