| 0 |
| url |
VCID-1uca-wctd-xqc6 |
| vulnerability_id |
VCID-1uca-wctd-xqc6 |
| summary |
Mozilla developers identified and fixed several stability bugs in the
browser engine used in Firefox and other Mozilla-based products. Some of
these crashes showed evidence of memory corruption under certain
circumstances and we presume that with enough effort at least some of these
could be exploited to run arbitrary code.
Thunderbird shares the browser engine with Firefox and could
be vulnerable if JavaScript were to be enabled in mail. This is not the
default setting and we strongly discourage users from running JavaScript in
mail. Without further investigation we cannot rule out the possibility that
for some of these an attacker might be able to prepare memory for exploitation
through some means other than JavaScript such as large images. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-1237
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1uca-wctd-xqc6 |
|
| 1 |
| url |
VCID-27wg-hjuj-bqa7 |
| vulnerability_id |
VCID-27wg-hjuj-bqa7 |
| summary |
Security research firm iDefense reported that researcher
regenrecht discovered a heap-based
buffer overflow vulnerability in Mozilla mail code which could potentially
allow an attacker to run arbitrary code. The vulnerability is caused by
allocating a buffer that can be three bytes too small in certain cases
when viewing an email message with an external MIME body. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-0304
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-27wg-hjuj-bqa7 |
|
| 2 |
| url |
VCID-2dyf-9tzk-1ucm |
| vulnerability_id |
VCID-2dyf-9tzk-1ucm |
| summary |
Mozilla contributor David Bloom reported a
vulnerability in the way images are treated by the browser when a
user leaves a page which utilizes designMode frames.
The reported issue can be used to steal a user's navigation history,
forward navigation information, and crash the user's browser.
The crash showed evidence of memory corruption and might be exploitable
to run arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-0419
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2dyf-9tzk-1ucm |
|
| 3 |
| url |
VCID-359y-hcyn-x3ck |
| vulnerability_id |
VCID-359y-hcyn-x3ck |
| summary |
Security researcher Gregory Fleischer demonstrated that
web content fetched via the jar: protocol can use Java via
LiveConnect to open socket connections to arbitrary ports on the user's machine
("localhost"). The issue is caused by improper parsing of the content origin
passed from the browser to the Java plugin. Such content was incorrectly
evaluated to have a null host, assumed to be a local file, and was
subsequently allowed permission to connect to the localhost. Sun has updated
the Java Runtime Environment with a fix for this problem. Mozilla has also
added a fix to LiveConnect to protect users who don't have the latest version
of Java. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-1240
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-359y-hcyn-x3ck |
|
| 4 |
| url |
VCID-38nf-qree-mya5 |
| vulnerability_id |
VCID-38nf-qree-mya5 |
| summary |
Security researchers Emil Ljungdahl and
Lars-Olof Moilanen demonstrated that, in cases where
the entire contents of a page are enclosed in a <div> with
absolute positioning, a web forgery warning dialog won't be displayed
unless the user switches tabs away-from then back-to the forgery page. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-0594
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-38nf-qree-mya5 |
|
| 5 |
| url |
VCID-4awt-7sff-v3dk |
| vulnerability_id |
VCID-4awt-7sff-v3dk |
| summary |
Mozilla developers identified and fixed several stability bugs in the
browser engine used in Firefox and other Mozilla-based products. Some of
these crashes showed evidence of memory corruption under certain
circumstances and we presume that with enough effort at least some of these
could be exploited to run arbitrary code.
Thunderbird shares the browser engine with Firefox and could
be vulnerable if JavaScript were to be enabled in mail. This is not the
default setting and we strongly discourage users from running JavaScript in
mail. Without further investigation we cannot rule out the possibility that
for some of these an attacker might be able to prepare memory for exploitation
through some means other than JavaScript such as large images. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-1236
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4awt-7sff-v3dk |
|
| 6 |
| url |
VCID-52n3-8f9y-uqe2 |
| vulnerability_id |
VCID-52n3-8f9y-uqe2 |
| summary |
WebKit developer Alexey Proskuryakov reported that
the Mozilla HTML parser treated the backspace character as whitespace
contrary to the HTML specification and different from other browsers.
This difference might lead to Cross-site Scripting (XSS) risks on sites
which filtered input in accordance with the specification.
Yosuke Hasegawa reported a flaw in the way Mozilla
parses the control character 0x80 under Shift_JIS encoding. This flaw could
potentially be used to evade web-site input filters and result in an XSS
attack hazard. While investigating, Mozilla developer Simon
Montagu discovered several variants of this flaw involving zero-length
non-ASCII sequences in ISO-2022-JP, ISO-2022-CN, ISO-2022-KR, and HZ-GB-2312.
These flaws were fixed in and prior to Firefox 2.0.0.12
but the announcement was held until other browser vendors could fix related
flaws. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-0416
|
| risk_score |
0.1 |
| exploitability |
0.5 |
| weighted_severity |
0.1 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-52n3-8f9y-uqe2 |
|
| 7 |
| url |
VCID-6bc6-xdg7-sqew |
| vulnerability_id |
VCID-6bc6-xdg7-sqew |
| summary |
Mozilla developers identified and fixed several stability bugs in
the browser engine used in Firefox 2.0.0.12 and other Mozilla-based
products. Some of these crashes
showed evidence of memory corruption under certain circumstances and we
presume that with enough effort at least some of these could be exploited
to run arbitrary code.
Thunderbird shares the browser engine with Firefox and could
be vulnerable if JavaScript were to be enabled in mail. This is not the default
setting and we strongly discourage users from running JavaScript in mail.
Without further investigation we cannot rule out the possibility that for some
of these an attacker might be able to prepare memory for exploitation through
some means other than JavaScript such as large images. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-0413
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6bc6-xdg7-sqew |
|
| 8 |
| url |
VCID-6c2j-g8zz-33dt |
| vulnerability_id |
VCID-6c2j-g8zz-33dt |
| summary |
Fixes for security problems in the JavaScript engine described in
MFSA 2008-15 (CVE-2008-1237) introduced a stability problem, where some
users experienced crashes during JavaScript garbage collection. This is being
fixed primarily to address stability concerns. We have no demonstration that
this particular crash is exploitable but are issuing this advisory because
some crashes of this type have been shown to be exploitable in the past.
This regression was introduced in Firefox 2.0.0.13 and does
not affect any shipping version of Thunderbird. Thunderbird 2.0.0.14 contains
the correct fix for MFSA 2008-15, although as noted in that advisory
Thunderbird users would be vulnerable only if they had enabled JavaScript. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-1380
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6c2j-g8zz-33dt |
|
| 9 |
| url |
VCID-au5q-x3zh-ruh5 |
| vulnerability_id |
VCID-au5q-x3zh-ruh5 |
| summary |
Mozilla contributors moz_bug_r_a4, Boris
Zbarsky, and Johnny Stenback reported a series of
vulnerabilities which allow scripts from page content to run with elevated
privileges. moz_bug_r_a4 demonstrated additional variants of MFSA 2007-25
and MFSA 2007-35 (arbitrary code execution through XPCNativeWrapper pollution).
Additional vulnerabilities reported separately by Boris Zbarsky, Johnny
Stenback, and moz_bug_r_a4 showed that the browser could be forced to run
JavaScript code using the wrong principal leading to universal XSS and
arbitrary code execution.
Thunderbird shares the browser engine with Firefox and could
be vulnerable if JavaScript were to be enabled in mail. This is not the
default setting and we strongly discourage users from running JavaScript in
mail. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-1234
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-au5q-x3zh-ruh5 |
|
| 10 |
| url |
VCID-axac-sm5g-5bec |
| vulnerability_id |
VCID-axac-sm5g-5bec |
| summary |
Mozilla contributors moz_bug_r_a4, Boris
Zbarsky, and Johnny Stenback reported a series of
vulnerabilities which allow scripts from page content to run with elevated
privileges. moz_bug_r_a4 demonstrated additional variants of MFSA 2007-25
and MFSA 2007-35 (arbitrary code execution through XPCNativeWrapper pollution).
Additional vulnerabilities reported separately by Boris Zbarsky, Johnny
Stenback, and moz_bug_r_a4 showed that the browser could be forced to run
JavaScript code using the wrong principal leading to universal XSS and
arbitrary code execution.
Thunderbird shares the browser engine with Firefox and could
be vulnerable if JavaScript were to be enabled in mail. This is not the
default setting and we strongly discourage users from running JavaScript in
mail. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-1233
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-axac-sm5g-5bec |
|
| 11 |
| url |
VCID-d4q7-af81-tfh3 |
| vulnerability_id |
VCID-d4q7-af81-tfh3 |
| summary |
Security researcher Gregory Fleischer demonstrated a
problem with the HTTP Referer: (sic) header sent with requests
to URLs containing Basic Authentication credentials with empty usernames.
In these cases a number of leading characters, based on the length of the
password in the URL, are removed from the referrer hostname. Fleischer
pointed out that websites which only check the Referer: header
to protect against Cross-Site Request Forgery (CSRF) could be attacked using
this flaw. This concept was based on and expanded from a post to the
sla.ckers.org forum by security researcher RSnake. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-1238
|
| risk_score |
0.1 |
| exploitability |
0.5 |
| weighted_severity |
0.1 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-d4q7-af81-tfh3 |
|
| 12 |
| url |
VCID-ep5e-rwsn-8qhp |
| vulnerability_id |
VCID-ep5e-rwsn-8qhp |
| summary |
Peter Brodersen and Alexander Klink
independently reported that the default setting for SSL Client Authentication,
automatically selecting a client certificate on behalf of the user, creates
a potential privacy issue for users by allowing tracking through client
certificates. For users who already have certificates some real-world
identity information such as an email address or name may be available
to web sites depending on the purpose of the certificate and its issuer.
The default preference has been changed to prompt the user each time
a website requests a client certificate. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2007-4879
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ep5e-rwsn-8qhp |
|
| 13 |
| url |
VCID-frxr-esg5-ryd7 |
| vulnerability_id |
VCID-frxr-esg5-ryd7 |
| summary |
Security researchers hong and Gregory
Fleischer each reported a variant on earlier reported bugs
regarding focus shifting in file input controls. Their variants
used file input controls nested inside <label> tags
to take advantage of automatic focus shifting into the file input field
noted on the Hacker WebZine. As with the earlier reported issues
this issue could be used to force a user to upload arbitrary files
assuming the attacker knows the full path and name of the file.
These bugs are variations on earlier problems reported by
Charles McAuley and Michal Zalewski
which were fixed in Firefox 2.0.0.4, as well as an issue reported by
hong which was fixed in Firefox 2.0.0.8.
Gregory Fleischer also submitted several other variations of
the same problem. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-0414
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-frxr-esg5-ryd7 |
|
| 14 |
| url |
VCID-ftx3-d7j8-skep |
| vulnerability_id |
VCID-ftx3-d7j8-skep |
| summary |
Security researcher Martin Straka reported
that Gecko-based browsers update the .href property of stylesheet
DOM nodes to reflect the final URI of the stylesheet after following
any 302 redirects (much as the document.location property is updated).
This differs from other browsers and could potentially reveal sensitive
URL parameters, such as those used by single sign-on systems, to scripts
on the page. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-0593
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ftx3-d7j8-skep |
|
| 15 |
| url |
VCID-jbys-r4mj-cydy |
| vulnerability_id |
VCID-jbys-r4mj-cydy |
| summary |
Gerry Eisenhaur reported the chrome: URI scheme
improperly allowed directory traversal that could be used to load
JavaScript, images, and stylesheets from local files in known locations.
This traversal was possible only when the browser had installed add-ons
which used "flat" packaging rather than the more popular .jar packaging,
and the attacker would need to target that specific add-on.
Mozilla researcher moz_bug_r_a4 reported that this
vulnerability could be used to steal the contents of the browser's
sessionstore.js file, which contains session cookie data
and information about currently open web pages. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-0418
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jbys-r4mj-cydy |
|
| 16 |
| url |
VCID-jedz-rd4u-6fe3 |
| vulnerability_id |
VCID-jedz-rd4u-6fe3 |
| summary |
Mozilla contributors moz_bug_r_a4, Boris
Zbarsky, and Johnny Stenback reported a series of
vulnerabilities which allow scripts from page content to run with elevated
privileges. moz_bug_r_a4 demonstrated additional variants of MFSA 2007-25
and MFSA 2007-35 (arbitrary code execution through XPCNativeWrapper pollution).
Additional vulnerabilities reported separately by Boris Zbarsky, Johnny
Stenback, and moz_bug_r_a4 showed that the browser could be forced to run
JavaScript code using the wrong principal leading to universal XSS and
arbitrary code execution.
Thunderbird shares the browser engine with Firefox and could
be vulnerable if JavaScript were to be enabled in mail. This is not the
default setting and we strongly discourage users from running JavaScript in
mail. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-1235
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jedz-rd4u-6fe3 |
|
| 17 |
| url |
VCID-m4ge-x2x9-vyhd |
| vulnerability_id |
VCID-m4ge-x2x9-vyhd |
| summary |
Mozilla contributor oo.rio.oo demonstrated that
once a file with Content-Disposition: attachment and
(improper) Content-Type: plain/text is saved locally,
the browser would no longer open local files with .txt extensions
for viewing, but would rather prompt the user to save the file. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-0592
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-m4ge-x2x9-vyhd |
|
| 18 |
| url |
VCID-nd9m-nqub-27a3 |
| vulnerability_id |
VCID-nd9m-nqub-27a3 |
| summary |
Mozilla contributors moz_bug_r_a4 and
Boris Zbarsky submitted a series of vulnerabilities
which allow scripts from page content to escape from its sandboxed
context and/or run with chrome privileges. An additional vulnerability
reported by moz_bug_r_a4 demonstrated that the XMLDocument.load()
function can be used to inject script into another site, violating the
browser's same-origin policy. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-0415
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nd9m-nqub-27a3 |
|
| 19 |
| url |
VCID-vnez-z562-73gr |
| vulnerability_id |
VCID-vnez-z562-73gr |
| summary |
Security researcher Gynvael Coldwind of Vexillium
(crediting help from udevd and porneL)
demonstrated that BMP images
could be used to reveal small chunks of uninitialized memory
that might contain sensitive data from other pages or other
programs, and that this data could be extracted from the
image using methods associated with the <canvas>
feature.
Because this flaw also affected products from other vendors disclosure
was delayed until they could release a fix.
Update: Thunderbird was incorrectly listed as affected by this
vulnerability. The maliciously formed BMP images would contain
noise influenced by uninitialized memory as in Firefox, but Thunderbird
lacks the <canvas> feature necessary for an attacker
to extract the data from the image. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-0420
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vnez-z562-73gr |
|
| 20 |
| url |
VCID-vnfv-1da2-ekan |
| vulnerability_id |
VCID-vnfv-1da2-ekan |
| summary |
Security researcher Michal Zalewski demonstrated
that timer-enabled security dialogs can be subverted by attackers using
JavaScript to change the window focus. Zalewski showed that a user
could be tricked into confirming a security dialog of this type by
bringing the dialog back into focus right before a user clicked in
a predictable time and place. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-0591
|
| risk_score |
0.1 |
| exploitability |
0.5 |
| weighted_severity |
0.1 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vnfv-1da2-ekan |
|
| 21 |
| url |
VCID-vtag-6v5p-yfb8 |
| vulnerability_id |
VCID-vtag-6v5p-yfb8 |
| summary |
Mozilla contributor Chris Thomas demonstrated that it was
possible to have a background tab create a borderless XUL pop-up in front of
the active tab in the user's browser. This technique could be used by an
attacker to spoof form elements such as a login prompt for a site opened
in a different tab and steal the user's login credentials for that site. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-1241
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vtag-6v5p-yfb8 |
|
| 22 |
| url |
VCID-vxzf-uhr6-rycb |
| vulnerability_id |
VCID-vxzf-uhr6-rycb |
| summary |
Mozilla developers identified and fixed several stability bugs in
the browser engine used in Firefox 2.0.0.12 and other Mozilla-based
products. Some of these crashes
showed evidence of memory corruption under certain circumstances and we
presume that with enough effort at least some of these could be exploited
to run arbitrary code.
Thunderbird shares the browser engine with Firefox and could
be vulnerable if JavaScript were to be enabled in mail. This is not the default
setting and we strongly discourage users from running JavaScript in mail.
Without further investigation we cannot rule out the possibility that for some
of these an attacker might be able to prepare memory for exploitation through
some means other than JavaScript such as large images. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-0412
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vxzf-uhr6-rycb |
|
| 23 |
| url |
VCID-xayb-bkzz-zkfg |
| vulnerability_id |
VCID-xayb-bkzz-zkfg |
| summary |
Mozilla developer Justin Dolske discovered that
malicious sites, upon a user saving his or her password, could inject
newlines into Firefox's password store and corrupt saved passwords
for other sites. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-0417
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xayb-bkzz-zkfg |
|