| 0 |
| url |
VCID-3gpe-mdjk-fug4 |
| vulnerability_id |
VCID-3gpe-mdjk-fug4 |
| summary |
Mozilla developers identified and fixed several stability bugs in
the browser engine used in Firefox and other Mozilla-based
products. Some of these crashes showed evidence of memory corruption
under certain circumstances and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0165
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3gpe-mdjk-fug4 |
|
| 1 |
| url |
VCID-84nu-2fbp-qqc3 |
| vulnerability_id |
VCID-84nu-2fbp-qqc3 |
| summary |
Security researcher Evgeny Legerov of Intevydis
reported that the WOFF decoder contains an integer overflow in a
font decompression routine. This flaw could result in too small a
memory buffer being allocated to store a downloadable font. An
attacker could use this vulnerability to crash a victim's browser
and execute arbitrary code on his/her system. Support for the WOFF downloadable font format
is new in Firefox 3.6 (Gecko 1.9.2); this vulnerability does not affect
products built on earlier versions of the Mozilla browser engine. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-1028
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-84nu-2fbp-qqc3 |
|
| 2 |
| url |
VCID-8611-tzyq-e7b3 |
| vulnerability_id |
VCID-8611-tzyq-e7b3 |
| summary |
Mozilla community member Wladimir Palant reported
that XML documents were failing to call certain security checks when
loading new content. This could result in certain resources being
loaded that would otherwise violate security policies set by the
browser or installed add-ons. This issue has not been fixed in Firefox 3.0. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0182
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8611-tzyq-e7b3 |
|
| 3 |
| url |
VCID-8nnr-7fr7-gbc6 |
| vulnerability_id |
VCID-8nnr-7fr7-gbc6 |
| summary |
phpBB developer Henry Sudhof reported that when an
image tag points to a resource that redirects to
a mailto: URL, the external mail handler application is
launched. This issue poses no security threat to users but could
create an annoyance when browsing a site that allows users to post
arbitrary images. This issue has not been fixed in Firefox 3.0. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0181
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8nnr-7fr7-gbc6 |
|
| 4 |
| url |
VCID-ag56-4pye-f7e5 |
| vulnerability_id |
VCID-ag56-4pye-f7e5 |
| summary |
Mozilla developer Josh Soref of Nokia reported that
documents failed to call certain security checks when attempting to
preload images. Although the image content is not available to the page, it
is possible to specify protocols that are normally not allowed in a web page
such as file:. This includes internal schemes implemented by
add-ons that might perform privileged actions resulting in something like a
Cross-Site Request Forgery (CSRF) attack against the add-on. Potential severity
would depend on the add-ons installed. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0168
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ag56-4pye-f7e5 |
|
| 5 |
| url |
VCID-atus-ryef-17h1 |
| vulnerability_id |
VCID-atus-ryef-17h1 |
| summary |
Mozilla developers added support in the Network Security Services
module for preventing a type of man-in-the-middle attack against TLS
using forced renegotiation. Note that to benefit from the fix, Firefox 3.6 and
Firefox 3.5 users will need to set
their security.ssl.require_safe_negotiation preference to
true. Firefox 3 does not contain the fix for this issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3555, GHSA-f7w7-6pjc-wwm6, VU#120541
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-atus-ryef-17h1 |
|
| 6 |
| url |
VCID-cbf6-phh6-3kd3 |
| vulnerability_id |
VCID-cbf6-phh6-3kd3 |
| summary |
Mozilla security researcher moz_bug_r_a4 reports that
by using an appropriately wrapped object it was possible to bypass the fix
for
MFSA 2007-19. Prior to Firefox 3.6 this gives an attacker the ability
to perform cross-site scripting attacks against arbitrary sites as in the
original MFSA 2007-19 attack. Due to unrelated changes in the browser engine
used by Firefox 3.6, attacks in that version are limited to capturing keystroke
events from a cross-origin frame or window rather than full DOM access.
Those events might be sufficient to illicitly obtain passwords
or other sensitive information entered into web forms.
Thunderbird does not allow JavaScript to run in mail
messages, but users who open web content (such as RSS feeds, or other
content through add-ons) could be at risk. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0171
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cbf6-phh6-3kd3 |
|
| 7 |
| url |
VCID-ccxj-6r97-9uac |
| vulnerability_id |
VCID-ccxj-6r97-9uac |
| summary |
Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative an error in the implementation of
the window.navigator.plugins object. When a page
reloads, the plugins array would reallocate all of its members without
checking for existing references to each member. This could result in
the deletion of objects for which valid pointers still exist. An
attacker could use this vulnerability to crash a victim's browser and
run arbitrary code on the victim's machine. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0177
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ccxj-6r97-9uac |
|
| 8 |
| url |
VCID-m7be-rjrq-r7gv |
| vulnerability_id |
VCID-m7be-rjrq-r7gv |
| summary |
Mozilla developer Blake Kaplan reported that the
window.location object was made a normal overridable JavaScript object
in the Firefox 3.6 browser engine (Gecko 1.9.2) because new mechanisms
were developed to enforce the same-origin policy between windows and frames.
This object is unfortunately also used by some plugins to determine the page
origin used for access restrictions. A malicious page could override this
object to fool a plugin into granting access to data on another site or the
local file system. The behavior of older Firefox versions has been restored.
This flaw does not affect earlier versions of Firefox, or other
programs such as Thunderbird or SeaMonkey built on older versions
of the browser engine. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0170
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-m7be-rjrq-r7gv |
|
| 9 |
| url |
VCID-nchh-872w-vkh3 |
| vulnerability_id |
VCID-nchh-872w-vkh3 |
| summary |
Mozilla developer Justin Dolske reported that the new
asynchronous Authorization Prompt (HTTP username and password) was not
always attached to the correct window. Although we have not
demonstrated this, it may be possible for a malicious page to convince
a user to open a new tab or popup to a trusted service and then have
the HTTP authorization prompt from the malicious page appear to be
the login prompt for the trusted page. This potential attack is greatly
mitigated by the fact that very few web sites use HTTP authorization,
preferring instead to use web forms and cookies. This issue does not affect older versions of Firefox or
products based on the Mozilla browser engine, such as Thunderbird and
SeaMonkey, using an older version of the engine. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0172
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nchh-872w-vkh3 |
|
| 10 |
| url |
VCID-pjqn-kghb-k7fs |
| vulnerability_id |
VCID-pjqn-kghb-k7fs |
| summary |
Mozilla developer Wladimir Palant reported that
stylesheets used in remote XUL documents can wind up in the XUL cache
where they can later be accessed by browser chrome for use in styling
the user interface. A malicious website could use this issue to
pollute a user's XUL cache and change style attributes of their
browser such as font size and color. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0169
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pjqn-kghb-k7fs |
|
| 11 |
| url |
VCID-qq5u-em1p-9kat |
| vulnerability_id |
VCID-qq5u-em1p-9kat |
| summary |
Mozilla developers identified and fixed several stability bugs in
the browser engine used in Firefox and other Mozilla-based
products. Some of these crashes showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0173
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qq5u-em1p-9kat |
|
| 12 |
| url |
VCID-tr7s-z4p8-jbdn |
| vulnerability_id |
VCID-tr7s-z4p8-jbdn |
| summary |
Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative an error in the
way <option> elements are inserted into a XUL
tree <optgroup>. In certain cases, the number of
references to an <option> element is under-counted so
that when the element is deleted, a live pointer to its old location
is kept around and may later be used. An attacker could potentially
use these conditions to run arbitrary code on a victim's computer. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0176
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tr7s-z4p8-jbdn |
|
| 13 |
| url |
VCID-w9jx-nwdg-8yaw |
| vulnerability_id |
VCID-w9jx-nwdg-8yaw |
| summary |
Security researcher Paul Stone reported that a
browser applet could be used to turn a simple mouse click into a
drag-and-drop action, potentially resulting in the unintended loading
of resources in a user's browser. This behavior could be used twice
in succession to first load a privileged chrome: URL in a
victim's browser, then load a malicious javascript: URL
on top of the same document resulting in arbitrary script execution
with chrome privileges. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0178
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-w9jx-nwdg-8yaw |
|
| 14 |
| url |
VCID-zzu7-b5pp-67g3 |
| vulnerability_id |
VCID-zzu7-b5pp-67g3 |
| summary |
Security researcher regenrecht reported (via TippingPoint's
Zero Day Initiative) a potential reuse of a deleted image frame in Firefox
3.6's handling of multipart/x-mixed-replace images. Although
no exploit was shown, re-use of freed memory has led to exploitable
vulnerabilities in the past. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0164
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zzu7-b5pp-67g3 |
|