| 0 |
| url |
VCID-4v9f-zksv-j7gt |
| vulnerability_id |
VCID-4v9f-zksv-j7gt |
| summary |
Mozilla developers identified and fixed several stability bugs in
the browser engine used in Firefox and other Mozilla-based
products. Some of these crashes showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-1200
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4v9f-zksv-j7gt |
|
| 1 |
| url |
VCID-5qv8-552b-j3hn |
| vulnerability_id |
VCID-5qv8-552b-j3hn |
| summary |
Security researcher Ilja van Sprundel of IOActive
reported that the Content-Disposition: attachment HTTP
header was ignored when Content-Type: multipart was also
present. This issue could potentially lead to XSS problems in sites
that allow users to upload arbitrary files and specify a Content-Type
but rely on Content-Disposition: attachment to prevent
the content from being displayed inline. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-1197
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5qv8-552b-j3hn |
|
| 2 |
| url |
VCID-6wb2-shx3-jqgk |
| vulnerability_id |
VCID-6wb2-shx3-jqgk |
| summary |
Security researcher Nils of MWR InfoSecurity
reported that the routine for setting the text value for certain types
of DOM nodes contained an integer overflow vulnerability. When a very
long string was passed to this routine, the integer value used in
creating a new memory buffer to hold the string would overflow,
resulting in too small a buffer being allocated. An attacker could
use this vulnerability to write data past the end of the buffer,
causing a crash and potentially running arbitrary code on a victim's
computer. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-1196
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6wb2-shx3-jqgk |
|
| 3 |
| url |
VCID-7k5r-vr13-f7e8 |
| vulnerability_id |
VCID-7k5r-vr13-f7e8 |
| summary |
Microsoft Vulnerability Research reported that two
plugin instances could interact in a way in which one plugin gets a
reference to an object owned by a second plugin and continues to hold
that reference after the second plugin is unloaded and its object is
destroyed. In these cases, the first plugin would contain a pointer
to freed memory which, if accessed, could be used by an attacker to
execute arbitrary code on a victim's computer. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-1198
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7k5r-vr13-f7e8 |
|
| 4 |
| url |
VCID-euga-mg6n-rkac |
| vulnerability_id |
VCID-euga-mg6n-rkac |
| summary |
A memory corruption flaw leading to code execution was reported by
security researcher Nils of MWR InfoSecurity during the
2010 Pwn2Own contest sponsored by TippingPoint's Zero Day Initiative.
By moving DOM nodes between documents Nils found a case where the moved
node incorrectly retained its old scope. If garbage collection could
be triggered at the right time then Firefox would later use this freed
object. The contest winning exploit only affects Firefox 3.6
and not earlier versions. Updated (June 22, 2010): Firefox 3.5, SeaMonkey 2.0, and
Thunderbird 3.0 based on earlier versions of the browser
engine were patched just in case there
is an alternate way of triggering the underlying flaw. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-1121
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-euga-mg6n-rkac |
|
| 5 |
| url |
VCID-g3ws-tzqe-mkgg |
| vulnerability_id |
VCID-g3ws-tzqe-mkgg |
| summary |
Security researcher Amit Klein reported that it
was possible to reverse engineer the value used to
seed Math.random(). Since the pseudo-random number
generator was only seeded once per browsing session, this seed value
could be used as a unique token to identify and track users across
different web sites. Update (October 27, 2010): After the Firefox 3.6.4
and Firefox 3.5.10 releases, Amit Klein reported that there was an
additional unfixed case where user tracking could occur using the
above-mentioned technique and a pop-up window or iframe that was
subsequently navigated by the user. This additional variant is
identified as CVE-2010-3171. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3171
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g3ws-tzqe-mkgg |
|
| 6 |
| url |
VCID-gvz7-7pyc-vueq |
| vulnerability_id |
VCID-gvz7-7pyc-vueq |
| summary |
Security researcher Martin Barbella reported via
TippingPoint's Zero Day Initiative that an XSLT node sorting routine
contained an integer overflow vulnerability. In cases where one of
the nodes to be sorted contained a very large text value, the integer
used to allocate a memory buffer to store its value would overflow,
resulting in too small a buffer being created. An attacker could use
this vulnerability to write data past the end of the buffer, causing
the browser to crash and potentially running arbitrary code on a
victim's computer. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-1199
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gvz7-7pyc-vueq |
|
| 7 |
| url |
VCID-gzq8-a9pe-zyee |
| vulnerability_id |
VCID-gzq8-a9pe-zyee |
| summary |
Google security researcher Michal Zalewski
reported that focus() could be used to change a user's
cursor focus while they are typing, potentially directing their
keyboard input to an unintended location. This behavior was also
present across origins when content from one domain was embedded
within another via an iframe. A malicious web page could use this
behavior to steal keystrokes from a victim while they were typing
sensitive information such as a password. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-1125
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gzq8-a9pe-zyee |
|
| 8 |
| url |
VCID-wdwg-avx6-fkhf |
| vulnerability_id |
VCID-wdwg-avx6-fkhf |
| summary |
Security researcher wushi of team509 reported that
the frame construction process for certain types of menus could result
in a menu containing a pointer to a previously freed menu item.
During the cycle collection process, this freed item could be accessed,
resulting in the execution of a section of code potentially controlled
by an attacker. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0183
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wdwg-avx6-fkhf |
|