May 17, 2020

Mozilla Fixes Critical Vulnerability in Firefox and Thunderbird

(LiveHacking.Com) – Mozilla has released new versions of Firefox and Thunderbird to fix a potentially exploitable “use after free” crash. According to the security advisory, Mozilla developers Andrew McCreight and Olli Pettay found that the ReadPrototypeBindings code leaves an XBL binding in a hash table even when the function fails. If this occurs, a crash will occur when the cycle collector reads this hash table and attempts to call a virtual method on this binding. This crash is potentially exploitable.

The Mozilla Foundation said Firefox 9 and earlier browser versions are not affected by this vulnerability.
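The failure path described in the advisory can be modelled in a few lines. This is an added C++ example, not Mozilla's code and not part of the original post: `Binding`, `ParseInto` and both reader functions are hypothetical, simplified names. The flawed reader leaves a freed object's pointer in the table, while the hardened reader publishes to the table only after every fallible step has succeeded.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <unordered_map>
#include <utility>

// Simplified stand-in for a binding object (not Mozilla's class).
struct Binding {
    explicit Binding(std::string u) : uri(std::move(u)) {}
    virtual ~Binding() = default;
    virtual std::size_t Traverse() const { return uri.size(); }
    std::string uri;
};

// Hypothetical fallible step: deserialization fails on empty input.
static bool ParseInto(Binding&, const std::string& data) { return !data.empty(); }

// Flawed: pointer published before parsing; failure path frees it but keeps the entry.
using RawTable = std::unordered_map<std::string, Binding*>;
bool ReadBindingFlawed(RawTable& t, const std::string& uri, const std::string& data) {
    Binding* b = new Binding(uri);
    t[uri] = b;                                           // published too early
    if (!ParseInto(*b, data)) { delete b; return false; } // t[uri] now dangles
    return true;
}

// Hardened: the table owns the object and receives it only after every
// fallible step succeeded, so a failed read leaves nothing behind.
using OwningTable = std::unordered_map<std::string, std::unique_ptr<Binding>>;
bool ReadBindingHardened(OwningTable& t, const std::string& uri, const std::string& data) {
    auto b = std::make_unique<Binding>(uri);
    if (!ParseInto(*b, data)) return false;               // b destroyed, nothing published
    t[uri] = std::move(b);
    return true;
}

// Stand-in for the collector pass: a virtual call on every table entry.
std::size_t TraverseAll(const OwningTable& t) {
    std::size_t total = 0;
    for (const auto& kv : t) total += kv.second->Traverse();
    return total;
}

int main() {
    RawTable raw; OwningTable own;
    ReadBindingFlawed(raw, "chrome://x", "");             // fails, stale entry stays
    ReadBindingHardened(own, "chrome://x", "");           // fails, table stays empty
    std::printf("flawed: %zu entries, hardened: %zu\n", raw.size(), own.size());
}
```

The example never dereferences the stale entry in the flawed table; a traversal like `TraverseAll` over such a table is the step where the virtual call would touch freed memory.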

Mozilla Releases Firefox 10 and Firefox 3.6.26 to Address Multiple Vulnerabilities

(LiveHacking.Com) – The Mozilla Foundation has released Firefox 10 and Firefox 3.6.26 to address multiple security vulnerabilities. These vulnerabilities, if exploited, could allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, or perform a cross-site scripting attack.

Firefox 10 fixes 8 security issues, of which 5 are rated as “Critical”. A “Critical” vulnerability can be exploited to run attacker code and install software, requiring no user interaction beyond normal browsing. These include a fix for possible memory corruption during the decoding of Ogg Vorbis files, which could cause a crash and has the potential for remote code execution. There are also several memory safety bugs in the browser engine. Some of these bugs showed evidence of memory corruption under certain circumstances, and Mozilla presumes that with enough effort at least some of these could be exploited to run arbitrary code.

The full list of fixes is:

  • MFSA 2012-09 Firefox Recovery Key.html is saved with unsafe permission
  • MFSA 2012-08 Crash with malformed embedded XSLT stylesheets
  • MFSA 2012-07 Potential Memory Corruption When Decoding Ogg Vorbis files
  • MFSA 2012-06 Uninitialized memory appended when encoding icon images may cause information disclosure
  • MFSA 2012-05 Frame scripts calling into untrusted objects bypass security checks
  • MFSA 2012-04 Child nodes from nsDOMAttribute still accessible after removal of nodes
  • MFSA 2012-03 <iframe> element exposed across domains via name attribute
  • MFSA 2012-01 Miscellaneous memory safety hazards (rv:10.0/ rv:1.9.2.26)

New features in Firefox 10 include:

  • The forward button is now hidden until you navigate back
  • Most add-ons are now compatible with new versions of Firefox by default
  • Anti-Aliasing for WebGL is now implemented (see bug 615976)
  • CSS3 3D-Transforms are now supported (see bug 505115)
  • New <bdi> element for bi-directional text isolation, along with supporting CSS properties (see bugs 613149 and 662288)
  • Full Screen APIs allow you to build a web application that runs full screen (see the feature page)

The fixes for 3.6.26 are backports of fixes applied to Firefox 10 including:

  • MFSA 2012-08 Crash with malformed embedded XSLT stylesheets
  • MFSA 2012-07 Potential Memory Corruption When Decoding Ogg Vorbis files
  • MFSA 2012-04 Child nodes from nsDOMAttribute still accessible after removal of nodes
  • MFSA 2012-01 Miscellaneous memory safety hazards (rv:10.0/ rv:1.9.2.26)

The only fix unique to the 3.6 series is MFSA 2012-02 Overly permissive IPv6 literal syntax. This was fixed previously in Firefox 7.0 but has only now been fixed in the 3.6 series, with Firefox 3.6.26.

Mozilla Releases Firefox 8 and Firefox 3.6.24 to Fix Critical Security Vulnerabilities

(LiveHacking.Com) – Mozilla has released Firefox 8 which includes better user control of add-ons and integrated Twitter search. But more importantly it contains several ‘Critical’ security related bug fixes. Mozilla also updated Firefox 3.6.24 with many of the same fixes.

A ‘Critical’ vulnerability can be used to run arbitrary code and install software, without user interaction or knowledge.

The ‘Critical’ bugs fixed in Firefox 8 include:

  • MFSA 2011-52 – Code execution via NoWaiverWrapper
  • MFSA 2011-49 – Memory corruption while profiling using Firebug
  • MFSA 2011-48 – Miscellaneous memory safety hazards (rv:8.0)

The memory safety bugs fixed by the Mozilla engineers showed evidence of memory corruption under certain circumstances, and Mozilla presumes that with enough effort at least some of these could be exploited to run arbitrary code. However, there are no known exploits today for these bugs.

An additional ‘Critical’ bug was squashed in Firefox 3.6.24:

  • MFSA 2011-46 – loadSubScript unwraps XPCNativeWrapper scope parameter (1.9.2 branch)

MFSA 2011-43 was fixed in Firefox 7, but it has now been discovered that it affects Firefox 3.6. The error could allow a malicious page to exploit a Firefox user who had installed an add-on that used loadSubScript in vulnerable ways.

Firefox 7 Fixes Security Related Bugs While Reducing Memory Footprint

(LiveHacking.Com) – Mozilla has fixed half a dozen critical security flaws in its popular web browser with the release of Firefox 7. The patches fix buffer overruns, potentially exploitable crashes and arbitrary extension installations.

The critical level security related bugs fixed in Firefox 7 include:

  • MFSA 2011-44 Use after free reading OGG headers
  • MFSA 2011-43 loadSubScript unwraps XPCNativeWrapper scope parameter
  • MFSA 2011-42 Potentially exploitable crash in the YARR regular expression library
  • MFSA 2011-41 Potentially exploitable WebGL crashes
  • MFSA 2011-40 Code installation through holding down Enter
  • MFSA 2011-36 Miscellaneous memory safety hazards (rv:7.0 / rv:1.9.2.23)

Firefox 7 also brings some new features, the most notable of which is that Firefox now uses 20% to 30% less memory, which increases overall performance and also means that Firefox is less likely to crash or abort due to running out of memory.

The new memory efficiency is due to an effort called MemShrink, in which Mozilla’s engineers started to reduce Firefox’s memory consumption by using more space-efficient data structures and by avoiding memory leaks (including lifetime issues, where memory is not reclaimed until you close the page/tab/window/process).

As well as stability bug fixes, Firefox 7 includes:

  • Added a new rendering backend to speed up Canvas operations on Windows systems
  • Bookmark and password changes now sync almost instantly when using Firefox Sync
  • The ‘http://’ URL prefix is now hidden by default
  • Added support for text-overflow: ellipsis
  • Added support for the Web Timing specification
  • Enhanced support for MathML
  • The WebSocket protocol has been updated from version 7 to version 8
  • Added an opt-in system for users to send performance data back to Mozilla to improve future versions of Firefox

Mozilla Releases Firefox 6, Patches Critical Vulnerabilities

(LiveHacking.Com) – Mozilla has shipped a new version of its Firefox web browser with increased support for HTML5, faster startup times and improved per-site permission management. But most importantly it fixes a number of critical vulnerabilities, some serious enough to expose web surfers to drive-by download attacks.

The Critical and High impact bugs include:

  • Mozilla identified and fixed several memory safety bugs in the browser engine used in Firefox 4, Firefox 5 and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and Mozilla presumes that with enough effort at least some of these could be exploited to run arbitrary code.
  • Rafael Gieschke reported that unsigned JavaScript could call into script inside a signed JAR thereby inheriting the identity of the site that signed the JAR as well as any permissions that a user had granted the signed JAR.
  • Michael Jordon of Context IS reported that an overly long shader program could cause a buffer overrun and crash in a string class used to store the shader source code.
  • Michael Jordon of Context IS reported a potentially exploitable heap overflow in the ANGLE library used by Mozilla’s WebGL implementation.
  • Security researcher regenrecht reported via TippingPoint’s Zero Day Initiative that an SVG text manipulation routine contained a dangling pointer vulnerability.
  • Mike Cardwell reported that Content Security Policy violation reports failed to strip out proxy authorization credentials from the list of request headers. Daniel Veditz reported that redirecting to a website with Content Security Policy resulted in the incorrect resolution of hosts in the constructed policy.
  • nasalislarvatus3000 reported that when using Windows D2D hardware acceleration, image data from one domain could be inserted into a canvas and read by a different domain.

Mozilla Updates Firefox 3.5, 3.6 and 4.0

Mozilla has released a series of security updates for all currently supported versions of Firefox. Firefox 4.0.1, 3.6.17 and 3.5.19 are now available for Windows, Mac, and Linux. Mozilla is recommending that users update to the latest versions but also encourages all users to upgrade to Firefox 4, as this is the last planned security and stability release for Firefox 3.5.

The first fixes are for several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and Mozilla presumes that with enough effort at least some of these could be exploited to run arbitrary code.

A minor security vulnerability was fixed in the XSLT generate-id() function, which was revealing a specific valid address of an object on the memory heap. In theory, this information could have been used in combination with other heap corruption exploits.

There is also a fix for a vulnerability in the Java Embedding Plugin (JEP) shipped with the Mac OS X versions of Firefox 3.5 and 3.6 that, if exploited, could allow an attacker to obtain elevated access to resources on a user’s system.

Specific to Firefox 4 is an additional fix to its WebGL feature. Two crashes that could potentially be exploited to run malicious code were found in the WebGL feature. Also there is a fix for a vulnerability that could potentially be used to bypass a security feature of recent Windows versions.

Mozilla has also released Thunderbird 3.1.10. The release notes are available here.