List of vulnerabilities fixed in the new 2.0.0.5 version of Firefox

Mozilla Firefox 2.0.0.5 web browser was just released. Here is a list of security vulnerabilities it fixes:

MFSA 2007-25 XPCNativeWrapper pollution

shutdown and moz_bug_r_a4 reported two separate ways to modify an XPCNativeWrapper such that subsequent access by the browser would result in executing user-supplied code.

MFSA 2007-24 Unauthorized access to wyciwyg:// documents

Michal Zalewski reported that it was possible to bypass the same-origin checks and read from cached (wyciwyg) documents It is possible to access wyciwyg:// documents without proper same domain policy checks through the use of HTTP 302 redirects. This enables the attacker to steal sensitive data displayed on dynamically generated pages; perform cache poisoning; and execute own code or display own content with URL bar and SSL certificate data of the attacked page (URL spoofing++).

MFSA 2007-23 Remote code execution by launching Firefox from Internet Explorer

Internet Explorer calls registered URL protocols without escaping quotes and may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol.

The vulnerability is exposed when a user browses to a malicious web page in Internet Explorer and clicks on a specially crafted link. That link causes Internet Explorer to invoke another Windows program via the command line and then pass that program the URL from the malicious webpage without escaping the quotes. Firefox and Thunderbird are among those which can be launched, and both support a “-chrome” option that could be used to run malware.

MFSA 2007-22 File type confusion due to %00 in name

Ronald van den Heetkamp reported that a filename URL containing %00 (encoded null) can cause Firefox to interpret the file extension differently than the underlying Windows operating system potentially leading to unsafe actions such as running a program. This is only accessible locally.

MFSA 2007-21 Privilege escallation using an event handler attached to an element not in the document

An attecker can use an element outside of a document to call an event handler allowing content to run arbitrary code with chrome privileges.

MFSA 2007-20 Frame spoofing while window is loading

Ronen Zilberman and Michal Zalewski both reported that it was possible to exploit a timing issue to inject content into about:blank frames in a page. When opening a window from a script, it is possible to spoof the content of the newly opened window’s frames within a short time frame, while the window is loading.

MFSA 2007-19 XSS using addEventListener and setTimeout

moz_bug_r_a4 reported that scripts could be injected into another site’s context by exploiting a timing issue using addEventLstener or setTimeout.

MFSA 2007-18 Crashes with evidence of memory corruption

As part of the Firefox 2.0.0.5 update releases Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes that showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.