Firefox 3.0.9 fixes many security issues

Mozilla just released Firefox 3.0.9, which fixes several security issues.

Firefox allows Refresh header to redirect to javascript: URIs
When a server responds with a Refresh header containing a javascript: URI, Firefox will redirect to the javascript: URI. If an attacker could inject a Refresh header into a server response, or could control the value that a site places in the Refresh header, they could use this vulnerability to perform an XSS attack and execute arbitrary JavaScript within the context of that site.
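A server-side check for the Refresh issue above, added here as an illustration and not taken from Mozilla's advisory or patch: it parses a Refresh value and drops the header unless the target resolves to http: or https:. The function names and the example.test host are assumptions.

```javascript
// Added illustration; function names and example.test hosts are assumptions.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Split a Refresh value such as `5; url=/next` into delay and target.
// Returns null for anything that is not "<seconds>[;,] [url=]<target>",
// so unexpected shapes are rejected rather than guessed at.
function parseRefresh(value) {
  const m = /^\s*(\d+)(?:\.\d*)?\s*(?:[;,]\s*(.*))?$/s.exec(String(value));
  if (!m) return null;
  let target = (m[2] || '').trim().replace(/^url\s*=\s*/i, '');
  const quote = target[0];
  if (quote === '"' || quote === "'") {
    const end = target.indexOf(quote, 1);
    target = target.slice(1, end === -1 ? undefined : end);
  }
  return { delay: Number(m[1]), target: target || null };
}

// Resolve the target the way a browser would (relative to the page URL) and
// accept it only if the resulting scheme is http: or https:. The WHATWG URL
// parser strips tabs/newlines and lowercases the scheme, so obfuscated
// spellings of javascript: are normalised before the comparison.
function checkRefresh(value, pageUrl) {
  const parsed = parseRefresh(value);
  if (!parsed) return { ok: false, reason: 'malformed' };
  if (parsed.target === null) return { ok: true, reason: 'reload' };
  let url;
  try {
    url = new URL(parsed.target, pageUrl);
  } catch {
    return { ok: false, reason: 'unparseable target' };
  }
  return ALLOWED_SCHEMES.has(url.protocol)
    ? { ok: true, reason: url.href }
    : { ok: false, reason: 'scheme ' + url.protocol };
}

// Drop Refresh from an outgoing header map when the check fails.
function stripUnsafeRefresh(headers, pageUrl) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const bad = name.toLowerCase() === 'refresh' && !checkRefresh(value, pageUrl).ok;
    if (!bad) out[name] = value;
  }
  return out;
}
```

Applied where response headers are assembled, this keeps a user-influenced Refresh value from reaching an unpatched browser with a non-HTTP scheme.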

POST data sent to wrong site when saving web page with embedded frame
When saving the inner frame of a web page as a file when the outer page has POST data associated with it, the POST data will be incorrectly sent to the URL of the inner frame. This could potentially result in a user’s sensitive data being sent to a site for which it was not intended.

Malicious search plugins can inject code into arbitrary sites
A malicious MozSearch plugin could be created using a javascript: URI in the SearchForm value. This URI is used as the default landing page when an empty search is performed. If an attacker could get a user to install the malicious plugin and perform an empty search, the SearchForm javascript: URI would be executed within the context of the currently open page.

Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString
It is possible to create a document whose URI does not match the document’s principal using XMLHttpRequest. This type of mismatch leads to incorrect results in principal-based security checks. An attacker could use this vulnerability to execute arbitrary JavaScript within the context of another site.

moz_bug_r_a4 separately reported that XPCNativeWrapper.toString’s __proto__ comes from the wrong scope which results in calls to that function being executed in the wrong context in certain circumstances. An attacker could use this vulnerability to run arbitrary code within the context of a different site. Alternatively, if chrome were to call content.toString.call(), then attacker-defined functions could be run with chrome privileges.

XSS hazard using third-party stylesheets and XBL bindings
Sites which allow users to embed third-party stylesheets are vulnerable to script injection attacks using XBL bindings. While this behavior was documented previously, it was determined that this particular risk was not well-understood by some websites. To mitigate this risk Mozilla added a restriction that requires XBL bindings to come from the same origin as the bound document.

Same-origin violations when Adobe Flash loaded via view-source: scheme
When an Adobe Flash file is loaded via the view-source: scheme, the Flash plugin misinterprets the origin of the content as localhost, leading to two specific vulnerabilities:

1. The Flash file can bypass restrictions imposed by the crossdomain.xml mechanism and initiate HTTP requests to arbitrary third-party sites. This vulnerability could be used by an attacker to perform CSRF attacks against these sites.
2. The Flash file, being treated as a local resource, can read and write Local Shared Objects on a user’s machine. This vulnerability could be used by an attacker to place cookie-like objects on a user’s computer and track them across multiple sites.

Additionally, the jar: protocol could be used to bypass restrictions normally preventing content loaded via view-source: from being rendered.

jar: scheme ignores the content-disposition: header on the inner URI
When the jar: scheme is used to wrap a URI which serves the content with Content-Disposition: attachment, the HTTP header is ignored and the content is unpacked and displayed inline. A site may depend on this HTTP header to prevent potentially untrusted content that it serves from executing within the context of the site. An attacker could use this vulnerability to subvert sites using this mechanism to mitigate content injection attacks.

This vulnerability has not been fixed on the Mozilla 1.8.1 branch, which is used to build Firefox 2 and Thunderbird 2. However, note that there are several mitigating factors which prevent easy exploitation of this issue. In order for a website to be exploitable it must:

1. Allow users to upload arbitrary content
2. Allow users to set arbitrary MIME types, or specifically serve .jar files as application/java-archive or application/x-jar
3. Serve the .jar files from a domain containing sensitive content which would otherwise be protected using Content-Disposition: attachment.

URL spoofing with box drawing character
Unicode box drawing characters were allowed in Internationalized Domain Names (IDN) where they could be visually confused with punctuation used in valid web addresses. This could be combined with a phishing-type scam to trick a victim into thinking they were on a different website than they actually were.

Crashes with evidence of memory corruption (rv:1.9.0.9)
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
