Firefox 3.0.11 fixes several security issues
Mozilla released Firefox 3.0.11 that fixes several security issues.
MFSA 2009-32 JavaScript chrome privilege escalation
Mozilla security researcher moz_bug_r_a4 reported a vulnerability which allows scripts from page content to run with elevated privileges. Using this vulnerability, an attacker could cause a chrome privileged object, such as the browser sidebar or the FeedWriter, to interact with web content in such a way that attacker controlled code may be executed with the object’s chrome privileges.
MFSA 2009-31 XUL scripts bypass content-policy checks
Mozilla add-on developer and community member Wladimir Palant reported that content-loading policies were not checked before loading external script files into XUL documents. The severity of this problem would depend on the reasons behind the content policy check, which include privacy from “web bugs” in Thunderbird mail messages, blocking of Ads and Ad-server tracking in AdBlock Plus, and preventing the running of scripts in NoScript.
MFSA 2009-30 Incorrect principal set for file: resources loaded via location bar
Security researchers Adam Barth and Collin Jackson reported that when a file: resource is loaded via the location bar it inherits the principal of the previously loaded document. This vulnerability can potentially give the newly loaded document additional privileges to access the contents of other local files that it wouldn’t otherwise have permission to read.
MFSA 2009-29 Arbitrary code execution using event listeners attached to an element whose owner document is null
Mozilla security researcher moz_bug_r_a4 reported that the owner document of an element can become null after garbage collection. In such cases, event listeners may be executed within the wrong JavaScript context. An attacker could potentially use this vulnerability to have a malicious event handler execute arbitrary JavaScript with chrome privileges.
MFSA 2009-28 Race condition while accessing the private data of a NPObject JS wrapper class object
Jakob Balle and Carsten Eiram of Secunia Research reported a race condition in NPObjWrapper_NewResolve when accessing the properties of a NPObject, a wrapped JSObject. Balle and Eiram demonstrated that this condition could be reached by navigating away from a web page during the loading of a Java applet. Under such conditions the Java object would be destroyed but later called into resulting in a free memory read. It might be possible for an attacker to write to the freed memory before it is reused and run arbitrary code on the victim’s computer.
MFSA 2009-27 SSL tampering via non-200 responses to proxy CONNECT requests
Microsoft security researchers Shuo Chen, Ziqing Mao, Yi-Min Wang, and Ming Zhang reported that when a CONNECT request is sent to a proxy server and a non-200 response is returned, then the body of the response is incorrectly rendered within the context of the request Host: header. An active network attacker could use this vulnerability to intercept a CONNECT request and reply with a non-200 response containing malicious code which would be executed within the context of the victim’s requested SSL-protected domain. Since this attack requires the victim to have a proxy configured, the severity of this issue was determined to be high.
MFSA 2009-26 Arbitrary domain cookie access by local file: resources
Security researcher Gregory Fleischer reported that local resources loaded via the file: protocol can access any domain’s cookies which have been saved on a user’s machine. Fleischer demonstrated that a local document’s domain was being calculated incorrectly from its URL. If a victim could be persuaded to download a malicious file and then open that file in their browser, the malicious file could then steal arbitrary cookies from the victim’s computer. Due to the interaction required for this attack, the severity of the issue was determined to be moderate.
MFSA 2009-25 URL spoofing with invalid unicode characters
Mozilla add-on developer Pavel Cvrcek reported that certain invalid unicode characters, when used as part of an IDN, are displayed as whitespace in the location bar. This whitespace could be used to force part of the URL out of view in the location bar. An attacker could use this vulnerability to spoof the location bar and display a misleading URL for their malicious web page.
MFSA 2009-24 Crashes with evidence of memory corruption (rv:1.9.0.11)
Mozilla developers and community members identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.