Mozilla released Firefox 3.6.7 that fixes several security issues as well as stability issues.
Cross-origin data leakage from script filename in error messages
Security researcher Soroush Dalili reported that potentially sensitive URL parameters could be leaked across domains upon script errors when the script filename and line number is included in the error message.
Cross-domain data theft using CSS
Multiple location bar spoofing vulnerabilities
Google security researcher Michal Zalewski reported two methods for spoofing the contents of the location bar. The first method works by opening a new window containing a resource that responds with an HTTP 204 (no content) and then using the reference to the new window to insert HTML content into the blank document. The second location bar spoofing method does not require that the resource opened in a new window respond with 204, as long as the opener calls window.stop() before the document is loaded. In either case a user could be mislead as to the correct location of the document they are currently viewing.
Characters mapped to U+FFFD in 8 bit encodings cause subsequent character to vanish
Security researcher O. Andersen reported that undefined positions within various 8 bit character encodings are mapped to the sequence U+FFFD which when displayed causes the immediately following character to disappear from the text run. This could potentially contribute to XSS problems on sites which expected extra characters to be present within strings being sanitized on the server.
Same-origin bypass using canvas context
Mozilla developer Vladimir Vukicevic reported that a canvas element can be used to read data from another site, violating the same-origin policy. The read restriction placed on a canvas element which has had cross-origin data rendered into it can be bypassed by retaining a reference to the canvas element’s context and deleting the associated canvas node from the DOM.
Cross-origin data disclosure via Web Workers and importScripts
Remote code execution using malformed PNG image
OUSPG researcher Aki Helin reported a buffer overflow in Mozilla graphics code which consumes image data processed by libpng. A malformed PNG file could be created which would cause libpng to incorrectly report the size of the image to downstream consumers. When the dimensions of such images are underreported, the Mozilla code responsible for displaying the graphic will allocate too small a memory buffer to contain the image data and will wind up writing data past the end of the buffer. This could result in the execution of attacker-controlled memory.
nsTreeSelection dangling pointer remote code execution vulnerability
Security researcher regenrecht reported via TippingPoint’s Zero Day Initiative an integer overflow vulnerability in the implementation of the XUL
nsCSSValue::Array index integer overflow
Security researcher J23 reported via TippingPoint’s Zero Day Initiative that an array class used to store CSS values contained an integer overflow vulnerability. The 16 bit integer value used in allocating the size of the array could overflow, resulting in too small a memory buffer being created. When the array was later populated with CSS values data would be written past the end of the buffer potentially resulting in the execution of attacker-controlled memory.
Arbitrary code execution using SJOW and fast native function
Plugin parameter EnsureCachedAttrParamArrays remote code execution vulnerability
Security researcher J23 reported an error in the code used to store the names and values of plugin parameter elements. A malicious page could embed plugin content containing a very large number of parameter elements which would cause an overflow in the integer value counting them. This integer is later used in allocating a memory buffer used to store the plugin parameters. Under such conditions, too small a buffer would be created and attacker-controlled data could be written past the end of the buffer, potentially resulting in code execution.
Use-after-free error in NodeIterator
Security researcher regenrecht reported an error in Mozilla’s implementation of NodeIterator in which a malicious NodeFilter could be created which would detach nodes from the DOM tree while it was being traversed. The use of a detached and subsequently deleted node could result in the execution of attacker-controlled memory.
DOM attribute cloning remote code execution vulnerability
Security researcher regenrecht reported an error in the DOM attribute cloning routine where under certain circumstances an event attribute node can be deleted while another object still contains a reference to it. This reference could subsequently be accessed, potentially causing the execution of attacker controlled memory.
Miscellaneous memory safety hazards (rv:18.104.22.168/ 22.214.171.124)
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.