Mozilla released Firefox 3.6.13, which fixes several security issues.
Miscellaneous memory safety hazards (rv:188.8.131.52/ 184.108.40.206)
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
Buffer overflow while line breaking after document.write with long string
On Windows platforms, when document.write() was called with a very long string, a buffer overflow occurred in the line-breaking routines that process the string for display. Such cases triggered an invalid read past the end of an array, causing a crash which an attacker could potentially use to run arbitrary code on a victim’s computer.
Chrome privilege escalation with window.open and isindex element
Security researcher echo reported that a web page could open a window with an about:blank location and then inject an isindex element into that page which upon submission would redirect to a chrome: document. The effect of this defect was that the original page would wind up with a reference to a chrome-privileged object, the opened window, which could be leveraged for privilege escalation attacks.
Crash and remote code execution using HTML tags inside a XUL tree
When a XUL tree had an HTML div element nested inside a treechildren element, the code that displays content in the XUL tree would incorrectly treat the div element as a parent node of the tree content underneath it, so incorrect indexes were calculated for the child content. These incorrect indexes were used in subsequent array operations, which resulted in writing data past the end of an allocated buffer. An attacker could use this issue to crash a victim’s browser and run arbitrary code on their machine.
Add support for OTS font sanitizer
Mozilla added the OTS font sanitizing library to prevent downloadable fonts from exposing vulnerabilities in the underlying OS font code.
Java security bypass from LiveConnect loaded via data: URL meta refresh
When a Java LiveConnect script was loaded via a data: URL that redirects via a meta refresh, the resulting plugin object was created with the wrong security principal and thus received elevated privileges, such as the ability to read local files, launch processes, and create network connections.
Use-after-free error with nsDOMAttribute MutationObserver
An nsDOMAttribute node can be modified without informing the iterator object responsible for various DOM traversals. This flaw could lead to an inconsistent state where the iterator points to an object it believes is part of the DOM but actually points to some other object. If such an object had been deleted and its memory reclaimed by the system, then the iterator could be used to call into attacker-controlled memory.
Integer overflow vulnerability in NewIdArray
Incomplete fix for CVE-2010-0179
Location bar SSL spoofing using network error page
When a window was opened to a site resulting in a network or certificate error page, the opening site could access the document inside the opened window and inject arbitrary content. An attacker could use this bug to spoof the location bar and trick a user into thinking they were on a different site than they actually were.
XSS hazard in multiple character encodings
The x-mac-arabic, x-mac-farsi and x-mac-hebrew character encodings are vulnerable to XSS attacks due to some characters being converted to angle brackets when displayed by the rendering engine. Sites using these character encodings would thus be potentially vulnerable to script injection attacks if their script filtering code fails to strip out these specific characters.
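For site owners, the character-encoding issue above comes down to filtering decoded text rather than raw bytes. The following is an added example, not code from Mozilla or from the advisory: it assumes Python's built-in mac_arabic codec as a stand-in for x-mac-arabic (its table is not guaranteed to match Firefox's byte for byte), and all function names and the sample input are constructed for illustration.

```python
import html

# Assumption: Python's "mac_arabic" codec stands in for the page's x-mac-arabic.
CHARSET = "mac_arabic"


def bracket_aliases(charset):
    """Map each non-ASCII byte value that decodes to '<' or '>' in charset."""
    aliases = {}
    for value in range(0x80, 0x100):
        try:
            char = bytes([value]).decode(charset)
        except UnicodeDecodeError:
            continue  # byte is undefined in this charset
        if char in "<>":
            aliases[value] = char
    return aliases


def naive_byte_filter(raw):
    """Weak filter: strips only the ASCII bytes 0x3C and 0x3E."""
    return raw.replace(b"<", b"").replace(b">", b"")


def render(raw, charset):
    """Text a renderer would see when it decodes raw with the declared charset."""
    return raw.decode(charset, errors="replace")


def safe_escape(raw, charset):
    """Hardened form: decode with the declared charset first, then HTML-escape."""
    return html.escape(raw.decode(charset, errors="replace"))


def constructed_sample(charset):
    """Constructed input: a harmless bold tag spelled with alias bytes only."""
    by_char = {char: value for value, char in bracket_aliases(charset).items()}
    return bytes([by_char["<"]]) + b"b" + bytes([by_char[">"]])


if __name__ == "__main__":
    sample = constructed_sample(CHARSET)
    print("alias bytes:", {hex(k): v for k, v in bracket_aliases(CHARSET).items()})
    print("after byte filter, rendered:", render(naive_byte_filter(sample), CHARSET))
    print("decoded then escaped:", safe_escape(sample, CHARSET))
```

Serving pages as UTF-8 and escaping after decoding removes the dependency on knowing which bytes a legacy charset maps to angle brackets.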