Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to disclose sensitive information, bypass certain security restrictions, or to compromise a user's system.
1) Multiple errors in the browser engine can be exploited to corrupt memory and potentially execute arbitrary code.
2) An error in the handling of multipart/x-mixed-replace resources can be exploited to corrupt memory and potentially execute arbitrary code.
This vulnerability only affects version 3.5.x.
These errors only affect version 3.6.x.
5) A use-after-free error exists in "nsCycleCollector::MarkRoots()", which can result in the use of an invalid pointer and allows execution of arbitrary code.
6) A use-after-free error in the handling of object references among multiple plugin instances can be exploited to trigger the use of an invalid pointer and execute arbitrary code.
7) An integer overflow error exists in "nsGenericDOMDataNode::SetTextInternal" within the handling of text values for certain types of DOM nodes. This can be exploited to cause a heap-based buffer overflow via overly large strings.
8) An integer overflow error in an XSLT node sorting routine can be exploited to cause a buffer overflow and potentially execute arbitrary code via a node containing an overly large text value.
9) A weakness is caused by "focus()" allowing user input to be directed to unintended locations, e.g. an embedded iframe from another domain.
10) The HTTP "Content-Disposition: attachment" header is ignored when "Content-Type: multipart" is also present. This can result in security features being bypassed in sites that allow users to upload arbitrary files and specify a "Content-Type" but rely on "Content-Disposition: attachment" to prevent the content from being displayed inline.
11) A weakness exists due to the pseudo-random number generator being seeded only once per browsing session, which can be exploited to disclose the value used to seed "Math.random()" and potentially identify and track users across different web sites.
Solution: Update to version 3.5.10 or 3.6.4.
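For sites in the situation described in item 10, a server-side check and hardening, as an added example that is not part of the original advisory. The allowlist, the function names and the sample headers are assumptions constructed for illustration.

```python
import re

# Assumed allowlist for illustration; choose the types your site actually serves.
SAFE_TYPES = {"image/png", "image/jpeg", "image/gif", "application/pdf", "text/plain"}
FALLBACK = "application/octet-stream"

def media_type(value):
    """Lower-cased type/subtype of a Content-Type value, parameters dropped."""
    return (value or "").split(";", 1)[0].strip().lower()

def normalize_content_type(user_supplied):
    """Never echo the uploader's Content-Type; serve an allowlisted type or FALLBACK."""
    mt = media_type(user_supplied)
    return mt if mt in SAFE_TYPES else FALLBACK

def safe_filename(name):
    """Strip path components and any character that could break the header."""
    base = (name or "").replace("\\", "/").rsplit("/", 1)[-1]
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return cleaned[:100] or "download"

def download_headers(user_supplied_type, filename):
    """Response headers for serving an uploaded file as a download."""
    return {
        "Content-Type": normalize_content_type(user_supplied_type),
        "Content-Disposition": f'attachment; filename="{safe_filename(filename)}"',
        "X-Content-Type-Options": "nosniff",
    }

def relies_on_ignored_attachment(headers):
    """True for the combination in item 10: 'attachment' paired with a multipart type."""
    h = {k.lower(): v for k, v in headers.items()}
    disposition = h.get("content-disposition", "").strip().lower()
    return disposition.startswith("attachment") and media_type(h.get("content-type")).startswith("multipart/")

if __name__ == "__main__":
    # Constructed sample: headers a site would send if it echoed the uploader's type.
    stored = {"Content-Type": "multipart/x-mixed-replace; boundary=x",
              "Content-Disposition": 'attachment; filename="report.html"'}
    print(relies_on_ignored_attachment(stored))
    fixed = download_headers(stored["Content-Type"], "report.html")
    print(fixed, relies_on_ignored_attachment(fixed))
```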
Provided and/or discovered by:
8) Martin Barbella, reported via ZDI.
9) Michal Zalewski
The vendor credits:
1) Olli Pettay, Martijn Wargers, Justin Lebar, Jesse Ruderman, Ben Turner, Jonathan Kew, and David Humphrey
2) boardraider and stedenon
3) Bob Clary, Igor Bukanov, Gary Kwong, and Andreas Gal
4) Gary Kwong and David Anderson
5) wushi of team509
6) Microsoft Vulnerability Research
7) Nils of MWR InfoSecurity
10) Ilja van Sprundel of IOActive
11) Amit Klein
Original Advisory: Mozilla Foundation: