Some vulnerabilities have been reported in Mozilla Firefox, Thunderbird, and SeaMonkey, which can be exploited by malicious people to bypass certain security restrictions and compromise a user's system.
1) The protected "location" object is accessible by other domain objects, which can be exploited to bypass the same origin policy and gain access to sensitive information.
2) An unspecified error within the "FT2FontEntry::CreateFontEntry()" function can be exploited to corrupt memory.
3) An unspecified error within the "mozilla::net::FailDelayManager::Lookup()" function when handling certain websockets can be exploited to corrupt memory.
4) An error within security wrappers does not unwrap the "defaultValue" properly and can be exploited to gain access to the "location" object.
The vulnerabilities are reported in Firefox and Thunderbird versions prior to 16.0.1 and SeaMonkey versions prior to 2.13.1.
Solution: Update Firefox and Thunderbird to versions 16.0.1 and SeaMonkey to version 2.13.1.
Provided and/or discovered by: 1) Gareth Heyes
2, 3) Reported by the vendor.
4) The vendor credits moz_bug_r_a4.
Original Advisory: Mozilla:
Do you have additional information related to this advisory?
Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this
information to firstname.lastname@example.org
Subject: Mozilla Firefox / Thunderbird / SeaMonkey Multiple Vulnerabilities
RE: Mozilla Firefox Cross-Domain "location" Object Access Vulnerability
11th Oct, 2012 11:55
Score: -10 Posts: 11 User Since: 14th Dec 2011 System Score: N/A Location: UK Last edited on 11th Oct, 2012 11:55
Just seen this http://www.pcadvisor.co.uk/news/security/3404407/f... so if you upgraded any PCs to FF16 then roll them back to FF15 ASAP. So to downgrade get the Firefox 15.0.1 installable and run that. It will seem as if you are upgrading but it will roll back to 15.0.1 safely with no loss of data or settings.
PSI will report an insecurity in FF but you will have to ignore that until Mozilla issue an updated and fixed version of FF.