Jump to content

Advisories MDVSA-2010:251: firefox


Recommended Posts

Security issues were identified and fixed in firefox:


Security researchers Yosuke Hasegawa and Masatoshi Kimura reported that

the x-mac-arabic, x-mac-farsi and x-mac-hebrew character encodings are

vulnerable to XSS attacks due to some characters being converted to

angle brackets when displayed by the rendering engine. Sites using

these character encodings would thus be potentially vulnerable to

script injection attacks if their script filtering code fails to

strip out these specific characters (CVE-2010-3770).


Google security researcher Michal Zalewski reported that when a

window was opened to a site resulting in a network or certificate

error page, the opening site could access the document inside the

opened window and inject arbitrary content. An attacker could use

this bug to spoof the location bar and trick a user into thinking

they were on a different site than they actually were (CVE-2010-3774).


Mozilla security researcher moz_bug_r_a4 reported that the fix for

CVE-2010-0179 could be circumvented permitting the execution of

arbitrary JavaScript with chrome privileges (CVE-2010-3773).


Security researcher regenrecht reported via TippingPoint's Zero

Day Initiative that JavaScript arrays were vulnerable to an integer

overflow vulnerability. The report demonstrated that an array could

be constructed containing a very large number of items such that when

memory was allocated to store the array items, the integer value used

to calculate the buffer size would overflow resulting in too small a

buffer being allocated. Subsequent use of the array object could then

result in data being written past the end of the buffer and causing

memory corruption (CVE-2010-3767).


Security researcher regenrecht reported via TippingPoint's Zero Day

Initiative that a nsDOMAttribute node can be modified without informing

the iterator object responsible for various DOM traversals. This

flaw could lead to a inconsistent state where the iterator points

to an object it believes is part of the DOM but actually points to

some other object. If such an object had been deleted and its memory

reclaimed by the system, then the iterator could be used to call into

attacker-controlled memory (CVE-2010-3766).


Security researcher Gregory Fleischer reported that when a Java

LiveConnect script was loaded via a data: URL which redirects via a

meta refresh, then the resulting plugin object was created with the

wrong security principal and thus received elevated privileges such

as the abilities to read local files, launch processes, and create

network connections (CVE-2010-3775).


Mozilla added the OTS font sanitizing library to prevent downloadable

fonts from exposing vulnerabilities in the underlying OS font

code. This library mitigates against several issues independently

reported by Red Hat Security Response Team member Marc Schoenefeld

and Mozilla security researcher Christoph Diehl (CVE-2010-3768).


Security researcher wushi of team509 reported that when a XUL

tree had an HTML <div> element nested inside a

element then code attempting to display content in the XUL tree would

incorrectly treat the <div> element as a parent node to tree content

underneath it resulting in incorrect indexes being calculated for the

child content. These incorrect indexes were used in subsequent array

operations which resulted in writing data past the end of an allocated

buffer. An attacker could use this issue to crash a victim's browser

and run arbitrary code on their machine (CVE-2010-3772).


Security researcher echo reported that a web page could open a window

with an about:blank location and then inject an element

into that page which upon submission would redirect to a chrome:

document. The effect of this defect was that the original page would

wind up with a reference to a chrome-privileged object, the opened

window, which could be leveraged for privilege escalation attacks



Dirk Heinrich reported that on Windows platforms when document.write()

was called with a very long string a buffer overflow was caused in line

breaking routines attempting to process the string for display. Such

cases triggered an invalid read past the end of an array causing a

crash which an attacker could potentially use to run arbitrary code

on a victim's computer (CVE-2010-3769).


Mozilla developers identified and fixed several memory safety

bugs in the browser engine used in Firefox and other Mozilla-based

products. Some of these bugs showed evidence of memory corruption

under certain circumstances, and we presume that with enough effort

at least some of these could be exploited to run arbitrary code

(CVE-2010-3776, CVE-2010-3777).


Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:



Additionally, some packages which require so, have been rebuilt and

are being provided as updates.

Link to comment
Share on other sites

This topic is now closed to further replies.

  • Create New...