Heap overrun in XBM image processing
jackerror reports that an improperly terminated XBM image
ending with space characters instead of the expected end
tag can lead to a heap buffer overrun. This appears to be
exploitable to install or run malicious code on the user's
machine.
Thunderbird does not support the XBM format and is not
affected by this flaw.
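The failure described above is a decoder that keeps writing pixel bytes past the end of its heap buffer when the input stops early. As an added illustration (not Mozilla's image code; the names xbm_parse, xbm_status and the sample inputs are this example's own), here is a small XBM decoder in which every write into the pixel buffer is checked against the size derived from the header, and running out of input while still inside the byte list (the "ends with spaces, no closing brace" case) is reported as an error instead of being treated as a complete image:

```c
/* Added example, not Mozilla code: a bounds-checked XBM decoder.
 * XBM is C source: "#define name_width W", "#define name_height H",
 * then "static unsigned char name_bits[] = { 0x.., ... };". */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

enum xbm_status {
    XBM_OK = 0,
    XBM_BAD_HEADER,   /* missing or invalid _width, _height or '{' */
    XBM_BAD_DATA,     /* a token in the byte list is not a byte literal */
    XBM_TOO_LARGE,    /* refuse absurd allocations up front */
    XBM_UNTERMINATED, /* input ended before the closing '}' */
    XBM_OVERFLOW,     /* more bytes than the header allows */
    XBM_SHORT,        /* fewer bytes than the header requires */
    XBM_OOM
};

struct xbm_image {
    unsigned width, height;
    size_t nbytes;       /* ((width + 7) / 8) * height */
    unsigned char *bits; /* heap buffer of exactly nbytes */
};

/* Read the decimal value after "#define <name><suffix>"; rejects 0 and > 65535. */
static int xbm_define(const char *src, const char *suffix, unsigned *out)
{
    const char *p = strstr(src, suffix);
    char *end;
    if (!p) return 0;
    p += strlen(suffix);
    while (*p == ' ' || *p == '\t') p++;
    unsigned long v = strtoul(p, &end, 10);
    if (end == p || v == 0 || v > 65535UL) return 0;
    *out = (unsigned)v;
    return 1;
}

static enum xbm_status xbm_fail(struct xbm_image *img, enum xbm_status st)
{
    free(img->bits);
    img->bits = NULL;
    return st;
}

enum xbm_status xbm_parse(const char *src, struct xbm_image *img)
{
    memset(img, 0, sizeof *img);
    if (!xbm_define(src, "_width", &img->width) ||
        !xbm_define(src, "_height", &img->height))
        return XBM_BAD_HEADER;
    /* Both dimensions are <= 65535, so this product fits in size_t. */
    img->nbytes = (((size_t)img->width + 7) / 8) * img->height;
    if (img->nbytes > (size_t)16 * 1024 * 1024) return XBM_TOO_LARGE;

    const char *p = strchr(src, '{');
    if (!p) return XBM_BAD_HEADER;
    p++;
    img->bits = calloc(img->nbytes, 1);
    if (!img->bits) return XBM_OOM;

    size_t n = 0;
    for (;;) {
        /* Skip separators. Reaching NUL here is the "ends with spaces" case:
         * report it rather than assuming the image is complete. */
        while (*p && (isspace((unsigned char)*p) || *p == ',')) p++;
        if (*p == '\0') return xbm_fail(img, XBM_UNTERMINATED);
        if (*p == '}') break;
        char *end;
        unsigned long v = strtoul(p, &end, 0); /* base 0 accepts 0x.. literals */
        if (end == p || v > 0xFFUL) return xbm_fail(img, XBM_BAD_DATA);
        if (n >= img->nbytes) return xbm_fail(img, XBM_OVERFLOW); /* bounds check on every write */
        img->bits[n++] = (unsigned char)v;
        p = end;
    }
    if (n < img->nbytes) return xbm_fail(img, XBM_SHORT);
    return XBM_OK;
}

/* Wrappers: parse and free, returning the status, or one pixel byte (-1 on error). */
int xbm_parse_status(const char *src)
{
    struct xbm_image img;
    enum xbm_status st = xbm_parse(src, &img);
    free(img.bits);
    return (int)st;
}

int xbm_byte_at(const char *src, size_t idx)
{
    struct xbm_image img;
    int v = -1;
    if (xbm_parse(src, &img) == XBM_OK && idx < img.nbytes) v = img.bits[idx];
    free(img.bits);
    return v;
}

/* Constructed inputs: a valid 12x2 image, one that trails off into spaces
 * with no closing "};", and one carrying more bytes than its header allows. */
static const char XBM_GOOD[] =
    "#define sample_width 12\n#define sample_height 2\n"
    "static unsigned char sample_bits[] = {\n   0xff, 0x0f, 0x01, 0x00 };\n";
static const char XBM_TRAILING_SPACES[] =
    "#define t_width 8\n#define t_height 1\n"
    "static unsigned char t_bits[] = {\n   0x01      ";
static const char XBM_EXTRA_BYTES[] =
    "#define t_width 8\n#define t_height 1\n"
    "static unsigned char t_bits[] = {\n   0x01, 0x02 };\n";
```

The two checks that matter for this class of bug are the NUL test inside the separator loop and the `n >= img->nbytes` test before each store; a decoder that counts on the closing brace to stop it, or that sizes its buffer from something other than the header it already validated, has neither.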
Crash on "zero-width non-joiner" sequence
Mats Palmgren discovered that a reported crash on Unicode
sequences with "zero-width non-joiner" characters was due
to stack corruption that may be exploitable.
XMLHttpRequest header spoofing
It was possible to add illegal and malformed headers to
an XMLHttpRequest. This could have been used to exploit
server or proxy flaws from the user's machine, or to fool
a server or proxy into thinking a single request was a
stream of separate requests. The severity of this
vulnerability depends on the value of servers which might
be vulnerable to HTTP request smuggling and similar
attacks, or which share an IP address (virtual hosting)
with the attacker's page.
For users connecting to the web through a proxy this flaw
could be used to bypass the same-origin restriction on
XMLHttpRequests by fooling the proxy into handling a
single request as multiple pipelined requests directed at
arbitrary hosts. This could be used, for example, to read
files on intranet servers behind a firewall.
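The two defences this section implies are, on the client side, refusing header names and values that are not valid HTTP field syntax (in particular anything containing CR or LF, which is what turns one request into several on the wire), and, on the server or proxy side, rejecting requests whose body length can be framed two different ways. As an added example written for this advisory (not Mozilla or any proxy's code; the function and constant names and the header lists are this example's own), here are both checks in C, following the field-name and field-value grammar and the framing rule of RFC 7230:

```c
/* Added example, not Mozilla code: validate one header as a client would on
 * setRequestHeader, and check a parsed header list for ambiguous framing
 * as a proxy would. */
#include <stddef.h>
#include <string.h>

enum hdr_status {
    HDR_OK = 0,
    HDR_BAD_NAME,         /* name is not an RFC 7230 token */
    HDR_CRLF_INJECTION,   /* CR or LF in name or value would end the header line */
    HDR_BAD_VALUE,        /* other control characters in the value */
    HDR_AMBIGUOUS_FRAMING /* body length can be read two different ways */
};

/* tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
 *         "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA   (RFC 7230 section 3.2.6) */
static int is_tchar(unsigned char c)
{
    if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9'))
        return 1;
    return c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

enum hdr_status check_header(const char *name, const char *value)
{
    const unsigned char *p;
    if (*name == '\0') return HDR_BAD_NAME;
    for (p = (const unsigned char *)name; *p; p++) {
        if (*p == '\r' || *p == '\n') return HDR_CRLF_INJECTION;
        if (!is_tchar(*p)) return HDR_BAD_NAME;
    }
    /* field-value = VCHAR / obs-text / SP / HTAB. CR and LF get their own
     * status because they are what splits one request into two. */
    for (p = (const unsigned char *)value; *p; p++) {
        if (*p == '\r' || *p == '\n') return HDR_CRLF_INJECTION;
        if ((*p < 0x20 && *p != '\t') || *p == 0x7F) return HDR_BAD_VALUE;
    }
    return HDR_OK;
}

/* ASCII case-insensitive comparison of header names. */
static int name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++) {
        unsigned char x = (unsigned char)*a, y = (unsigned char)*b;
        if (x >= 'A' && x <= 'Z') x += 32;
        if (y >= 'A' && y <= 'Z') y += 32;
        if (x != y) return 0;
    }
    return *a == '\0' && *b == '\0';
}

/* Proxy-side check over a parsed header list: Transfer-Encoding together with
 * Content-Length, or several Content-Length values that disagree, lets the
 * next hop frame the body differently (RFC 7230 section 3.3.3), which is the
 * ambiguity request smuggling relies on. Reject rather than guess. */
enum hdr_status check_request_framing(const char *const names[],
                                      const char *const values[], size_t n)
{
    const char *content_length = NULL;
    int has_te = 0;
    size_t i;
    for (i = 0; i < n; i++) {
        enum hdr_status st = check_header(names[i], values[i]);
        if (st != HDR_OK) return st;
        if (name_eq(names[i], "Transfer-Encoding")) has_te = 1;
        if (name_eq(names[i], "Content-Length")) {
            if (content_length && strcmp(content_length, values[i]) != 0)
                return HDR_AMBIGUOUS_FRAMING;
            content_length = values[i];
        }
    }
    return (has_te && content_length) ? HDR_AMBIGUOUS_FRAMING : HDR_OK;
}

/* Constructed header lists: two ambiguous requests and one clean one. */
static const char *const TE_CL_NAMES[]   = {"Host", "Content-Length", "Transfer-Encoding"};
static const char *const TE_CL_VALUES[]  = {"example.test", "4", "chunked"};
static const char *const DUP_CL_NAMES[]  = {"Host", "Content-Length", "Content-Length"};
static const char *const DUP_CL_VALUES[] = {"example.test", "4", "11"};
static const char *const CLEAN_NAMES[]   = {"Host", "Content-Length"};
static const char *const CLEAN_VALUES[]  = {"example.test", "4"};
```

The client-side check is the one the advisory's fix corresponds to: a browser that runs `check_header` before accepting a script-supplied header cannot be made to emit a header line it did not intend. The framing check is the complementary defence for the proxies and servers the section says bear the real severity, since they cannot assume every client validates its headers.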
Object spoofing using XBL <implements>
moz_bug_r_a4 demonstrated a DOM object spoofing bug
similar to MFSA 2005-55 using an XBL control that <implements>
an internal interface. The severity depends on the version
of Firefox: investigation so far indicates Firefox 1.0.x
releases don't expose any vulnerable functionality to
interfaces spoofed in this way, but that early Deer Park
Alpha 1 versions did.
XBL was changed to no longer allow unprivileged controls
from web content to implement XPCOM interfaces.
JavaScript integer overflow
Georgi Guninski reported an integer overflow in the
JavaScript engine. We presume this could be exploited to
run arbitrary code under favorable conditions.
Privilege escalation using about: scheme
heatsync and shutdown report two different ways to bypass
the restriction on loading high privileged "chrome" pages
from an unprivileged "about:" page. By itself this is
harmless--once the "about" page's privilege is raised the
original page no longer has access--but should this be
combined with a same-origin violation this could lead to
arbitrary code execution.
Chrome window spoofing
moz_bug_r_a4 demonstrates a way to get a blank "chrome"
canvas by opening a window from a reference to a closed
window. The resulting window is not privileged, but the
normal browser UI is missing and can be used to construct
a spoof page without any of the safety features of the
browser chrome designed to alert users to phishing sites,
such as the address bar and the status bar.