Mozilla Foundation Security Advisory 2011-51

Cross-origin image theft on Mac with integrated Intel GPU

Announced

November 8, 2011

Reporter

Claus Wahlers

Impact

High

Products

Firefox, SeaMonkey, Thunderbird

Fixed in

Firefox 8
SeaMonkey 2.5
Thunderbird 8

Description

Claus Wahlers reported that random images from GPU memory were showing up in WebGL textures. Once incorporated into the WebGL graphics it is possible for a site to programatically read the image data and potentially gain sensitive data from other things that had been displayed earlier. This problem is due to a bug in the driver for Intel integrated GPUs on recent Mac OS X hardware, and the problem can be seen in WebGL implementations from other vendors. Mozilla has implemented a work-around to prevent this from happening with this hardware-driver combination.

References

https://bugzilla.mozilla.org/show_bug_cgi?id=684882
CVE-2011-3653

Mozilla VPN

Mozilla Monitor

Firefox Relay

MDN Plus

Thunderbird

About Mozilla

The Mozilla Manifesto

Get Involved

Blog