Mozilla Foundation Security Advisory 2012-83
Title: Chrome Object Wrapper (COW) does not
disallow access to privileged functions or properties
Announced: October 9, 2012
Reporter: Mariusz Mlynski
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 16
Firefox ESR 10.0.8
Thunderbird ESR 10.0.8
Security researcher Mariusz Mlynski reported that when InstallTrigger fails, it throws an error wrapped in a Chrome Object Wrapper (COW) that fails to specify exposed properties. These can then be added to the resulting object by an attacker, allowing access to chrome privileged functions through script.
While investigating this issue, Mozilla security researcher moz_bug_r_a4 found that COW did not disallow accessing of properties from a standard prototype in some situations, even when the original issue had been fixed.
These issues could allow for a cross-site scripting (XSS) attack or arbitrary code execution.
In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products.