Mozilla Foundation Security Advisory 2006-53

UniversalBrowserRead privilege escalation

Announced
July 25, 2006
Reporter
shutdown
Impact
Moderate
Products
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 1.5.0.5
  • SeaMonkey 1.0.3
  • Thunderbird 1.5.0.5

Description

shutdown reports that scripts granted the UniversalBrowserRead privilege can leverage that into the equivalent of the far more powerful UniversalXPConnect since they are allowed to "read" into a privileged context. This allows the attacker the ability to run scripts with the full privelege of the user running the browser, possibly installing malware or snooping on private data. This has been fixed so that UniversalBrowserRead and UniversalBrowserWrite are limited to reading from and writing into only normally-privileged browser windows and frames.

Thunderbird shares the browser engine with Firefox and would be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from enabling JavaScript in mail.

Workaround

UniversalBrowserRead privileges should not be granted to sites found on the internet. Even after fixing this vulnerability that permission by design allows the privileged script to read potentially sensitive data from any other site it wishes, including those it opens without your knowledge (in a hidden frame, for example). You should grant enhanced privileges only when a trusted system administrator tells you that it is safe to do so.

References