Privilege escalation via XPCnativeWrapper pollution
- September 23, 2008
- moz_bug_r_a4, Olli Pettay
- Firefox, SeaMonkey, Thunderbird
- Fixed in
- Firefox 220.127.116.11
- Firefox 3.0.2
- SeaMonkey 1.1.12
- Thunderbird 18.104.22.168
Mozilla security researcher moz_bug_r_a4 reported a series of vulnerabilities by which page content can pollute XPCNativeWrappers and have arbitrary code run with chrome privileges. One variant reported by moz_bug_r_a4 only affected Firefox 2.
Mozilla developer Olli Pettay reported that XSLT can
create documents which do not have script handling objects. moz_bug_r_a4
also reported that
document.loadBindingDocument() returns a
document that does not have a script handling object. These issues could
also be used by an attacker to run arbitrary script with chrome privileges.