Mozilla Foundation Security Advisory 2012-83

Chrome Object Wrapper (COW) does not disallow access to privileged functions or properties

October 9, 2012
Mariusz Mlynski
Firefox, Firefox ESR, SeaMonkey, Thunderbird, Thunderbird ESR
Fixed in
  • Firefox 16
  • Firefox ESR 10.0.8
  • SeaMonkey 2.13
  • Thunderbird 16
  • Thunderbird ESR 10.0.8


Security researcher Mariusz Mlynski reported that when InstallTrigger fails, it throws an error wrapped in a Chrome Object Wrapper (COW) that fails to specify exposed properties. These can then be added to the resulting object by an attacker, allowing access to chrome privileged functions through script.

While investigating this issue, Mozilla security researcher moz_bug_r_a4 found that COW did not disallow accessing of properties from a standard prototype in some situations, even when the original issue had been fixed.

These issues could allow for a cross-site scripting (XSS) attack or arbitrary code execution.

In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products.