Mozilla Foundation Security Advisory 2013-51

Privileged content access and execution via XBL

Announced
June 25, 2013
Reporter
Mariusz Mlynski
Impact
Critical
Products
Firefox, Firefox ESR, SeaMonkey, Thunderbird, Thunderbird ESR
Fixed in
  • Firefox 22
  • Firefox ESR 17.0.7
  • SeaMonkey 2.19
  • Thunderbird 17.0.7
  • Thunderbird ESR 17.0.7

Description

Security researcher Mariusz Mlynski reported that it is possible to compile a user-defined function in the XBL scope of a specific element and then trigger an event within this scope to run code. In some circumstances, when this code is run, it can access content protected by System Only Wrappers (SOW) and chrome-privileged pages. This could potentially lead to arbitrary code execution. Additionally, Chrome Object Wrappers (COW) can be bypassed by web content to access privileged methods, leading to a cross-site scripting (XSS) attack from privileged pages.

In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products.

References