Older Vulnerabilities in Mozilla Products

This page archives security announcements made for older versions of Mozilla projects. Please see the active Known Vulnerabilities page for more recent security advisories.

Fixed in Firefox Preview Release update (0.10.1)

# Title Severity / Risk Type Description Reported by Date Fixed
94 Downloading link deletes files high / high dataloss Firefox simplifies the task of saving files by automatically using a filename based on the original link. A specific link format triggers a bug in this feature and can cause the deletion of files in the download directory. An attacker would need to convince a victim to click the "Save" button to download a file from their site.
Workaround: Cancel unexpected file save prompts and any from untrusted sites. When saving files, right-click on the link and select "Save link as" from the context menu.
Alex Vincent 2004-09-29

Fixed in Firefox Preview Release, Mozilla 1.7.3, Thunderbird 0.8

# Title Severity / Risk Type Description Reported by Date Fixed
93 "Send page" heap overrun (258005) critical / moderate remote execution The "send page" function can overrun the heap on very long links. With compelling content that people will want to forward to all their friends and the right link this could be used to execute arbitrary code. Georgi Guninski 2004-09-07
92 javascript clipboard access (257523) moderate / high clipboard leak Untrusted javascript code can read and write to the clipboard, stealing any sensitive data the user might have copied. Workaround: disable javascript Wladimir Palant 2004-09-01
91 Privilege request confusion (253942) critical / low remote execution Signed scripts requesting enhanced abilities could construct the request in a way that led to a confusing grant dialog, possibly fooling the user into thinking the privilege requested was inconsequential while actually obtaining explicit permission to run and install software. Workaround: Never grant enhanced abilities of any kind to untrusted web pages. Jesse Ruderman 2004-09-01
90 Buffer overflow when displaying VCard (257314) critical / high remote execution A stack buffer overrun in VCard display routines could be exploited to run arbitrary code supplied by the attacker. Workaround: Disable in-line display of attachments, don't open VCard attachments. Georgi Guninski 2004-08-30
89 BMP integer overflow (255067) critical / high heap overrun extremely wide BMP images trigger an integer overflow, leading to heap overruns that are potentially exploitable to run arbitrary code. Workaround: Disable images. Gael Delalleau 2004-08-27
88 javascript: link dragging (250862) critical / moderate cross-domain scripting, possibly remote execution javascript; links dragged onto another frame or page allows an attacker to steal or modify sensitive information from other sites. The user could be convinced to drag obscurred links in the context of a game or even a fake scrollbar. If the user could be convinced to drag two links in sequence into a separate window (not frame) the attacker would be able to run arbitrary programs. Jesse Ruderman 2004-08-26
87 non-ascii hostname heap overrun (256316) critical / high remote execution A link with a non-ascii hostname can cause a heap buffer overrun that could potentially be exploited to run arbitrary programs. Mats Palmgren, Gael Delalleau 2004-08-24
86 Malicious POP3 server III (245066, 226669) critical / moderate remote execution Responses from a malicious POP3 mail server can trigger heap overruns that can be exploited to run arbitrary code. Gael Delalleau 2004-08-17
85 Wrong file permissions after installing on Linux (231083, 235781) moderate / low local exploit The Linux installers could create files world readable and writable, allowing another local user to replace them with malicious versions. Workaround: chmod the installed files Daniel Koukola, Andrew Schultz 2004-08-16
84 Wrong file permissions in linux archive (254303) moderate / low local exploit File permissions and owner were set wrong in the Linux install .tar.gz archives. If unpacked with an option to ignore the user's umask setting (or with a permissive umask) the resulting files could be secretly replaced with malicious versions by any other user on the system. Workaround: chmod and chown the files after unpacking. Harald Milz 2004-08-16

Fixed in Mozilla 1.7.2/Firefox 0.9.3/Thunderbird 0.7.3

# Title Severity / Risk Type Description Reported by Date Fixed
83 buffer and integer overflows in libpng (251381) critical / high remote execution Multiple flaws in libpng were announced, the worst of which could lead to remote code execution via buffer overflow. CAN-2004-0597, CAN-2004-0598, CAN-2004-0599 Chris Evans 2004-08-03
82 lock icon and certificate spoof with onunload document.write (253121) moderate / moderate spoof The lock icon and certificate from a previous secure site can persist if a page is re-written using an onunload handler. Combined with redirects this could be used to spoof secure sites. The location bar, if shown, displays the true URL. CAN-2004-0763 Emmanouel Kellinis 2004-07-27
81 Malicious certificates can permanently break HTTPS/SSL (249004) critical / high persistent DOS Malicious email certificates could mask built-in Certificate Authority (CA) certificates. Once imported anything signed by the masked CA would not validate, which could be used to permanently block all SSL (https:) sites with certs issued by that CA. CAN-2004-0758 Marcel Boesch 2004-07-27

Fixed in Mozilla 1.7.1/Firefox 0.9.2/Thunderbird 0.7.2

# Title Severity / Risk Type Description Reported by Date Fixed
80 Windows shell: protocol handler (250180) critical / high remote execution shell: URLs were passed to windows for handling which could result in launching programs. This could theoretically be combined with an unpatched exploit in some default windows filetype handler to run arbitrary code Keith McCanless 2004-07-07

Fixed in Mozilla 1.7/Firefox 0.9/Thunderbird 0.7

# Title Severity / Risk Type Description Reported by Date Fixed
79 Spoof contents of framed site (246448) moderate / moderate spoof The contents of a frames within a document could be replaced by an attacker with a reference to that window, while leaving the address in the location bar. On a secure site the lock icon would change to broken, but otherwise it could be a successful spoof. Jesse Ruderman 2004-06-16
78 security dialog popup (162020) critical / high remote code execution An attacker who could lure users into clicking in particular places, or typing specific text, could cause a security permission or software installation dialog to pop up under the user's mouse click, clicking on the grant (or install) button. Jesse Ruderman 2004-06-05
77 Untrusted content displayed with "chrome" flag (244965) moderate / low spoof Untrusted web content can open windows with the "chrome" style. This suppresses the normal browser frame and makes spoofed dialogs easy (such as the master password dialog). Affects Mozilla 1.6 through 1.7rc2. James Ross 2004-06-02
76 POP3 mail server heap overrun (229374) critical / low heap overrun A variant of bug 157644 (see #27 below), malicious POP server could overwrite memory and execute arbitrary code. zen parse 2004-05-29
75 Mac remote code execution via help: and disk: (243699) critical / high remote code execution lixlpixel reported vulnerabilities in the help: and disk: URI schemes in some versions of Mac OS X. Web content could access those schemes through Mozilla.
Workaround: install the latest OS patches.
Mike Calmus 2004-05-17
74 PNG out-of-bounds read (242915) minor / low DOS The libpng project announced a bug that could be exploited as a denial of service attack. See CAN-2004-0421 Glenn Randers-Pehrson 2004-05-07
73 automatic file upload (241924) high / moderate file access Regression in Mozilla 1.7-beta only: file upload control value can be pre-filled using document.write() and innerHTML, allowing attacker to programmatically submit the form and capture a file at a known location.
Workaround: disable Javascript
Met - Martin Hassman 2004-04-28
72 SSL Certificate Spoof (240053) high / high spoof A malicious page can use redirects to turn on the SSL lock icon and appear secure. This could be used to further phishing scams. Tolga Tarhan 2004-04-10
71 Stealing secure HTTP Auth passwords via DNS spoof (226278) high / low password theft HTTP auth passwords were cached by site and port but did not store whether the protocol used was secure (SSL) or not. An attacker who could spoof your DNS could wait until you authenticate to a secure site then redirect a later connection to that site and port during that session to a non-SSL machine under their control, thus stealing the secure password. Christopher Nebergall 2004-04-07
70 non-FQDN cert name matching is insecure (234058) minor / low spoof A non-FQDN URI hostname can match part of a cert name w/out a warning dialog. Could be used for spoofing if an attacker had control of machines on your default DNS search path. Tim Dierks 2004-04-07
69 remote access to local files through Liveconnect (239122) high / high remote reading Mozilla 1.7beta allowed remote web pages to read local files in known locations using Liveconnect (requires Java; 1.7alpha and earlier are safe) Darin Fisher 2004-04-05
68 redefine focus()/blur() on another window (86028) minor / low DOS Attacker can replace some functions on windows he opened. Replaced functions run in the attacker's domain so can't steal data, but could interfere with the operation of the other window. Jesse Ruderman 2004-03-25
67 SOAPParameter overflow (236618) critical / high remote code execution An integer overflow passing a large js array to the SOAPParameter constructor results in a controlled overwriting of the heap, which can be exploited to run arbitary code of the attacker's choice.
Workaround: disable Javascript
zen parse / iDEFENSE 2004-03-08
66 drag into file upload control (206859) high / low file access A clever attacker might be able to trick a user into dragging disguised text into an obscured file upload control, resulting in the capture of a user's file at a known location. Jesse Ruderman 2004-02-11

Fixed in Mozilla 1.6

# Title Severity / Risk Type Description Reported by Date Fixed
65 %00 status bar spoof (228176) minor / low spoof %00 in an href truncates the status bar display when you mouse over the link. This could be used to further phishing scams in mail where Javascript is disabled and the status bar might be trusted more than in normal web content. Secunia 2004-01-06
64 Cross-domain exploit on zombie document with event handlers (227417) moderate / low same-origin violation During page transition it was possible to run event handlers from the old page in the context of the new page. This has been demonstrated to allow cookie stealing, and potentially any sensitive account information displayed by the new site. Andreas Sandblad 2003-12-03

November 2003 Update

# Type Fixed Milestones Affected Severity Description Bug Number(s) Workarounds Date Fixed
63 heap overflow 1.5 1.4.2 through 1.4 Run arbitrary code Malicious PPM image can cause a heap overrun, possibly allowing execution of arbitrary code 220721 Disable images 2003-12-16
62 JavaScript 1.5, 1.4.1 M1 to 1.4 Run arbitrary code Script.prototype.freeze/thaw could allow an attacker to run arbitrary code your computer. 221526 Disable JavaScript 2003-10-07
61 Running Executables 1.5 1.4.2 M1 to 1.4.1 *.hta files could be executed on Windows *.hta files were not treated as executable, and could be used to gain full access to a user's system 220257 Don't open *.hta or application/hta files 2003-09-29
60 Networking
1.5 1.4.2 M1 to 1.4.1 Reading passwords A malicious website could gain access to a user's authentication credentials to a proxy server. 220122 None 2003-09-24
59 JavaScript firebird 0.7 Firebird 0.6 Run arbitrary code A website could gain chrome privileges by overriding the setter of a property on an HTML link, if the user could be convinced to click on it. 217195 Disable JavaScript 2003-09-23
58 Mail 1.5 M1 to 1.4 Storing passwords on disk POP3 account passwords are saved to disk even when the user explicitly requests them not to be. 217625 Disable Password Manager 2003-08-28
57 Cookies 1.5 1.4.1 M1 to 1.4 Read cookies set by another path By requesting a cookie with a path containing the escape sequence "%2E%2E", a malicious web site would be able to read cookies from different paths. 213012 Disable Cookies 2003-07-28
56 JavaScript 1.4 M1 to 1.3 Determine whether a variable exists on a different domain Cross-domain variable detection is possible using scopes (eval, with) 158049 Disable JavaScript 2003-06-02
55 JavaScript 1.4 M1 to 1.3 Cross-domain scripting Executing custom setters or getters on a different domain is possible. 92773 Disable JavaScript 2003-03-06
54 DOM 1.4 M1 to 1.3 Determine whether a URL was visited A website can use history.goURL to determine whether a URL was previously visited 163549 Disable JavaScript 2003-02-25
53 Cookies 1.3 M1 to 1.2 Read cookies set by another path Cookies set to path "abc" were able to be read by a page with path "abcd" 155114 Disable Cookies 2002-08-11

July 2003 Update


# Type Milestones Affected Severity Description Bug Number(s) Workarounds Date Fixed
52 DOM M1 to 1.3 Read local JavaScript files XUL script can read local JavaScript files 180748 Disable JavaScript 2003-06-02
51 DOM M1 to 1.3 Executing arbitrary JavaScript on a page IMG tags can be misused to load and run arbitrary JavaScript on a page 195201 Disable JavaScript 2003-05-29
50 XBL M1 to 1.3 Read local files A bug in XBL handling, and the feature that external applications create files with known names in well-known locations can be exploited to read local files 200691 Disable JavaScript 2003-05-01
49 DOM M1 to 1.3 Read data from third-party site document.domain can be set improperly to gain access to third-party site 204682 Disable JavaScript 2003-05-09
48 DOM M1 to 1.3 Track URLs as they are visited javascript: URL return values are converted to strings without security checks 202994 Disable JavaScript 2003-05-02
47 XUL M1 to 1.3 Reading XML files from known locations XUL overlays can be loaded from third-party sites 159450 None 2003-05-02
46 Spoofing M1 to 1.3 Reading passwords HTTP authentication password prompt could be confused for the mail server password prompt 51631 Memorize the real mail server password prompt and do not enter your password if the dialog is not exactly the same 2003-04-25
45 Buffer Overrun M1 to 1.3 Run arbitrary code Reading a maliciously crafted email could cause an exploitable buffer overrun 202546 None 2003-04-25
44 Buffer Overrun M1 to 1.3 Run arbitrary code Reading a maliciously crafted email could cause an exploitable buffer overrun 201547 None 2003-04-23
43 DOM M1 to 1.3 Read data from third-party sites Clicking a javascript: links as a page is loading can cause the JavaScript to execute with wrong privileges which can enable reading data from third-party sites 201839 Disable JavaScript 2003-04-18
42 DOM M1 to 1.3 Read data from third-party sites It's possible to read small amounts of data from pages from other hosts using the find() command; extremely slow and difficult in practice 118657 Disable JavaScript 2003-04-18
41 DOM M1 to 1.3 Read data from third-party sites A malicious script can steal data from third-party sites using event handlers 201132 Disable JavaScript 2003-04-17
40 Java M1 to 1.3 Read local files When Sun JRE is installed on the system, Java applets can read local files 59767 Disable Java 2003-04-03
39 Buffer Overrun M1 to 1.3 Run arbitrary code When Sun JRE 1.4.1 and earlier is installed on the system it may be possible to cause an exploitable buffer overrun calling from JavaScript into Java 183092 Disable Java 2003-03-31
38 DOM M1 to 1.3 Reading limited data from 3rd-party websites Getters/setters on script-defined properties in third-party pages can be read by scripts which allows limited data stealing 92773 Disable JavaScript 2003-03-06
37 IRC/Mail 0.8 to 1.2 Make user send faked mail without knowing The IRC protocol could be used to trick an SMTP server into sending mail in the user's name; works only if Chatzilla installed 190532 None 2003-02-04
36 Spoofing M1 to 1.2 URLbar can display incorrect address The HTTP 305 redirect command could be used by an attacker to spoof other sites' pages; only works when browsing through a proxy 187996 Do not use proxy, or Check the Page Info dialog and lock icon before entering sensitive data on a web page 2003-01-28
35 Configurable Security Policies M1 to 1.2 Optional Configurable Security Policies can be bypassed Using a username section in URL it is possible to bypass the user-created, optional configurable security policies 189799 Do not add or change configurable security policies; the defaults are safe 2003-01-24
34 Spoofing M1 to 1.0.1/1.2 URLbar can display incorrect address XUL can be used to make the URL bar display an incorrect address 171274 Check the Page Info dialog and lock icon before entering sensitive data on a web page 2003-01-10
33 Networking M1 to 1.2 On some platforms use old cached data Some non-tier1 platforms (BeOS) do not truncate cache files properly which could result in a page that is a mix of old and new, which could result in unwanted purchases 162588 Clear cache before going to a page you have visited before 2002-12-18
32 XSLT 0.8 to 1.2 Reading XSLT files from known locations within a firewall An XML file can load an XSLT stylesheet from a different host 165532 Disable XSLT 2002-12-03
31 DOM M1 to 1.0.1/1.1 Arbitrarily modify or read another document A script that calls document.write while another page is loading can steal data from a third-party site 91043 Disable JavaScript 2002-11-14

February 2003 Update


# Type Milestones Affected Severity Description Bug Number(s) Workarounds Date Fixed
30 Mail M1 to 1.2 Run arbitrary code Upon receiving a malicious email message, double-clicking an attachment could allow an attacker to run arbitrary code. 191817 Do not open attachments from untrusted sources 2003-02-06
29 Networking 0.9.1 to 1.2 Reading files from known locations within a firewall By sending a "305 Redirect" message in response to a request, a malicious Web server can read files from within a firewall. 187996 None 2003-01-28
28 Networking M1 to 1.2 Run arbitrary code Following a link to a maliciously crafted .jar archive file could allow an attacker to run arbitrary code. 164695 None 2002-10-30
27 Mail M1 to 1.2 Run arbitrary code Connecting to a maliciously modified POP3 mail server could allow an attacker to run arbitrary code your computer. 157644 Do not connect to untrusted POP3 mail servers 2002-10-21
26 Spoofing 0.9.9 to 1.2 Mistaking a malicious website for a legitimate one wyciwyg:// URLs may be used to "spoof" the URL bar, causing it to display an incorrect URL 159659 Check the Page Info dialog and lock icon before entering sensitive data on a web page 2002-09-20

Updates up to December 2002


# Type Milestones Affected Severity Description Bug Number(s) Workarounds Date Fixed
1 DOM Through 1.0 RC1 Local File Read If a user visits a web site maintained by a hostile attacker, the attacker's web site can cause Mozilla to be redirected to a local file (or files) on the user's system in a way that allows the attacker to read file contents. 141061 Disable JavaScript 1-May-2002
2 DOM Through 0.9.5 Read User Input (keystrokes) If a user visits a web site maintained by a hostile attacker, the attacker's page can eavesdrop on keyboard events occurring in other windows. 18553 Disable JavaScript 4-Oct-2001
3 Cookies Through 1.0.1 Read cookies set by another site Various attacks involving the insertion of illegal characters into cookie data can cause other cookies set by a legitimate server to be sent to an attacker's server. Some of these attacks work only when browsing through a proxy server. 104495, 146094 Disable Cookies 22-May-2002
4 Script Insertion Through 1.0.1 Run arbitrary code Various attacks involving the introduction of malicious scripts into dialogs that display information about the current page. When scripts from thes pages are inserted into dialogs, the scripts run with full system privileges. 143420,
144704,
149777,
123383
Do not click on "javascript:" links in dialogs, or bookmark them 21-May-2002
5 DOM Through 0.9.5 Modify browser settings A malicious Web page can create key events which are interpreted by the browser as menu commands. 108104 Disable JavaScript 11-Mar-2002
6 Networking Through 1.0.1 Modify or delete mail A malicious Web page or mail message can contain an imap:// URL which can be used to issue arbitrary commands to an IMAP mail server 127702 Disable JavaScript and do not click on imap: links 20-May-2002
7 Buffer Overrun Through 1.0.1 Run arbitrary code Attaching a specially formatted file to a message can cause an exploitable buffer overrun 140133 Do not attach files of unknown content to mail/news messages 25-Apr-2002
8 Networking Through 1.0.1 Denial of Access to Mail Account Downloading a malicious email message can cause all future POP message downloads to fail, effectively denying access to a POP mail account until the malicious message ie removed by other means. 144228 Do not use POP mail 5-Jun-2002
9 Buffer Overrun Through 1.0.1 Run arbitrary code Viewing several types of malformed image files from a malicious web page could cause exploitable heap corruption 155222, 157989 Turn off images 10-Jul-2002
10 DOM Through 1.0.1 Modify arbitrary files Viewing a malicious page could cause an install operation to occur when the space bar is pressed. 161721 Disable JavaScript 8-Aug-2002
11 DOM Through 1.0.2, 1.2 Tracking of browsing A malicious page can determine the URL of the page visited after it 145579 Disable JavaScript 17-Sep-2002
12 DOM Through 1.0.1 Reading data from 3rd-party websites A malicious page can read data from a third-party webpage (perhaps inside a firewall) using the XMLSerializer interface 147754 Disable JavaScript 14-Jun-2002
13 DOM 0.9.6 to 1.0.1/1.2 Reading data from 3rd-party websites A malicious page can read data from a third-party webpage using the DOM TreeWalker interface 156452 Disable JavaScript 1-Aug-2002
14 DOM 0.9.5 to 1.0.1/1.2 Reading data from 3rd-party websites A malicious page can read data from a third-party webpage (perhaps inside a firewall) using the XMLSerializer interface 169982 147754 Disable JavaScript 30-Sep-2002
15 Networking M17 to 1.0.1/1.2 Deleting local files / run arbitrary code Visiting a malicious URL with the vbscript: or vnd: protocol exposes Windows security problems and could be used to run arbitrary code. 161357, 163648 Disable JavaScript, do not visit vbscript: or vnd: URLs from untrusted sources 10-Oct-2002
16 Networking 0.9.7 to 1.0.1/1.2 Minor - saving sensitive data locally A webpage created by a document.write command in a script on a secure page is stored in the browser cache even though the original page is not. This could cause private information to be saved on the local disk (the information is not accessible by a third party on the network) 151478 Disable JavaScript 21-Oct-2002
17 DOM M1 to 1.0.1/1.2 Reading data from 3rd-party websites A malicious Java applet can read data from a third-party webpage 168316 Disable Java 29-Oct-2002
18 Networking M1 to 1.0.1/1.2 Reading passwords "Princeton Attack" DNS spoofing can be used to steal passwords. The exploit requires many preconditions and is probably impractical for real use. 162520 Do not store passwords 30-Oct-2002
19 Spoofing M1 to 1.0.1/1.2 Incorrect URL in URL bar A malicious page can display a misleading URL in the browser URL bar 171274 None 4-Nov-2002
20 DOM 0.9.7 to 1.0.1/1.2 Reading data from 3rd-party websites A mailcious page can insert scripts or other content into a 3rd-party page and read or modify information. 91043 Disable JavaScript 14-Nov-2002
21 XSLT 0.9.1 to 1.0.1/1.2 Reading XML files from 3rd party sites A malicious page can read XML data from third-party websites using the XSLT processor 113351 Disable JavaScript 14-Jun-2002
22 Password Mgr M1 to 1.0.1/1.2 Reading passwords A malicious page can use a specially crafted javascript: URL to steal passwords the user has stored for other sites 159484 Disable JavaScript 30-Jul-2002
23 DOM/Forms M1 to 1.0.1/1.2 Reading local files from known locations Using a specially crafted form element name, a malicious page can set the value of a file upload form control, causing a file to be uploaded from the user's disk. 162409 Disable JavaScript 14-Aug-2002
24 DOM/Forms M1 to 1.0.1/1.2 Reading local files from known locations Using a specially crafted event object, a malicious page can set the value of a file upload form control, causing a file to be uploaded from the user's disk. 164086, 164023, 163598 Disable JavaScript 28-Aug-2002
25 HTML M1 to 1.0.1/1.2 Loss of browser preferences A malicious page can corrupt the Mozilla preferences file, causing user settings to be lost 143459 None 13-Sep-2002