Mozilla Foundation Security Advisory 2008-41
Title: Privilege escalation via XPCnativeWrapper pollution
Announced: September 23, 2008
Reporter: moz_bug_r_a4, Olli Pettay
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 3.0.2
Mozilla security researcher moz_bug_r_a4 reported a series of vulnerabilities by which page content can pollute XPCNativeWrappers and have arbitrary code run with chrome privileges. One variant reported by moz_bug_r_a4 only affected Firefox 2.
Mozilla developer Olli Pettay reported that XSLT can create documents which do not have script handling objects. moz_bug_r_a4 also reported that document.loadBindingDocument() returns a document that does not have a script handling object. These issues could also be used by an attacker to run arbitrary script with chrome privileges.