Mozilla Foundation Security Advisory 2011-30
Security issues addressed in Firefox 3.6.20
- Announced
- August 16, 2011
- Impact
- Critical
- Products
- Firefox
- Fixed in
-
- Firefox 3.6.20
Miscellaneous memory safety hazards (rv:1.9.2.20)
Impact: Critical
Description: Mozilla developers and community
members identified and fixed several memory safety bugs in the browser engine
used in Firefox 3.6 and other Mozilla-based products. Some of these bugs showed
evidence of memory corruption under certain circumstances, and we presume that
with enough effort at least some of these could be exploited to run arbitrary
code.
References:
Gary Kwong, Igor Bukanov, Nils and Bob Clary reported memory safety issues which affected Firefox 3.6.
Crash in SVGTextElement.getCharNumAtPosition()
Impact: Critical
Description: Security
researcher regenrecht reported via TippingPoint's Zero Day
Initiative that a SVG text manipulation routine contained a dangling pointer
vulnerability.
References:
Privilege escalation using event handlers
Impact: Critical
Description: Mozilla security
researcher moz_bug_r_a_4 reported a vulnerability in event
management code that would permit JavaScript to be run in the wrong context,
including that of a different website or potentially in a chrome-privileged
context.
References:
Dangling pointer vulnerability in appendChild
Impact: Critical
Description: Security
researcher regenrecht reported via TippingPoint's Zero Day
Initiative that appendChild
did not correctly account for DOM
objects it operated upon and could be exploited to dereference an invalid
pointer.
References:
Privilege escalation dropping a tab element in content area
Impact: Critical
Description: Mozilla security
researcher moz_bug_r_a4 reported that web content could receive
chrome privileges if it registered for drop events and a browser tab element was
dropped into the content area.
References:
Binary planting vulnerability in ThinkPadSensor::Startup
Impact: High
Description: Security researcher Mitja
Kolsek of Acros Security reported
that ThinkPadSensor::Startup
could potentially be exploited to load
a malicious DLL into the running process.
References:
Private data leakage using RegExp.input
Impact: High
Description: Security
researcher shutdown reported that data from other domains could
be read when RegExp.input
was set.
References: