Security Advisories for Firefox 2.0

Firefox 2.0 is unsupported. Please upgrade to the latest version.

Impact key

• Critical Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.
• High Vulnerability can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.
• Moderate Vulnerabilities that would otherwise be High or Critical except they only work in uncommon non-default configurations or require the user to perform complicated and/or unlikely steps.
• Low Minor security vulnerabilities such as Denial of Service attacks, minor data leaks, or spoofs. (Undetectable spoofs of SSL indicia would have "High" impact because those are generally used to steal sensitive data intended for other sites.)

# Fixed in Firefox 2.0.0.20

• 2008-65 Cross-domain data theft via script redirect error message

# Fixed in Firefox 2.0.0.19

• 2008-69 XSS vulnerabilities in SessionStore
• 2008-68 XSS and JavaScript privilege escalation
• 2008-67 Escaped null characters ignored by CSS parser
• 2008-66 Errors parsing URLs with leading whitespace and control characters
• 2008-65 Cross-domain data theft via script redirect error message
• 2008-64 XMLHttpRequest 302 response disclosure
• 2008-62 Additional XSS attack vectors in feed preview
• 2008-61 Information stealing via loadBindingDocument
• 2008-60 Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)

# Fixed in Firefox 2.0.0.18

• 2008-58 Parsing error in E4X default namespace
• 2008-57 -moz-binding property bypasses security checks on codebase principals
• 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation
• 2008-55 Crash and remote code execution in nsFrameManager
• 2008-54 Buffer overflow in http-index-format parser
• 2008-53 XSS and JavaScript privilege escalation via session restore
• 2008-52 Crashes with evidence of memory corruption (rv:1.9.0.4/1.8.1.18)
• 2008-50 Crash and remote code execution via __proto__ tampering
• 2008-49 Arbitrary code execution via Flash Player dynamic module unloading
• 2008-48 Image stealing via canvas and HTTP redirect
• 2008-47 Information stealing via local shortcut files

# Fixed in Firefox 2.0.0.17

• 2008-45 XBM image uninitialized memory reading
• 2008-44 resource: traversal vulnerabilities
• 2008-43 BOM characters, low surrogates stripped from JavaScript before execution
• 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
• 2008-41 Privilege escalation via XPCnativeWrapper pollution
• 2008-40 Forced mouse drag
• 2008-39 Privilege escalation using feed preview page and XSS flaw
• 2008-38 nsXMLDocument::OnChannelRedirect() same-origin violation
• 2008-37 UTF-8 URL stack buffer overflow

# Fixed in Firefox 2.0.0.16

• 2008-35 Command-line URLs launch multiple tabs when Firefox not running
• 2008-34 Remote code execution by overflowing CSS reference counter

# Fixed in Firefox 2.0.0.15

• 2008-33 Crash and remote code execution in block reflow
• 2008-32 Remote site run as local file via Windows URL shortcut
• 2008-31 Peer-trusted certs can use alt names to spoof
• 2008-30 File location URL in directory listings not escaped properly
• 2008-29 Faulty .properties file results in uninitialized memory being used
• 2008-28 Arbitrary socket connections with Java LiveConnect on Mac OS X
• 2008-27 Arbitrary file upload via originalTarget and DOM Range
• 2008-25 Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()
• 2008-24 Chrome script loading from fastload file
• 2008-23 Signed JAR tampering
• 2008-22 XSS through JavaScript same-origin violation
• 2008-21 Crashes with evidence of memory corruption (rv:1.8.1.15)

# Fixed in Firefox 2.0.0.14

• 2008-20 Crash in JavaScript garbage collector

# Fixed in Firefox 2.0.0.13

• 2008-19 XUL popup spoofing variant (cross-tab popups)
• 2008-18 Java socket connection to any local port via LiveConnect
• 2008-17 Privacy issue with SSL Client Authentication
• 2008-16 HTTP Referrer spoofing with malformed URLs
• 2008-15 Crashes with evidence of memory corruption (rv:1.8.1.13)
• 2008-14 JavaScript privilege escalation and arbitrary code execution

# Fixed in Firefox 2.0.0.12

• 2008-13 Multiple XSS vulnerabilities from character encoding
• 2008-11 Web forgery overwrite with div overlay
• 2008-10 URL token stealing via stylesheet redirect
• 2008-09 Mishandling of locally-saved plain text files
• 2008-08 File action dialog tampering
• 2008-07 Possible information disclosure in BMP decoder
• 2008-06 Web browsing history and forward navigation stealing
• 2008-05 Directory traversal via chrome: URI
• 2008-04 Stored password corruption
• 2008-03 Privilege escalation, XSS, Remote Code Execution
• 2008-02 Multiple file input focus stealing vulnerabilities
• 2008-01 Crashes with evidence of memory corruption (rv:1.8.1.12)

# Fixed in Firefox 2.0.0.10

• 2007-39 Referer-spoofing via window.location race condition
• 2007-38 Memory corruption vulnerabilities (rv:1.8.1.10)
• 2007-37 jar: URI scheme XSS hazard

# Fixed in Firefox 2.0.0.8

• 2007-36 URIs with invalid %-encoding mishandled by Windows
• 2007-35 XPCNativeWraper pollution using Script object
• 2007-34 Possible file stealing through sftp protocol
• 2007-33 XUL pages can hide the window titlebar
• 2007-32 File input focus stealing vulnerability
• 2007-31 Digest authentication request splitting
• 2007-30 onUnload Tailgating
• 2007-29 Crashes with evidence of memory corruption (rv:1.8.1.8)

# Fixed in Firefox 2.0.0.7

• 2007-28 Code execution via QuickTime Media-link files

# Fixed in Firefox 2.0.0.6

• 2007-27 Unescaped URIs passed to external programs
• 2007-26 Privilege escalation through chrome-loaded about:blank windows

# Fixed in Firefox 2.0.0.5

• 2007-25 XPCNativeWrapper pollution
• 2007-24 Unauthorized access to wyciwyg:// documents
• 2007-23 Remote code execution by launching Firefox from Internet Explorer
• 2007-22 File type confusion due to %00 in name
• 2007-21 Privilege escallation using an event handler attached to an element not in the document
• 2007-20 Frame spoofing while window is loading
• 2007-19 XSS using addEventListener and setTimeout
• 2007-18 Crashes with evidence of memory corruption (rv:1.8.1.5)

# Fixed in Firefox 2.0.0.4

• 2007-17 XUL Popup Spoofing
• 2007-16 XSS using addEventListener
• 2007-14 Path Abuse in Cookies
• 2007-13 Persistent Autocomplete Denial of Service
• 2007-12 Crashes with evidence of memory corruption (rv:1.8.0.12/1.8.1.4)

# Fixed in Firefox 2.0.0.3

• 2007-11 FTP PASV port-scanning

# Fixed in Firefox 2.0.0.2

• 2007-09 Privilege escalation by setting img.src to javascript: URI
• 2007-08 onUnload + document.write() memory corruption
• 2007-07 Embedded nulls in location.hostname confuse same-domain checks
• 2007-06 Mozilla Network Security Services (NSS) SSLv2 buffer overflows
• 2007-05 XSS and local file access by opening blocked popupsand local file access by opening blocked popups
• 2007-04 Spoofing using custom cursor and CSS3 hotspot
• 2007-03 Information disclosure through cache collisions
• 2007-02 Improvements to help protect against Cross-Site Scripting attacks
• 2007-01 Crashes with evidence of memory corruption (rv:1.8.0.10/1.8.1.2)

# Fixed in Firefox 2.0.0.1

• 2006-76 XSS using outer window's Function object
• 2006-75 RSS Feed-preview referrer leak
• 2006-73 Mozilla SVG Processing Remote Code Execution
• 2006-72 XSS by setting img.src to javascript: URI
• 2006-71 LiveConnect crash finalizing JS objects
• 2006-70 Privilege escalation using watch point
• 2006-69 CSS cursor image buffer overflow (Windows only)
• 2006-68 Crashes with evidence of memory corruption (rv:1.8.0.9/1.8.1.1)