Security Advisories for Firefox 3.0
Firefox 3.0 is unsupported. Please upgrade to the latest version.
Impact key
- Critical: Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.
- High: Vulnerability can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.
- Moderate: Vulnerabilities that would otherwise be High or Critical except they only work in uncommon non-default configurations or require the user to perform complicated and/or unlikely steps.
- Low: Minor security vulnerabilities such as Denial of Service attacks, minor data leaks, or spoofs. (Undetectable spoofs of SSL indicia would have "High" impact because those are generally used to steal sensitive data intended for other sites.)
# Fixed in Firefox 3.0.19
- 2010-21 Arbitrary code execution with Firebug XMLHttpRequestSpy
- 2010-20 Chrome privilege escalation via forced URL drag and drop
- 2010-19 Dangling pointer vulnerability in nsPluginArray
- 2010-18 Dangling pointer vulnerability in nsTreeContentView
- 2010-17 Remote code execution with use-after-free in nsTreeSelection
- 2010-16 Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.9/ 1.9.0.19)
# Fixed in Firefox 3.0.18
- 2010-14 Browser chrome defacement via cached XUL stylesheets
- 2010-12 XSS using addEventListener and setTimeout on a wrapped object
- 2010-11 Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.8/ 1.9.0.18)
- 2010-05 XSS hazard using SVG document and binary Content-Type
- 2010-04 XSS due to window.dialogArguments being readable cross-domain
- 2010-03 Use-after-free crash in HTML parser
- 2010-01 Crashes with evidence of memory corruption (rv:1.9.1.8/ 1.9.0.18)
# Fixed in Firefox 3.0.16
- 2009-71 GeckoActiveXObject exception messages can be used to enumerate installed COM objects
- 2009-70 Privilege escalation via chrome window.opener
- 2009-69 Location bar spoofing vulnerabilities
- 2009-68 NTLM reflection vulnerability
- 2009-65 Crashes with evidence of memory corruption (rv:1.9.1.6/ 1.9.0.16)
# Fixed in Firefox 3.0.15
- 2009-64 Crashes with evidence of memory corruption (rv:1.9.1.4/ 1.9.0.15)
- 2009-62 Download filename spoofing with RTL override
- 2009-61 Cross-origin data theft through document.getSelection()
- 2009-59 Heap buffer overflow in string to number conversion
- 2009-57 Chrome privilege escalation in XPCVariant::VariantDataToJS()
- 2009-56 Heap buffer overflow in GIF color map parser
- 2009-55 Crash in proxy auto-configuration regexp parsing
- 2009-53 Local downloaded file tampering
- 2009-52 Form history vulnerable to stealing
# Fixed in Firefox 3.0.14
- 2009-51 Chrome privilege escalation with FeedWriter
- 2009-50 Location bar spoofing via tall line-height Unicode characters
- 2009-49 TreeColumns dangling pointer vulnerability
- 2009-48 Insufficient warning for PKCS11 module installation and removal
- 2009-47 Crashes with evidence of memory corruption (rv:1.9.1.3/ 1.9.0.14)
# Fixed in Firefox 3.0.13
- 2009-45 Crashes with evidence of memory corruption (rv:1.9.1.2/1.9.0.13)
- 2009-44 Location bar and SSL indicator spoofing via window.open() on invalid URL
- 2009-43 Heap overflow in certificate regexp parsing
- 2009-42 Compromise of SSL-protected communication
# Fixed in Firefox 3.0.12
- 2009-40 Multiple cross origin wrapper bypasses
- 2009-39 setTimeout loses XPCNativeWrappers
- 2009-38 Data corruption with SOCKS5 reply containing DNS name longer than 15 characters
- 2009-37 Crash and remote code execution using watch and __defineSetter__ on SVG element
- 2009-36 Heap/integer overflows in font glyph rendering libraries
- 2009-35 Crash and remote code execution during Flash player unloading
- 2009-34 Crashes with evidence of memory corruption (rv:1.9.1/1.9.0.12)
# Fixed in Firefox 3.0.11
- 2009-32 JavaScript chrome privilege escalation
- 2009-31 XUL scripts bypass content-policy checks
- 2009-30 Incorrect principal set for file: resources loaded via location bar
- 2009-29 Arbitrary code execution using event listeners attached to an element whose owner document is null
- 2009-28 Race condition while accessing the private data of a NPObject JS wrapper class object
- 2009-26 Arbitrary domain cookie access by local file: resources
- 2009-25 URL spoofing with invalid unicode characters
- 2009-24 Crashes with evidence of memory corruption (rv:1.9.0.11)
# Fixed in Firefox 3.0.10
- 2009-27 SSL tampering via non-200 responses to proxy CONNECT requests
- 2009-23 Crash in nsTextFrame::ClearTextRun()
# Fixed in Firefox 3.0.9
- 2009-22 Firefox allows Refresh header to redirect to javascript: URIs
- 2009-21 POST data sent to wrong site when saving web page with embedded frame
- 2009-20 Malicious search plugins can inject code into arbitrary sites
- 2009-19 Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString
- 2009-18 XSS hazard using third-party stylesheets and XBL bindings
- 2009-17 Same-origin violations when Adobe Flash loaded via view-source: scheme
- 2009-16 jar: scheme ignores the content-disposition: header on the inner URI
- 2009-15 URL spoofing with box drawing character
- 2009-14 Crashes with evidence of memory corruption (rv:1.9.0.9)
# Fixed in Firefox 3.0.8
# Fixed in Firefox 3.0.7
- 2009-11 URL spoofing with invisible control characters
- 2009-10 Upgrade PNG library to fix memory safety hazards
- 2009-09 XML data theft via RDFXMLDataSource and cross-domain redirect
- 2009-08 Mozilla Firefox XUL Linked Clones Double Free Vulnerability
- 2009-07 Crashes with evidence of memory corruption (rv:1.9.0.7)
# Fixed in Firefox 3.0.6
- 2009-06 Directives to not cache pages ignored
- 2009-05 XMLHttpRequest allows reading HTTPOnly cookies
- 2009-04 Chrome privilege escalation via local .desktop files
- 2009-03 Local file stealing with SessionStore
- 2009-02 XSS using a chrome XBL method and window.eval
- 2009-01 Crashes with evidence of memory corruption (rv:1.9.0.6)
# Fixed in Firefox 3.0.5
- 2008-69 XSS vulnerabilities in SessionStore
- 2008-68 XSS and JavaScript privilege escalation
- 2008-67 Escaped null characters ignored by CSS parser
- 2008-66 Errors parsing URLs with leading whitespace and control characters
- 2008-65 Cross-domain data theft via script redirect error message
- 2008-64 XMLHttpRequest 302 response disclosure
- 2008-63 User tracking via XUL persist attribute
- 2008-60 Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)
# Fixed in Firefox 3.0.4
- 2008-58 Parsing error in E4X default namespace
- 2008-57 -moz-binding property bypasses security checks on codebase principals
- 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation
- 2008-55 Crash and remote code execution in nsFrameManager
- 2008-54 Buffer overflow in http-index-format parser
- 2008-53 XSS and JavaScript privilege escalation via session restore
- 2008-52 Crashes with evidence of memory corruption (rv:1.9.0.4/1.8.1.18)
- 2008-51 file: URIs inherit chrome privileges when opened from chrome
- 2008-47 Information stealing via local shortcut files
# Fixed in Firefox 3.0.2
- 2008-50 Crash and remote code execution via __proto__ tampering
- 2008-44 resource: traversal vulnerabilities
- 2008-43 BOM characters, low surrogates stripped from JavaScript before execution
- 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
- 2008-41 Privilege escalation via XPCnativeWrapper pollution
- 2008-40 Forced mouse drag
# Fixed in Firefox 3.0.1
- 2008-36 Crash with malformed GIF file on Mac OS X
- 2008-35 Command-line URLs launch multiple tabs when Firefox not running
- 2008-34 Remote code execution by overflowing CSS reference counter
# Fixed in Firefox 3
- 2008-28 Arbitrary socket connections with Java LiveConnect on Mac OS X
- 2008-25 Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()
- 2008-24 Chrome script loading from fastload file
- 2008-23 Signed JAR tampering
- 2008-22 XSS through JavaScript same-origin violation
- 2008-21 Crashes with evidence of memory corruption (rv:1.8.1.15)