Mozilla Foundation Security Advisory 2008-25
Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()
- Announced
- July 1, 2008
- Reporter
- moz_bug_r_a4
- Impact
- Critical
- Products
- Firefox, SeaMonkey, Thunderbird
- Fixed in
-
- Firefox 2.0.0.15
- Firefox 3
- SeaMonkey 1.1.10
- Thunderbird 2.0.0.16
Description
Mozilla security researcher moz_bug_r_a4 reported
that mozIJSSubScriptLoader.LoadScript() only applied XPCNativeWrappers to
scripts loaded from standard chrome:
URIs. Add-ons using
this feature to load scripts from other schemes such as file:
or data:
(typically dynamically generated scripts) and
chrome: URIs using non-canonical package names (e.g. uppercase) did
not have the protective wrappers applied. If the scripts interact
with web content in any way that content could exploit the unwrapped
scripts to run arbitrary code.
Firefox itself does not use this feature in a vulnerable way and users who have not installed any Add-ons are not at risk. We have, however, identified popular Add-ons using this feature whose users are at risk and there are no doubt others.
Thunderbird users are not at risk when JavaScript is disabled in mail. This is the default setting and we strongly discourage users from enabling JavaScript in mail.
Workaround
Disable JavaScript until a version containing these fixes can be installed.