Security Advisories for Firefox 3.5

Firefox 3.5 is unsupported. Please upgrade to the latest version.

Impact key

• Critical Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.
• High Vulnerability can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.
• Moderate Vulnerabilities that would otherwise be High or Critical except they only work in uncommon non-default configurations or require the user to perform complicated and/or unlikely steps.
• Low Minor security vulnerabilities such as Denial of Service attacks, minor data leaks, or spoofs. (Undetectable spoofs of SSL indicia would have "High" impact because those are generally used to steal sensitive data intended for other sites.)

# Fixed in Firefox 3.5.19

• 2011-18 XSLT generate-id() function heap address leak
• 2011-16 Directory traversal in resource: protocol
• 2011-15 Escalation of privilege through Java Embedding Plugin
• 2011-14 Information stealing via form history
• 2011-13 Multiple dangling pointer vulnerabilities
• 2011-12 Miscellaneous memory safety hazards (rv:2.0.1/ 1.9.2.17/ 1.9.1.19)

# Fixed in Firefox 3.5.18

• 2011-11 Update to HTTPS certificate blacklist

# Fixed in Firefox 3.5.17

• 2011-10 CSRF risk with plugins and 307 redirects
• 2011-08 ParanoidFragmentSink allows javascript: URLs in chrome documents
• 2011-07 Memory corruption during text run construction (Windows)
• 2011-06 Use-after-free error using Web Workers
• 2011-05 Buffer overflow in JavaScript atom map
• 2011-04 Buffer overflow in JavaScript upvarMap
• 2011-03 Use-after-free error in JSON.stringify
• 2011-02 Recursive eval call causes confirm dialogs to evaluate to true
• 2011-01 Miscellaneous memory safety hazards (rv:1.9.2.14/ 1.9.1.17)
• 2010-74 Miscellaneous memory safety hazards (rv:1.9.2.13/ 1.9.1.16)

# Fixed in Firefox 3.5.16

• 2010-84 XSS hazard in multiple character encodings
• 2010-83 Location bar SSL spoofing using network error page
• 2010-82 Incomplete fix for CVE-2010-0179
• 2010-81 Integer overflow vulnerability in NewIdArray
• 2010-80 Use-after-free error with nsDOMAttribute MutationObserver
• 2010-79 Java security bypass from LiveConnect loaded via data: URL meta refresh
• 2010-78 Add support for OTS font sanitizer
• 2010-77 Crash and remote code execution using HTML tags inside a XUL tree
• 2010-76 Chrome privilege escalation with window.open and <isindex> element
• 2010-75 Buffer overflow while line breaking after document.write with long string
• 2010-74 Miscellaneous memory safety hazards (rv:1.9.2.13/ 1.9.1.16)

# Fixed in Firefox 3.5.15

• 2010-73 Heap buffer overflow mixing document.write and DOM insertion

# Fixed in Firefox 3.5.14

• 2010-72 Insecure Diffie-Hellman key exchange
• 2010-71 Unsafe library loading vulnerabilities
• 2010-70 SSL wildcard certificate matching IP addresses
• 2010-69 Cross-site information disclosure via modal calls
• 2010-68 XSS in gopher parser when parsing hrefs
• 2010-67 Dangling pointer vulnerability in LookupGetterOrSetter
• 2010-66 Use-after-free error in nsBarProp
• 2010-65 Buffer overflow and memory corruption using document.write
• 2010-64 Miscellaneous memory safety hazards (rv:1.9.2.11/ 1.9.1.14)

# Fixed in Firefox 3.5.12

• 2010-63 Information leak via XMLHttpRequest statusText
• 2010-62 Copy-and-paste or drag-and-drop into designMode document allows XSS
• 2010-61 UTF-7 XSS by overriding document charset using <object> type attribute
• 2010-60 XSS using SJOW scripted function
• 2010-58 Crash on Mac using fuzzed font in data: URL
• 2010-57 Crash and remote code execution in normalizeDocument
• 2010-56 Dangling pointer vulnerability in nsTreeContentView
• 2010-55 XUL tree removal crash and remote code execution
• 2010-54 Dangling pointer vulnerability in nsTreeSelection
• 2010-53 Heap buffer overflow in nsTextFrameUtils::TransformText
• 2010-52 Windows XP DLL loading vulnerability
• 2010-51 Dangling pointer vulnerability using DOM plugin array
• 2010-50 Frameset integer overflow vulnerability
• 2010-49 Miscellaneous memory safety hazards (rv:1.9.2.9/ 1.9.1.12)
• 2010-33 User tracking across sites using Math.random()

# Fixed in Firefox 3.5.11

• 2010-47 Cross-origin data leakage from script filename in error messages
• 2010-46 Cross-domain data theft using CSS
• 2010-45 Multiple location bar spoofing vulnerabilities
• 2010-42 Cross-origin data disclosure via Web Workers and importScripts
• 2010-41 Remote code execution using malformed PNG image
• 2010-40 nsTreeSelection dangling pointer remote code execution vulnerability
• 2010-39 nsCSSValue::Array index integer overflow
• 2010-37 Plugin parameter EnsureCachedAttrParamArrays remote code execution vulnerability
• 2010-36 Use-after-free error in NodeIterator
• 2010-35 DOM attribute cloning remote code execution vulnerability
• 2010-34 Miscellaneous memory safety hazards (rv:1.9.2.7/ 1.9.1.11)

# Fixed in Firefox 3.5.10

• 2010-33 User tracking across sites using Math.random()
• 2010-32 Content-Disposition: attachment ignored if Content-Type: multipart also present
• 2010-31 focus() behavior can be used to inject or steal keystrokes
• 2010-30 Integer Overflow in XSLT Node Sorting
• 2010-29 Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal
• 2010-28 Freed object reuse across plugin instances
• 2010-27 Use-after-free error in nsCycleCollector::MarkRoots()
• 2010-26 Crashes with evidence of memory corruption (rv:1.9.2.4/ 1.9.1.10)
• 2010-25 Re-use of freed object due to scope confusion

# Fixed in Firefox 3.5.9

• 2010-24 XMLDocument::load() doesn't check nsIContentPolicy
• 2010-23 Image src redirect to mailto: URL opens email editor
• 2010-22 Update NSS to support TLS renegotiation indication
• 2010-20 Chrome privilege escalation via forced URL drag and drop
• 2010-19 Dangling pointer vulnerability in nsPluginArray
• 2010-18 Dangling pointer vulnerability in nsTreeContentView
• 2010-17 Remote code execution with use-after-free in nsTreeSelection
• 2010-16 Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.9/ 1.9.0.19)

# Fixed in Firefox 3.5.8

• 2010-21 Arbitrary code execution with Firebug XMLHttpRequestSpy
• 2010-14 Browser chrome defacement via cached XUL stylesheets
• 2010-12 XSS using addEventListener and setTimeout on a wrapped object
• 2010-11 Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.8/ 1.9.0.18)
• 2010-05 XSS hazard using SVG document and binary Content-Type
• 2010-04 XSS due to window.dialogArguments being readable cross-domain
• 2010-03 Use-after-free crash in HTML parser
• 2010-02 Web Worker Array Handling Heap Corruption Vulnerability
• 2010-01 Crashes with evidence of memory corruption (rv:1.9.1.8/ 1.9.0.18)

# Fixed in Firefox 3.5.6

• 2009-71 GeckoActiveXObject exception messages can be used to enumerate installed COM objects
• 2009-70 Privilege escalation via chrome window.opener
• 2009-69 Location bar spoofing vulnerabilities
• 2009-68 NTLM reflection vulnerability
• 2009-67 Integer overflow, crash in libtheora video library
• 2009-66 Memory safety fixes in liboggplay media library
• 2009-65 Crashes with evidence of memory corruption (rv:1.9.1.6/ 1.9.0.16)

# Fixed in Firefox 3.5.4

• 2009-64 Crashes with evidence of memory corruption (rv:1.9.1.4/ 1.9.0.15)
• 2009-63 Upgrade media libraries to fix memory safety bugs
• 2009-62 Download filename spoofing with RTL override
• 2009-61 Cross-origin data theft through document.getSelection()
• 2009-59 Heap buffer overflow in string to number conversion
• 2009-57 Chrome privilege escalation in XPCVariant::VariantDataToJS()
• 2009-56 Heap buffer overflow in GIF color map parser
• 2009-55 Crash in proxy auto-configuration regexp parsing
• 2009-54 Crash with recursive web-worker calls
• 2009-53 Local downloaded file tampering
• 2009-52 Form history vulnerable to stealing

# Fixed in Firefox 3.5.3

• 2009-51 Chrome privilege escalation with FeedWriter
• 2009-50 Location bar spoofing via tall line-height Unicode characters
• 2009-49 TreeColumns dangling pointer vulnerability
• 2009-47 Crashes with evidence of memory corruption (rv:1.9.1.3/ 1.9.0.14)

# Fixed in Firefox 3.5.2

• 2009-46 Chrome privilege escalation due to incorrectly cached wrapper
• 2009-45 Crashes with evidence of memory corruption (rv:1.9.1.2/1.9.0.13)
• 2009-44 Location bar and SSL indicator spoofing via window.open() on invalid URL
• 2009-38 Data corruption with SOCKS5 reply containing DNS name longer than 15 characters

# Fixed in Firefox 3.5.1

• 2009-41 Corrupt JIT state after deep return from native function
• 2009-35 Crash and remote code execution during Flash player unloading

# Fixed in Firefox 3.5

• 2009-43 Heap overflow in certificate regexp parsing
• 2009-42 Compromise of SSL-protected communication
• 2009-40 Multiple cross origin wrapper bypasses
• 2009-39 setTimeout loses XPCNativeWrappers
• 2009-37 Crash and remote code execution using watch and __defineSetter__ on SVG element
• 2009-36 Heap/integer overflows in font glyph rendering libraries
• 2009-34 Crashes with evidence of memory corruption (rv:1.9.1/1.9.0.12)