Mozilla Foundation Security Advisory 2006-51
Privilege escalation using named-functions and redefined "new Object()"
- Announced
- July 25, 2006
- Reporter
- moz_bug_r_a4
- Impact
- Critical
- Products
- Firefox, SeaMonkey, Thunderbird
- Fixed in
-
- Firefox 1.5.0.5
- SeaMonkey 1.0.3
- Thunderbird 1.5.0.5
Description
moz_bug_r_a4 discovered that named JavaScript functions have a parent object created using the standard Object() constructor (ECMA-specified behavior) and that this constructor can be redefined by script (also ECMA-specified behavior). If the Object() constructor is changed to return a reference to a privileged object with useful properties it is possible to have attacker-supplied script excuted with elevated privileges by calling the function. This could be used to install malware or take other malicious actions.
Our fix involves calling the internal Object constructor which appears to be what other ECMA-compatible interpreters do.
Thunderbird shares the browser engine with Firefox and would be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from enabling JavaScript in mail.
Workaround
Disable JavaScript until you can upgrade to a fixed version. Do not enable JavaScript in mail clients such as Thunderbird.
References
-
https://bugzilla.mozilla.org/show_bug.cgi?id=340727
CVE-2006-3807