Description
Mozilla Firefox before 3.0.11 is affected by multiple vulnerabilities:
- Crashes with evidence of memory corruption (MFSA 2009-24).
Several stability bugs were identified and fixed in the browser engine used in Firefox
and other Mozilla-based products. Some of these crashes showed evidence of memory
corruption under certain circumstances and we presume that with enough effort at least
some of these could be exploited to run arbitrary code.
- URL spoofing with invalid Unicode characters (MFSA 2009-25).
Certain invalid Unicode characters, when used as part of an IDN, are displayed as
whitespace in the location bar. This whitespace could be used to force part of the
URL out of view in the location bar. An attacker could use this vulnerability to
spoof the location bar and display a misleading URL for their malicious web page.
- Arbitrary domain cookie access by local file: resources (MFSA 2009-26).
Local resources loaded via the file: protocol can access any domain's cookies which
have been saved on a user's machine. Fleischer demonstrated that a local document's
domain was being calculated incorrectly from its URL. If a victim could be persuaded
to download a malicious file and then open that file in their browser, the malicious
file could then steal arbitrary cookies from the victim's computer. Due to the
interaction required for this attack, the severity of the issue was determined to be
moderate.
- SSL tampering via non-200 responses to proxy CONNECT requests (MFSA 2009-27).
When a CONNECT request is sent to a proxy server and a non-200 response is returned,
then the body of the response is incorrectly rendered within the context of the request
Host: header. An active network attacker could use this vulnerability to intercept a
CONNECT request and reply with a non-200 response containing malicious code which would
be executed within the context of the victim's requested SSL-protected domain. Since
this attack requires the victim to have a proxy configured, the severity of this issue
was determined to be high.
- Race condition while accessing the private data of a NPObject JS wrapper class object
(MFSA 2009-28). A race condition has been reported in NPObjWrapper_NewResolve when
accessing the properties of a NPObject, a wrapped JSObject. It has been demonstrated
that this condition could be reached by navigating away from a web page during the
loading of a Java applet. Under such conditions the Java object would be destroyed
but later called into, resulting in a read of freed memory. It might be possible for an
attacker to write to the freed memory before it is reused and run arbitrary code on
the victim's computer.
- Arbitrary code execution using event listeners attached to an element whose owner
document is null (MFSA 2009-29). The owner document of an element can become null
after garbage collection. In such cases, event listeners may be executed within
the wrong JavaScript context. An attacker could potentially use this vulnerability
to have a malicious event handler execute arbitrary JavaScript with chrome privileges.
- Incorrect principal set for file: resources loaded via location bar (MFSA 2009-30).
When a file: resource is loaded via the location bar it inherits the principal of
the previously loaded document. This vulnerability can potentially give the newly
loaded document additional privileges to access the contents of other local files
that it wouldn't otherwise have permission to read.
- XUL scripts bypass content-policy checks (MFSA 2009-31).
Content-loading policies were not checked before loading external script files
into XUL documents. The severity of this problem depends on the purpose of the
content policy check, which includes privacy from "web bugs" in Thunderbird mail
messages and blocking of ads and ad-server tracking in AdBlock Plus.
- JavaScript chrome privilege escalation (MFSA 2009-32).
A vulnerability has been reported which allows scripts from page content to run
with elevated privileges. Using this vulnerability, an attacker could cause a
chrome privileged object, such as the browser sidebar or the FeedWriter, to
interact with web content in such a way that attacker controlled code may be
executed with the object's chrome privileges.
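The advisory's scope is "Firefox before 3.0.11", so a practical follow-up is checking which clients in an environment still run an affected build. The following is an added example, not part of the advisory or of any Mozilla code: it compares Firefox version strings numerically (a plain string comparison would wrongly rank "3.0.9" above "3.0.11") and applies that check to web-server access log lines by extracting the `Firefox/<version>` token from the User-Agent. The log lines, IP addresses and the hypothetical `affected_clients` helper are all constructed for illustration.

```python
"""Identify clients reporting a Firefox version below the fixed release (3.0.11).

Added example for this advisory; the log lines below are constructed, not real data.
"""
import re
from typing import Iterable, List, Tuple

# First release carrying the fixes for MFSA 2009-24 through 2009-32, per the advisory.
FIXED_VERSION = "3.0.11"

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)")               # leading dotted-numeric part
_UA_RE = re.compile(r"Firefox/(\d+(?:\.\d+)*[A-Za-z0-9]*)")  # e.g. Firefox/3.0.10, Firefox/3.5b4
_IP_RE = re.compile(r"^(\S+)")                              # first field of a combined-format line


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.0.10' into (3, 0, 10) so tuples compare numerically.

    Trailing tags such as 'b4' or 'pre' are dropped (a simplification chosen for this
    example, not Mozilla's version-ordering rule); short versions are padded to three
    components so that '3.0' and '3.0.0' compare equal.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the reported version is strictly older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


# Constructed sample access-log lines (combined log format); not captured from a real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jun/2009:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"',
    '10.0.0.6 - - [12/Jun/2009:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11) Gecko/2009060308 Firefox/3.0.11"',
    '10.0.0.7 - - [12/Jun/2009:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9"',
    '10.0.0.8 - - [12/Jun/2009:10:01:12 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.5b4"',
    '10.0.0.9 - - [12/Jun/2009:10:01:15 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
]


def affected_clients(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, firefox_version) for every line whose User-Agent is an affected build.

    Lines without a Firefox token are skipped; 3.5 betas sort above 3.0.11 and are not
    flagged by this advisory's range.
    """
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        ua = _UA_RE.search(line)
        if not ua:
            continue
        version = ua.group(1)
        if is_affected(version):
            ip_match = _IP_RE.match(line)
            ip = ip_match.group(1) if ip_match else "?"
            hits.append((ip, version))
    return hits


if __name__ == "__main__":
    for ip, version in affected_clients(SAMPLE_LOG):
        print(f"{ip} reports Firefox {version} (< {FIXED_VERSION})")
```

The numeric comparison is the point worth keeping: a version filter built on string ordering or on a prefix match such as `startswith("3.0.1")` would either miss 3.0.9 or mis-flag 3.0.11 itself.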