Mozilla Firefox before 3.0.11 is affected by multiple vulnerabilities:
Crashes with evidence of memory corruption (MFSA 2009-24).
Several stability bugs were identified and fixed in the browser engine used in Firefox
and other Mozilla-based products. Some of these crashes showed evidence of memory
corruption under certain circumstances and we presume that with enough effort at least
some of these could be exploited to run arbitrary code.
URL spoofing with invalid unicode characters (MFSA 2009-25).
Certain invalid unicode characters, when used as part of an IDN, are displayed as
whitespace in the location bar. This whitespace could be used to force part of the
URL out of view in the location bar. An attacker could use this vulnerability to
spoof the location bar and display a misleading URL for their malicious web page.
Arbitrary domain cookie access by local file: resources (MFSA 2009-26).
Local resources loaded via the file: protocol can access any domain's cookies which
have been saved on a user's machine. Fleischer demonstrated that a local document's
domain was being calculated incorrectly from its URL. If a victim could be persuaded
to download a malicious file and then open that file in their browser, the malicious
file could then steal arbitrary cookies from the victim's computer. Due to the
interaction required for this attack, the severity of the issue was determined to be
SSL tampering via non-200 responses to proxy CONNECT requests (MFSA 2009-27).
When a CONNECT request is sent to a proxy server and a non-200 response is returned,
then the body of the response is incorrectly rendered within the context of the request
Host: header. An active network attacker could use this vulnerability to intercept a
CONNECT request and reply with a non-200 response containing malicious code which would
be executed within the context of the victim's requested SSL-protected domain. Since
this attack requires the victim to have a proxy configured, the severity of this issue
was determined to be high.
Race condition while accessing the private data of a NPObject JS wrapper class object
(MFSA 2009-28). A race condition has been reported in NPObjWrapper_NewResolve when
accessing the properties of a NPObject, a wrapped JSObject. It has been demonstrated
that this condition could be reached by navigating away from a web page during the
loading of a Java applet. Under such conditions the Java object would be destroyed
but later called into resulting in a free memory read. It might be possible for an
attacker to write to the freed memory before it is reused and run arbitrary code on
the victim's computer.
Arbitrary code execution using event listeners attached to an element whose owner
document is null (MFSA 2009-29). The owner document of an element can become null
after garbage collection. In such cases, event listeners may be executed within
Incorrect principal set for file: resources loaded via location bar (MFSA 2009-30).
When a file: resource is loaded via the location bar it inherits the principal of
the previously loaded document. This vulnerability can potentially give the newly
loaded document additional privileges to access the contents of other local files
that it wouldn't otherwise have permission to read.
XUL scripts bypass content-policy checks (MFSA 2009-31).
Content-loading policies were not checked before loading external script files
into XUL documents. The severity of this problem would depend on the reasons
behind the content policy check, which include privacy from "web bugs" in
Thunderbird mail messages, blocking of Ads and Ad-server tracking in AdBlock Plus.
A vulnerability has been reported which allows scripts from page content to run
with elevated privileges. Using this vulnerability, an attacker could cause a
chrome privileged object, such as the browser sidebar or the FeedWriter, to
interact with web content in such a way that attacker controlled code may be
executed with the object's chrome privileges.