Mozilla Firefox versions before 3.0.13 and 3.5.2 are affected by multiple vulnerabilities:
Data corruption with SOCKS5 reply containing DNS name longer than 15 characters (MFSA 2009-38).
When Firefox receives a reply from a SOCKS5 proxy which contains a DNS name longer than 15
characters, the subsequent data stream in the response can become corrupted. There was no
evidence of memory corruption, however, and the severity of the issue was determined to be low.
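The following added example (not Firefox code; `socks5_reply_len` and `parse_sample` are hypothetical names, and the sample replies are constructed) shows how a client can compute the exact length of a SOCKS5 reply per RFC 1928 so that none of its bytes are mistaken for tunnelled data. A reply carrying a 15-character name is 22 bytes, the same size as an IPv6 reply; longer names produce longer replies.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Full length of a SOCKS5 reply (RFC 1928, section 6): 0 if more bytes are
 * needed, -1 if malformed. Layout: VER REP RSV ATYP BND.ADDR BND.PORT. */
static long socks5_reply_len(const uint8_t *buf, size_t have)
{
    size_t addr, total;

    if (have < 5)              /* need ATYP plus the first address octet */
        return 0;
    if (buf[0] != 0x05)        /* VER must be 5 */
        return -1;
    switch (buf[3]) {
    case 0x01: addr = 4; break;                    /* IPv4 */
    case 0x04: addr = 16; break;                   /* IPv6 */
    case 0x03: addr = 1 + (size_t)buf[4]; break;   /* length octet + name */
    default:   return -1;
    }
    total = 4 + addr + 2;      /* fixed header + BND.ADDR + BND.PORT */
    return have >= total ? (long)total : 0;
}

/* Constructed sample: a success reply carrying `name`, followed by 4 bytes
 * of tunnelled data; parse only the first `have` bytes of it. */
static long parse_sample(const char *name, size_t have)
{
    uint8_t buf[4 + 1 + 255 + 2 + 4] = { 0x05, 0x00, 0x00, 0x03 };
    size_t n = strlen(name), built;

    if (n > 255)
        return -1;
    buf[4] = (uint8_t)n;
    memcpy(buf + 5, name, n);
    buf[5 + n] = 0x04; buf[6 + n] = 0x38;          /* BND.PORT 1080 */
    memcpy(buf + 7 + n, "DATA", 4);
    built = 7 + n + 4;
    return socks5_reply_len(buf, have < built ? have : built);
}

int main(void)
{
    printf("15-char name: %ld bytes\n", parse_sample("p.example.co.uk", 64));
    printf("19-char name: %ld bytes\n", parse_sample("gateway.example.net", 64));
    printf("19-char name, 22 bytes read: %ld (keep reading)\n",
           parse_sample("gateway.example.net", 22));
    return 0;
}
```

The caller hands bytes to the tunnelled stream only from the returned offset onward, and keeps reading while the function returns 0.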
Location bar and SSL indicator spoofing via window.open() on invalid URL (MFSA 2009-44).
An attacker could call window.open() on an invalid URL which looks similar to a legitimate URL
and then use document.write() to place content within the new document, appearing to have come
from the spoofed location. Additionally, if the spoofed document was created by a document with
a valid SSL certificate, the SSL indicators would be carried over into the spoofed document. An
attacker could use these issues to display misleading location and SSL information for a
malicious web page.
Crashes with evidence of memory corruption (MFSA 2009-45).
Several stability bugs in the browser engine used in Firefox and other Mozilla-based products
have been identified and fixed. Some of these crashes showed evidence of memory corruption
under certain circumstances and we presume that with enough effort at least some of these
could be exploited to run arbitrary code.
Chrome privilege escalation due to incorrectly cached wrapper (MFSA 2009-46).
Broken functionality has been reported on pages that had a Link: HTTP header when an add-on
NoScript. Mozilla security researcher moz_bug_r_a4 demonstrated that the broken functionality
was due to the window's global object receiving an incorrect security wrapper and that this