Firefox Hit by Drive-by Download Flaws

Mozilla has shipped a mega patch for Firefox to fix a total of 16 security flaws that expose Web surfers to drive-by download, data theft and location bar spoofing attacks.

The latest Firefox 3.6.7 update includes fixes for nine “critical” issues that could be exploited to launch remote code execution attacks. Two of the 16 bugs are rated “high risk” while five carry a “moderate” severity rating.

Here’s the skinny on the critical fixes:

Remote code execution using malformed PNG image 

OUSPG researcher Aki Helin reported a buffer overflow in Mozilla graphics code which consumes image data processed by libpng. A malformed PNG file could be created which would cause libpng to incorrectly report the size of the image to downstream consumers. When the dimensions of such images are underreported, the Mozilla code responsible for displaying the graphic will allocate too small a memory buffer to contain the image data and will wind up writing data past the end of the buffer. This could result in the execution of attacker-controlled memory.

nsTreeSelection dangling pointer remote code execution vulnerability 

Security researcher regenrecht reported via TippingPoint’s Zero Day Initiative an integer overflow vulnerability in the implementation of the XUL <tree> element’s selection attribute. When the size of a new selection is sufficiently large, the integer used in calculating the length of the selection can overflow, resulting in a bogus range being marked selected. When adjustSelection is then called on the bogus range, the range is deleted, leaving dangling references to the ranges which could be used by an attacker to call into deleted memory and run arbitrary code on a victim’s computer.

nsCSSValue::Array index integer overflow

Security researcher J23 reported via TippingPoint’s Zero Day Initiative that an array class used to store CSS values contained an integer overflow vulnerability. The 16-bit integer value used in allocating the size of the array could overflow, resulting in too small a memory buffer being created. When the array was later populated with CSS values, data would be written past the end of the buffer, potentially resulting in the execution of attacker-controlled memory.

Arbitrary code execution using SJOW and fast native function

Mozilla security researcher moz_bug_r_a4 reported that when a content script which is running in a chrome context accesses a content object via SJOW, the content code can gain access to an object from the chrome scope and use that object to run arbitrary JavaScript with chrome privileges.

Plugin parameter EnsureCachedAttrParamArrays remote code execution vulnerability 

Security researcher J23 reported via TippingPoint’s Zero Day Initiative an error in the code used to store the names and values of plugin parameter elements. A malicious page could embed plugin content containing a very large number of parameter elements which would cause an overflow in the integer value counting them. This integer is later used in allocating a memory buffer used to store the plugin parameters. Under such conditions, too small a buffer would be created and attacker-controlled data could be written past the end of the buffer, potentially resulting in code execution.
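The count-wrap pattern described for nsCSSValue::Array, which is the same class of bug as the plugin parameter counter above, shown as an added C example (not Mozilla's code and not taken from the advisories). The struct and function names are hypothetical, and the flawed path only computes the size it would reserve, without allocating or writing anything.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical container for illustration; not Mozilla's nsCSSValue::Array. */
typedef struct {
    uint16_t count;   /* 16-bit element count, the width named in the advisory */
    int      items[]; /* storage sized from count */
} value_array;

/* Bytes a caller writes when it fills `requested` elements. */
size_t bytes_needed(size_t requested)
{
    return sizeof(value_array) + requested * sizeof(int);
}

/* Flawed sizing: the requested count is truncated to 16 bits before the
 * size is computed. Returns the bytes that would be reserved; nothing is
 * allocated or written here. */
size_t unchecked_alloc_bytes(size_t requested)
{
    uint16_t count = (uint16_t)requested;   /* 65537 becomes 1 */
    return sizeof(value_array) + (size_t)count * sizeof(int);
}

/* Hardened constructor: reject any count the 16-bit field cannot hold,
 * so the stored count and the allocation always agree. NULL = rejected. */
value_array *value_array_create(size_t requested)
{
    if (requested > UINT16_MAX)
        return NULL;
    value_array *a = calloc(1, bytes_needed(requested));
    if (a != NULL)
        a->count = (uint16_t)requested;
    return a;
}

int main(void)
{
    size_t n = 65537;   /* constructed input: one past a full 16-bit wrap */
    printf("needed=%zu reserved=%zu\n", bytes_needed(n), unchecked_alloc_bytes(n));
    value_array *a = value_array_create(n);
    printf("checked create: %s\n", a ? "allocated" : "rejected");
    free(a);
    return 0;
}
```

The gap between `needed` and `reserved` is the out-of-bounds write the advisories describe; the checked constructor closes it by failing the request instead of wrapping.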

Use-after-free error in NodeIterator 

Security researcher regenrecht reported via TippingPoint’s Zero Day Initiative an error in Mozilla’s implementation of NodeIterator in which a malicious NodeFilter could be created which would detach nodes from the DOM tree while it was being traversed. The use of a detached and subsequently deleted node could result in the execution of attacker-controlled memory.

DOM attribute cloning remote code execution vulnerability 

Security researcher regenrecht reported via TippingPoint’s Zero Day Initiative an error in the DOM attribute cloning routine where, under certain circumstances, an event attribute node can be deleted while another object still contains a reference to it. This reference could subsequently be accessed, potentially causing the execution of attacker-controlled memory.

Miscellaneous memory safety hazards 

Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. 
