MFSA 2005-56 CAN-2005-2270 impact=important,source=mozilla,public=20050712
Improper cloning of base objects allowed web content scripts to get to a privileged object by walking up the prototype chain. This could be used to execute code with enhanced privileges.
https://bugzilla.mozilla.org/show_bug.cgi?id=294795
https://bugzilla.mozilla.org/show_bug.cgi?id=294799
https://bugzilla.mozilla.org/show_bug.cgi?id=295011
https://bugzilla.mozilla.org/show_bug.cgi?id=296397

MFSA 2005-55 CAN-2005-2269 impact=moderate,source=mozilla,public=20050712
Parts of the browser UI relied too much on DOM node names without taking different namespaces into account and verifying that the node was really of the expected type. An XHTML document could be used, for example, to create fake <IMG> elements with content-defined properties that will be accessed as if they were the trusted built-in properties of the expected HTML elements.
https://bugzilla.mozilla.org/show_bug.cgi?id=298892

MFSA 2005-52 CAN-2005-2266 impact=moderate,source=mozilla,public=20050712
A child frame can call top.focus() even if the framing page comes from a different origin and has overridden the focus() routine. The call is made in the context of the child frame. The attacker would look for a target site with a framed page that makes this call but doesn't verify that its parent comes from the same site. By framing this page the attacker could steal cookies and passwords, or take actions on the site on behalf of a signed-in user.
http://secunia.com/advisories/15549/
https://bugzilla.mozilla.org/show_bug.cgi?id=296830

MFSA 2005-50 CAN-2005-2265 impact=moderate,source=mozilla,public=20050712
When InstallVersion.compareTo() is passed an object rather than a string it assumed the object was another InstallVersion without verifying it. When passed a different kind of object the browser would generally crash with an access violation.

MFSA 2005-46 CAN-2005-2261 impact=low,source=mozilla,public=20050712
Scripts in XBL controls from web content continued to be run even when Javascript was disabled. By itself this causes no harm, but it could be combined with most script-based exploits to attack people running vulnerable versions who thought disabling Javascript would protect them.
https://bugzilla.mozilla.org/show_bug.cgi?id=292591
https://bugzilla.mozilla.org/show_bug.cgi?id=292589

MFSA 2005-44 CAN-2005-1532 impact=moderate,source=mozilla,public=20050518
Additional checks were added to make sure Javascript eval and Script objects are run with the privileges of the context that created them, not the potentially elevated privilege of the context calling them, in order to protect against an additional variant of MFSA 2005-41.
https://bugzilla.mozilla.org/show_bug.cgi?id=290908

MFSA 2005-41 CAN-2005-1160 impact=moderate,source=mozilla,public=20050415
moz_bug_r_a4 reported several exploits giving an attacker the ability to install malicious code or steal data, requiring only that the user do commonplace actions like click on a link or open the context menu. The common cause in each case was privileged UI code ("chrome") being overly trusting of DOM nodes from the content window. Scripts in the web page can override properties and methods of DOM nodes and shadow the native values, unless steps are taken to get the true underlying values.
https://bugzilla.mozilla.org/show_bug.cgi?id=289074
https://bugzilla.mozilla.org/show_bug.cgi?id=289083
https://bugzilla.mozilla.org/show_bug.cgi?id=289961

MFSA 2005-40 CAN-2005-1159 impact=moderate,source=mozilla,public=20050415
The native implementations of InstallTrigger and other XPInstall-related Javascript objects did not properly validate that they were called on instances of the correct type. By passing other objects, even raw numbers, the Javascript interpreter would jump to the wrong place in memory. Although no proof of concept has been developed we believe this could be exploited.
https://bugzilla.mozilla.org/show_bug.cgi?id=290162

MFSA 2005-33 CAN-2005-0989 impact=low,source=mozilla,public=20050415
A bug in Javascript's regular expression string replacement when using an anonymous function as the replacement argument allows a malicious script to capture blocks of memory allocated to the browser. A web site could capture data and transmit it to a server without user interaction or knowledge.
https://bugzilla.mozilla.org/show_bug.cgi?id=288688
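The shadowing problem behind MFSA 2005-41 and the namespace/type confusion in MFSA 2005-55 (and the missing receiver-type validation of 2005-40/2005-50) can be shown without a browser. The following is an added example, not Mozilla's code: FakeNode, XHTML_NS and the two check functions are constructed stand-ins, with private fields modelling native slots that a page script cannot overwrite.

```javascript
// Added example (not Mozilla code): a minimal stand-in for native DOM nodes.
// Private fields model native slots that content scripts cannot overwrite.
const XHTML_NS = "http://www.w3.org/1999/xhtml";

class FakeNode {
  #localName; #namespaceURI;
  constructor(localName, namespaceURI) {
    this.#localName = localName;
    this.#namespaceURI = namespaceURI;
  }
  get nodeName() { return this.#localName.toUpperCase(); }
  get localName() { return this.#localName; }
  get namespaceURI() { return this.#namespaceURI; }
}

// Privileged-code check in the style MFSA 2005-41 describes: it reads nodeName off
// the instance, so an own property defined by a content script shadows the native value.
function naiveIsHtmlImage(node) {
  return node.nodeName === "IMG";
}

// Hardened check: invoke the prototype's native getter directly so own-property
// shadowing is bypassed (2005-41), verify the XHTML namespace and localName rather
// than just the node name (2005-55), and treat a wrong-type receiver as "not an
// image" instead of letting the getter fail (the validation gap in 2005-40/2005-50).
function nativeGet(node, prop) {
  return Object.getOwnPropertyDescriptor(FakeNode.prototype, prop).get.call(node);
}
function strictIsHtmlImage(node) {
  try {
    return nativeGet(node, "namespaceURI") === XHTML_NS &&
           nativeGet(node, "localName") === "img";
  } catch (e) {
    return false; // TypeError: receiver is not a FakeNode
  }
}

// Constructed samples standing in for content-controlled nodes.
function makeShadowedNode() {
  const n = new FakeNode("widget", "urn:example:content-ns"); // foreign namespace
  Object.defineProperty(n, "nodeName", { value: "IMG" }); // shadows the native getter
  return n;
}
const realImg = new FakeNode("img", XHTML_NS);
const plainObject = { nodeName: "IMG" }; // not a node at all

console.log(naiveIsHtmlImage(makeShadowedNode()), strictIsHtmlImage(makeShadowedNode()));
console.log(naiveIsHtmlImage(plainObject), strictIsHtmlImage(plainObject));
console.log(naiveIsHtmlImage(realImg), strictIsHtmlImage(realImg));
```

The first two lines of output are `true false`: the naive check accepts both the shadowed node and the plain object, while the hardened check rejects them and accepts only the real XHTML img.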
fixed by RHSA-2005:601 (auto bug closing isn't working)