Mozilla Firefox before 16.0 on Android assigns chrome privileges to Reader Mode pages, which allows user-assisted remote attackers to bypass intended access restrictions via a crafted web site.

Mozilla Firefox was updated to the 10.0.9ESR security release which fixes bugs and security issues :

MFSA 2012-73 / CVE-2012-3977: Security researchers Thai Duong and Juliano Rizzo reported that SPDY's request header compression leads to information leakage, which can allow the extraction of private data such as session cookies, even over an encrypted SSL connection. (This does not affect Firefox 10 as it does not feature the SPDY extension.
It was silently fixed for Firefox 15.)

MFSA 2012-74: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products.

CVE-2012-3983: Henrik Skupin, Jesse Ruderman and moz_bug_r_a4 reported memory safety problems and crashes that affect Firefox 15.

CVE-2012-3982: Christian Holler and Jesse Ruderman reported memory safety problems and crashes that affect Firefox ESR 10 and Firefox 15.

MFSA 2012-75 / CVE-2012-3984: Security researcher David Bloom of Cue discovered that 'select' elements are always-on-top chromeless windows and that navigation away from a page with an active 'select' menu does not remove this window.When another menu is opened programmatically on a new page, the original 'select' menu can be retained and arbitrary HTML content within it rendered, allowing an attacker to cover arbitrary portions of the new page through absolute positioning/scrolling, leading to spoofing attacks.
Security researcher Jordi Chancel found a variation that would allow for click-jacking attacks was well.

In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products. References

Navigation away from a page with an active 'select' dropdown menu can be used for URL spoofing, other evil

Firefox 10.0.1 : Navigation away from a page with multiple active 'select' dropdown menu can be used for Spoofing And ClickJacking with XPI using window.open and geolocalisation

MFSA 2012-76 / CVE-2012-3985: Security researcher Collin Jackson reported a violation of the HTML5 specifications for document.domain behavior. Specified behavior requires pages to only have access to windows in a new document.domain but the observed violation allowed pages to retain access to windows from the page's initial origin in addition to the new document.domain. This could potentially lead to cross-site scripting (XSS) attacks.

MFSA 2012-77 / CVE-2012-3986: Mozilla developer Johnny Stenback discovered that several methods of a feature used for testing (DOMWindowUtils) are not protected by existing security checks, allowing these methods to be called through script by web pages. This was addressed by adding the existing security checks to these methods.

MFSA 2012-78 / CVE-2012-3987: Security researcher Warren He reported that when a page is transitioned into Reader Mode in Firefox for Android, the resulting page has chrome privileges and its content is not thoroughly sanitized. A successful attack requires user enabling of reader mode for a malicious page, which could then perform an attack similar to cross-site scripting (XSS) to gain the privileges allowed to Firefox on an Android device. This has been fixed by changing the Reader Mode page into an unprivileged page.

This vulnerability only affects Firefox for Android.

MFSA 2012-79 / CVE-2012-3988: Security researcher Soroush Dalili reported that a combination of invoking full screen mode and navigating backwards in history could, in some circumstances, cause a hang or crash due to a timing dependent use-after-free pointer reference. This crash may be potentially exploitable.

MFSA 2012-80 / CVE-2012-3989: Mozilla community member Ms2ger reported a crash due to an invalid cast when using the instanceof operator on certain types of JavaScript objects. This can lead to a potentially exploitable crash.

MFSA 2012-81 / CVE-2012-3991: Mozilla community member Alice White reported that when the GetProperty function is invoked through JSAPI, security checking can be bypassed when getting cross-origin properties. This potentially allowed for arbitrary code execution.

MFSA 2012-82 / CVE-2012-3994: Security researcher Mariusz Mlynski reported that the location property can be accessed by binary plugins through top.location and top can be shadowed by Object.defineProperty as well. This can allow for possible cross-site scripting (XSS) attacks through plugins.

MFSA 2012-83: Security researcher Mariusz Mlynski reported that when InstallTrigger fails, it throws an error wrapped in a Chrome Object Wrapper (COW) that fails to specify exposed properties. These can then be added to the resulting object by an attacker, allowing access to chrome privileged functions through script.

While investigating this issue, Mozilla security researcher moz_bug_r_a4 found that COW did not disallow accessing of properties from a standard prototype in some situations, even when the original issue had been fixed.

These issues could allow for a cross-site scripting (XSS) attack or arbitrary code execution.

CVE-2012-3993: XrayWrapper pollution via unsafe COW

CVE-2012-4184: ChromeObjectWrapper is not implemented as intended

MFSA 2012-84 / CVE-2012-3992: Security researcher Mariusz Mlynski reported an issue with spoofing of the location property. In this issue, writes to location.hash can be used in concert with scripted history navigation to cause a specific website to be loaded into the history object. The baseURI can then be changed to this stored site, allowing an attacker to inject a script or intercept posted data posted to a location specified with a relative path.

MFSA 2012-85: Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of use-after-free, buffer overflow, and out of bounds read issues using the Address Sanitizer tool in shipped software.
These issues are potentially exploitable, allowing for remote code execution. We would also like to thank Abhishek for reporting two additional use-after-free flaws introduced during Firefox 16 development and fixed before general release.

CVE-2012-3995: Out of bounds read in IsCSSWordSpacingSpace

CVE-2012-4179: Heap-use-after-free in nsHTMLCSSUtils::CreateCSSPropertyTxn

CVE-2012-4180: Heap-buffer-overflow in nsHTMLEditor::IsPrevCharInNodeWhitespace

CVE-2012-4181: Heap-use-after-free in nsSMILAnimationController::DoSample

CVE-2012-4182: Heap-use-after-free in nsTextEditRules::WillInsert

CVE-2012-4183: Heap-use-after-free in DOMSVGTests::GetRequiredFeatures

MFSA 2012-86: Security researcher Atte Kettunen from OUSPG reported several heap memory corruption issues found using the Address Sanitizer tool. These issues are potentially exploitable, allowing for remote code execution.

CVE-2012-4185: Global-buffer-overflow in nsCharTraits::length

CVE-2012-4186: Heap-buffer-overflow in nsWaveReader::DecodeAudioData

CVE-2012-4187: Crash with ASSERTION: insPos too small

CVE-2012-4188: Heap-buffer-overflow in Convolve3x3

MFSA 2012-87 / CVE-2012-3990: Security researcher miaubiz used the Address Sanitizer tool to discover a use-after-free in the IME State Manager code. This could lead to a potentially exploitable crash.

MFSA 2012-89 / CVE-2012-4192 / CVE-2012-4193: Mozilla security researcher moz_bug_r_a4 reported a regression where security wrappers are unwrapped without doing a security check in defaultValue(). This can allow for improper access access to the Location object. In versions 15 and earlier of affected products, there was also the potential for arbitrary code execution.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Mozilla Firefox was updated to the 10.0.9ESR security release which fixes bugs and security issues :

  - Security researchers Thai Duong and Juliano Rizzo     reported that SPDY's request header compression leads to     information leakage, which can allow the extraction of     private data such as session cookies, even over an     encrypted SSL connection. (This does not affect Firefox     10 as it does not feature the SPDY extension. It was     silently fixed for Firefox 15.). (MFSA 2012-73 /     CVE-2012-3977)

  - Mozilla developers identified and fixed several memory     safety bugs in the browser engine used in Firefox and     other Mozilla-based products. Some of these bugs showed     evidence of memory corruption under certain     circumstances, and we presume that with enough effort at     least some of these could be exploited to run arbitrary     code. (MFSA 2012-74)

    In general these flaws cannot be exploited through email     in the Thunderbird and SeaMonkey products because     scripting is disabled, but are potentially a risk in     browser or browser-like contexts in those products.

  - Henrik Skupin, Jesse Ruderman and moz_bug_r_a4 reported     memory safety problems and crashes that affect Firefox     15. (CVE-2012-3983)

  - Christian Holler and Jesse Ruderman reported memory     safety problems and crashes that affect Firefox ESR 10     and Firefox 15. (CVE-2012-3982)

  - Security researcher David Bloom of Cue discovered that     'select' elements are always-on-top chromeless windows     and that navigation away from a page with an active     'select' menu does not remove this window.When another     menu is opened programmatically on a new page, the     original 'select' menu can be retained and arbitrary     HTML content within it rendered, allowing an attacker to     cover arbitrary portions of the new page through     absolute positioning/scrolling, leading to spoofing     attacks. Security researcher Jordi Chancel found a     variation that would allow for click-jacking attacks was     well. (MFSA 2012-75 / CVE-2012-3984)

    In general these flaws cannot be exploited through email     in the Thunderbird and SeaMonkey products because     scripting is disabled, but are potentially a risk in     browser or browser-like contexts in those products.
    References

    Navigation away from a page with an active 'select'     dropdown menu can be used for URL spoofing, other evil

    Firefox 10.0.1 : Navigation away from a page with     multiple active 'select' dropdown menu can be used for     Spoofing And ClickJacking with XPI using window.open and     geolocalisation

  - Security researcher Collin Jackson reported a violation     of the HTML5 specifications for document.domain     behavior. Specified behavior requires pages to only have     access to windows in a new document.domain but the     observed violation allowed pages to retain access to     windows from the page's initial origin in addition to     the new document.domain. This could potentially lead to     cross-site scripting (XSS) attacks. (MFSA 2012-76 /     CVE-2012-3985)

  - Mozilla developer Johnny Stenback discovered that     several methods of a feature used for testing     (DOMWindowUtils) are not protected by existing security     checks, allowing these methods to be called through     script by web pages. This was addressed by adding the     existing security checks to these methods. (MFSA 2012-77     / CVE-2012-3986)

  - Security researcher Warren He reported that when a page     is transitioned into Reader Mode in Firefox for Android,     the resulting page has chrome privileges and its content     is not thoroughly sanitized. A successful attack     requires user enabling of reader mode for a malicious     page, which could then perform an attack similar to     cross-site scripting (XSS) to gain the privileges     allowed to Firefox on an Android device. This has been     fixed by changing the Reader Mode page into an     unprivileged page. (MFSA 2012-78 / CVE-2012-3987)

    This vulnerability only affects Firefox for Android.

  - Security researcher Soroush Dalili reported that a     combination of invoking full screen mode and navigating     backwards in history could, in some circumstances, cause     a hang or crash due to a timing dependent use-after-free     pointer reference. This crash may be potentially     exploitable. (MFSA 2012-79 / CVE-2012-3988)

  - Mozilla community member Ms2ger reported a crash due to     an invalid cast when using the instanceof operator on     certain types of JavaScript objects. This can lead to a     potentially exploitable crash. (MFSA 2012-80 /     CVE-2012-3989)

  - Mozilla community member Alice White reported that when     the GetProperty function is invoked through JSAPI,     security checking can be bypassed when getting     cross-origin properties. This potentially allowed for     arbitrary code execution. (MFSA 2012-81 / CVE-2012-3991)

  - Security researcher Mariusz Mlynski reported that the     location property can be accessed by binary plugins     through top.location and top can be shadowed by     Object.defineProperty as well. This can allow for     possible cross-site scripting (XSS) attacks through     plugins. (MFSA 2012-82 / CVE-2012-3994)

  - Security researcher Mariusz Mlynski reported that when     InstallTrigger fails, it throws an error wrapped in a     Chrome Object Wrapper (COW) that fails to specify     exposed properties. These can then be added to the     resulting object by an attacker, allowing access to     chrome privileged functions through script. (MFSA     2012-83)

    While investigating this issue, Mozilla security     researcher moz_bug_r_a4 found that COW did not disallow     accessing of properties from a standard prototype in     some situations, even when the original issue had been     fixed.

    These issues could allow for a cross-site scripting     (XSS) attack or arbitrary code execution.

  - XrayWrapper pollution via unsafe COW. (CVE-2012-3993)

  - ChromeObjectWrapper is not implemented as intended.
    (CVE-2012-4184)

  - Security researcher Mariusz Mlynski reported an issue     with spoofing of the location property. In this issue,     writes to location.hash can be used in concert with     scripted history navigation to cause a specific website     to be loaded into the history object. The baseURI can     then be changed to this stored site, allowing an     attacker to inject a script or intercept posted data     posted to a location specified with a relative path.
    (MFSA 2012-84 / CVE-2012-3992)

  - Security researcher Abhishek Arya (Inferno) of the     Google Chrome Security Team discovered a series of     use-after-free, buffer overflow, and out of bounds read     issues using the Address Sanitizer tool in shipped     software. These issues are potentially exploitable,     allowing for remote code execution. We would also like     to thank Abhishek for reporting two additional     use-after-free flaws introduced during Firefox 16     development and fixed before general release. (MFSA     2012-85)

  - Out of bounds read in IsCSSWordSpacingSpace.
    (CVE-2012-3995)

  - Heap-use-after-free in     nsHTMLCSSUtils::CreateCSSPropertyTxn. (CVE-2012-4179)

  - Heap-buffer-overflow in     nsHTMLEditor::IsPrevCharInNodeWhitespace.
    (CVE-2012-4180)

  - Heap-use-after-free in     nsSMILAnimationController::DoSample. (CVE-2012-4181)

  - Heap-use-after-free in nsTextEditRules::WillInsert.
    (CVE-2012-4182)

  - Heap-use-after-free in DOMSVGTests::GetRequiredFeatures.
    (CVE-2012-4183)

  - Security researcher Atte Kettunen from OUSPG reported     several heap memory corruption issues found using the     Address Sanitizer tool. These issues are potentially     exploitable, allowing for remote code execution. (MFSA     2012-86)

  - Global-buffer-overflow in nsCharTraits::length.
    (CVE-2012-4185)

  - Heap-buffer-overflow in nsWaveReader::DecodeAudioData.
    (CVE-2012-4186)

  - Crash with ASSERTION: insPos too small. (CVE-2012-4187)

  - Heap-buffer-overflow in Convolve3x3. (CVE-2012-4188)

  - Security researcher miaubiz used the Address Sanitizer     tool to discover a use-after-free in the IME State     Manager code. This could lead to a potentially     exploitable crash. (MFSA 2012-87 / CVE-2012-3990)

  - Mozilla security researcher moz_bug_r_a4 reported a     regression where security wrappers are unwrapped without     doing a security check in defaultValue(). This can allow     for improper access access to the Location object. In     versions 15 and earlier of affected products, there was     also the potential for arbitrary code execution. (MFSA     2012-89 / CVE-2012-4192 / CVE-2012-4193)

MozillaFirefox was updated to the 10.0.9ESR security release which fixes bugs and security issues :

  - Security researchers Thai Duong and Juliano Rizzo     reported that SPDY's request header compression leads to     information leakage, which can allow the extraction of     private data such as session cookies, even over an     encrypted SSL connection. (This does not affect Firefox     10 as it does not feature the SPDY extension. It was     silently fixed for Firefox 15.). (MFSA 2012-73 /     CVE-2012-3977)

  - Mozilla developers identified and fixed several memory     safety bugs in the browser engine used in Firefox and     other Mozilla-based products. Some of these bugs showed     evidence of memory corruption under certain     circumstances, and we presume that with enough effort at     least some of these could be exploited to run arbitrary     code. (MFSA 2012-74)

    In general these flaws cannot be exploited through email     in the Thunderbird and SeaMonkey products because     scripting is disabled, but are potentially a risk in     browser or browser-like contexts in those products.

  - Henrik Skupin, Jesse Ruderman and moz_bug_r_a4 reported     memory safety problems and crashes that affect Firefox     15. (CVE-2012-3983)

  - Christian Holler and Jesse Ruderman reported memory     safety problems and crashes that affect Firefox ESR 10     and Firefox 15. (CVE-2012-3982)

  - Security researcher David Bloom of Cue discovered that     'select' elements are always-on-top chromeless windows     and that navigation away from a page with an active     'select' menu does not remove this window.When another     menu is opened programmatically on a new page, the     original 'select' menu can be retained and arbitrary     HTML content within it rendered, allowing an attacker to     cover arbitrary portions of the new page through     absolute positioning/scrolling, leading to spoofing     attacks. Security researcher Jordi Chancel found a     variation that would allow for click-jacking attacks was     well. (MFSA 2012-75 / CVE-2012-3984)

    In general these flaws cannot be exploited through email     in the Thunderbird and SeaMonkey products because     scripting is disabled, but are potentially a risk in     browser or browser-like contexts in those products.
    References

    Navigation away from a page with an active 'select'     dropdown menu can be used for URL spoofing, other evil

    Firefox 10.0.1 : Navigation away from a page with     multiple active 'select' dropdown menu can be used for     Spoofing And ClickJacking with XPI using window.open and     geolocalisation

  - Security researcher Collin Jackson reported a violation     of the HTML5 specifications for document.domain     behavior. Specified behavior requires pages to only have     access to windows in a new document.domain but the     observed violation allowed pages to retain access to     windows from the page's initial origin in addition to     the new document.domain. This could potentially lead to     cross-site scripting (XSS) attacks. (MFSA 2012-76 /     CVE-2012-3985)

  - Mozilla developer Johnny Stenback discovered that     several methods of a feature used for testing     (DOMWindowUtils) are not protected by existing security     checks, allowing these methods to be called through     script by web pages. This was addressed by adding the     existing security checks to these methods. (MFSA 2012-77     / CVE-2012-3986)

  - Security researcher Warren He reported that when a page     is transitioned into Reader Mode in Firefox for Android,     the resulting page has chrome privileges and its content     is not thoroughly sanitized. A successful attack     requires user enabling of reader mode for a malicious     page, which could then perform an attack similar to     cross-site scripting (XSS) to gain the privileges     allowed to Firefox on an Android device. This has been     fixed by changing the Reader Mode page into an     unprivileged page. (MFSA 2012-78 / CVE-2012-3987)

    This vulnerability only affects Firefox for Android.

  - Security researcher Soroush Dalili reported that a     combination of invoking full screen mode and navigating     backwards in history could, in some circumstances, cause     a hang or crash due to a timing dependent use-after-free     pointer reference. This crash may be potentially     exploitable. (MFSA 2012-79 / CVE-2012-3988)

  - Mozilla community member Ms2ger reported a crash due to     an invalid cast when using the instanceof operator on     certain types of JavaScript objects. This can lead to a     potentially exploitable crash. (MFSA 2012-80 /     CVE-2012-3989)

  - Mozilla community member Alice White reported that when     the GetProperty function is invoked through JSAPI,     security checking can be bypassed when getting     cross-origin properties. This potentially allowed for     arbitrary code execution. (MFSA 2012-81 / CVE-2012-3991)

  - Security researcher Mariusz Mlynski reported that the     location property can be accessed by binary plugins     through top.location and top can be shadowed by     Object.defineProperty as well. This can allow for     possible cross-site scripting (XSS) attacks through     plugins. (MFSA 2012-82 / CVE-2012-3994)

  - Security researcher Mariusz Mlynski reported that when     InstallTrigger fails, it throws an error wrapped in a     Chrome Object Wrapper (COW) that fails to specify     exposed properties. These can then be added to the     resulting object by an attacker, allowing access to     chrome privileged functions through script. (MFSA     2012-83)

    While investigating this issue, Mozilla security     researcher moz_bug_r_a4 found that COW did not disallow     accessing of properties from a standard prototype in     some situations, even when the original issue had been     fixed.

    These issues could allow for a cross-site scripting     (XSS) attack or arbitrary code execution.

  - XrayWrapper pollution via unsafe COW. (CVE-2012-3993)

  - ChromeObjectWrapper is not implemented as intended.
    (CVE-2012-4184)

  - Security researcher Mariusz Mlynski reported an issue     with spoofing of the location property. In this issue,     writes to location.hash can be used in concert with     scripted history navigation to cause a specific website     to be loaded into the history object. The baseURI can     then be changed to this stored site, allowing an     attacker to inject a script or intercept posted data     posted to a location specified with a relative path.
    (MFSA 2012-84 / CVE-2012-3992)

  - Security researcher Abhishek Arya (Inferno) of the     Google Chrome Security Team discovered a series of     use-after-free, buffer overflow, and out of bounds read     issues using the Address Sanitizer tool in shipped     software. These issues are potentially exploitable,     allowing for remote code execution. We would also like     to thank Abhishek for reporting two additional     use-after-free flaws introduced during Firefox 16     development and fixed before general release. (MFSA     2012-85)

  - Out of bounds read in IsCSSWordSpacingSpace.
    (CVE-2012-3995)

  - Heap-use-after-free in     nsHTMLCSSUtils::CreateCSSPropertyTxn. (CVE-2012-4179)

  - Heap-buffer-overflow in     nsHTMLEditor::IsPrevCharInNodeWhitespace.
    (CVE-2012-4180)

  - Heap-use-after-free in     nsSMILAnimationController::DoSample. (CVE-2012-4181)

  - Heap-use-after-free in nsTextEditRules::WillInsert.
    (CVE-2012-4182)

  - Heap-use-after-free in DOMSVGTests::GetRequiredFeatures.
    (CVE-2012-4183)

  - Security researcher Atte Kettunen from OUSPG reported     several heap memory corruption issues found using the     Address Sanitizer tool. These issues are potentially     exploitable, allowing for remote code execution. (MFSA     2012-86)

  - Global-buffer-overflow in nsCharTraits::length.
    (CVE-2012-4185)

  - Heap-buffer-overflow in nsWaveReader::DecodeAudioData.
    (CVE-2012-4186)

  - Crash with ASSERTION: insPos too small. (CVE-2012-4187)

  - Heap-buffer-overflow in Convolve3x3. (CVE-2012-4188)

  - Security researcher miaubiz used the Address Sanitizer     tool to discover a use-after-free in the IME State     Manager code. This could lead to a potentially     exploitable crash. (MFSA 2012-87 / CVE-2012-3990)

  - Mozilla security researcher moz_bug_r_a4 reported a     regression where security wrappers are unwrapped without     doing a security check in defaultValue(). This can allow     for improper access access to the Location object. In     versions 15 and earlier of affected products, there was     also the potential for arbitrary code execution. (MFSA     2012-89 / CVE-2012-4192 / CVE-2012-4193)

Versions of Firefox prior to 16.0.1 are affected by the following security issues :

 - Multiple memory-corruption vulnerabilities in the browser engine that could lead to arbitrary code execution. (CVE-2012-3982, CVE-2012-3983, CVE-2012-4191)
 - A URI-spoofing vulnerability due to an error when handling the '<select>' dropdown menu. This issue can be exploited to display arbitrary content while showing the URL of another site. An attacker can also exploit this issue to cause click jacking attacks. (CVE-2012-3984, CVE-2012-5354)
 - A security-bypass vulnerability exists because it fails to properly enforce the same-origin policy. Specifically, the error occurs when handling 'document.domain'. An attacker can exploit this issue to execute cross-site scripting attacks. (CVE-2012-3985)
 - Multiple security bypass vulnerabilities exists in the 'nsDOMWindowUtils' methods. (CVE-2012-3986)
 - A cross-site scripting vulnerability exists because it fails to sufficiently sanitize user-supplied input. Specifically, this issue occurs when transitioning into Reader Mode. Note: This issue affects only Firefox for Android. CVE-2012-3987)
 - A use-after-free issue occurs when invoking full screen mode and navigating backwards in history. (CVE-2012-3988)
 - A denial-of-service vulnerability that occurs due to invalid cast error. Specifically, this issue occurs when using the instanceof operator on certain JavaScript objects. (CVE-2012-3989)
 - A security-bypass vulnerability exists because it fails to properly enforce the cross-origin policy. Specifically, this issue occurs when invoking the 'GetProperty()' function through JSAPI. An attacker can exploit this issue to perform arbitrary code-execution. (CVE-2012-3991)
 - A cross-site scripting vulnerability exists because it fails to sufficiently sanitize user-supplied input. Specifically, this issue occurs when handling the 'location' property through binary plugins. (CVE-2012-3994)
 - A security-bypass vulnerability exists because of an error in the Chrome Object Wrapper (COW) when handling the 'InstallTrigger' object. An attacker can exploit this issue to access certain privileged functions and properties. (CVE-2012-4184, CVE-2012-3993)
 - An arbitrary code-execution occurs when handling the 'location.hash' property and history navigation. (CVE-2012-3992)
 - An out-of-bounds read error affects the 'IsCSSWordSpacingSpace()' function. (CVE-2012-3995)
 - A use-after-free error affects the 'nsHTMLCSSUtils::CreateCSSPropertyTxn()' function. (CVE-2012-4179)
 - A heap-based buffer-overflow vulnerability exists in the 'nsHTMLEditor::IsPrevCharInNodeWhitespace()' function. (CVE-2012-4180)
 - A use-after-free error affects the 'nsSMILAnimationController::DoSample()' function. (CVE-2012-4181)
 - A use-after-free error affects the 'nsTextEditRules::WillInsert()' function. (CVE-2012-4182)
 - A use-after-free error affects the 'DOMSVGTests::GetRequiredFeatures()' function. (CVE-2012-4183)
 - A buffer-overflow vulnerability exists in the 'nsCharTraits::length()' function. (CVE-2012-4185)
 - A heap-based buffer-overflow vulnerability exists in the 'nsWaveReader::DecodeAudioData()' function. (CVE-2012-4186)
 - A memory-corruption vulnerability exists in the 'insPos' property. (CVE-2012-4187)
 - A heap-based buffer-overflow exists in the 'Convolve3x3()' function. (CVE-2012-4188)
 - A use-after-free error affects the 'nsIContent::GetNameSpaceID()' function. (CVE-2012-3990)
 - A cross domain information disclosure exists due to improper access to the 'location' object. (CVE-2012-4192)
 - A security-bypass vulnerability exists due to an error in security wrappers does not unwrap the 'defaultValue()' function properly. An attacker can exploit this issue to gain access to the 'location' object. (CVE-2012-4193)
 These vulnerabilities allow attackers to execute arbitrary script or HTML code, steal cookie-based authentication credentials, conduct phishing attacks, execute arbitrary code in the context of the vulnerable application, crash affected applications, obtain potentially sensitive information, gain escalated privileges, bypass security restrictions, and perform unauthorized actions; other attacks may also be possible.

Versions of Firefox prior to 16.0 are potentially affected by the following security issues :

 - Multiple memory-corruption vulnerabilities in the browser engine that could lead to arbitrary code execution. (CVE-2012-3982, CVE-2012-3983, CVE-2012-4191)
 - A URI-spoofing vulnerability due to an error when handling the '<select>' dropdown menu. This issue can be exploited to display arbitrary content while showing the URL of another site. An attacker can also exploit this issue to cause click jacking attacks. (CVE-2012-3984, CVE-2012-5354)
 - A security-bypass vulnerability exists because it fails to properly enforce the same-origin policy. Specifically, the error occurs when handling 'document.domain'. An attacker can exploit this issue to execute cross-site scripting attacks. (CVE-2012-3985)
 - Multiple security bypass vulnerabilities exists in the 'nsDOMWindowUtils' methods. (CVE-2012-3986)
 - A cross-site scripting vulnerability exists because it fails to sufficiently sanitize user-supplied input. Specifically, this issue occurs when transitioning into Reader Mode. Note: This issue affects only Firefox for Android. CVE-2012-3987)
 - A use-after-free issue occurs when invoking full screen mode and navigating backwards in history. (CVE-2012-3988)
 - A denial-of-service vulnerability that occurs due to invalid cast error. Specifically, this issue occurs when using the instanceof operator on certain JavaScript objects. (CVE-2012-3989)
 - A security-bypass vulnerability exists because it fails to properly enforce the cross-origin policy. Specifically, this issue occurs when invoking the 'GetProperty()' function through JSAPI. An attacker can exploit this issue to perform arbitrary code-execution. (CVE-2012-3991)
 - A cross-site scripting vulnerability exists because it fails to sufficiently sanitize user-supplied input. Specifically, this issue occurs when handling the 'location' property through binary plugins. (CVE-2012-3994)
 - A security-bypass vulnerability exists because of an error in the Chrome Object Wrapper (COW) when handling the 'InstallTrigger' object. An attacker can exploit this issue to access certain privileged functions and properties. (CVE-2012-4184, CVE-2012-3993)
 - An arbitrary code-execution occurs when handling the 'location.hash' property and history navigation. (CVE-2012-3992)
 - An out-of-bounds read error affects the 'IsCSSWordSpacingSpace()' function. (CVE-2012-3995)
 - A use-after-free error affects the 'nsHTMLCSSUtils::CreateCSSPropertyTxn()' function. (CVE-2012-4179)
 - A heap-based buffer-overflow vulnerability exists in the 'nsHTMLEditor::IsPrevCharInNodeWhitespace()' function. (CVE-2012-4180)
 - A use-after-free error affects the 'nsSMILAnimationController::DoSample()' function. (CVE-2012-4181)
 - A use-after-free error affects the 'nsTextEditRules::WillInsert()' function. (CVE-2012-4182)
 - A use-after-free error affects the 'DOMSVGTests::GetRequiredFeatures()' function. (CVE-2012-4183)
 - A buffer-overflow vulnerability exists in the 'nsCharTraits::length()' function. (CVE-2012-4185)
 - A heap-based buffer-overflow vulnerability exists in the 'nsWaveReader::DecodeAudioData()" function. (CVE-2012-4186)
 - A memory-corruption vulnerability exists in the 'insPos' property. (CVE-2012-4187)
 - A heap-based buffer-overflow exists in the 'Convolve3x3()' function. (CVE-2012-4188)
 - A use-after-free error affects the 'nsIContent::GetNameSpaceID()' function. (CVE-2012-3990)

 - A cross domain information disclosure exists due to improper access to the 'location' object. (CVE-2012-4192)
 - A security-bypass vulnerability exists due to an error in security wrappers does not unwrap the 'defaultValue()' function properly. An attacker can exploit this issue to gain access to the 'location' object. (CVE-2012-4193)
These vulnerabilities allow attackers to execute arbitrary script or HTML code, steal cookie-based authentication credentials, conduct phishing attacks, execute arbitrary code in the context of the vulnerable application, crash affected applications, obtain potentially sensitive information, gain escalated privileges, bypass security restrictions, and perform unauthorized actions; other attacks may also be possible.

The Mozilla Project reports :

MFSA 2012-74 Miscellaneous memory safety hazards (rv:16.0/ rv:10.0.8)

MFSA 2012-75 select element persistance allows for attacks

MFSA 2012-76 Continued access to initial origin after setting document.domain

MFSA 2012-77 Some DOMWindowUtils methods bypass security checks

MFSA 2012-78 Reader Mode pages have chrome privileges

MFSA 2012-79 DOS and crash with full screen and history navigation

MFSA 2012-80 Crash with invalid cast when using instanceof operator

MFSA 2012-81 GetProperty function can bypass security checks

MFSA 2012-82 top object and location property accessible by plugins

MFSA 2012-83 Chrome Object Wrapper (COW) does not disallow access to privileged functions or properties

MFSA 2012-84 Spoofing and script injection through location.hash

MFSA 2012-85 Use-after-free, buffer overflow, and out of bounds read issues found using Address Sanitizer

MFSA 2012-86 Heap memory corruption issues found using Address Sanitizer

MFSA 2012-87 Use-after-free in the IME State Manager

MFSA 2012-88 Miscellaneous memory safety hazards (rv:16.0.1)

MFSA 2012-89 defaultValue security checks not applied

ID	Name	Product	Family	Severity
83562	SUSE SLED10 / SLED11 / SLES10 / SLES11 Security Update : Mozilla Firefox (SUSE-SU-2012:1351-1)	Nessus	SuSE Local Security Checks	critical
64133	SuSE 11.2 Security Update : Mozilla Firefox (SAT Patch Number 6951)	Nessus	SuSE Local Security Checks	critical
62573	SuSE 10 Security Update : Mozilla Firefox (ZYPP Patch Number 8327)	Nessus	SuSE Local Security Checks	critical
6604	Mozilla Thunderbird < 16.0.1 Multiple Vulnerabilities	Nessus Network Monitor	SMTP Clients	high
6602	Mozilla Firefox < 16.0 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
62490	FreeBSD : mozilla -- multiple vulnerabilities (6e5a9afd-12d3-11e2-b47d-c8600054b392)	Nessus	FreeBSD Local Security Checks	critical

Detections

Analytics

CVE-2012-3987

medium

Tenable Plugins

critical

critical

critical

high

high

critical