Security Advisories for Firefox 3.6

Firefox 3.6 is unsupported. Please upgrade to the latest version.

Impact key

• Critical Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.
• High Vulnerability can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.
• Moderate Vulnerabilities that would otherwise be High or Critical except they only work in uncommon non-default configurations or require the user to perform complicated and/or unlikely steps.
• Low Minor security vulnerabilities such as Denial of Service attacks, minor data leaks, or spoofs. (Undetectable spoofs of SSL indicia would have "High" impact because those are generally used to steal sensitive data intended for other sites.)

# Fixed in Firefox 3.6.28

• 2012-19 Miscellaneous memory safety hazards (rv:11.0/ rv:10.0.3 / rv:1.9.2.28)
• 2012-16 Escalation of privilege with Javascript: URL as home page
• 2012-14 SVG issues found with Address Sanitizer
• 2012-13 XSS with Drag and Drop and Javascript: URL
• 2011-55 nsSVGValue out-of-bounds access

# Fixed in Firefox 3.6.27

• 2012-11 libpng integer overflow

# Fixed in Firefox 3.6.26

• 2012-08 Crash with malformed embedded XSLT stylesheets
• 2012-07 Potential Memory Corruption When Decoding Ogg Vorbis files
• 2012-04 Child nodes from nsDOMAttribute still accessible after removal of nodes
• 2012-02 Overly permissive IPv6 literal syntax
• 2012-01 Miscellaneous memory safety hazards (rv:10.0/ 1.9.2.26)

# Fixed in Firefox 3.6.25

• 2011-59 .jar not treated as executable in Firefox 3.6 on Mac

# Fixed in Firefox 3.6.24

• 2011-49 Memory corruption while profiling using Firebug
• 2011-47 Potential XSS against sites using Shift-JIS
• 2011-46 loadSubScript unwraps XPCNativeWrapper scope parameter (1.9.2 branch)

# Fixed in Firefox 3.6.23

• 2011-40 Code installation through holding down Enter
• 2011-39 Defense against multiple Location headers due to CRLF Injection
• 2011-38 XSS via plugins and shadowed window.location object
• 2011-37 Integer underflow when using JavaScript RegExp
• 2011-36 Miscellaneous memory safety hazards (rv:7.0 / rv:1.9.2.23)

# Fixed in Firefox 3.6.22

• 2011-35 Additional protection against fraudulent DigiNotar certificates

# Fixed in Firefox 3.6.21

• 2011-34 Protection against fraudulent DigiNotar certificates

# Fixed in Firefox 3.6.20

• 2011-30 Security issues addressed in Firefox 3.6.20

# Fixed in Firefox 3.6.18

• 2011-24 Cookie isolation error
• 2011-23 Multiple dangling pointer vulnerabilities
• 2011-22 Integer overflow and arbitrary code execution in Array.reduceRight()
• 2011-21 Memory corruption due to multipart/x-mixed-replace images
• 2011-20 Use-after-free vulnerability when viewing XUL document with script disabled
• 2011-19 Miscellaneous memory safety hazards (rv:3.0/1.9.2.18)

# Fixed in Firefox 3.6.17

• 2011-18 XSLT generate-id() function heap address leak
• 2011-16 Directory traversal in resource: protocol
• 2011-15 Escalation of privilege through Java Embedding Plugin
• 2011-14 Information stealing via form history
• 2011-13 Multiple dangling pointer vulnerabilities
• 2011-12 Miscellaneous memory safety hazards (rv:2.0.1/ 1.9.2.17/ 1.9.1.19)

# Fixed in Firefox 3.6.16

• 2011-11 Update to HTTPS certificate blacklist

# Fixed in Firefox 3.6.14

• 2011-10 CSRF risk with plugins and 307 redirects
• 2011-09 Crash caused by corrupted JPEG image
• 2011-08 ParanoidFragmentSink allows javascript: URLs in chrome documents
• 2011-07 Memory corruption during text run construction (Windows)
• 2011-06 Use-after-free error using Web Workers
• 2011-05 Buffer overflow in JavaScript atom map
• 2011-04 Buffer overflow in JavaScript upvarMap
• 2011-03 Use-after-free error in JSON.stringify
• 2011-02 Recursive eval call causes confirm dialogs to evaluate to true
• 2011-01 Miscellaneous memory safety hazards (rv:1.9.2.14/ 1.9.1.17)

# Fixed in Firefox 3.6.13

• 2010-84 XSS hazard in multiple character encodings
• 2010-83 Location bar SSL spoofing using network error page
• 2010-82 Incomplete fix for CVE-2010-0179
• 2010-81 Integer overflow vulnerability in NewIdArray
• 2010-80 Use-after-free error with nsDOMAttribute MutationObserver
• 2010-79 Java security bypass from LiveConnect loaded via data: URL meta refresh
• 2010-78 Add support for OTS font sanitizer
• 2010-77 Crash and remote code execution using HTML tags inside a XUL tree
• 2010-76 Chrome privilege escalation with window.open and <isindex> element
• 2010-75 Buffer overflow while line breaking after document.write with long string
• 2010-74 Miscellaneous memory safety hazards (rv:1.9.2.13/ 1.9.1.16)

# Fixed in Firefox 3.6.12

• 2010-73 Heap buffer overflow mixing document.write and DOM insertion

# Fixed in Firefox 3.6.11

• 2010-72 Insecure Diffie-Hellman key exchange
• 2010-71 Unsafe library loading vulnerabilities
• 2010-70 SSL wildcard certificate matching IP addresses
• 2010-69 Cross-site information disclosure via modal calls
• 2010-68 XSS in gopher parser when parsing hrefs
• 2010-67 Dangling pointer vulnerability in LookupGetterOrSetter
• 2010-66 Use-after-free error in nsBarProp
• 2010-65 Buffer overflow and memory corruption using document.write
• 2010-64 Miscellaneous memory safety hazards (rv:1.9.2.11/ 1.9.1.14)

# Fixed in Firefox 3.6.9

• 2010-63 Information leak via XMLHttpRequest statusText
• 2010-62 Copy-and-paste or drag-and-drop into designMode document allows XSS
• 2010-61 UTF-7 XSS by overriding document charset using <object> type attribute
• 2010-59 SJOW creates scope chains ending in outer object
• 2010-58 Crash on Mac using fuzzed font in data: URL
• 2010-57 Crash and remote code execution in normalizeDocument
• 2010-56 Dangling pointer vulnerability in nsTreeContentView
• 2010-55 XUL tree removal crash and remote code execution
• 2010-54 Dangling pointer vulnerability in nsTreeSelection
• 2010-53 Heap buffer overflow in nsTextFrameUtils::TransformText
• 2010-52 Windows XP DLL loading vulnerability
• 2010-51 Dangling pointer vulnerability using DOM plugin array
• 2010-50 Frameset integer overflow vulnerability
• 2010-49 Miscellaneous memory safety hazards (rv:1.9.2.9/ 1.9.1.12)
• 2010-33 User tracking across sites using Math.random()

# Fixed in Firefox 3.6.8

• 2010-48 Dangling pointer crash regression from plugin parameter array fix

# Fixed in Firefox 3.6.7

• 2010-47 Cross-origin data leakage from script filename in error messages
• 2010-46 Cross-domain data theft using CSS
• 2010-45 Multiple location bar spoofing vulnerabilities
• 2010-44 Characters mapped to U+FFFD in 8 bit encodings cause subsequent character to vanish
• 2010-43 Same-origin bypass using canvas context
• 2010-42 Cross-origin data disclosure via Web Workers and importScripts
• 2010-41 Remote code execution using malformed PNG image
• 2010-40 nsTreeSelection dangling pointer remote code execution vulnerability
• 2010-39 nsCSSValue::Array index integer overflow
• 2010-38 Arbitrary code execution using SJOW and fast native function
• 2010-37 Plugin parameter EnsureCachedAttrParamArrays remote code execution vulnerability
• 2010-36 Use-after-free error in NodeIterator
• 2010-35 DOM attribute cloning remote code execution vulnerability
• 2010-34 Miscellaneous memory safety hazards (rv:1.9.2.7/ 1.9.1.11)

# Fixed in Firefox 3.6.4

• 2010-33 User tracking across sites using Math.random()
• 2010-32 Content-Disposition: attachment ignored if Content-Type: multipart also present
• 2010-31 focus() behavior can be used to inject or steal keystrokes
• 2010-30 Integer Overflow in XSLT Node Sorting
• 2010-29 Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal
• 2010-28 Freed object reuse across plugin instances
• 2010-26 Crashes with evidence of memory corruption (rv:1.9.2.4/ 1.9.1.10)

# Fixed in Firefox 3.6.3

• 2010-25 Re-use of freed object due to scope confusion

# Fixed in Firefox 3.6.2

• 2010-24 XMLDocument::load() doesn't check nsIContentPolicy
• 2010-23 Image src redirect to mailto: URL opens email editor
• 2010-22 Update NSS to support TLS renegotiation indication
• 2010-20 Chrome privilege escalation via forced URL drag and drop
• 2010-19 Dangling pointer vulnerability in nsPluginArray
• 2010-18 Dangling pointer vulnerability in nsTreeContentView
• 2010-16 Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.9/ 1.9.0.19)
• 2010-15 Asynchronous Auth Prompt attaches to wrong window
• 2010-14 Browser chrome defacement via cached XUL stylesheets
• 2010-13 Content policy bypass with image preloading
• 2010-12 XSS using addEventListener and setTimeout on a wrapped object
• 2010-11 Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.8/ 1.9.0.18)
• 2010-10 XSS via plugins and unprotected Location object
• 2010-09 Deleted frame reuse in multipart/x-mixed-replace image
• 2010-08 WOFF heap corruption due to integer overflow

# Fixed in Firefox 3.6

• 2010-05 XSS hazard using SVG document and binary Content-Type
• 2010-04 XSS due to window.dialogArguments being readable cross-domain
• 2010-03 Use-after-free crash in HTML parser
• 2010-02 Web Worker Array Handling Heap Corruption Vulnerability
• 2010-01 Crashes with evidence of memory corruption (rv:1.9.1.8/ 1.9.0.18)