Escalation of privilege with Javascript: URL as home page

Escalation of privilege with Javascript: URL as home page

Announced

March 13, 2012

Reporter

Mariusz Mlynski

Impact

Critical

Products

Firefox, Firefox ESR, SeaMonkey, Thunderbird, Thunderbird ESR

Fixed in

• Firefox 11
• Firefox 3.6.28
• Firefox ESR 10.0.3
• SeaMonkey 2.8
• Thunderbird 11
• Thunderbird 3.1.20
• Thunderbird ESR 10.0.3

Description

Security researcher Mariusz Mlynski reported that an attacker able to convince a potential victim to set a new home page by dragging a link to the "home" button can set that user's home page to a javascript: URL. Once this is done the attacker's page can cause repeated crashes of the browser, eventually getting the script URL loaded in the privileged about:sessionrestore context.

References

• loads of principal-inheriting URIs (e.g. javascript:) on chrome-privileged pages (e.g. about:sessionstore) allows unexpected privilege escalation
• prevent self-XSS in homepage icon (disallow javascript: drops)
• disallow inheriting of system principal in type=content docshells
• CVE-2012-0458