Privilege escalation via DOM property overrides

Bug #16233 reported by Tres Seaver
Affects: firefox (Ubuntu)
Status: Fix Released
Importance: Critical
Assigned to: Thom May
Milestone: (none)

Bug Description

moz_bug_r_a4 reported several exploits giving an attacker the ability to install
malicious code or steal data, requiring only that the user do commonplace
actions like click on a link or open the context menu. The common cause in each
case was privileged UI code ("chrome") being overly trusting of DOM nodes from
the content window. Scripts in the web page can override properties and methods
of DOM nodes and shadow the native values, unless steps are taken to get the
true underlying values.

We found that most extensions also interacted with content DOM in a natural, but
unsafe, manner. Changes were made so that chrome code using this natural DOM
coding style will now automatically use the native DOM value if it exists
without having to use cumbersome wrapper objects.

Most of the specific exploits involved tricking the privileged code into calling
eval() on an attacker-supplied script string, or the equivalent using the
Script() object. Checks were added in the security manager to make sure eval and
Script objects are run with the privileges of the context that created them, not
the potentially elevated privileges of the context calling them.
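The privilege rule in the previous paragraph, as an added toy model that is not Mozilla's security manager: an evaluator bound to the principal of whoever happens to call it (the pre-fix behaviour) escalates when chrome invokes a content-created script, while an evaluator bound at creation time to its creator's principal does not. The principals, the single-command "script language" and the privileged operation are all invented for illustration.

```javascript
// Added example, not Mozilla's code. Two invented principals.
const CONTENT = Object.freeze({ name: 'content', privileged: false });
const CHROME = Object.freeze({ name: 'chrome', privileged: true });

// Ambient "who is calling right now" state, as in a caller-based check.
let callerPrincipal = CONTENT;

// The operation a script might try to reach; only a privileged principal may run it.
function privilegedOperation(principal) {
  if (!principal.privileged) {
    throw new Error(`denied for ${principal.name}`);
  }
  return 'privileged-result';
}

// A deliberately tiny interpreter standing in for eval()/Script(): it
// recognises one command and runs it under the given principal.
function evaluate(code, principal) {
  if (code === 'privilegedOperation()') return privilegedOperation(principal);
  throw new SyntaxError(`unknown script: ${code}`);
}

// Before the fix: privilege is taken from the caller at run time.
function makeCallerBoundEvaluator(code) {
  return () => evaluate(code, callerPrincipal);
}

// After the fix: privilege is fixed at creation to the creating context.
function makeCreatorBoundEvaluator(code, creator) {
  return () => evaluate(code, creator);
}

// Chrome code calling a function it obtained from content, as in the report.
function invokeFromChrome(fn) {
  const saved = callerPrincipal;
  callerPrincipal = CHROME;
  try {
    return fn();
  } catch (e) {
    return 'denied';
  } finally {
    callerPrincipal = saved;
  }
}

// Content creates the script; chrome later calls it.
function contentScriptBeforeFix() {
  return invokeFromChrome(makeCallerBoundEvaluator('privilegedOperation()'));
}
function contentScriptAfterFix() {
  return invokeFromChrome(makeCreatorBoundEvaluator('privilegedOperation()', CONTENT));
}
// Chrome's own script keeps working under the creator-bound rule.
function chromeOwnScriptAfterFix() {
  return invokeFromChrome(makeCreatorBoundEvaluator('privilegedOperation()', CHROME));
}

console.log('before fix, content script:', contentScriptBeforeFix());
console.log('after fix,  content script:', contentScriptAfterFix());
console.log('after fix,  chrome script :', chromeOwnScriptAfterFix());
```

The creator-bound evaluator is the closure-captured form of the check the advisory describes: the principal travels with the script object, so an elevated caller cannot lend it privileges it did not have when it was created.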

Fixed in: Firefox 1.0.3 / Mozilla Suite 1.7.7

Workaround: Disable JavaScript

References:

Bug details withheld until April 25, 2005

 - https://bugzilla.mozilla.org/show_bug.cgi?id=289074

 - https://bugzilla.mozilla.org/show_bug.cgi?id=289083

 - https://bugzilla.mozilla.org/show_bug.cgi?id=289961

 - http://www.mozilla.org/security/announce/mfsa2005-41.html

Uphaar Agrawalla (uphaar) wrote:

This vulnerability was fixed in Ubuntu's Firefox 1.0.2-0ubuntu5.1

Closing as Fixed.
