Download Firefox

Firefox is no longer supported on Windows 8.1 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox is no longer supported on macOS 10.14 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox Privacy Notice

Mozilla Foundation Security Advisory 2009-13

Arbitrary code execution via XUL tree element

Announced
March 27, 2009
Reporter
Nils
Impact
Critical
Products
Firefox
Fixed in
  • Firefox 3.0.8

Description

Security researcher Nils reported via TippingPoint's Zero Day Initiative that the XUL tree method _moveToEdgeShift was in some cases triggering garbage collection routines on objects which were still in use. In such cases, the browser would crash when attempting to access a previously destroyed object and this crash could be used by an attacker to run arbitrary code on a victim's computer.

This vulnerability was used by the reporter to win the 2009 CanSecWest Pwn2Own contest.

This vulnerability does not affect Firefox 2, Thunderbird 2, or released versions of SeaMonkey.

References