Mozilla Foundation Security Advisory 2009-28
Title: Race condition while accessing the private data of a NPObject JS wrapper class object
Announced: June 11, 2009
Reporter: Jakob Balle, Carsten Eiram
Products: Firefox 3
Fixed in: Firefox 3.0.11
Jakob Balle and Carsten Eiram of
Secunia Research reported a race condition
NPObjWrapper_NewResolve when accessing the properties
NPObject, a wrapped
and Eiram demonstrated that this condition could be reached by
navigating away from a web page during the loading of a Java applet.
Under such conditions the Java object would be destroyed but later
called into resulting in a free memory read. It might be possible
for an attacker to write to the freed memory before it is reused and run
arbitrary code on the victim's computer.
This vulnerability does not affect Firefox 2 nor other products built using the "Gecko 1.8" version of Mozilla code.
Disable Java until a version containing these fixes can be installed.