Mozilla Foundation Security Advisory 2010-17
Title: Remote code execution with use-after-free in nsTreeSelection
Announced: March 30, 2010
Reporter: regenrecht (via TippingPoint's Zero Day Initiative)
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 3.5.9
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that a select event handler for XUL tree items could be called after the tree item was deleted. This results in the execution of previously freed memory which an attacker could use to crash a victim's browser and run arbitrary code on the victim's computer.
This vulnerability does not affect Firefox 3.6