You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2010-37

Mozilla Foundation Security Advisory 2010-37

Title: Plugin parameter EnsureCachedAttrParamArrays remote code execution vulnerability
Impact: Critical
Announced: July 20, 2010
Reporter: J23 (via TippingPoint's Zero Day Initiative)
Products: Firefox, SeaMonkey

Fixed in: Firefox 3.6.7
  Firefox 3.5.11
  SeaMonkey 2.0.6

Description

Security researcher J23 reported via TippingPoint's Zero Day Initiative an error in the code used to store the names and values of plugin parameter elements. A malicious page could embed plugin content containing a very large number of parameter elements which would cause an overflow in the integer value counting them. This integer is later used in allocating a memory buffer used to store the plugin parameters. Under such conditions, too small a buffer would be created and attacker-controlled data could be written past the end of the buffer, potentially resulting in code execution.

References