Mozilla Foundation Security Advisory 2010-56
Title: Dangling pointer vulnerability in nsTreeContentView
Announced: September 7, 2010
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 3.6.9
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that the implementation of XUL <tree>'s content view contains a dangling pointer vulnerability. One of the content view's methods for accessing the internal structure of the tree could be manipulated into removing a node prior to accessing it, resulting in the accessing of deleted memory. If an attacker can control the contents of the deleted memory prior to its access they could use this vulnerability to run arbitrary code on a victim's machine.