
Mozilla Foundation Security Advisory 2010-67

Title: Dangling pointer vulnerability in LookupGetterOrSetter
Impact: Critical
Announced: October 19, 2010
Reporter: regenrecht
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 3.6.11
  Firefox 3.5.14
  Thunderbird 3.1.5
  Thunderbird 3.0.9
  SeaMonkey 2.0.9

Description

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that when window.__lookupGetter__ is called with no arguments, the implementation assumes the top value on the JavaScript stack is the property name argument. Since no argument was actually pushed, that slot holds whatever was left there earlier: uninitialized memory or a pointer to a previously freed JavaScript object. The value is then passed to another subroutine, which calls through the dangling pointer, potentially transferring control to attacker-controlled memory. Because __lookupGetter__ is reachable from ordinary web content, a page can trigger the zero-argument call without any user interaction beyond visiting it.
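As an added illustration, not Mozilla's code and not the actual SpiderMonkey fix, the toy C model below shows the failure mode the description names: a native that reads its first argument slot without checking argc sees whatever the previous frame left on the operand stack. The Value and Object types, the operand stack, the run_* scenario helpers and the lookup_getter_vulnerable / lookup_getter_fixed functions are all constructed for this example. The hardened version treats a missing argument as undefined and coerces it to the property key "undefined", which is how ECMAScript later specified __lookupGetter__ (ToPropertyKey of undefined) and is the behaviour a correct implementation needs instead of trusting the stack.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy value model for a stack-based JS interpreter. Constructed for this
 * example; not SpiderMonkey's jsval or object layout. */
typedef enum { T_UNDEFINED, T_STRING, T_OBJECT } Tag;

typedef struct Object {
    const char *getter_name;  /* the single accessor property this object owns */
    int freed;                /* toy stand-in for "already collected by the GC" */
} Object;

typedef struct {
    Tag tag;
    union { const char *str; Object *obj; } u;
} Value;

/* Operand stack. A native receives argc plus a pointer to its first argument slot. */
#define STACK_SLOTS 16
static Value stack[STACK_SLOTS];
static int sp;

static Value v_undef(void)        { Value v; v.tag = T_UNDEFINED; return v; }
static Value v_str(const char *s) { Value v; v.tag = T_STRING; v.u.str = s; return v; }
static Value v_obj(Object *o)     { Value v; v.tag = T_OBJECT; v.u.obj = o; return v; }

static void push(Value v) { stack[sp++] = v; }
/* Popping does not clear the slots: stale contents stay behind. */
static void pop_n(int n)  { sp -= n; }

/* Toy ToPropertyKey: undefined -> "undefined", string -> itself. */
static const char *to_property_key(Value v) {
    switch (v.tag) {
    case T_UNDEFINED: return "undefined";
    case T_STRING:    return v.u.str;
    default:          return NULL;  /* object keys are not modelled here */
    }
}

/* Returns the getter name if `self` has an accessor called `key`, else NULL. */
static const char *find_getter(const Object *self, const char *key) {
    if (key && self->getter_name && strcmp(self->getter_name, key) == 0)
        return self->getter_name;
    return NULL;
}

/* VULNERABLE (toy): assumes argv[0] is a live property name even when argc == 0.
 * With no arguments, argv[0] is whatever the previous frame left in that slot.
 * The read through a freed object is modelled by the `freed` flag; in a real
 * engine it is a dereference of a dangling pointer. */
static const char *lookup_getter_vulnerable(const Object *self, int argc, const Value *argv) {
    (void)argc;
    Value name = argv[0];                       /* stale slot when argc == 0 */
    if (name.tag == T_OBJECT)
        return name.u.obj->freed ? "<dangling pointer dereferenced>"
                                 : find_getter(self, name.u.obj->getter_name);
    return find_getter(self, to_property_key(name));
}

/* HARDENED (toy): a missing argument is `undefined`; never read past argc. */
static const char *lookup_getter_fixed(const Object *self, int argc, const Value *argv) {
    Value name = argc >= 1 ? argv[0] : v_undef();
    if (name.tag == T_OBJECT)
        return NULL;  /* toy: a real engine would ToString the object first */
    return find_getter(self, to_property_key(name));
}

/* Scenario: an earlier call leaves an object pointer in a stack slot, the object
 * is then collected, and window.__lookupGetter__() is called with no arguments. */
static const char *run_scenario(const char *(*lookup)(const Object *, int, const Value *)) {
    Object window = { "location", 0 };
    Object *victim = calloc(1, sizeof *victim);
    victim->getter_name = "victim";

    sp = 0;
    push(v_obj(&window));       /* |this| for the first call */
    push(v_obj(victim));        /* argument to some earlier native */
    pop_n(2);                   /* that call returns; slot 1 still holds `victim` */
    victim->freed = 1;          /* GC runs; the slot now dangles */

    push(v_obj(&window));       /* |this| for window.__lookupGetter__() */
    /* argc == 0: argv points at the slot the earlier argument occupied */
    const char *result = lookup(&window, 0, &stack[sp]);
    pop_n(1);
    free(victim);
    return result;
}

/* Normal use for comparison: window.__lookupGetter__("location"). */
static const char *run_named(const char *name) {
    Object window = { "location", 0 };
    Value arg = v_str(name);
    return lookup_getter_fixed(&window, 1, &arg);
}

int main(void) {
    printf("vulnerable, no args: %s\n", run_scenario(lookup_getter_vulnerable));
    printf("fixed, no args:      %s\n", run_scenario(lookup_getter_fixed) ? "getter" : "NULL");
    printf("fixed, \"location\":  %s\n", run_named("location"));
    return 0;
}
```

The scenario mirrors the advisory's description: nothing in the zero-argument call pushes a property name, so the slot the native reads belongs to an earlier frame. The hardened variant never touches argv when argc is zero, so the contents of that slot, live or dangling, are irrelevant.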
