Mozilla Foundation Security Advisory 2011-23
Title: Multiple dangling pointer vulnerabilities
Announced: June 21, 2011
Products: Firefox, Thunderbird
Fixed in: Firefox 3.6.18
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative two instances of code which modifies SVG element lists failed to account for changes made to the list by user-supplied callbacks before accessing list elements. If a user-supplied callback deleted such an object, the element-modifying code could wind up accessing deleted memory and potentially executing attacker-controlled memory.
regenrecht also reported via TippingPoint's Zero Day Initiative that a XUL document could force the nsXULCommandDispatcher to remove all command updaters from the queue, including the one currently in use. This could result in the execution of deleted memory which an attacker could use to run arbitrary code on a victim's computer.
Firefox 4 and SeaMonkey 2.1 and newer were not affected by these issues.