You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2012-12

Mozilla Foundation Security Advisory 2012-12

Title: Use-after-free in shlwapi.dll
Impact: Critical
Announced: March 13, 2012
Reporter: Blair Strang, Scott Bell
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 11.0
  Firefox ESR 10.0.3
  Thunderbird 11.0
  Thunderbird ESR 10.0.3
  SeaMonkey 2.8

Description

Security researchers Blair Strang and Scott Bell of Security Assessment found that when a parent window spawns and closes a child window that uses the file open dialog, a crash can be induced in shlwapi.dll on 32-bit Windows 7 systems. This crash may be potentially exploitable.

Firefox 3.6 and Thunderbird 3.1 are not affected by this vulnerability.

References