• Security Center
  • Security Advisories
  • Known Vulnerabilities
  • Bug Bounty
  • Security Blog

You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2013-19

Mozilla Foundation Security Advisory 2013-19

Title: Use-after-free in Javascript Proxy objects
Impact: Critical
Announced: January 8, 2013
Reporter: regenrecht
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 18.0
  Firefox ESR 17.0.2
  Thunderbird 17.0.2
  Thunderbird ESR 17.0.2
  SeaMonkey 2.15

Description

Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a garbage collection flaw in Javascript Proxy objects. This can lead to a use-after-free leading to arbitrary code execution.

In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products.

References

• obj_toSource Use-After-Free Remote Code Execution Vulnerability (CVE-2013-0756)