Memory corruption via QueryInterface on Location, Navigator objects
- February 1, 2006
- Georgi Guninski
- Firefox, SeaMonkey, Thunderbird
- Fixed in:
  - Firefox 184.108.40.206
  - SeaMonkey 1
  - Thunderbird 220.127.116.11
Calling the QueryInterface method of the built-in Location and Navigator objects causes memory corruption that might be exploitable to run arbitrary code.
This flaw appears to have been introduced during development of Firefox 1.5/SeaMonkey 1.0; Firefox 1.0 and the older Mozilla Suite 1.7 do not appear to be vulnerable.
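The advisory names one concrete pattern in page script: a call to QueryInterface on a Location or Navigator object. The following heuristic scanner is an added example, not part of the advisory or Mozilla's own code, that a mail or web gateway operator could run over HTML/JavaScript content to flag that pattern while leaving ordinary uses of `navigator` and `location`, and legitimate XPCOM `QueryInterface` calls on other objects, alone. The set of prefixes (`window`, `self`, `top`, `parent`, `document`) and the sample snippets are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Heuristic from the advisory text: QueryInterface invoked on the built-in
# Location or Navigator object. The optional prefix list is an assumption about
# how page script commonly reaches those objects; it is not exhaustive.
LOCATION_NAVIGATOR_QI = re.compile(
    r"\b(?:(?:window|self|top|parent|document)\s*\.\s*)?"
    r"(location|navigator)\s*\.\s*QueryInterface\s*\("
)

def find_query_interface_calls(script: str) -> List[Tuple[int, str]]:
    """Return (line_number, object_name) for every flagged call in script.

    Only calls whose receiver is literally location/navigator are reported;
    QueryInterface on other objects (e.g. XPCOM components in chrome code) is
    normal and is not flagged.
    """
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        for match in LOCATION_NAVIGATOR_QI.finditer(line):
            hits.append((lineno, match.group(1)))
    return hits

def scan_documents(docs: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan a mapping of document name -> script text; keep only documents with hits."""
    return {name: hits for name, text in docs.items()
            if (hits := find_query_interface_calls(text))}

# Constructed sample inputs (not real captured content).
SAMPLE_SCRIPTS = {
    # Everyday property access on the same objects: must not be flagged.
    "benign": "var ua = navigator.userAgent;\nvar href = window.location.href;\n",
    # Ordinary XPCOM usage in privileged code: receiver is not location/navigator.
    "xpcom_chrome": "var f = Components.classes[cid].createInstance().QueryInterface(iid);\n",
    # The pattern the advisory describes, with varied spacing and prefixes.
    "suspicious": "<script>\nvar x = window.location.QueryInterface(0);\nnavigator .QueryInterface( 1 );\n</script>",
}

if __name__ == "__main__":
    for name, hits in scan_documents(SAMPLE_SCRIPTS).items():
        for lineno, obj in hits:
            print(f"{name}: line {lineno}: QueryInterface called on {obj}")
```

Because JavaScript is case-sensitive the pattern matches `QueryInterface` exactly; obfuscated or dynamically built property names will evade a regex like this, so treat a hit as a reason to look closer and a miss as no evidence either way. Keeping affected clients on the fixed versions listed above remains the actual mitigation.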
Update (7 February 2006)
H D Moore of the Metasploit Project published a working exploit on milw0rm for the Linux and Mac OS X versions of Firefox 1.5. Severity upgraded to critical.
Update (13 April 2006)
This flaw has been fixed in Thunderbird 18.104.22.168