Memory corruption via QueryInterface on Location, Navigator objects
- February 1, 2006
- Georgi Guninski
- Firefox, SeaMonkey, Thunderbird
- Fixed in
- Firefox 18.104.22.168
- SeaMonkey 1
- Thunderbird 22.214.171.124
Calling the QueryInterface method of the built-in Location and Navigator objects causes memory corruption that might be exploitable to run arbitrary code.
This flaw appears to have been introduced during development of Firefox 1.5/SeaMonkey 1.0 -- Firefox 1.0 and the older Mozilla Suite 1.7 do not appear to be vulnerable.
Update (7 February 2006)
H D Moore of the Metasploit Project published a working exploit on milw0rm for the Linux and Mac OS X versions of Firefox 1.5. Severity upgraded to critical.
Update (13 April 2006)
This flaw has been fixed in Thunderbird 126.96.36.199