Mozilla

Mozilla

Mozilla Foundation Security Advisory 2006-43

Privilege escalation using addSelectionListener

Announced
June 1, 2006
Reporter
moz_bug_r_a4
Impact
Critical
Products
Firefox, SeaMonkey
Fixed in
  • Firefox 1.5.0.4
  • SeaMonkey 1.0.2

Description

Web content could access the nsISelectionPrivate interface of the Selection object and use it to add a SelectionListener. The listener would be called when the user did a "Find" on the page or a "select all", and as intended this shouldn't cause any problems. But as with escaping the PAC sandbox in MFSA 2006-31 and content-defined DOM setters in MFSA 2006-37 moz_bug_r_a4 figured a way to leverage the fact that the notifications were created in a privileged context into arbitrary code execution.

Workaround

Disable JavaScript until you've upgraded to a fixed version.

References