Mozilla Foundation Security Advisory 2009-28

Race condition while accessing the private data of a NPObject JS wrapper class object

Announced
June 11, 2009
Reporter
Jakob Balle, Carsten Eiram
Impact
Critical
Products
Firefox
Fixed in
  • Firefox 3.0.11

Description

Jakob Balle and Carsten Eiram of Secunia Research reported a race condition in NPObjWrapper_NewResolve when accessing the properties of a NPObject, a wrapped JSObject. Balle and Eiram demonstrated that this condition could be reached by navigating away from a web page during the loading of a Java applet. Under such conditions the Java object would be destroyed but later called into resulting in a free memory read. It might be possible for an attacker to write to the freed memory before it is reused and run arbitrary code on the victim's computer.

This vulnerability does not affect Firefox 2 nor other products built using the "Gecko 1.8" version of Mozilla code.

Workaround

Disable Java until a version containing these fixes can be installed.

References