Mozilla Foundation Security Advisory 2009-49

TreeColumns dangling pointer vulnerability

Announced
September 9, 2009
Reporter
TippingPoint ZDI
Impact
Critical
Products
Firefox
Fixed in
  • Firefox 3.0.14
  • Firefox 3.5.3

Description

An anonymous security researcher, via TippingPoint's Zero Day Initiative, reported that the columns of a XUL tree element could be manipulated in a particular way which would leave a pointer owned by the column pointing to freed memory. An attacker could potentially use this vulnerability to crash a victim's browser and run arbitrary code on the victim's computer.

References