Mozilla Foundation Security Advisory 2010-18

Dangling pointer vulnerability in nsTreeContentView

Announced
March 30, 2010
Reporter
regenrecht (via TippingPoint's Zero Day Initiative)
Impact
Critical
Products
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 3.0.19
  • Firefox 3.5.9
  • Firefox 3.6.2
  • SeaMonkey 2.0.4
  • Thunderbird 3.0.4

Description

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative an error in the way <option> elements are inserted into a XUL tree <optgroup>. In certain cases, the number of references to an <option> element is under-counted so that when the element is deleted, a live pointer to its old location is kept around and may later be used. An attacker could potentially use these conditions to run arbitrary code on a victim's computer.

Workaround

Disable JavaScript until a version containing these fixes can be installed.

References