Mozilla Foundation Security Advisory 2010-28

Freed object reuse across plugin instances

Announced
June 22, 2010
Reporter
Microsoft Vulnerability Research
Impact
Critical
Products
Firefox, SeaMonkey
Fixed in
  • Firefox 3.5.10
  • Firefox 3.6.4
  • SeaMonkey 2.0.5

Description

Microsoft Vulnerability Research reported that two plugin instances could interact in a way in which one plugin gets a reference to an object owned by a second plugin and continues to hold that reference after the second plugin is unloaded and its object is destroyed. In these cases, the first plugin would contain a pointer to freed memory which, if accessed, could be used by an attacker to execute arbitrary code on a victim's computer.

References