Mozilla Foundation Security Advisory 2010-36

Use-after-free error in NodeIterator

Announced
July 20, 2010
Reporter
regenrecht (via TippingPoint's Zero Day Initiative)
Impact
Critical
Products
Firefox, SeaMonkey
Fixed in
  • Firefox 3.5.11
  • Firefox 3.6.7
  • SeaMonkey 2.0.6

Description

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative an error in Mozilla's implementation of NodeIterator in which a malicious NodeFilter could be created which would detach nodes from the DOM tree while it was being traversed. The use of a detached and subsequently deleted node could result in the execution of attacker-controlled memory.

References