Mozilla Foundation Security Advisory 2010-37

Plugin parameter EnsureCachedAttrParamArrays remote code execution vulnerability

Announced
July 20, 2010
Reporter
J23 (via TippingPoint's Zero Day Initiative)
Impact
Critical
Products
Firefox, SeaMonkey
Fixed in
  • Firefox 3.5.11
  • Firefox 3.6.7
  • SeaMonkey 2.0.6

Description

Security researcher J23 reported via TippingPoint's Zero Day Initiative an error in the code used to store the names and values of plugin parameter elements. A malicious page could embed plugin content containing a very large number of parameter elements which would cause an overflow in the integer value counting them. This integer is later used in allocating a memory buffer used to store the plugin parameters. Under such conditions, too small a buffer would be created and attacker-controlled data could be written past the end of the buffer, potentially resulting in code execution.

References