Mozilla Foundation Security Advisory 2010-55

XUL tree removal crash and remote code execution

September 7, 2010
Low (Critical in Gecko 1.9.1 and earlier)
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 3.5.12
  • Firefox 3.6.9
  • SeaMonkey 2.0.7
  • Thunderbird 3.0.7
  • Thunderbird 3.1.3


Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that XUL <tree> objects could be manipulated such that the setting of certain properties on the object would trigger the removal of the tree from the DOM and cause certain sections of deleted memory to be accessed. In products based on Gecko version 1.9.2 (Firefox 3.6, Thunderbird 3.1) and newer this memory has been overwritten by a value that will cause an unexploitable crash. In products based on Gecko version 1.9.1 (Firefox 3.5, Thunderbird 3.0, and SeaMonkey 2.0) and older an attacker could potentially use this vulnerability to crash a victim's browser and run arbitrary code on their computer.