Mozilla Foundation Security Advisory 2010-80

Use-after-free error with nsDOMAttribute MutationObserver

Announced
December 9, 2010
Reporter
regenrecht
Impact
Critical
Products
Firefox, SeaMonkey
Fixed in
  • Firefox 3.5.16
  • Firefox 3.6.13
  • SeaMonkey 2.0.11

Description

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that a nsDOMAttribute node can be modified without informing the iterator object responsible for various DOM traversals. This flaw could lead to a inconsistent state where the iterator points to an object it believes is part of the DOM but actually points to some other object. If such an object had been deleted and its memory reclaimed by the system, then the iterator could be used to call into attacker-controlled memory.

References