Use-after-free in event listeners
- December 10, 2013
- Tyson Smith, Jesse Schwartzentruber
- Firefox, Firefox ESR, SeaMonkey, Thunderbird
- Fixed in
- Firefox 26
- Firefox ESR 24.2
- SeaMonkey 2.23
- Thunderbird 24.2
Security researchers Tyson Smith and Jesse
Schwartzentruber of the BlackBerry Security Automated Analysis Team
used the Address Sanitizer tool while fuzzing to discover a user-after-free when
interacting with event listeners from the
mListeners array. This
leads to a potentially exploitable crash.
In general these flaws cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts.