Mozilla Foundation Security Advisory 2013-98
Use-after-free when updating offline cache
- October 29, 2013
- Byoungyoung Lee
- Firefox, Firefox ESR, SeaMonkey, Thunderbird, Thunderbird ESR
- Fixed in
- Firefox 25
- Firefox ESR 17.0.10
- Firefox ESR 24.1
- SeaMonkey 2.22
- Thunderbird 24.1
- Thunderbird ESR 17.0.10
Security researcher Byoungyoung Lee of Georgia Tech Information Security Center (GTISC) used the Address Sanitizer tool to discover a use-after-free during state change events while updating the offline cache. This leads to a potentially exploitable crash.
In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but is potentially a risk in browser or browser-like contexts.