Mozilla Foundation Security Advisory 2014-61

Use-after-free with FireOnStateChange event

Announced
July 22, 2014
Reporter
Jethro Beekman
Impact
High
Products
Firefox, Firefox ESR, Thunderbird
Fixed in
  • Firefox 31
  • Firefox ESR 24.7
  • Thunderbird 24.7
  • Thunderbird 31

Description

Security researcher Jethro Beekman of the University of California, Berkeley reported a crash when the FireOnStateChange event is triggered in some circumstances. This leads to a use-after-free and a potentially exploitable crash when it occurs.

In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts.

References