Mozilla Foundation Security Advisory 2015-29

Code execution through incorrect JavaScript bounds checking elimination

Announced
March 20, 2015
Reporter
ilxu1a
Impact
Critical
Products
Firefox, Firefox ESR, SeaMonkey
Fixed in
  • Firefox 36.0.3
  • Firefox ESR 31.5.2
  • SeaMonkey 2.33.1

Description

Security researcher ilxu1a reported, through HP Zero Day Initiative's Pwn2Own contest, a flaw in Mozilla's implementation of typed array bounds checking in JavaScript just-in-time compilation (JIT) and its management of bounds checking for heap access. This flaw can be leveraged into the reading and writing of memory allowing for arbitary code execution on the local system.

References