You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2009-28

Mozilla Foundation Security Advisory 2009-28

Title: Race condition while accessing the private data of a NPObject JS wrapper class object
Impact: Critical
Announced: June 11, 2009
Reporter: Jakob Balle, Carsten Eiram
Products: Firefox 3

Fixed in: Firefox 3.0.11

Description

Jakob Balle and Carsten Eiram of Secunia Research reported a race condition in NPObjWrapper_NewResolve when accessing the properties of a NPObject, a wrapped JSObject. Balle and Eiram demonstrated that this condition could be reached by navigating away from a web page during the loading of a Java applet. Under such conditions the Java object would be destroyed but later called into resulting in a free memory read. It might be possible for an attacker to write to the freed memory before it is reused and run arbitrary code on the victim's computer.

This vulnerability does not affect Firefox 2 nor other products built using the "Gecko 1.8" version of Mozilla code.

Workaround

Disable Java until a version containing these fixes can be installed.

References