You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2010-18

Mozilla Foundation Security Advisory 2010-18

Title: Dangling pointer vulnerability in nsTreeContentView
Impact: Critical
Announced: March 30, 2010
Reporter: regenrecht (via TippingPoint's Zero Day Initiative)
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 3.6.2
  Firefox 3.5.9
  Firefox 3.0.19
  Thunderbird 3.0.4
  SeaMonkey 2.0.4

Description

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative an error in the way <option> elements are inserted into a XUL tree <optgroup>. In certain cases, the number of references to an <option> element is under-counted so that when the element is deleted, a live pointer to its old location is kept around and may later be used. An attacker could potentially use these conditions to run arbitrary code on a victim's computer.

Workaround

Disable JavaScript until a version containing these fixes can be installed.

References