Mozilla Foundation Security Advisory 2013-98
Title: Use-after-free when updating offline
Announced: October 29, 2013
Reporter: Byoungyoung Lee
Products: Firefox, Thunderbird, Seamonkey
Fixed in: Firefox 25.0
Firefox ESR 24.1
Firefox ESR 17.0.10
Thunderbird ESR 17.0.10
Security researcher Byoungyoung Lee of Georgia Tech Information Security Center (GTISC) used the Address Sanitizer tool to discover a use-after-free during state change events while updating the offline cache. This leads to a potentially exploitable crash.
In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but is potentially a risk in browser or browser-like contexts.