Mozilla Foundation Security Advisory 2010-40

nsTreeSelection dangling pointer remote code execution vulnerability

Announced

July 20, 2010

Reporter

regenrecht (via TippingPoint's Zero Day Initiative)

Impact

Critical

Products

Firefox, SeaMonkey, Thunderbird

Fixed in

Firefox 3.5.11
Firefox 3.6.7
SeaMonkey 2.0.6
Thunderbird 3.0.6
Thunderbird 3.1.1

Description

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative an integer overflow vulnerability in the implementation of the XUL <tree> element's selection attribute. When the size of a new selection is sufficiently large the integer used in calculating the length of the selection can overflow, resulting in a bogus range being marked selected. When adjustSelection is then called on the bogus range the range is deleted leaving dangling references to the ranges which could be used by an attacker to call into deleted memory and run arbitrary code on a victim's computer.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=571106
CVE-2010-2753

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2010-40

nsTreeSelection dangling pointer remote code execution vulnerability

Description

References