Mozilla Foundation Security Advisory 2012-04

Child nodes from nsDOMAttribute still accessible after removal of nodes

Announced: January 31, 2012
Reporter: regenrecht
Impact: Critical
Products: Firefox, SeaMonkey, Thunderbird
Fixed in:
  • Firefox 10
  • Firefox 3.6.26
  • SeaMonkey 2.7
  • Thunderbird 10
  • Thunderbird 3.1.18

Description

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that removed child nodes of nsDOMAttribute can be accessed under certain circumstances because of a premature notification of AttributeChildRemoved. This use-after-free of the child nodes could possibly allow for remote code execution.
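The following is an added illustration of the bug class the advisory describes, not Mozilla's code and not the actual nsDOMAttribute fix. It is a constructed C++ model: an attribute object owns one child node and notifies observers when that child is removed. The defective sequence fires the notification while the attribute still owns the child and hands observers a bare pointer, so a pointer an observer retains becomes dangling the moment the attribute drops its reference. The corrected sequence detaches first, keeps a strong reference alive across the notification, and passes that reference to observers. Node storage is never actually returned to the heap here; a "freed" node is only flagged dead so the dangling read can be detected deterministically. All names (Heap, Attribute, readText, the observer types) are assumptions of this example.

```cpp
#include <functional>
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Constructed model (not Gecko code) of a child node that can be removed
// from an attribute while observers are watching.
struct Node {
    std::string text;
    bool alive = true;
};

// Simulated heap: releasing a node only marks it dead and keeps the storage,
// so a read through a dangling pointer is detected instead of being undefined
// behaviour as it would be with real freed memory.
struct Heap {
    std::vector<std::unique_ptr<Node>> storage;
    Node* alloc(std::string text) {
        storage.push_back(std::make_unique<Node>());
        storage.back()->text = std::move(text);
        return storage.back().get();
    }
    void release(Node* n) { n->alive = false; }
};

// Reference-counted handle whose final release frees the node on the
// simulated heap (stands in for a strong, refcounted DOM reference).
std::shared_ptr<Node> makeNode(Heap& heap, std::string text) {
    Node* raw = heap.alloc(std::move(text));
    return std::shared_ptr<Node>(raw, [&heap](Node* n) { heap.release(n); });
}

// Reads a node's text; returns false when the node was already freed,
// i.e. when the caller has just performed a use-after-free.
bool readText(const Node* n, std::string& out) {
    if (n == nullptr || !n->alive) return false;
    out = n->text;
    return true;
}

using RawObserver = std::function<void(Node*)>;
using StrongObserver = std::function<void(const std::shared_ptr<Node>&)>;

struct Attribute {
    std::shared_ptr<Node> child;
    std::vector<RawObserver> rawObservers;
    std::vector<StrongObserver> strongObservers;

    // Defective sequence: the "child removed" notification fires while the
    // attribute still owns the child and observers get a bare pointer they may
    // retain; the attribute then drops the only strong reference, so anything
    // an observer kept now points at freed memory.
    void removeChildPrematureNotify() {
        Node* raw = child.get();
        for (auto& observe : rawObservers) observe(raw);  // notified too early
        child.reset();                                    // node freed here
    }

    // Corrected sequence: detach first so observers see a consistent tree,
    // hold a strong reference across the notification, and pass it on so an
    // observer that wants the node keeps it alive by holding that reference.
    void removeChildSafe() {
        std::shared_ptr<Node> grip = std::move(child);  // attribute no longer owns it
        for (auto& observe : strongObservers) observe(grip);
    }  // grip released: node freed only if no observer retained it
};

// True if the pointer an observer cached during the premature notification
// is dangling afterwards (the bug class in the advisory).
bool prematureRemovalDangles() {
    Heap heap;
    Attribute attr;
    attr.child = makeNode(heap, "value");
    Node* cached = nullptr;
    attr.rawObservers.push_back([&cached](Node* n) { cached = n; });
    attr.removeChildPrematureNotify();
    std::string text;
    return !readText(cached, text);
}

// True if a reference retained during the corrected removal still reads the
// original text, and the node is released only once the observer lets go.
bool safeRemovalKeepsNodeAlive() {
    Heap heap;
    Attribute attr;
    attr.child = makeNode(heap, "value");
    std::shared_ptr<Node> kept;
    attr.strongObservers.push_back([&kept](const std::shared_ptr<Node>& n) { kept = n; });
    attr.removeChildSafe();
    std::string text;
    bool readable = readText(kept.get(), text) && text == "value";
    Node* raw = kept.get();
    kept.reset();  // last strong reference dropped; storage stays in heap
    return readable && attr.child == nullptr && !raw->alive;
}

int main() {
    std::cout << "premature notify dangles: " << prematureRemovalDangles() << "\n"
              << "safe removal keeps node alive: " << safeRemovalKeepsNodeAlive() << "\n";
}
```

The design point is the ordering plus ownership: a mutation notification should describe a state the tree has already reached, and whoever fires it must keep the affected node alive for the duration of the callbacks, since observers (including script) can run arbitrary code in between.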

References