Mozilla Foundation Security Advisory 2009-13

Arbitrary code execution via XUL tree element

Announced

March 27, 2009

Reporter

Nils

Impact

Critical

Products

Firefox

Fixed in

Firefox 3.0.8

Description

Security researcher Nils reported via TippingPoint's Zero Day Initiative that the XUL tree method _moveToEdgeShift was in some cases triggering garbage collection routines on objects which were still in use. In such cases, the browser would crash when attempting to access a previously destroyed object and this crash could be used by an attacker to run arbitrary code on a victim's computer.

This vulnerability was used by the reporter to win the 2009 CanSecWest Pwn2Own contest.

This vulnerability does not affect Firefox 2, Thunderbird 2, or released versions of SeaMonkey.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=484320
CVE-2009-1044

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2009-13

Arbitrary code execution via XUL tree element

Description

References