Mozilla Foundation Security Advisory 2010-17

Remote code execution with use-after-free in nsTreeSelection

Announced
March 30, 2010
Reporter
regenrecht (via TippingPoint's Zero Day Initiative)
Impact
Critical
Products
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 3.0.19
  • Firefox 3.5.9
  • SeaMonkey 2.0.4
  • Thunderbird 3.0.4

Description

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that a select event handler for XUL tree items could be called after the tree item was deleted. This results in the execution of previously freed memory which an attacker could use to crash a victim's browser and run arbitrary code on the victim's computer.

This vulnerability does not affect Firefox 3.6

Workaround

Disable JavaScript until a version containing these fixes can be installed.

References