Mozilla Foundation Security Advisory 2010-51

Dangling pointer vulnerability using DOM plugin array

Announced
September 7, 2010
Reporter
Sergey Glazunov
Impact
Critical
Products
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 3.5.12
  • Firefox 3.6.9
  • SeaMonkey 2.0.7
  • Thunderbird 3.0.7
  • Thunderbird 3.1.3

Description

Security researcher Sergey Glazunov reported a dangling pointer vulnerability in the implementation of navigator.plugins in which the navigator object could retain a pointer to the plugins array even after it had been destroyed. An attacker could potentially use this issue to crash the browser and run arbitrary code on a victim's computer.

References