Mozilla Foundation Security Advisory 2010-80

Use-after-free error with nsDOMAttribute MutationObserver

Announced

December 9, 2010

Reporter

regenrecht

Impact

Critical

Products

Firefox, SeaMonkey

Fixed in

Firefox 3.5.16
Firefox 3.6.13
SeaMonkey 2.0.11

Description

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that a nsDOMAttribute node can be modified without informing the iterator object responsible for various DOM traversals. This flaw could lead to a inconsistent state where the iterator points to an object it believes is part of the DOM but actually points to some other object. If such an object had been deleted and its memory reclaimed by the system, then the iterator could be used to call into attacker-controlled memory.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=590771
CVE-2010-3766

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2010-80

Use-after-free error with nsDOMAttribute MutationObserver

Description

References