Mozilla Foundation Security Advisory 2015-63

Use-after-free in Content Policy due to microtask execution error

Announced
July 2, 2015
Reporter
Herre
Impact
Critical
Products
Firefox, Firefox ESR, SeaMonkey, Thunderbird
Fixed in
  • Firefox 39
  • Firefox ESR 38.1
  • SeaMonkey 2.35
  • Thunderbird 38.1

Description

Security researcher Herre reported a use-after-free vulnerability when a Content Policy modifies the Document Object Model to remove a DOM object, which is then used afterwards because of an error in the microtask implementation. This leads to an exploitable crash.

In general, this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but it is potentially a risk in browser or browser-like contexts.
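The lifetime hazard the advisory describes (deferred work touches a node that a policy callback has already removed from the tree) can be modelled without any browser code. The following is an added illustration, not Mozilla's code or the fixed patch: a toy Document with a microtask queue, a hypothetical content-policy hook that removes a node, and a load routine run once in the vulnerable shape (nothing but the document owns the node) and once with the usual fix (the code that queues deferred work keeps its own strong reference until that work has run). std::shared_ptr stands in for the refcounted DOM node, and weak_ptr::lock stands in for the "is this still valid?" question that a raw pointer cannot answer, so the demo observes the premature release instead of dereferencing freed memory. All names (Node, Document, ContentPolicy, loadWithPolicy) are assumptions made for the example.

```cpp
#include <algorithm>
#include <functional>
#include <memory>
#include <queue>
#include <string>
#include <vector>

// Counts Node destructions so the test can observe a release without
// touching freed memory.
int g_nodesDestroyed = 0;

// Toy DOM node (assumed name). Real DOM nodes are refcounted; shared_ptr plays that role.
struct Node {
    std::string name;
    explicit Node(std::string n) : name(std::move(n)) {}
    ~Node() { ++g_nodesDestroyed; }
};

// Toy document (assumed name): owns its children plus a queue of deferred microtasks.
struct Document {
    std::vector<std::shared_ptr<Node>> children;
    std::queue<std::function<void()>> microtasks;

    void removeChild(const std::string& name) {
        children.erase(std::remove_if(children.begin(), children.end(),
                           [&](const std::shared_ptr<Node>& n) { return n->name == name; }),
                       children.end());
    }
    // Microtasks run after the current task finishes, so work queued before a
    // DOM mutation executes against the mutated tree, not the one it was queued for.
    void runMicrotasks() {
        while (!microtasks.empty()) {
            std::function<void()> task = std::move(microtasks.front());
            microtasks.pop();
            task();
        }
    }
};

// Hypothetical content-policy hook: decides whether a load proceeds and, as in
// the advisory, may mutate the document as a side effect.
using ContentPolicy = std::function<bool(Document&, const std::string& nodeName)>;

// Queue deferred work on `target`, consult the policy, then drain the microtasks.
// `holdStrongRef` is the fix: keep a strong reference for as long as the deferred
// work can still run. Returns true if that work found the node alive.
bool loadWithPolicy(Document& doc, std::weak_ptr<Node> target,
                    const ContentPolicy& policy, bool holdStrongRef) {
    std::shared_ptr<Node> node = target.lock();
    if (!node) return false;
    const std::string name = node->name;

    std::shared_ptr<Node> keepAlive;      // empty in the vulnerable shape
    if (holdStrongRef) keepAlive = node;
    node.reset();                         // model code that only kept a raw pointer

    bool usedLive = false;
    doc.microtasks.push([target, keepAlive, &usedLive] {
        // In the real bug this is a raw-pointer dereference; here lock() lets us
        // see whether the node was already destroyed when the task ran.
        if (std::shared_ptr<Node> n = target.lock()) {
            usedLive = true;
            (void)n->name;
        }
    });

    (void)policy(doc, name);   // may remove `target` from the tree
    doc.runMicrotasks();       // deferred work now runs against the mutated tree
    return usedLive;
}

// Policy that blocks the load and removes the node it was asked about.
static const ContentPolicy removingPolicy = [](Document& d, const std::string& n) {
    d.removeChild(n);
    return false;
};

// Vulnerable shape: the document's reference was the only one, so the node is
// gone by the time the microtask runs.
bool demoUnsafe() {
    Document doc;
    doc.children.push_back(std::make_shared<Node>("img"));
    return loadWithPolicy(doc, doc.children[0], removingPolicy, false);  // -> false
}

// Fixed shape: the queued work holds its own reference and the node outlives it.
bool demoSafe() {
    Document doc;
    doc.children.push_back(std::make_shared<Node>("img"));
    return loadWithPolicy(doc, doc.children[0], removingPolicy, true);   // -> true
}

int main() { return (!demoUnsafe() && demoSafe()) ? 0 : 1; }
```

The review question this models is the one a reviewer asks of any code that queues work against a DOM node and then calls out to something that may mutate the tree: who owns the node between the point it is captured and the point it is used? If the answer is "only the document", the deferred use is unsafe as soon as a callback can remove it.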

References