Dangling pointer vulnerability in nsTreeContentView

Dangling pointer vulnerability in nsTreeContentView

Announced

March 30, 2010

Reporter

regenrecht (via TippingPoint's Zero Day Initiative)

Impact

Critical

Products

Firefox, SeaMonkey, Thunderbird

Fixed in

• Firefox 3.0.19
• Firefox 3.5.9
• Firefox 3.6.2
• SeaMonkey 2.0.4
• Thunderbird 3.0.4

Description

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative an error in the way <option> elements are inserted into a XUL tree <optgroup>. In certain cases, the number of references to an <option> element is under-counted so that when the element is deleted, a live pointer to its old location is kept around and may later be used. An attacker could potentially use these conditions to run arbitrary code on a victim's computer.

Workaround

Disable JavaScript until a version containing these fixes can be installed.

References

• https://bugzilla.mozilla.org/show_bug.cgi?id=538308
• CVE-2010-0176