Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative an error in the
way <option>
elements are inserted into a XUL
tree <optgroup>
. In certain cases, the number of
references to an <option>
element is under-counted so
that when the element is deleted, a live pointer to its old location
is kept around and may later be used. An attacker could potentially
use these conditions to run arbitrary code on a victim's computer.
Disable JavaScript until a version containing these fixes can be installed.