Mozilla Foundation Security Advisory 2012-04
Child nodes from nsDOMAttribute still accessible after removal of nodes
- Announced: January 31, 2012
- Reporter: regenrecht
- Impact: Critical
- Products: Firefox, SeaMonkey, Thunderbird
- Fixed in:
  - Firefox 10
  - Firefox 3.6.26
  - SeaMonkey 2.7
  - Thunderbird 10
  - Thunderbird 3.1.18
Description
Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative that removed child nodes of nsDOMAttribute
can be accessed under certain circumstances because of a premature notification
of AttributeChildRemoved. This use-after-free of the child nodes could possibly
allow for remote code execution.