Mozilla Foundation Security Advisory 2009-39
Title: setTimeout loses XPCNativeWrappers
Impact: Critical
Announced: July 21, 2009
Reporter: Blake Kaplan
Products: Firefox
Fixed in: Firefox 3.5
Firefox 3.0.12
Description
Mozilla developer Blake Kaplan reported that setTimeout, when called with certain object parameters which should be protected with a XPCNativeWrapper, will fail to keep the object wrapped when compiling the new function to be executed. If chrome privileged code were to call setTimeout using this as an argument, the this object will lose its wrapper and could be unsafely accessed by chrome code. An attacker could use such vulnerable code to run arbitrary JavaScript with chrome privileges.
Workaround
Disable JavaScript until a version containing this fix can be installed.
References
* https://bugzilla.mozilla.org/show_bug.cgi?id=460882
* CVE-2009-2471