Mozilla Foundation Security Advisory 2010-17
Title: Remote code execution with use-after-free in nsTreeSelection
Impact: Critical
Announced: March 30, 2010
Reporter: regenrecht (via TippingPoint's Zero Day Initiative)
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 3.5.9
Firefox 3.0.19
Thunderbird 3.0.4
SeaMonkey 2.0.4
Description
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that a select event handler for XUL tree items could be called after the tree item was deleted. This results in the execution of previously freed memory which an attacker could use to crash a victim's browser and run arbitrary code on the victim's computer.
This vulnerability does not affect Firefox 3.6
Workaround
Disable JavaScript until a version containing these fixes can be installed.
References
* https://bugzilla.mozilla.org/buglist.cgi?bug_id=540100,375928
* CVE-2010-0175