 |
|
|
|
| From: | MOZILLA | | Date: | 10.12.2010 | | Subject: | Mozilla Foundation Security Advisory 2010-80 |
Mozilla Foundation Security Advisory 2010-80
Title: Use-after-free error with nsDOMAttribute MutationObserver
Impact: Critical
Announced: December 9, 2010
Reporter: regenrecht
Products: Firefox, SeaMonkey
Fixed in: Firefox 3.6.13
Firefox 3.5.16
SeaMonkey 2.0.11
Description
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that a nsDOMAttribute node can be modified without informing the iterator object responsible for various DOM traversals. This flaw could lead to a inconsistent state where the iterator points to an object it believes is part of the DOM but actually points to some other object. If such an object had been deleted and its memory reclaimed by the system, then the iterator could be used to call into attacker-controlled memory.
References
* https://bugzilla.mozilla.org/show_bug.cgi?id=590771
* CVE-2010-3766
|
|
|
|
|
|
|
|
