Mozilla fails to properly handle garbage collection

Overview

The Mozilla JavaScript engine fails to properly perform garbage collection, which may allow a remote attacker to execute arbitrary code on a vulnerable system.

Description

Garbage collection

According to Mozilla:

Garbage collection is generally used to refer to algorithms that (1) determine which objects are still needed by starting from a set of roots and finding all objects reachable from those objects and (2) returning all remaining objects to the heap. The roots include things like global variables and variables on the current call stack. Mozilla’s JavaScript engine uses one of the most common garbage collection algorithms, mark and sweep, in which the garbage collector clears the mark bit on each object, sets the mark bits on all roots and all objects reachable from them, and then finalizes all objects not marked and returns the memory they used to the heap.

The problem

In some situations, garbage collection could delete an object that was in active use.

---

Impact

A remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. The attacker could also cause the vulnerable application to crash.

---

Solution

Apply an update

This vulnerability is addressed in Firefox 1.5.0.5, Thunderbird 1.5.0.5, and SeaMonkey 1.0.3 according to the Mozilla Foundation Security Update 2006-50.

---

Disable JavaScript

This vulnerability can be mitigated by disabling JavaScript.

---

Vendor Information

876420

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Mozilla, Inc. __ Affected

Updated: July 27, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Mozilla Foundation Security Advisory 2006-50.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23876420 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.mozilla.org/security/announce/2006/mfsa2006-50.html&gt;
• <https://bugzilla.mozilla.org/show_bug.cgi?id=324117&gt;
• <https://bugzilla.mozilla.org/show_bug.cgi?id=325425&gt;
• <https://bugzilla.mozilla.org/show_bug.cgi?id=339785&gt;
• <https://bugzilla.mozilla.org/show_bug.cgi?id=340129&gt;
• <https://bugzilla.mozilla.org/show_bug.cgi?id=341877&gt;
• <https://bugzilla.mozilla.org/show_bug.cgi?id=341956&gt;
• <https://bugzilla.mozilla.org/show_bug.cgi?id=338804&gt;
• <http://secunia.com/advisories/19873/&gt;
• <http://secunia.com/advisories/21216/&gt;
• <http://secunia.com/advisories/21229/&gt;
• <http://secunia.com/advisories/21228/&gt;
• <https://issues.rpath.com/browse/RPL-537&gt;
• <http://www.securityfocus.com/bid/19181&gt;

Acknowledgements

This vulnerability was reported by the Mozilla Foundation, who in turn credit Igor Bukanov and shutdown.

This document was written by Will Dormann.

Other Information

CVE IDs:	CVE-2006-3805
Severity Metric:	6.71 Date Public: