js/src/jstracer.cpp in the just-in-time (JIT) JavaScript compiler (aka TraceMonkey) in Mozilla Firefox 3.5 before 3.5.1 allows remote attackers to execute arbitrary code via certain use of the escape function that triggers access to uninitialized memory locations, as originally demonstrated by a document containing P and FONT elements.
blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/
isc.sans.org/diary.html?storyid=6796
secunia.com/advisories/35798
sunsolve.sun.com/search/document.do?assetkey=1-66-266148-1
voices.washingtonpost.com/securityfix/2009/07/stopgap_fix_for_critical_firef.html
www.exploit-db.com/exploits/9137
www.exploit-db.com/exploits/9181
www.h-online.com/security/First-Zero-Day-Exploit-for-Firefox-3-5--/news/113761
www.kb.cert.org/vuls/id/443060
www.mozilla.org/security/announce/2009/mfsa2009-41.html
www.securityfocus.com/bid/35660
www.vupen.com/english/advisories/2009/1868
bugzilla.mozilla.org/show_bug.cgi?id=503286
www.exploit-db.com/exploits/40936/
www.redhat.com/archives/fedora-package-announce/2009-July/msg00909.html