Remote code execution with use-after-free in nsTreeSelection

ID MFSA2010-17
Type mozilla
Reporter Mozilla Foundation
Modified 2010-03-30T00:00:00


Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that a select event handler for XUL tree items could be called after the tree item was deleted. This results in the execution of previously freed memory, which an attacker could use to crash a victim's browser and run arbitrary code on the victim's computer. This vulnerability does not affect Firefox 3.6.
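
The lifetime problem described above, as a simplified C++ model added here for illustration; it is not Mozilla's code, and every type and function name in it is hypothetical. It contrasts a selection that does not own its item with one that holds a strong reference until the pending select event has been delivered.

```cpp
// Simplified model of the bug class; all names are hypothetical, not Mozilla's.
#include <functional>
#include <memory>
#include <string>
#include <vector>

struct TreeItem { std::string label; };
using Handler = std::function<void(const TreeItem&)>;

struct Tree {
    std::vector<std::shared_ptr<TreeItem>> items;  // the tree owns its items
    void remove(unsigned i) { items.erase(items.begin() + i); }
};

// Non-owning selection: stands in for a raw pointer, but weak_ptr lets us
// observe the dangling state safely instead of touching freed memory.
struct WeakSelection {
    std::weak_ptr<TreeItem> current;
    void select(const std::shared_ptr<TreeItem>& it) { current = it; }
    bool fireSelect(const Handler& h) {
        auto alive = current.lock();
        if (!alive) return false;  // a raw pointer would be used after free here
        h(*alive);
        return true;
    }
};

// Owning selection: the item outlives its removal from the tree until the
// select event has been delivered.
struct StrongSelection {
    std::shared_ptr<TreeItem> current;
    void select(const std::shared_ptr<TreeItem>& it) { current = it; }
    bool fireSelect(const Handler& h) {
        auto keepAlive = current;  // pinned across the callback, which may re-enter
        if (!keepAlive) return false;
        h(*keepAlive);
        return true;
    }
};

// Constructed scenario: select an item, delete it, then deliver the event.
template <class Sel> std::string deleteThenFire() {
    Tree t; t.items.push_back(std::make_shared<TreeItem>(TreeItem{"row0"}));
    Sel s; s.select(t.items[0]);
    t.remove(0);
    std::string seen = "<not dispatched>";
    s.fireSelect([&](const TreeItem& it) { seen = it.label; });
    return seen;
}
```

Either approach keeps the handler off freed memory: the non-owning variant detects the stale selection and skips dispatch, while the owning variant keeps the item alive for the handler.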