SAINT Corporation advisory SAINT:43DADB814A2BEAA5E8CA7A67B9FE21B8
History: May 21, 2012 - 12:00 a.m.

Firefox AttributeChildRemoved Use After Free

Published: 2012-05-21 00:00:00
Vendor: SAINT Corporation
Source: download.saintcorporation.com
9

CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.914 High
Percentile: 98.9%

Added: 05/21/2012
CVE: CVE-2011-3659
BID: 51755
OSVDB: 78736

Background

Firefox is a freely available web browser for multiple platforms including Windows, Linux, and Mac OS.

Problem

In Firefox versions prior to 3.6.26, and 4.0 through 9.0, a child object removed from the DOM tree may remain accessible after removal. The AttributeChildRemoved method is called before the child is actually removed, so certain mutation observers may keep a reference to the object after it has been freed; if the object is accessed again, this can result in a heap overflow condition. An attacker could leverage this vulnerability to control execution on the target system.

Resolution

For Firefox 3.x, upgrade to Firefox 3.6.26 or later. For Firefox 4.x or above, upgrade to Firefox 10.0 or later.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=708198
http://secunia.com/advisories/47816/
http://www.zerodayinitiative.com/advisories/ZDI-12-059

Limitations

This exploit has been tested against Mozilla Foundation Firefox 8.x and 9.x on Windows XP SP3 English (DEP OptIn). Due to the nature of this vulnerability, the exploit may not be completely reliable against all vulnerable targets.

Platforms

Windows
