SAINT CorporationSAINT:A345EEAE4EE4CFA710F08A211BB42533Firefox AttributeChildRemoved Use After Free
0.916 High
EPSS
Percentile
98.6%
Added: 05/21/2012
CVE: CVE-2011-3659
BID: 51755
OSVDB: 78736
Background
Firefox is a freely available web browser for multiple platforms including Windows, Linux, and Mac OS.
Problem
In Firefox version prior to 3.6.26, and 4.0 through 9.0, when removing child objects from the DOM tree, the removed child may still be accessible. A call to the AttributeChildRemoved method takes place before actually removing the child. This may cause certain mutation observers to maintain a reference to the object after it has been freed, which could result in a heap overflow condition if the object is accessed again. An attacker could leverage this vulnerability to control execution on the target system.
Resolution
For Firefox 3.x, upgrade to Firefox 3.6.26 or later. For Firefox 4.x or above, upgrade to Firefox 10.0 or later.
References
<https://bugzilla.mozilla.org/show_bug.cgi?id=708198>
<http://secunia.com/advisories/47816/>
<http://www.zerodayinitiative.com/advisories/ZDI-12-059>
Limitations
This exploit has been tested against Mozilla Foundation Firefox 8.x and 9.x on Windows XP SP3 English (DEP OptIn). Due to the nature of this vulnerability, the exploit may not be completely reliable against all vulnerable targets.
Platforms
Windows
Related
