Mozilla Foundation Security Advisory 2009-37

2009-07-22T00:00:00
ID SECURITYVULNS:DOC:22200
Type securityvulns
Reporter Securityvulns
Modified 2009-07-22T00:00:00

Description


Title: Crash and remote code execution using watch and defineSetter on SVG element
Impact: Critical
Announced: July 21, 2009
Reporter: PenPal
Products: Firefox

Fixed in:

* Firefox 3.5
* Firefox 3.0.12

Description

Security researcher PenPal reported a crash involving an SVG element on which a watch function and defineSetter function have been set for a particular property. The crash showed evidence of memory corruption and could potentially be used by an attacker to run arbitrary code on a victim's computer.

Workaround

Disable JavaScript until a version containing these fixes can be installed.

References

* https://bugzilla.mozilla.org/show_bug.cgi?id=488995
* CVE-2009-2469