Mozilla Foundation Security Advisory 2010-36

2010-07-24T00:00:00
ID SECURITYVULNS:DOC:24309
Type securityvulns
Reporter Securityvulns
Modified 2010-07-24T00:00:00

Description

Mozilla Foundation Security Advisory 2010-36

Title: Use-after-free error in NodeIterator Impact: Critical Announced: July 20, 2010 Reporter: regenrecht (via TippingPoint's Zero Day Initiative) Products: Firefox, SeaMonkey

Fixed in: Firefox 3.6.7 Firefox 3.5.11 SeaMonkey 2.0.6 Description

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative an error in Mozilla's implementation of NodeIterator in which a malicious NodeFilter could be created which would detach nodes from the DOM tree while it was being traversed. The use of a detached and subsequently deleted node could result in the execution of attacker-controlled memory. References

* https://bugzilla.mozilla.org/show_bug.cgi?id=552110
* CVE-2010-1209