
Mozilla Foundation Security Advisory 2010-67

Title: Dangling pointer vulnerability in LookupGetterOrSetter
Impact: Critical
Announced: October 19, 2010
Reporter: regenrecht
Products: Firefox, Thunderbird, SeaMonkey

Fixed in:
* Firefox 3.6.11
* Firefox 3.5.14
* Thunderbird 3.1.5
* Thunderbird 3.0.9
* SeaMonkey 2.0.9

Description

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that when window.__lookupGetter__ is called with no arguments the code assumes the top JavaScript stack value is a property name. Since there were no arguments passed into the function, the top value could represent uninitialized memory or a pointer to a previously freed JavaScript object. Under such circumstances the value is passed to another subroutine which calls through the dangling pointer, potentially executing attacker-controlled memory.

References

* https://bugzilla.mozilla.org/show_bug.cgi?id=598669
* CVE-2010-3183
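
The missing-argument case described in the advisory, shown as an added example that is not Mozilla's code: a simplified operand-stack model (all type and function names here are assumptions) in which a native reads its first argument without checking the argument count, next to a version that treats a missing argument as undefined.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an interpreter operand stack; not SpiderMonkey's types. */
typedef enum { TAG_UNDEFINED, TAG_STRING, TAG_OBJECT } tag_t;
typedef struct { tag_t tag; const void *ptr; } value_t;

#define STACK_SLOTS 8
typedef struct { value_t slot[STACK_SLOTS]; size_t sp; } vm_stack_t;

static void vm_init(vm_stack_t *s) { memset(s, 0, sizeof *s); }
static void vm_push(vm_stack_t *s, tag_t tag, const void *ptr) {
    s->slot[s->sp].tag = tag;
    s->slot[s->sp].ptr = ptr;
    s->sp++;
}
/* Popping only moves sp; the old value stays in the slot, as on a real stack. */
static void vm_pop(vm_stack_t *s) { s->sp--; }

/* Unchecked: trusts that args[0] exists. With argc == 0 this reads the slot
   just past the live stack, i.e. whatever an earlier operation left there. */
static value_t name_arg_unchecked(const vm_stack_t *s, size_t argc) {
    return s->slot[s->sp - argc];
}

/* Checked: a missing argument is treated as undefined, never read from the stack. */
static value_t name_arg_checked(const vm_stack_t *s, size_t argc) {
    value_t undef = { TAG_UNDEFINED, NULL };
    if (argc == 0 || argc > s->sp)
        return undef;
    return s->slot[s->sp - argc];
}

int main(void) {
    static const char freed_object[] = "stale object"; /* stands in for a freed object */
    vm_stack_t s;
    vm_init(&s);
    vm_push(&s, TAG_OBJECT, freed_object); /* temporary used by earlier code */
    vm_pop(&s);                            /* ...now dead, but still in the slot */

    /* Native called with no arguments, as in the advisory. */
    printf("unchecked tag=%d (stale object reference)\n", name_arg_unchecked(&s, 0).tag);
    printf("checked   tag=%d (undefined)\n", name_arg_checked(&s, 0).tag);
    return 0;
}
```
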

