SECURITYVULNS:DOC:30393 - Mar 27, 2014

VUPEN Security Research - Mozilla Firefox "BumpChunk" Object Processing Use-after-free (Pwn2Own)

Website : http://www.vupen.com

Twitter : http://twitter.com/vupen

I. BACKGROUND

"Mozilla Firefox is a free and open-source web browser developed for
Windows, OS X, and Linux, with a mobile version for Android, by the
Mozilla Foundation and its subsidiary, the Mozilla Corporation.
As of February 2014, Firefox has between 12% and 22% of worldwide
usage, according to different sources." (Wikipedia)

II. DESCRIPTION

VUPEN Vulnerability Research Team discovered a critical vulnerability
in Mozilla Firefox.

The vulnerability is caused by a use-after-free error in the JS engine
when processing "BumpChunk" objects while the browser is under memory
pressure, which could be exploited to leak arbitrary memory and/or
achieve code execution via a malicious web page.

III. AFFECTED PRODUCTS

Mozilla Firefox versions prior to 28
Mozilla Firefox ESR versions prior to 24.4
Mozilla Thunderbird versions prior to 24.4
Mozilla SeaMonkey versions prior to 2.25

IV. SOLUTION

Upgrade to Firefox v28, Firefox ESR v24.4, Thunderbird v24.4 and
SeaMonkey v2.25.

V. CREDIT

This vulnerability was discovered by VUPEN Security.

VI. ABOUT VUPEN Security

VUPEN is the leading provider of defensive and offensive cyber security
intelligence and advanced zero-day research. All VUPEN's vulnerability
intelligence results exclusively from its internal and in-house R&D
efforts conducted by its team of world-class researchers.

VUPEN Solutions: http://www.vupen.com/english/services/

VII. REFERENCES

https://www.mozilla.org/security/announce/2014/mfsa2014-30.html

VIII. DISCLOSURE TIMELINE

2014-01-19 - Vulnerability Discovered by VUPEN Security
2014-03-12 - Vulnerability Reported to Mozilla/ZDI During Pwn2Own 2014
2014-03-18 - Vulnerability Fixed by Mozilla
2014-03-26 - Public disclosure