Description: xpcom, or cross platform component object model is a framework for writing cross-platform, modular software. The xpcom library is used in many applications including a majority of the popular browsers such as FireFox, NetScape, Mozilla, Galeon, etc. It seems that there is a race condition of sorts in xpcom that makes it possible for an attacker to crash a victims browser by having them view a malformed html document. This issue is not believed to be exploitable by the Mozilla dev team, and will likely be addressed in full at a later date by the development team.
XPCOM Race Condition: It is possible for an attacker to create a race condition that will cause an access violation and result in a hard crash of the browser. One way to trigger this issue is by taking a decent sized html file and loading a dom call within some nested divs that will cause part of the page currently being rendered to be deleted. If the page has not loaded by the time the dom call is made then we can delete objects that have yet to be referenced, which will result in a crash as soon as the browser tries to reference the deleted object.
Solution: Mozilla have been aware of this issue for some months, and have fixed the issue on trunk, but not on branch. The reason for this as stated by one of the developers is "fixes for this stuff could easily cause regressions". I did test this issue on the latest copy of the mozilla browser (Deer Park) this morning though, and it seemed to NOT be vulnerable. However, firefox and the like are still affected.
Related Info: The original advisory can be found at the following location http://www.gulftech.org/?node=research&article_id=00091-07212005
Credits: James Bercegay of the GulfTech Security Research Team