Mozilla Firefox nsTreeRange Dangling Pointer Remote Code Execution Vulnerability

ID ZDI-11-157
Type zdi
Reporter regenrecht
Modified 2011-11-09T00:00:00


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Mozilla Firefox. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the way Firefox handles user defined functions of a nsTreeSelection element. When executing the function invalidateSelection it is possible to free the nsTreeSelection object that the function operates on. Any further operations on the freed object can result in remote code execution.