Last Updated on Thursday, 02 February 2012 10:14
[ Summary ]
Child nodes from nsDOMAttribute still accessible after removal of nodes
[ Affected Systems ]
Firefox, Thunderbird, SeaMonkey
[ Impact Analysis ]
Security researcher regenrecht reported via TippingPoint’s Zero Day Initiative that removed child nodes of nsDOMAttribute can be accessed under certain circumstances because of a premature notification of AttributeChildRemoved. This use-after-free of the child nodes could possibly allow for remote code execution.
[ Solution/Workaround ]
Fixed In:
Firefox 10.0
Firefox 3.6.26
Thunderbird 10.0
Thunderbird 3.1.18
SeaMonkey 2.7
[ Reference ]
· AttributeChildRemoved Use-After-Free