Mozilla Foundation Security Advisory 2010-67
Title: Dangling pointer vulnerability in LookupGetterOrSetter
Impact: Critical
Announced: October 19, 2010
Reporter: regenrecht
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 3.6.11, Firefox 3.5.14, Thunderbird 3.1.5, Thunderbird 3.0.9, SeaMonkey 2.0.9
Description
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that when window.__lookupGetter__ is called with no arguments, the code assumes the top JavaScript stack value is a property name. Since no arguments were passed into the function, the top value could represent uninitialized memory or a pointer to a previously freed JavaScript object. Under such circumstances the value is passed to another subroutine which calls through the dangling pointer, potentially executing attacker-controlled memory.
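
The bug class described above, as an added example that is not Mozilla's code: a toy native-function calling convention in which one handler reads its first argument slot without checking the argument count and another checks it first. All type and function names are hypothetical, the stale slot is modelled with a tag instead of real freed memory, and treating a missing argument as undefined is an assumed fix, not the one documented in this advisory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model, constructed for illustration; not SpiderMonkey code. */
typedef enum { T_UNDEFINED, T_STRING, T_STALE } Tag; /* T_STALE: slot left over from an earlier call */
typedef struct { Tag tag; const char *str; } Value;
typedef enum { LOOKUP_FOUND, LOOKUP_UNDEFINED, LOOKUP_USED_STALE_SLOT } Result;
typedef Result (*Native)(size_t argc, const Value *argv);

/* Shared lookup: only a T_STRING value is a valid property name. */
static Result lookup_by_name(Value name) {
    if (name.tag == T_STALE)              /* a real engine would dereference a dangling pointer here */
        return LOOKUP_USED_STALE_SLOT;
    if (name.tag == T_STRING && strcmp(name.str, "title") == 0)
        return LOOKUP_FOUND;              /* "title" is the only property with a getter in this model */
    return LOOKUP_UNDEFINED;
}

/* Flawed pattern: assumes argv[0] is a property name whatever argc says. */
Result lookup_getter_unchecked(size_t argc, const Value *argv) {
    (void)argc;
    return lookup_by_name(argv[0]);
}

/* Hardened pattern: a missing argument is replaced by an explicit undefined value. */
Result lookup_getter_checked(size_t argc, const Value *argv) {
    Value name = { T_UNDEFINED, NULL };
    if (argc >= 1)
        name = argv[0];
    return lookup_by_name(name);
}

/* Calls a handler with argc == 0 while the slot at the argument position holds a leftover value. */
Result call_with_no_args(Native native) {
    Value stack[1] = { { T_STALE, NULL } };
    return native(0, stack);
}

/* Calls a handler with one string argument. */
Result call_with_name(Native native, const char *s) {
    Value stack[1] = { { T_STRING, s } };
    return native(1, stack);
}

int main(void) {
    printf("unchecked, no args: %d\n", call_with_no_args(lookup_getter_unchecked));
    printf("checked,   no args: %d\n", call_with_no_args(lookup_getter_checked));
    return 0;
}
```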