Mozilla Foundation Security Advisory 2009-37
Title: Crash and remote code execution using watch and __defineSetter__ on SVG element
Impact: Critical
Announced: July 21, 2009
Reporter: PenPal
Products: Firefox
Fixed in: Firefox 3.5, Firefox 3.0.12
Description
Security researcher PenPal reported a crash involving an SVG element on which a watch function and a __defineSetter__ function have been set for a particular property. The crash showed evidence of memory corruption and could potentially be used by an attacker to run arbitrary code on a victim's computer.
Workaround
Disable JavaScript until a version containing these fixes can be installed.