You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2009-41
Mozilla Foundation Security Advisory 2009-41
Title: Corrupt JIT state after deep return from native function
Impact: Critical
Announced: July 16, 2009
Reporter: zbyte
Products: Firefox 3.5
Fixed in: Firefox 3.5.1
Description
Firefox user zbyte reported a crash that we determined
could result in an exploitable memory corruption problem. In certain cases
after a return from a native function, such as escape()
, the
Just-in-Time (JIT) compiler could get into a corrupt state. This could be
exploited by an attacker to run arbitrary code such as installing malware.
We would like to thank community members Lucas Kruijswijk and Nochum Sossonko for isolating the problematic script from the original crashing site.
This vulnerability does not affect earlier versions of Firefox which do not support the JIT feature.
Workaround
Users of Firefox 3.5 can avoid this vulnerability by disabling the Just-in-Time compiler as described in the Mozilla Security Blog. That workaround is not necessary in Firefox 3.5.1 and can be reverted.