=====================================================================
                            CERT-Renater

                 Information Note No. 2010/VULN113
_____________________________________________________________________

DATE                 : 02/04/2010

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Firefox 3.6.

======================================================================
http://www.mozilla.org/security/announce/2010/mfsa2010-25.html
______________________________________________________________________

Mozilla Foundation Security Advisory 2010-25

Title:     Re-use of freed object due to scope confusion
Impact:    Critical
Announced: April 1, 2010
Reporter:  Nils (MWR InfoSecurity)
Products:  Firefox
Fixed in:  Firefox 3.6.3

Description

A memory corruption flaw leading to code execution was reported by
security researcher Nils of MWR InfoSecurity during the 2010 Pwn2Own
contest sponsored by TippingPoint's Zero Day Initiative. By moving DOM
nodes between documents, Nils found a case where the moved node
incorrectly retained its old scope. If garbage collection could be
triggered at the right time, Firefox would later use this freed object.

The contest-winning exploit only affects Firefox 3.6 and not earlier
versions. We will be patching Firefox 3.5 in an upcoming release just in
case there is an alternate way of triggering the bug.

References

  * https://bugzilla.mozilla.org/show_bug.cgi?id=555109
  * CVE-2010-1121

Portions of this content are ©1998–2010 by individual mozilla.org
contributors. Content available under a Creative Commons license.
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================