Firefox AttributeChildRemoved Use After Free
Added: 05/21/2012CVE: CVE-2011-3659
BID: 51755
OSVDB: 78736
Background
Firefox is a freely available web browser for multiple platforms including Windows, Linux, and Mac OS.Problem
In Firefox version prior to 3.6.26, and 4.0 through 9.0, when removing child objects from the DOM tree, the removed child may still be accessible. A call to the AttributeChildRemoved method takes place before actually removing the child. This may cause certain mutation observers to maintain a reference to the object after it has been freed, which could result in a heap overflow condition if the object is accessed again. An attacker could leverage this vulnerability to control execution on the target system.Resolution
For Firefox 3.x, upgrade to Firefox 3.6.26 or later. For Firefox 4.x or above, upgrade to Firefox 10.0 or later.References
https://bugzilla.mozilla.org/show_bug.cgi?id=708198http://secunia.com/advisories/47816/
http://www.zerodayinitiative.com/advisories/ZDI-12-059
Limitations
This exploit has been tested against Mozilla Foundation Firefox 8.x and 9.x on Windows XP SP3 English (DEP OptIn). Due to the nature of this vulnerability, the exploit may not be completely reliable against all vulnerable targets.Platforms
WindowsBack to exploit index