Mozilla Firefox AttributeChildRemoved Use-After-Free Remote Code Execution Vulnerability
ZDI-12-110: June 28th, 2012
TippingPoint™ IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 12418. For further product information on the TippingPoint IPS:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Mozilla Firefox. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the way Firefox handles nsDOMAttribute child removal. It is possible to remove a child without setting the removed child pointer to NULL, thus leaving it still accessible as a dangling pointer. Subsequent use of this pointer allows for remote code execution.
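The dangling-pointer pattern described above, shown as an added example that is not Firefox code and not part of the original advisory. The Node type, the fixed pool and all function names are hypothetical; the pool only marks slots as released, so the stale reference can be detected without touching freed memory.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model, not Firefox code: an attribute-like node caching one child. */
typedef struct Node {
    bool live;            /* false once the slot has been released */
    struct Node *child;   /* cached pointer to the single child */
} Node;

static Node pool[4];      /* releasing only marks a slot, so stale reads stay defined */

static Node *node_new(void) {
    for (size_t i = 0; i < 4; i++)
        if (!pool[i].live) { pool[i].live = true; pool[i].child = NULL; return &pool[i]; }
    return NULL;
}
static void node_release(Node *n) { n->live = false; }

/* Flawed removal: the child is released but the parent's cached pointer is kept. */
static void remove_child_flawed(Node *parent) {
    if (parent->child) node_release(parent->child);
}

/* Corrected removal: clear the cached pointer, then release the child. */
static void remove_child_fixed(Node *parent) {
    Node *c = parent->child;
    parent->child = NULL;
    if (c) node_release(c);
}

/* True when the parent still references a released child (a dangling pointer). */
static bool has_dangling_child(const Node *parent) {
    return parent->child != NULL && !parent->child->live;
}

/* Runs one removal variant on a fresh parent/child pair and reports the result. */
static bool dangling_after(void (*remove_fn)(Node *)) {
    Node *parent = node_new();
    Node *child = node_new();
    if (!parent || !child) return false;
    parent->child = child;
    remove_fn(parent);
    bool dangling = has_dangling_child(parent);
    parent->child = NULL;          /* reset the pool for the next run */
    node_release(parent);
    return dangling;
}

int main(void) {
    return (dangling_after(remove_child_flawed) && !dangling_after(remove_child_fixed)) ? 0 : 1;
}
```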
Vendor Response
Mozilla has issued an update to correct this vulnerability. More details can be found at:
2011-12-01 - Vulnerability reported to vendor
2012-06-28 - Coordinated public release of advisory
Credit
This vulnerability was discovered by: