
Mozilla released Firefox version 3.6.3 to fix the vulnerability Nils used at CanSecWest to "take down" Firefox in the Pwn2Own event (see "Pwn2Own hack topples Firefox on Windows").
Security Advisory
"Title: Re-use of freed object due to scope confusion
Impact: Critical
Announced: April 1, 2010
Reporter: Nils (MWR InfoSecurity)
Products: Firefox
Fixed in: Firefox 3.6.3
Description
A memory corruption flaw leading to code execution was reported by security researcher Nils
of MWR InfoSecurity during the 2010 Pwn2Own contest sponsored by
TippingPoint's Zero Day Initiative. By moving DOM nodes between
documents Nils found a case where the moved node incorrectly retained
its old scope. If garbage collection could be triggered at the right
time then Firefox would later use this freed object.
Note:
The contest winning exploit only affects Firefox 3.6 and not earlier
versions. We will be patching Firefox 3.5 in an upcoming release just
in case there is an alternate way of triggering the bug."