Mozilla Foundation Security Advisory 2009-28

Race condition while accessing the private data of a NPObject JS wrapper class object

Announced

June 11, 2009

Reporter

Jakob Balle, Carsten Eiram

Impact

Critical

Products

Firefox

Fixed in

Firefox 3.0.11

Description

Jakob Balle and Carsten Eiram of Secunia Research reported a race condition in NPObjWrapper_NewResolve when accessing the properties of a NPObject, a wrapped JSObject. Balle and Eiram demonstrated that this condition could be reached by navigating away from a web page during the loading of a Java applet. Under such conditions the Java object would be destroyed but later called into resulting in a free memory read. It might be possible for an attacker to write to the freed memory before it is reused and run arbitrary code on the victim's computer.

This vulnerability does not affect Firefox 2 nor other products built using the "Gecko 1.8" version of Mozilla code.

Workaround

Disable Java until a version containing these fixes can be installed.

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2009-28

Race condition while accessing the private data of a NPObject JS wrapper class object

Description

Workaround

References