Remote code execution in Mozilla Firefox

Published: 2010-10-27 14:21:10 | Updated: 2017-02-01
Severity: Critical
Patch available: Yes
Number of vulnerabilities: 1
CVE ID: CVE-2010-3765
CVSSv3: 8.9 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C]
CWE ID: CWE-119
Exploitation vector: Network
Public exploit: This vulnerability is being exploited in the wild.
Vulnerable software: Mozilla Firefox, SeaMonkey, Mozilla Thunderbird
Vulnerable software versions:

  • Mozilla Firefox 3.5
  • Mozilla Firefox 3.5.14
  • Mozilla Firefox 3.5.13
  • SeaMonkey 2.0
  • SeaMonkey 2.0.9
  • SeaMonkey 2.0.8
  • Mozilla Thunderbird 3.0
  • Mozilla Thunderbird 3.0.9
  • Mozilla Thunderbird 3.0.8

Vendor URL: Mozilla

Security Advisory

1) Heap-based buffer overflow

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within nsCSSFrameConstructor::ContentAppended. A remote attacker can create a web page containing specially crafted document.write and appendChild calls, trigger a heap-based buffer overflow, and execute arbitrary code on the target system with the privileges of the current user.

Successful exploitation of this vulnerability may allow an attacker to compromise the vulnerable system.

Note: this vulnerability is being actively exploited.

Remediation

Install the following software versions:

  • Firefox 3.5.15
  • Firefox 3.6.12
  • SeaMonkey 2.0.10
  • Thunderbird 3.0.10
  • Thunderbird 3.1.6

External links

https://bugzilla.mozilla.org/show_bug.cgi?id=607222
https://www.mozilla.org/en-US/security/advisories/mfsa2010-73/
