Firefox is prone to an overflow condition. The application fails to properly sanitize input caused by interactions between DOM insertions and the document.write() function resulting in a heap overflow. With a specially crafted website, a context-dependent attacker can potentially cause arbitrary code execution.

Upgrade to version 3.5.15 or 3.6.12 or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• Exploit Database: 15341
• CVE ID: 2010-3765 (see also: NVD)
• Secunia Advisory ID: 41761 41957 41965 41966 41969 42003 42010 42026 42043 42056 42150 42216 42224 42310 42867 44446 51766
• SCIP VulDB ID: 4218
• Bugtraq ID: 44425
• Metasploit ID: 68905
• Vendor Specific Advisory URL: http://blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/
  http://lists.debian.org/debian-security-announce/2010/msg00174.html
  http://lists.fedoraproject.org/pipermail/package-announce/2010-October/050061.html
  http://lists.fedoraproject.org/pipermail/package-announce/2010-October/050062.html
  http://lists.fedoraproject.org/pipermail/package-announce/2010-October/050153.html
  http://lists.fedoraproject.org/pipermail/package-announce/2010-October/050156.html
  http://rhn.redhat.com/errata/RHSA-2010-0808.html
  http://rhn.redhat.com/errata/RHSA-2010-0810.html
  http://www.cometforums.com/forum-70/announcement-17-new-cometbird-version-3612-has-been-released/?
  http://www.mozilla.org/security/announce/2010/mfsa2010-73.html
  http://www.ubuntu.com/usn/usn-1011-1
  https://lists.ubuntu.com/archives/ubuntu-security-announce/2010-October/001193.html
  https://rhn.redhat.com/errata/RHSA-2010-0809.html
• Other Advisory URL: http://blogs.sun.com/security/entry/multiple_vulnerabilities_in_mozilla_firefox
  http://blogs.sun.com/security/entry/multiple_vulnerabilities_in_mozilla_thunderbird1
  http://norman.com/about_norman/press_center/news_archive/2010/129223/en
  http://www.norman.com/security_center/virus_description_archive/129146/
• Vendor Specific News/Changelog Entry: http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050684.html
  http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050688.html
  http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00003.html
  http://www.gentoo.org/security/en/glsa/glsa-201301-01.xml
  https://bugzilla.mozilla.org/show_bug.cgi?id=607222
• News Article: http://news.softpedia.com/news/Zero-Day-Firefox-Vulnerability-Exploited-to-Distribute-Trojan-163065.shtml
  http://www.prnewswire.com/news-releases/norman-warns-concerning-new-vulnerability-in-firefox-browser-105771928.html
  http://www.scmagazineus.com/firefox-zero-day-being-exploited-in-the-wild/article/181821/
  http://www.scmagazineus.com/mozilla-closes-gaping-remote-code-hole-in-firefox/article/189749/
  http://www.theregister.co.uk/2010/10/26/firefox_0day_report/
• Mail List Post: http://seclists.org/fulldisclosure/2010/Oct/441
• Generic Exploit URL: http://www.saintcorporation.com/cgi-bin/exploit_info/firefox_document_write_dom
• RedHat RHSA: https://rhn.redhat.com/errata/RHSA-2010-0861.html
  https://rhn.redhat.com/errata/RHSA-2010-0896.html

• Morten Kråkvik