VUPEN Security Research - Mozilla Firefox "BumpChunk" Object Processing Use-after-free (Pwn2Own)

Website : http://www.vupen.com
Twitter : http://twitter.com/vupen

I. BACKGROUND
---------------------

"Mozilla Firefox is a free and open-source web browser developed for Windows, OS X, and Linux, with a mobile version for Android, by the Mozilla Foundation and its subsidiary, the Mozilla Corporation. As of February 2014, Firefox has between 12% and 22% of worldwide usage, according to different sources." (Wikipedia)

II. DESCRIPTION
---------------------

VUPEN Vulnerability Research Team discovered a critical vulnerability in Mozilla Firefox.

The vulnerability is caused by a use-after-free error in the JS engine when processing "BumpChunk" objects while the browser is under memory pressure, which could be exploited to leak arbitrary memory and/or achieve code execution via a malicious web page.

III. AFFECTED PRODUCTS
---------------------------

Mozilla Firefox versions prior to 28
Mozilla Firefox ESR versions prior to 24.4
Mozilla Thunderbird versions prior to 24.4
Mozilla Seamonkey versions prior to 2.25

IV. SOLUTION
----------------

Upgrade to Firefox v28, Firefox ESR v24.4, Thunderbird v24.4 and Seamonkey v2.25.

V. CREDIT
--------------

This vulnerability was discovered by VUPEN Security.

VI. ABOUT VUPEN Security
---------------------------

VUPEN is the leading provider of defensive and offensive cyber security intelligence and advanced zero-day research. All VUPEN's vulnerability intelligence results exclusively from its internal and in-house R&D efforts conducted by its team of world-class researchers.

VUPEN Solutions: http://www.vupen.com/english/services/

VII. REFERENCES
----------------------

https://www.mozilla.org/security/announce/2014/mfsa2014-30.html

VIII. DISCLOSURE TIMELINE
-----------------------------

2014-01-19 - Vulnerability Discovered by VUPEN Security
2014-03-12 - Vulnerability Reported to Mozilla/ZDI During Pwn2Own 2014
2014-03-18 - Vulnerability Fixed by Mozilla
2014-03-26 - Public disclosure