Firefox onreadystatechange Use-after-free Vulnerability

August 9, 2013

Mozilla Firefox is a web browser developed by the Mozilla Foundation. Firefox is capable of rendering multiple types of content such as HTML, XML, XUL, JavaScript, and popular media formats among others. Firefox is distributed for all major platforms such as Windows, Apple, and Linux.

The Document Object Model (DOM) is a cross-platform and language-independent convention for representing and interacting with objects in HTML, XHTML and XML documents. Objects in the DOM tree may be addressed and manipulated by using methods on the objects. The public interface of a DOM is specified in its application programming interface (API). Firefox uses DOM as the main structure to interpret and render related documents. JavaScript can be used within Firefox to access and modify a web page's underlying DOM.

Firefox supports various DOM events, which may occur when changes to the structure or contents of the document are made or when user actions are detected. Some of the events supported by the browser are character input and clipboard events; load, unload and state events; form events; mouse events and scrolling; move and drag events; resize events; activation and focus events; and selection events.

A use-after-free vulnerability exists in Mozilla Firefox. Versions of Mozilla Firefox before 22.0 do not properly handle onreadystatechange events in conjunction with page reloading, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted web site that triggers an attempt to execute data at an unmapped memory location.
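A triage check for the affected range stated above, as an added example that is not part of the original advisory: it scans combined-format access log lines and reports clients whose User-Agent announces Firefox before 22.0. The log format, function names and sample lines are assumptions constructed for illustration; the User-Agent is client-supplied, so a hit is a lead for patching rather than proof.

```python
import re

FIXED_VERSION = (22, 0)  # from the advisory: Firefox before 22.0 is affected

# Assumption: combined log format, where the last quoted field is the User-Agent.
_LOG_LINE = re.compile(r'^(?P<client>\S+) .* "(?P<ua>[^"]*)"\s*$')
_FIREFOX_TOKEN = re.compile(r"\bFirefox/(\d+)\.(\d+)")


def firefox_version(user_agent):
    """Return (major, minor) from a Firefox User-Agent, or None if absent."""
    m = _FIREFOX_TOKEN.search(user_agent)
    return (int(m.group(1)), int(m.group(2))) if m else None


def affected_clients(log_lines):
    """Map client address -> lowest Firefox version seen below FIXED_VERSION."""
    hits = {}
    for line in log_lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue  # not in the assumed format
        version = firefox_version(m.group("ua"))
        if version is None or version >= FIXED_VERSION:
            continue  # not Firefox, or at/after the fixed release
        client = m.group("client")
        hits[client] = min(version, hits.get(client, version))
    return hits


# Constructed sample log lines (not real traffic).
_REQ = ' - - [09/Aug/2013:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" '
SAMPLE_LOG = [
    '10.0.0.5' + _REQ + '"Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0"',
    '10.0.0.6' + _REQ + '"Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0"',
    '10.0.0.7' + _REQ + '"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36"',
    '10.0.0.5' + _REQ + '"Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"',
    '10.0.0.8' + _REQ + '"Mozilla/5.0 (X11; Linux i686; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28"',
]

if __name__ == "__main__":
    for client, version in sorted(affected_clients(SAMPLE_LOG).items()):
        print(client, "Firefox %d.%d" % version)
```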

The Dell SonicWALL Threat team has researched this vulnerability and released the following IPS signatures to address the issue:

  • 4169 Mozilla Firefox onreadystatechange use after free Attack
  • 6207 HTTP Client Shellcode Exploit 42a

This vulnerability is referred to by CVE as CVE-2013-1690.