Mozilla Foundation Security Advisory 2005-50
Title: Possibly exploitable crash in InstallVersion.compareTo
Severity: High
Reporter: shutdown
Products: Firefox, Mozilla Suite
Fixed in: Firefox 1.0.5
Mozilla Suite 1.7.9
Description
When InstallVersion.compareTo() was passed an object rather than a string,
it assumed the object was another InstallVersion without verifying it.
When passed a different kind of object, the browser would generally
crash with an access violation.
shutdown has demonstrated that, on some OS versions, different JavaScript
objects can be passed to get control over the instruction pointer.
We assume this could be developed further to run arbitrary machine code
if the attacker can get exploit code loaded at a predictable address.
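The shape of the bug and of its fix, as an added illustration rather than Mozilla's XPInstall code (the struct layouts, type-tag values, function names and sample objects below are all assumptions): a native compareTo that downcasts its argument without checking the object's type, beside one that checks the tag first.

```c
#include <stddef.h>
#include <stdio.h>

/* Object kinds the toy engine knows about. Tag values are assumptions. */
typedef enum { TYPE_INSTALL_VERSION = 1, TYPE_BYTE_ARRAY = 2 } obj_type;

/* Common header every engine object starts with. */
typedef struct { obj_type type; } obj_header;

/* Simplified InstallVersion: four numeric components. */
typedef struct {
    obj_header hdr;
    int major, minor, release, build;
} install_version;

/* Some other object kind whose layout after the header is unrelated. */
typedef struct {
    obj_header hdr;
    size_t length;
    const unsigned char *data;
} byte_array;

/* Sentinel for "argument was not an InstallVersion"; a real engine would
 * surface this as a JavaScript exception instead of a return code. */
#define CMP_TYPE_ERROR (-2)

static int cmp3(int a, int b) { return (a > b) - (a < b); }

static int compare_fields(const install_version *a, const install_version *b) {
    int r;
    if ((r = cmp3(a->major, b->major)) != 0) return r;
    if ((r = cmp3(a->minor, b->minor)) != 0) return r;
    if ((r = cmp3(a->release, b->release)) != 0) return r;
    return cmp3(a->build, b->build);
}

/* Vulnerable shape: assumes 'other' is an install_version and downcasts blindly.
 * Handed a byte_array it reads the length and data-pointer bytes as version
 * numbers. In this toy that only yields a meaningless answer; in a real engine
 * the misread field can be a pointer that is then dereferenced or called, which
 * is the access violation, and with a chosen object the instruction-pointer
 * control, that the advisory describes. */
int compare_to_unchecked(const install_version *self, const obj_header *other) {
    return compare_fields(self, (const install_version *)other);
}

/* Fixed shape: verify the type tag before the downcast. */
int compare_to_checked(const install_version *self, const obj_header *other) {
    if (other == NULL || other->type != TYPE_INSTALL_VERSION)
        return CMP_TYPE_ERROR;
    return compare_fields(self, (const install_version *)other);
}

/* Constructed sample objects (not taken from the advisory). */
static const install_version ver_1_0_5 = { { TYPE_INSTALL_VERSION }, 1, 0, 5, 0 };
static const install_version ver_1_0_4 = { { TYPE_INSTALL_VERSION }, 1, 0, 4, 0 };
static const unsigned char sample_bytes[] = { 0x41, 0x42, 0x43, 0x44 };
static const byte_array sample_array = { { TYPE_BYTE_ARRAY }, sizeof sample_bytes, sample_bytes };

int main(void) {
    printf("checked   1.0.5 vs 1.0.4 -> %d\n",
           compare_to_checked(&ver_1_0_5, &ver_1_0_4.hdr));
    printf("checked   1.0.5 vs array -> %d (type error)\n",
           compare_to_checked(&ver_1_0_5, &sample_array.hdr));
    /* The unchecked path survives here only because the toy compares the
     * misread bytes as integers and never dereferences them; the value
     * printed is garbage, not a version comparison. */
    printf("unchecked 1.0.5 vs array -> %d (garbage)\n",
           compare_to_unchecked(&ver_1_0_5, &sample_array.hdr));
    return 0;
}
```

The checked variant is the whole fix: a type test on the incoming object before any field of it is touched, with a type error returned to script instead of a downcast. The unchecked variant is kept only to show where the assumption lives; it should never be reachable from untrusted script.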
Workaround
Disable JavaScript.
References
https://bugzilla.mozilla.org/show_bug.cgi?id=