Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that XUL <tree> objects could be manipulated such that the setting of certain properties on the object would trigger the removal of the tree from the DOM and cause certain sections of deleted memory to be accessed. An attacker could potentially use this vulnerability to crash a victim's browser and run arbitrary code on their computer.
This is now public: http://www.mozilla.org/security/announce/2010/mfsa2010-55.html
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2010:0682 https://rhn.redhat.com/errata/RHSA-2010-0682.html
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2010:0681 https://rhn.redhat.com/errata/RHSA-2010-0681.html
This issue has been addressed in following products: Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Via RHSA-2010:0680 https://rhn.redhat.com/errata/RHSA-2010-0680.html