Mozilla developer Blake Kaplan reported that setTimeout, when called with certain object parameters which should be protected with a XPCNativeWrapper, will fail to keep the object wrapped when compiling the new function to be executed. If chrome privileged code were to call setTimeout using this as an argument, the this object will lose its wrapper and could be unsafely accessed by chrome code. An attacker could use such vulnerable code to run arbitrary JavaScript with chrome privileges.
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Via RHSA-2009:1162 https://rhn.redhat.com/errata/RHSA-2009-1162.html
MITRE's CVE-2009-2471 entry: The setTimeout function in Mozilla Firefox before 3.0.12 does not properly preserve object wrapping, which allows remote attackers to execute arbitrary JavaScript with chrome privileges via a crafted call, related to XPCNativeWrapper. References: ---------- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2471 http://www.mozilla.org/security/announce/2009/mfsa2009-39.html https://bugzilla.mozilla.org/show_bug.cgi?id=460882 http://www.securityfocus.com/bid/35758 http://secunia.com/advisories/35914 http://secunia.com/advisories/35944 http://www.vupen.com/english/advisories/2009/1972
devhelp-0.22-10.fc10, blam-1.8.5-12.fc10, gecko-sharp2-0.13-10.fc10, galeon-2.0.7-12.fc10, gnome-python2-extras-2.19.1-32.fc10, evolution-rss-0.1.2-8.fc10, gnome-web-photo-0.3-20.fc10, mozvoikko-0.9.5-12.fc10, google-gadgets-0.10.5-8.fc10, kazehakase-0.5.6-4.fc10.4, mugshot-1.2.2-11.fc10, yelp-2.24.0-11.fc10, ruby-gnome2-0.19.0-3.fc10.1, Miro-2.0.5-2.fc10, epiphany-2.24.3-8.fc10, pcmanx-gtk2-0.3.8-11.fc10, xulrunner-1.9.0.12-1.fc10, firefox-3.0.12-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.