1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Mozilla Firefox WOFF Heap Corruption Vulnerability

Report ID: SA201006425
Source: F-Secure
Date of Discovery: 23.03.2010
Criticality: Critical
Firefox 3.6
Note: Support for the WOFF downloadable font format is new in Firefox 3.6. This vulnerability does not affect earlier versions of Firefox

Compromise From: From remote
Compromise Type: DoS
Remote code execution


A WOFF heap corruption vulnerability in Mozilla Firefox 3.6 could allow an attacker to execute arbitrary code on an affected system.

Detailed Description

Mozilla Firefox reported a vulnerability that presents during font decompression routine in the WOFF decoder. A memory buffer could be allocated to store a downloadable font, and an attacker could use this vulnerability to cause application crash and execute arbitrary code.


Update to Firefox 3.6.2 or later versions

Original Reference

Mozilla Foundation Security Advisory 2010-08 (http://www.mozilla.org/security/announce/2010/mfsa2010-08.html)

CVE Reference