CVE-2009-0071 in Firefox
Summary
by MITRE
Mozilla Firefox 3.0.5 and earlier 3.0.x versions, when designMode is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a certain (a) replaceChild or (b) removeChild call, followed by a (1) queryCommandValue, (2) queryCommandState, or (3) queryCommandIndeterm call. NOTE: it was later reported that 3.0.6 and 3.0.7 are also affected.
Analysis
by VulDB Data Team • 05/22/2025
This vulnerability resides in Mozilla Firefox's handling of DOM manipulation within designMode contexts and affects versions 3.0.5 and earlier in the 3.0.x release series. The flaw manifests when the browser's contentEditable feature is active: malicious web content can trigger a NULL pointer dereference through improper handling of DOM node replacement and removal. Specifically, the vulnerability exploits the interaction between the replaceChild and removeChild DOM methods and the queryCommandValue, queryCommandState, and queryCommandIndeterm calls that rich text editors typically use to execute editing commands.
Technically, the flaw stems from insufficient input validation and memory management in Firefox's rendering engine, particularly in how it processes DOM tree modifications during an active designMode session. When a page performs a replaceChild or removeChild operation and then issues one of the queryCommand calls, the browser's internal structures fail to handle the NULL references that arise, and the browser process crashes on the NULL pointer dereference, which amounts to a denial of service against the victim's system. The browser is thus unable to maintain a stable execution context while processing such malformed DOM operations, particularly in rich text editing scenarios where contentEditable is enabled.
The operational impact of this vulnerability extends beyond simple denial of service, as it can be exploited in various attack scenarios including drive-by downloads, malicious web page construction, and cross-site scripting attempts. Attackers can craft web pages that automatically trigger these conditions when loaded in Firefox, causing the browser to crash and potentially leading to system instability or forced browser restarts. The vulnerability's exploitation requires no special privileges from the attacker and can be delivered through standard web browsing activities, making it particularly dangerous in enterprise environments where users may inadvertently encounter malicious content. This type of vulnerability is categorized under CWE-476 as NULL Pointer Dereference, which represents a common weakness in software design where programs fail to check for NULL values before dereferencing pointers.
Mitigation strategies for this vulnerability involve immediate patching of affected Firefox versions, with the recommended approach being the upgrade to Firefox 3.0.8 or later versions that contain the necessary code fixes. Organizations should implement browser security policies that enforce automatic updates and maintain strict control over browser versions in enterprise environments. Additionally, network administrators can deploy web filtering solutions that block access to known malicious domains and implement content security policies that restrict the execution of potentially dangerous DOM operations. The ATT&CK framework categorizes this vulnerability under T1211 as "Exploitation for Defense Evasion" and T1499 as "Endpoint Denial of Service," highlighting its potential for both service disruption and broader exploitation attempts. Security teams should also consider implementing browser sandboxing mechanisms and monitoring for unusual browser crash patterns that might indicate exploitation attempts.
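The mitigation paragraph above recommends strict control over Firefox versions in the enterprise and watching for clients that still run affected builds. As an added example (not VulDB's or Mozilla's code), the following Python script scans access-log lines, extracts the Firefox product token from the User-Agent string, and flags clients on 3.0.0 through 3.0.7, the range the page marks as affected, with 3.0.8 as the first fixed build. The log lines, IP addresses and user-agent strings are constructed samples; the regular expressions and function names are the example's own.

```python
"""Flag HTTP clients still running Firefox 3.0.x builds affected by CVE-2009-0071.

Added example, not VulDB's or Mozilla's code. The affected range follows the
page: every 3.0.x build up to and including 3.0.7; 3.0.8 carries the fix.
All log lines below are constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

# Firefox product token in a User-Agent string, e.g. "Firefox/3.0.5" or "Firefox/3.5"
UA_VERSION_RE = re.compile(r"Firefox/(\d+)\.(\d+)(?:\.(\d+))?")

# First build on the 3.0 branch that is not affected (page: upgrade to 3.0.8 or later)
FIXED_VERSION = (3, 0, 8)


def parse_firefox_version(user_agent: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a Firefox UA string, or None if it is not Firefox."""
    m = UA_VERSION_RE.search(user_agent)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True for 3.0.0 through 3.0.7; other branches are outside the CVE's scope."""
    major, minor, _ = version
    return (major, minor) == (3, 0) and version < FIXED_VERSION


# Constructed sample in Common Log Format with a trailing quoted User-Agent.
SAMPLE_LOG = """\
10.0.0.11 - - [12/Mar/2009:10:01:02 +0000] "GET /editor HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Gecko Firefox/3.0.5"
10.0.0.12 - - [12/Mar/2009:10:01:05 +0000] "GET /editor HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) Gecko Firefox/3.0.7"
10.0.0.13 - - [12/Mar/2009:10:02:11 +0000] "GET /editor HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US) Gecko Firefox/3.0.8"
10.0.0.14 - - [12/Mar/2009:10:03:40 +0000] "GET /editor HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.0.0.15 - - [12/Mar/2009:10:04:00 +0000] "GET /editor HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) Gecko Firefox/3.5"
"""

# Client IP is the first field; the User-Agent is the last double-quoted field on the line.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*? "(?P<ua>[^"]*)"$')


def find_affected_clients(log_text: str) -> List[Tuple[str, str]]:
    """Return [(ip, version)] for every request made from an affected Firefox build."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-CLF line, skip rather than guess
        version = parse_firefox_version(m.group("ua"))
        if version and is_affected(version):
            hits.append((m.group("ip"), ".".join(map(str, version))))
    return hits


if __name__ == "__main__":
    for ip, ver in find_affected_clients(SAMPLE_LOG):
        print(f"{ip} runs Firefox {ver}: affected by CVE-2009-0071, upgrade to 3.0.8 or later")
```

Only the `Firefox/` product token is inspected, so the script says nothing about other Gecko-based browsers, and a client that spoofs its User-Agent will be missed; the intended use is a quick inventory sweep of proxy or web-server logs to find machines that automatic updates have not reached.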