Race condition while accessing the private data of a NPObject JS wrapper class object — Mozilla

Jakob Balle and Carsten Eiram of Secunia Research reported a race condition in NPObjWrapper_NewResolve when accessing the properties of a NPObject, a wrapped JSObject. Balle and Eiram demonstrated that this condition could be reached by navigating away from a web page during the loading of a Java applet. Under such conditions the Java object would be destroyed but later called into resulting in a free memory read. It might be possible for an attacker to write to the freed memory before it is reused and run arbitrary code on the victim’s computer.