CVE-2010-3765 is a remote code execution vulnerability in Mozilla products (Firefox / SeaMonkey / Thunderbird) caused by a heap buffer overflow when mixing document.write and DOM insertion; it was actively exploited in October–November 2010.

Affected:

• Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11 — fixed in Firefox 3.5.15 and 3.6.12.
• SeaMonkey fixed in 2.0.10.
• Thunderbird fixed in 3.0.10 and 3.1.6. (Any installs still running the pre-fixed releases are vulnerable.)

https://isc.sans.edu/diary/28132

Remote, client-side: malicious JavaScript on a webpage (or web-like content in RSS/add-ons where JS is enabled) leverages incorrect index tracking in nsCSSFrameConstructor::ContentAppended plus appendChild/document.write interactions to trigger heap corruption, then downloads and executes payloads (Belmoo / Backdoor in observed incidents). Exploits were delivered via malicious pages and exploit kits in the wild.

This allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended. This then triggers memory corruption, as exploited in the wild in October 2010.

CERTVU recommend:

• Patch immediately – Upgrade to the fixed product releases for affected products.
• If for some reason the endpoint(s) cannot be updated, disable JavaScript for untrusted content, block untrusted sites via proxy/URL Filtering, and restrict RSS/add-ons that execute web content.
• Harden endpoint by keeping AV/EDR signatures up to date.