Exploit code for the latest version of open-source browser Firefox was published Wednesday, potentially putting users at risk of a denial-of-service attack.
The exploit code takes advantage of a bug in the recently released Firefox 1.5, running on Windows XP with Service Pack 2. Firefox, which initially debuted over a year ago, has moved swiftly to capture 8 percent of the browser market.
"If the topic of a page is crafted to be long enough, it will crash the browser each time it is started after going to such a page," according to the Internet Storm Center posting. "Once this happens, Firefox will be unable to be started until you erase the history.dat file manually."
In testing Firefox 1.5 without a system running McAfee security software, the Firefox 1.5 browser would stall and not respond to a user's mouse, said Johannes Ullrich, chief research officer for the Sans Institute, which runs the Internet Storm Center.
"Users have to kill out of the browser and start over again. This stalled browser creates a DOS (denial of service) condition," Ullrich said.
The author of the proof-of-concept exploit code, initially published by nonprofit group Packet Storm, claimed the glitch is a buffer overflow that could lead to a denial-of-service attack and may even be used for a malicious execution of code. Packet Storm itself said a possible denial-of-service condition exists.
Ullrich, however, said while the potential may exist, it has not been proven either way that malicious code could be executed.
The Mozilla Foundation, which released Firefox, said it was not able to confirm the browser would crash or be at risk of a DOS attack, after visiting certain Web sites. And Mozilla has not received any reports from users of such a problem, said Mike Schroepfer, vice president of engineering for Mozilla Corp.
He added that Firefox 1.5 can be slugglish on its next start-up, due to a bug in the history.dat, but it is not a security problem.
"We have gotten no independent verification that it crashes (Firefox), but there have been a lot of attempts to try," Schroepfer said.
Correction: This story incorrectly stated the affiliation of Mike Schroepfer. It also misstated Mozilla's results in verifying the Firefox 1.5 flaw. The problem itself was not a security vulnerability but actually a flaw in the browser, according to Mozilla. In addition, it misstated PacketStorm's assessment of the situation.
Someone correct me if I am wrong here, but I would have to visit a site that performs the exploit in order for this to actually affect me. So if I don't visit sites I'm not familiar with then I shouldn't be affected (assuming the site wasn't hacked).
However, Mozilla needs to get a fix out for it ASAP. A flaw is a flaw no matter how hard or easy it is to exploit.
Not only do you have to visit a site, but the proof of concept requires you to click a link (not that that would necessarily be required on the site you visit).
You're correct. Most browser bugs in general require you to go to a site that intentionally exploits the hole, whether it be Firefox, IE, Opera, etc...
After using v1.5 for 2 days I had to revert back to v1.0.7. Problems I ran into included broken images on pages (which refresh did not fix), cookies that didn't stick, and jumpy scrolling. My impression is that this is NOT a very good release of the product.
Hard to know if it was just back luck, or whether you go to some "out of the way" sites... but I use Firefox 1.5 for browsing on mainstream sites (such as this one, news.com) and have never had those kinds of problems. Not that I haven't had other problems (such as pages appearing to never finish rendering, or the URL text being out of sync with the current tab) but in general I found 1.5 to be much faster and stable that 1.07.
Because I do as well -- although most open-source advocates would argue with you and I on this point. "It's not a product, a product is something you buy or pay for. This is free, as in free beer. You should write a patch and submit it."
Exploit seems to work on only a very limited number of systems
I don't know who tested this exploit, but it seems like the majority of users is not affected... The majority of posts about this on Heise.de is about the exploit not working, and I couldn't get it to work on Firefox 1.5 / XPSP1 either... seems like a publicity stunt to me.
False bug reported or a bug that is hard to exploit
I haven't noticed anything like this yet. I downloaded the 1.5 release the day it was released. I don't visit any sites I'm not familiar with. If the Mozilla team can duplicate this problem then that's another story. It seems most people can't even get this exploit to work. At least it's not a security flaw!
Denial of service is one of the categories of a security threat, so this IS a security flaw. Denial of service vulnerabilities are generally considered less serious than information disclosure and remote code execution, but they are still serious vulnerabilities. And the fact that the publisher hasn't acknowledged it or that you haven't been attacked yet doesn't mean it's not real.
I did not even know about this flaw and I upgraded the same week it came out. The thing is though I never use my history so I always set it to erase after 1 day and use firefox's new feature to clean out my history, saved form info, download history, cookies, cache, and authincated sessions. Thats everything except my saved passowrds. I also have zone alram that earses all my tracks and another program that erases all history on my comp and get rid of excess junk on the hd. Anyways if this is a flaw it's not bothering me at all I am happy with my firefox browser and I think they are doing a great job!
As long as there is technology (and this will now be forever) there will be new products, new flaws to go with them, virus writers, testers, analyst, patchers, open source, and whatever else you can think of. This is the computer world. I love it, you love it (or you would not be on one) and the whole world loves it. Information is key to being safe. Knowledge about your systems, and knowing what you are doing with it is what is going to keep you up and running.
Finding out about flaws and vunerability, may be somewhat scary, but researching, asking the support teams questions, putting the info you know out here so we all can stay ahead of the game, is the computer world.
If I find news on here say, I will visit many sites to find what I need to understand what to do.
Sure, they posted a correction, but the headlines remains, trumpeting a simple bug as a deadly security flaw. If crashing is a symptom of a security breach, then Microsoft, and most other software makers, should be in court on charges or something.
What a load of utter crap, written by someone without a clue. I want to know who is paying CNet to publish **** like this?
News.com keeps this up, they're going to lose any sort of respect they might have had.
Web giant is spending $120 million to beef up its Mountain View, Calif., headquarters, according to filings with the city reviewed by the San Jose Mercury News.
The Samsung Galaxy mini 2 S6500 could make its debut at the Mobile World Congress in Barcelona later this month, according to a leaked promotional image.
Tor's "obfsproxy" technology would make encrypted data look innocuous and let it dodge government censors. That could help citizens in Iran reach blocked sites as antigovernment protests reportedly loom.
MIT creates a simulation to celebrate the 50th anniversary of Spacewar. A relic of the early days of minicomputers, it was one of the first computer video games and set the stage for many others, including Asteroids.
However, Mozilla needs to get a fix out for it ASAP. A flaw is a flaw no matter how hard or easy it is to exploit.
*yawn* Same old rhetoric...
Finding out about flaws and vunerability, may be somewhat scary, but researching, asking the support teams questions, putting the info you know out here so we all can stay ahead of the game, is the computer world.
If I find news on here say, I will visit many sites to find what I need to understand what to do.
Stay safe all
This is pitiful journalism!!!
What a load of utter crap, written by someone without a clue. I want to know who is paying CNet to publish **** like this?
News.com keeps this up, they're going to lose any sort of respect they might have had.
Oh, wait, they already have. As you were then.