Version: 2008

Comments on: Unpatched Firefox flaw may expose users

The problem lies in the way the browser handles Web links that are overly long and contain dashes, a researcher says.

(48 Comments)
Mozilla Firefox ''Host:'' Buffer Overflow DOESN'T WORK
by September 9, 2005 5:59 AM PDT
Well I just tested the proof of concept vulnerability on my rig and it did nothing. Didn't do anything unusual in fact... Strange....
It crashed my Firefox
by JorisEvers September 9, 2005 7:49 AM PDT
I am running Windows XP Pro and Firefox 1.0.6. Going to Ferris' proof of concept page crashes my browser and gives an error message:
http://www.security-protocols.com/firefox-death.html
Drat!
by Sboston September 9, 2005 8:17 AM PDT
I had to do it twice before it crashed FF. Mozilla will fix it soon I'm sure, but that just goes to prove what I've always said. There are no bug-proof programs.
no crash. directed to google search page.
by September 9, 2005 10:17 AM PDT
i'm running firefox 1.0.6 on linux. i copy the proof of concept into this html file:

<html>
crash
</html>

when i click on the crash link, it directs me to the google "web" search page. the address bar is: "keyword:---------------------------------------------" and the google text field (where you enter your search terms) is: "---------------------------------------------". below that is: "The 'I'm Feeling Lucky™' button automatically takes you to the first web page returned for your query.

An 'I'm Feeling Lucky' search means less time searching for web pages and more time looking at them."

no crashes. did i do something wrong in creating the html file?
Doesn't crash here
by SmokieUK September 9, 2005 1:00 PM PDT
I've loaded the page multiple times and nothing happens. Just a white page with "Done" in the Status Bar.
No joy here either
by September 9, 2005 3:15 PM PDT
I also just get google page with a lot of dashes in the search bar and no results, FireFox 1.06 on XP SP2 here as well.
wait for it,,,
by Scott W September 9, 2005 7:51 AM PDT
it won't be long, the flood of IE junkies will be here any minute. just as soon as they finish school :p
oops
by Scott W September 9, 2005 7:52 AM PDT
commas instead of ...'s
man i'm dumb...
The only thing worse...
by David Arbogast September 9, 2005 10:15 AM PDT
The only thing worse than unfounded knee-jerk reactions to security threats are people who pre-empt the reactions with insults. Way to go. FireFox has a flaw. A big one. Just like every other web browser. Open-source is hardly proving to be secure. Suggesting that it is somehow "more" secure is flawed logic. It matters little how many security problems a software package has, when a hacker only needs to exploit one flaw.
What OS are affected?
by September 9, 2005 8:31 AM PDT
I wish that these "security experts" would be a little more informative. Does PC mean Windows PC, Intel machines, all personal computers? Does that exclude servers that may be running an X-Windows Firefox client?
true
by Scott W September 9, 2005 8:59 AM PDT
the page causes the fox to crash in linux, however, it's debatable whether code could be run in linux...
RE
by unknown unknown September 9, 2005 10:38 AM PDT
Firefox is cross-platform so theoretically it affects any OS that can run Firefox. That said, the code to be executed by exploiting this flaw would have to be written for the intended system.
Sign petition to back out patch for Firefox Bug# 303806
by September 9, 2005 9:21 AM PDT
If you don't agree with the changes to the Winstripe theme please comment in http://forums.mozillazine.org/viewtopic.php?t=315361&postdays=0&postorder=asc&postsperpage=15&start=0 and sign the petition to back out the bug that brought us the excessive padding and the hideous flat look on classic systems http://www.petitiononline.com/fx303806/petition.html
Reply
by unknown unknown September 9, 2005 11:18 AM PDT
Firefox is very customizable. Its UI is created through the use of an XML-based UI markup language called XUL and JavaScript. One could easily extract the contents of the jar files (which are just zip files with a different extension) located in the chrome folder which is under the folder one installed Firefox to.

One of the great things about open source software is if you don't like something you can change it.

In short, if you want something done right (at least according to your point of view) do it yourself. Mozilla's website has tutorials on XUL and JavaScript.
Well, it blew mine up...
by reechwuzhere September 9, 2005 12:21 PM PDT
Windows XP SP2 and FireFox 1.0.6

It crashed so fast that it made me laugh
Fix / workaround from Mozilla
by J. Warren September 9, 2005 10:03 PM PDT
See:

- https://addons.mozilla.org/messages/307259.html
"On September 9, the Mozilla team released a configuration change which, as a temporary measure to work around this problem, disables IDN in the browser..."
Microsoft must have a hand in it!
by September 10, 2005 4:38 AM PDT
Another FireFox security issue. Not that it's not a great browser, I just get tired of people ripping on Microsoft for its problems when many are attributed to it simply being the most used software. Now that FireFox is becoming more popular, we're finding that it has its holes as well. All software has its problems. Give Microsoft a break!