December 12, 2005 4:44 PM PST

Mozilla issues Firefox alert

The Mozilla Foundation has issued a security advisory, acknowledging concerns about a potential flaw in its Firefox 1.5 browser.

However, the browser company strenuously denied in its Sunday advisory that the problem would cause any lasting damage to the application. It maintains that the glitch is very easy to fix.

"We have investigated this issue and can find no basis for claims that variants of this denial-of-service attack can cause an exploitable crash," Mozilla said in its advisory.

The issue came to light last Wednesday, when the first exploit code for the potential vulnerability was published.

The problem occurs with extremely long history.dat files. If the history file gets larger than 10.5MB, then the system can appear to freeze. Mozilla said the system is not actually frozen, but it takes time to clear the history buffer. The company said that to cure the problem, users need to clear the History archive.

Mozilla said in a statement that it has "issued a security advisory on a temporary start-up unresponsiveness caused by Web pages in a browser history with extremely long titles. If a user encounters this problem, the slow start can be fixed by clearing the browser history."

The problem has been given a noncritical rating by Mozilla.

Colin Barker of ZDNet UK reported from London.

13 comments

Yawn
Or you could just configure Firefox to delete its history when you close it, along with any other private data you choose to include in its one-click clear up the new version now provides.

Check the settings button under any of the privacy options and you'll see how easy this is to do.

Show me an IE malware hole that is that easy to resolve..
Posted by ajbright (448 comments )
Easy IE malware solution...
...use Firefox. :)
Posted by VI Joker (232 comments )
lol
It's funny how you can take a bug that only affects Firefox and not IE and be able to spin it into an advantage.
Posted by nrlz (97 comments )
Deploy A Patch!
Don't start falling behind like Microsoft and their "single" patch release cycle per month. If this issue is so easy to correct and is not a huge deal... why don't you just deploy it across the network so that the Auto Update Mechanism in Firefox 1.5 is triggered to automatically apply the update?

Waiting for another serious issue just to deploy the fix is plain dumb, IMO.
Posted by Dustyn (26 comments )
Why Clear Or Set History To "0 Days?"
History is a part of every browser and maintains site usage tracks you have frequently visited. Some people find this feature handy.
Posted by Dustyn (26 comments )
Bad article
"acknowledging concerns about a potential flaw in its Firefox 1.5 browser that could cause a buffer overflow error."

Factually incorrect, Mr. Colin Barker.

Here is what Mozilla has said:

We have investigated this issue and can find no basis for claims that variants of this denial-of-service attack can cause an exploitable crash, and no evidence for this claim has been offered. There does not appear to be any risk to users or their computers beyond the temporary unresponsiveness at startup.

http://www.mozilla.org/security/history-title.html
Posted by pmsyyz (1 comment )
Correct
It's good to see that somebody caught this!
Posted by ddesy (3181 comments )
IE7 will release with how many holes in it?
One minor problem with FF1.5 upon release! How many do you think IE7 will have? And how many months to get IE7's holes fixed vs days or hours to fix FF holes? Biggest "headache" with new FF release is the extensions not always being compatible.
Posted by John.Q.Public (6 comments )
Less than FF 1
Don't forget that this is a minor version release (1.5). FF1 came with over a dozen holes in it.
Posted by FutureGuy (739 comments )
Thank God..
..it's a bug not a flaw. That makes me feel so much better ;)
Posted by FutureGuy (739 comments )
What's the difference?
Between a bug, and a flaw? Gee, Windows has a ton of fla...I mean bugs in it.
Posted by SystemsJunky (396 comments )
erasing history NO solution
The history is very convenient, sometimes much more so than bookmarks. Oft visited sites require two or three characters entered in location to expand and browse. The REAL SOLUTION would be to release history.dat management software to prune lesser used URLs, and retain the oft visited sites! How many years have we gone without a history management option? How many thousands of users pine for this feature? Zeroing the file is like nailing a trembling hand to the kitchen table. It appears to stop the tremors but...
Posted by Mork2006 (1 comment )