Unpatched Firefox flaw may expose users

A new, unpatched flaw that affects all versions of Firefox could let attackers surreptitiously run malicious code on users' PCs, a security researcher has warned.

The problem lies in the way Firefox handles Web links that are overly long and contain dashes, security researcher Tom Ferris said in an interview via instant messaging late Thursday.

He posted an advisory and a proof of concept to the Full Disclosure security mailing list and to his Security Protocols Web site.

The security vulnerability is a buffer overflow flaw that "allows for an attacker to remotely execute arbitrary code" on a vulnerable PC, Ferris said. An attacker could host a Web site containing the malicious code to exploit the flaw, he said. Though his proof of concept only crashes Firefox, Ferris claims he has been able to tweak it to run code.

Buffer overflows are a commonly exploited security problem. They occur when a program allows data to be written beyond the allocated end of a buffer in memory. A computer can be made to execute potentially malicious code by feeding in extra data that is designed to flood the buffer.

Ferris reported the bug to the Mozilla Foundation on Sunday, intending to go through the organization's bug-reporting process, he said. However, in an example of the uneasy alliance between security researchers and software makers, he decided to publicly disclose the flaw after a run-in with Mozilla staff, he said.

Mozilla, which coordinates the development of Firefox and distributes the software, on Friday confirmed the bug but said the scope of the flaw is still under investigation. The organization said it received the bug report on Tuesday, not Sunday.

"We believe there is a buffer overflow issue," said Mike Schroepfer, director of engineering at Mozilla. "We are still determining whether it is exploitable in an attack."

Users are currently not at risk because there are no known attacks that take advantage of the flaw, Schroepfer said. Mozilla is working on a fix that will be released with an upcoming version of Firefox, he said.

Mozilla is unhappy with the disclosure of the flaw. "We'd like to make sure that by the time something goes public, we have a solution for the users," Schroepfer said.

Since the debut of Firefox 1.0 in November, usage of the open-source browser has grown. Security has been a main selling point for Firefox over Microsoft's Internet Explorer, which has begun to see its market share dip slightly--for the first time in years.

However, Firefox has had its own security woes. Several serious holes in the browser have been plugged since its official release, and experts have said that safe Web browsers don't exist.

The public bug disclosure comes just as Mozilla released the first beta of Firefox 1.5. The final release of the next Firefox update, which includes security enhancements, is due by year's end, according to the Firefox road map.

Ferris has found bugs in Microsoft software before, including a yet-unpatched flaw in Internet Explorer that Microsoft still has under investigation.

Earlier this month Microsoft credited Ferris with reporting a bug in a Windows feature called Remote Desktop Protocol that could allow an attacker to remotely restart Windows systems.

Mozilla Firefox ''Host:'' Buffer Overflow DOESN'T WORK

Well I just tested the proof of concept vulnerability on my rig and it did nothing. Didn't do anything unusual infact... Strange....

[JorisEvers]

It crashed my Firefox

I am running Windows XP Pro and Firefox 1.0.6. Going to Ferris' proof of concept page crashes my browser and gives an error message:
<a class="jive-link-external" href="http://www.security-protocols.com/firefox-death.html" target="_newWindow">http://www.security-protocols.com/firefox-death.html</a>

[Sboston]

Drat!

I had to do it twice before it crashed FF. Mozilla will fix it soon I'm sure, but that just goes to prove what I've always said. There are no bug proof programs.

[justletmepost]

no crash. directed to google search page.

i'm running firefox 1.0.6 on linux. i copy the proof of concept into this html file:

&lt;html&gt;
<A HREF="#">crash</a>
&lt;/html&gt;

when i click on the crash link, it directs me to the google "web" search page. the address bar is: "keyword:---------------------------------------------" and the google text field (where you enter your search terms) is: "---------------------------------------------". below that is: "The 'I'm Feeling LuckyTM' button automatically takes you to the first web page returned for your query.

An 'I'm Feeling Lucky' search means less time searching for web pages and more time looking at them."

no crashes. did i do something wrong in creating the html file?

[SmokieUK]

Doesn't crash here

I've loaded the page multiple times and nothing happens. Just a white page with "Done" in the Status Bar.

No joy here either

I also just get google page with a lot of dashes in the search bar and no results, FireFox 1.06 on XP SP2 here as well.

Mozilla Firefox ''Host:'' Buffer Overflow DOESN'T WORK

Well I just tested the proof of concept vulnerability on my rig and it did nothing. Didn't do anything unusual infact... Strange....

[JorisEvers]

It crashed my Firefox

I am running Windows XP Pro and Firefox 1.0.6. Going to Ferris' proof of concept page crashes my browser and gives an error message:
<a class="jive-link-external" href="http://www.security-protocols.com/firefox-death.html" target="_newWindow">http://www.security-protocols.com/firefox-death.html</a>

[Sboston]

Drat!

I had to do it twice before it crashed FF. Mozilla will fix it soon I'm sure, but that just goes to prove what I've always said. There are no bug proof programs.

[justletmepost]

no crash. directed to google search page.

i'm running firefox 1.0.6 on linux. i copy the proof of concept into this html file:

&lt;html&gt;
<A HREF="#">crash</a>
&lt;/html&gt;

when i click on the crash link, it directs me to the google "web" search page. the address bar is: "keyword:---------------------------------------------" and the google text field (where you enter your search terms) is: "---------------------------------------------". below that is: "The 'I'm Feeling LuckyTM' button automatically takes you to the first web page returned for your query.

An 'I'm Feeling Lucky' search means less time searching for web pages and more time looking at them."

no crashes. did i do something wrong in creating the html file?

[SmokieUK]

Doesn't crash here

I've loaded the page multiple times and nothing happens. Just a white page with "Done" in the Status Bar.

No joy here either

I also just get google page with a lot of dashes in the search bar and no results, FireFox 1.06 on XP SP2 here as well.

[Scott W]

wait for it,,,

it won't be long, the flood of IE junkies will be here any minute. just as soon as they finish school :p

[Scott W]

oops

commas instead of ...'s
man i'm dumb...

[David Arbogast]

The only thing worse...

The only thing worse than unfounded knee-jerk reactions to security threats are people who pre-empt the reactions with insults. Way to go. FireFox has a flaw. A big one. Just like every other web browser. Open-source is hardly proving to be secure. Suggestng that it is somehow "more" secure is flawed logic. It matters little how many security problems a software package has, when a hacker only needs to exploit one flaw.

[Scott W]

wait for it,,,

it won't be long, the flood of IE junkies will be here any minute. just as soon as they finish school :p

[Scott W]

oops

commas instead of ...'s
man i'm dumb...

[David Arbogast]

The only thing worse...

The only thing worse than unfounded knee-jerk reactions to security threats are people who pre-empt the reactions with insults. Way to go. FireFox has a flaw. A big one. Just like every other web browser. Open-source is hardly proving to be secure. Suggestng that it is somehow "more" secure is flawed logic. It matters little how many security problems a software package has, when a hacker only needs to exploit one flaw.

Was OS are effected?

I wish that these "security experts" would be a little more informitive. Does PC mean Windows PC, Intel machines, all personal computers? Does that exclude servers that man be running a X-Windows Fire fox client?

[Scott W]

true

the page causes the fox to crash in linux, however, it's debatable whether code run could be run in linux...

[unknown unknown]

RE

Firefox is cross-platform so theoretically it effects any OS that can run Firefox. That said the code to be executed by exploiting this flaw would have to be written for the intented system.

Was OS are effected?

I wish that these "security experts" would be a little more informitive. Does PC mean Windows PC, Intel machines, all personal computers? Does that exclude servers that man be running a X-Windows Fire fox client?

[Scott W]

true

the page causes the fox to crash in linux, however, it's debatable whether code run could be run in linux...

[unknown unknown]

RE

Firefox is cross-platform so theoretically it effects any OS that can run Firefox. That said the code to be executed by exploiting this flaw would have to be written for the intented system.

Sign petition to back out patch for Firefox Bug# 303806

If you don't agree with the changes to the Winstripe theme please comment in <a class="jive-link-external" href="http://forums.mozillazine.org/viewtopic.php?t=315361&#38;postdays=0&#38;postorder=asc&#38;postsperpage=15&#38;start=0" target="_newWindow">http://forums.mozillazine.org/viewtopic.php?t=315361&#38;postdays=0&#38;postorder=asc&#38;postsperpage=15&#38;start=0</a> and sign the petition to back out the bug that brought us the excessive padding and the hideous flat look on classic systems <a class="jive-link-external" href="http://www.petitiononline.com/fx303806/petition.html" target="_newWindow">http://www.petitiononline.com/fx303806/petition.html</a>

[unknown unknown]

Reply

Firefox is very customizable. It's UI is created through the use of an XML based UI markup language called XUL and Javascript. One could easily extract the contents of the jar files (which are just zip files with a different extension) located in the chrome folder which is under the folder one installed Firefox to.

One of the great things about open source software is if you don't like something you can change it.

In short, if you want something done right (at least according to your point of view) do it yourself. Mozilla's website has tutorials on XUL and the Javascript.

Sign petition to back out patch for Firefox Bug# 303806

If you don't agree with the changes to the Winstripe theme please comment in <a class="jive-link-external" href="http://forums.mozillazine.org/viewtopic.php?t=315361&#38;postdays=0&#38;postorder=asc&#38;postsperpage=15&#38;start=0" target="_newWindow">http://forums.mozillazine.org/viewtopic.php?t=315361&#38;postdays=0&#38;postorder=asc&#38;postsperpage=15&#38;start=0</a> and sign the petition to back out the bug that brought us the excessive padding and the hideous flat look on classic systems <a class="jive-link-external" href="http://www.petitiononline.com/fx303806/petition.html" target="_newWindow">http://www.petitiononline.com/fx303806/petition.html</a>

[unknown unknown]

Reply

Firefox is very customizable. It's UI is created through the use of an XML based UI markup language called XUL and Javascript. One could easily extract the contents of the jar files (which are just zip files with a different extension) located in the chrome folder which is under the folder one installed Firefox to.

One of the great things about open source software is if you don't like something you can change it.

In short, if you want something done right (at least according to your point of view) do it yourself. Mozilla's website has tutorials on XUL and the Javascript.

[reechwuzhere]

Well, it blew mine up...

Windows XP SP2 and FireFox 1.0.6

It crashed so fast that it made me laugh

[reechwuzhere]

Well, it blew mine up...

Windows XP SP2 and FireFox 1.0.6

It crashed so fast that it made me laugh

[J. Warren]

Fix / workaround from Mozilla

See:

- <a class="jive-link-external" href="https://addons.mozilla.org/messages/307259.html" target="_newWindow">https://addons.mozilla.org/messages/307259.html</a>
"On September 9, the Mozilla team released a configuration change which, as a temporary measure to work around this problem, disables IDN in the browser..."

[J. Warren]

Fix / workaround from Mozilla

See:

- <a class="jive-link-external" href="https://addons.mozilla.org/messages/307259.html" target="_newWindow">https://addons.mozilla.org/messages/307259.html</a>
"On September 9, the Mozilla team released a configuration change which, as a temporary measure to work around this problem, disables IDN in the browser..."

[wjsp]

Microsoft must have a hand in it!

Another FireFox security issue. Not that it's not a great browser, I just get tired of people ripping on Microsoft for it's problems when many are attributed to it simply being the most used software. Now that FireFox is becoming more popular, we're finding that it has it's holes as well. All software has its problems. Give Microsoft a break!

[wjsp]

Microsoft must have a hand in it!

Another FireFox security issue. Not that it's not a great browser, I just get tired of people ripping on Microsoft for it's problems when many are attributed to it simply being the most used software. Now that FireFox is becoming more popular, we're finding that it has it's holes as well. All software has its problems. Give Microsoft a break!