September 9, 2005 3:53 AM PDT
Unpatched Firefox flaw may expose users
- Related Stories
Bug hunters, software firms in uneasy allianceSeptember 6, 2005
Microsoft investigates another IE flaw reportAugust 29, 2005
IE flaw opens door to infection on sightAugust 9, 2005
Major Firefox release delayedJuly 21, 2005
Coding misstep forces new Firefox releaseJuly 18, 2005
Windows flaw could spawn DoS attacksJuly 15, 2005
A safe browser? No longer in the lexiconJuly 7, 2005
Mozilla puts bounty on bugsAugust 2, 2004
The problem lies in the way Firefox handles Web links that are overly long and contain dashes, security researcher Tom Ferris said in an interview via instant messaging late Thursday.
He posted an advisory and a proof of concept to the Full Disclosure security mailing list and to his Security Protocols Web site.
The security vulnerability is a buffer overflow flaw that "allows for an attacker to remotely execute arbitrary code" on a vulnerable PC, Ferris said. An attacker could host a Web site containing the malicious code to exploit the flaw, he said. Though his proof of concept only crashes Firefox, Ferris claims he has been able to tweak it to run code.
Buffer overflows are a commonly exploited security problem. They occur when a program allows data to be written beyond the allocated end of a buffer in memory. A computer can be made to execute potentially malicious code by feeding in extra data that is designed to flood the buffer.
Ferris reported the bug to the Mozilla Foundation on Sunday, intending to go through the organization's bug-reporting process, he said. However, in an example of the uneasy alliance between security researchers and software makers, he decided to publicly disclose the flaw after a run-in with Mozilla staff, he said.
Mozilla, which coordinates the development of Firefox and distributes the software, on Friday confirmed the bug but said the scope of the flaw is still under investigation. The organization said it received the bug report on Tuesday, not Sunday.
"We believe there is a buffer overflow issue," said Mike Schroepfer, director of engineering at Mozilla. "We are still determining whether it is exploitable in an attack."
Users are currently not at risk because there are no known attacks that take advantage of the flaw, Schroepfer said. Mozilla is working on a fix that will be released with an upcoming version of Firefox, he said.
Mozilla is unhappy with the disclosure of the flaw. "We'd like to make sure that by the time something goes public, we have a solution for the users," Schroepfer said.
Since the debut of Firefox 1.0 in November, usage of the open-source browser has grown. Security has been a main selling point for Firefox over Microsoft's Internet Explorer, which has begun to see its market share dip slightly--for the first time in years.
The public bug disclosure comes just as Mozilla released the first beta of Firefox 1.5. The final release of the next Firefox update, which includes security enhancements, is due by year's end, according to the Firefox road map.
Earlier this month Microsoft credited Ferris with reporting a bug in a Windows feature called Remote Desktop Protocol that could allow an attacker to remotely restart Windows systems.
48 commentsJoin the conversation! Add your comment