Slashdot Mirror


Mozilla / Firefox Memory Exposure Vulnerability

JimmyM writes "Secunia has a story regarding a new severe vulnerability in the Mozilla Suite and Firefox browser, which can be exploited by any web site to read all memory, which the browser process has access to. No patch is available from Mozilla. A demonstration is available here."

14 of 132 comments

  1. Did the Mozilla/Firefox guys ignore a warning? by astrashe · · Score: 3, Insightful

    Did the Mozilla/Firefox guys ignore a warning about this, or did this site publish the vulnerability without giving them a chance to patch?

  2. They say that open source... by Anonymous Coward · · Score: 1, Insightful

    ...is faster at fixing serious security flaws than closed source. Now this here is a fairly nasty vulnerability; not as bad as remote code execution, certainly, but still something I'd want fixed on my mum's PC as quickly as possible. So I'm wondering, just how long will the Mozilla foundation take to distribute a fix for this vulnerability - not just patch it in the nightlies, as that is trivial - but include it in an automatic update, like Microsoft would? I'm betting on weeks or months (not flame-baiting here, but so far most Firefox fixes have trickled down very slowly.) It will be interesting to watch and see.

  3. Definitely a big hole by RzUpAnmsCwrds · · Score: 4, Insightful

    This is a *huge* hole. In three clicks, it disclosed previous URLs that I had visited, POSTDATA (including my Slashdot password) and a bunch of other stuff.

    If this could be automated (and it easily could be with something like XML-RPC), imagine the possibilities for phishing. Visit a page, have your credit card number disclosed.

    Time for Firefox 1.03.

  4. Simple JavaScript by duerra · · Score: 2, Insightful

    It works if you don't click quickly and repeatedly in Firefox.

    It's almost scary... the JavaScript for this looks to just abuse a buffer overflow in an almost scary-easy way.

    function genGluck(str){
        var x = str;
        var rx=/end/i;
        x = x.replace(rx,function($1){
            $1.match(rx);
            return "";
        });
        x = x.replace(/^end/,"");
        return x;
    }

    function readMemory()
    {
        var mem = genGluck("{10,246 "X's" here}end");

        mem = mem.replace(/[^\.\\\:\/\'\(\)\"\_\?\=\%\&\;\#\@\- a-zA-Z0-9]+/g, " ");

        document.getElementById('result').value = mem;
    }

  5. Re:I'm shocked! by samael · · Score: 2, Insightful

    Which is fair enough.

    Of course, I can reinstall the OS in about two hours.

    It's my documents I actually care about...

  6. Safari slightly vulnerable? by inio · · Score: 2, Insightful

    In addition to a bunch of Xs, Safari threw a little piece of Javascript code not originating on the source page into the end of the text box. Looks like it might be a little vulnerable too.

    1. Re:Safari slightly vulnerable? by LincolnQ · · Score: 2, Insightful

      No, Safari doesn't support Javascript's function objects (lambdas?), which the test seems to use. I don't know if rewriting the test in a different way would make it work, but I doubt it. It appears to be a flaw in the regular expression engine in Gecko.

  7. Access to firefox heap, not entire system by jgoemat · · Score: 2, Insightful

    This exploits a vulnerability in Mozilla/FireFox's javascript engine. It allows the javascript code on the web page to access an arbitrary amount of heap data of the FireFox application. The locations in memory and the size of the block returned cannot be set, so you basically get random data from FireFox's heap. Most likely under a kilobyte of data will be returned, and it will most likely be data from some web page or file you downloaded.

    This data is available to the javascript engine then, so it is possible for the javascript to submit it a number of ways to an internet server. It could call a web service with the data or post it to a web page. The server could then organize this data and examine it for anything interesting.

    This will not allow someone to read your personal files or hijack your computer. The real problem would be if stored passwords or sensitive data from web mail or banking sites were on the heap and were found this way and transmitted to a web site. A large amount of 'Junk' would have to be sifted through in order to get any juicy data though.

    The only way to be safe right now is (in FireFox) to go to Tools->Options, go to "Web Features", and uncheck "Enable Javascript". Seeing as many sites (including /.) require javascript to use, this really isn't a good option. I hope the team gets a fixed version out soon.
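    A regression check for the replace-with-callback behaviour discussed in comments 4 and 7, added here as an example (not code from the thread or from Mozilla): on a correctly behaving engine the posted pattern can only return characters that were already in the input, so a patched build should report ok for any payload length. The checkNoForeignData helper and the constructed all-X input are assumptions of this example.

```javascript
// Added example: regression check for the String.replace-with-callback
// pattern from the posted demo. A correct engine's result can only contain
// characters that were already in the input; any other character would be
// foreign data (in the vulnerable builds, uninitialised heap contents).

// Same shape as the posted genGluck: replace the first /end/i with "" via
// a callback that performs a nested match against the same regex, then
// strip a leading "end" if one remains.
function genGluck(str) {
  var rx = /end/i;
  var x = str.replace(rx, function (m) {
    m.match(rx); // nested match inside the callback, as in the demo
    return "";
  });
  return x.replace(/^end/, "");
}

// checkNoForeignData (assumed helper): builds the constructed input
// "XXX...Xend", runs it through genGluck, and reports whether the output has
// exactly the expected length and contains nothing but the X characters.
function checkNoForeignData(payloadLength) {
  var input = "X".repeat(payloadLength) + "end";
  var out = genGluck(input);
  var foreign = out.replace(/X/g, ""); // whatever is left is not from the input
  return {
    expectedLength: payloadLength,
    actualLength: out.length,
    foreignChars: foreign.length,
    ok: out.length === payloadLength && foreign.length === 0,
  };
}

// Run with the same payload size the demo uses; ok must be true on a fixed engine.
console.log(checkNoForeignData(10246));
```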

  8. Re:I'm shocked! by Gary+Destruction · · Score: 1, Insightful

    Mozilla is at version 1.7.5 and Firefox is at version 1.x. IE is approaching version 7.0. Microsoft has billions of dollars and more than enough developers and other personnel to make a secure product. Mozilla may have more security flaws in the short run, but it will have less in the long run because more careful consideration was made during development.

  9. Re:I'm shocked! by dougmc · · Score: 2, Insightful
    Mozilla is at version 1.7.5 and Firefox is at version 1.x. IE is approaching version 7.0.

    And Linux is at version 2.6.something, and Windows is at version 2003 and Solaris is at version 10 (having jumped from 2.6 to 7.) Fedora Core is at FC3 (or is that RH12?) Doom is up to Doom 3, and Jake 2.0 was released at 2.0 and never made 2.1. And I think Sid died at version 6.7. Relevance?

    Version numbers don't mean anything. They're arbitrary, and you cannot compare them to the numbers of other products like you appear to be doing, at least not in any meaningful way.

  10. comma by Anonymous Coward · · Score: 5, Insightful
    which can be exploited by any web site to read all memory, which the browser process has access to

    I don't normally complain about the grammar and punctuation of submitters and editors, but in this case it is too significant. The difference between

    read all memory, which the browser process has access to

    and

    read all memory which the browser process has access to

    is profound. The first form says that the browser has access to all memory. The second form says that the web site has access to all the memory to which the browser also has access. Catching and fixing stuff like this is what an editor does. If Slashdot's people can't do that, then don't call them editors. Call them "Dudes Who Click Approve," or something like that.

  11. Re:I'm shocked! by Anonymous Coward · · Score: 1, Insightful
    Are you implying that version numbers are qualitative?

    No, he was mocking someone else who did:

    Mozilla is at version 1.7.5 and Firefox is at version 1.x. IE is approaching version 7.0.

  12. Re:IE & Opera Unaffected by Zork+the+Almighty · · Score: 4, Insightful

    No, it would be "New Critical IE Vulnerability" and it would be on the front page...

    --

    In Soviet America the banks rob you!

  13. Other Gecko-based browsers affected as well. by Lazyhound · · Score: 2, Insightful

    K-Meleon has the same problem, only it probably won't be patched for months, forcing me back to Firefox. Bah.