Slashdot Mirror


Unpatched Firefox Flaw May Expose Users

Corrado writes "CNET is reporting on a new Firefox flaw." From the article: "The problem lies in the way Firefox handles Web links that are overly long and contain dashes, security researcher Tom Ferris said in an interview via instant messaging late Thursday. He posted an advisory and a proof of concept to the Full Disclosure security mailing list and to his Security Protocols Web site...The public bug disclosure comes just as Mozilla released the first beta of Firefox 1.5. The final release of the next Firefox update, which includes security enhancements, is due by year's end, according to the Firefox road map."

10 of 390 comments

  1. workaround by Anonymous Coward · · Score: 3, Informative

    about:config -> network.enableIDN -> false

    be happy!

  2. Re:Well, just another bug by DaHat · · Score: 4, Informative

    No need to bring up just this bug, why not compare history for the last year on both IE6 and Firefox 1.x?

    According to Secunia, during 2005 IE6 has had 11 advisories while Firefox 1.x has had 18.

    Unfortunately I can't get the links to work properly (graphs come up blank), so take a look at the URLs yourself:

    IE6: http://secunia.com/graph/?type=adv&period=2005&prod=11
    Firefox 1.x: http://secunia.com/graph/?type=adv&period=2005&prod=4227

    (you will have to copy and paste these URLs to make them work, it seems)

  3. For all those that can't reproduce by revelation0 · · Score: 5, Informative

    Take 2 seconds to check out his proof of concept:

    http://www.security-protocols.com/firefox-death.html

    WARNING: Clicking the above link will crash Firefox. It will do nothing else. The hyphens are not normal minus hyphens (the - symbol on your American keyboard will translate to 0x2d) but soft hyphens (0xad).

    1. Re:For all those that can't reproduce by MrMr · · Score: 4, Informative

      Yep, lethal if network.enableIDN is true,
      no problem if set to false in about:config

  4. Re:Well, just another bug by Tezkah · · Score: 3, Informative

    Actually, you might be able to; most people don't know of the Greasemonkey-ish add-on to IE called "Trixie", with many of the same scripts running unmodified between the two plugins.

    A better argument is that "In Firefox, the bugs are trivial enough to be fixed with a script until it gets fixed in the main program, a matter of weeks, instead of fixing it in a script in IE, and waiting years for it to get fixed."

  5. Re:Proof of concept by sprag · · Score: 4, Informative

    It's not dashes that do it, but soft hyphens (0xad). There's a link in another thread which has the appropriate HTML, and it does hang Firefox 1.06 on Fedora 4.

    Here's an xxd dump of the offending HTML:

    0000000: 3c41 2048 5245 463d 6874 7470 733a adad <A HREF=https:..
    0000010: adad adad adad adad adad adad adad adad ................
    0000020: adad adad adad adad adad adad adad adad ................
    0000030: adad adad adad adad adad 203e 0a .......... >.
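
As an added example (written here, not part of the thread or of Mozilla's own code), the following Python script rebuilds the bytes from the xxd dump quoted in the comment above, confirms that they are soft hyphens (0xAD) rather than ASCII hyphens (0x2D), and then scans HTML for href values that carry soft hyphens, the kind of check a content filter or proxy could run to flag such links. The function names parse_xxd, byte_histogram and scan_html, the tokenising approach to the dump (needed because the mirror collapsed xxd's column padding), and the "any soft hyphen in an href is suspicious" rule are my own choices, not anything the commenters describe.

```python
import re

# Constructed input: the xxd dump quoted in the comment above, copied as text.
XXD_DUMP = """\
0000000: 3c41 2048 5245 463d 6874 7470 733a adad <A HREF=https:..
0000010: adad adad adad adad adad adad adad adad ................
0000020: adad adad adad adad adad adad adad adad ................
0000030: adad adad adad adad adad 203e 0a .......... >.
"""

SOFT_HYPHEN = 0xAD   # U+00AD SOFT HYPHEN (Latin-1); invisible unless a line breaks there
ASCII_HYPHEN = 0x2D  # the '-' a US keyboard produces

_HEX_TOKEN = re.compile(r"(?:[0-9a-fA-F]{2}){1,2}")
_HREF = re.compile(r'href\s*=\s*["\']?([^\s"\'>]+)', re.IGNORECASE)


def parse_xxd(dump: str) -> bytes:
    """Rebuild raw bytes from an xxd text dump.

    Each line reads "<offset>: <up to 8 groups of 4 hex digits> <ascii column>".
    Because the mirror collapsed xxd's padding, groups are read as tokens: at
    most eight hex tokens after the colon, stopping at the first non-hex token
    (the ASCII column). That is enough for the constructed dump above; a
    general parser would rely on xxd's fixed column widths instead.
    """
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        _offset, _sep, rest = line.partition(":")
        groups = 0
        for tok in rest.split():
            if groups == 8 or not _HEX_TOKEN.fullmatch(tok):
                break
            out += bytes.fromhex(tok)
            groups += 1
    return bytes(out)


def byte_histogram(data: bytes) -> dict:
    """Count soft hyphens and ASCII hyphens so the two can be told apart."""
    return {
        "soft_hyphen_0xAD": data.count(bytes([SOFT_HYPHEN])),
        "ascii_hyphen_0x2D": data.count(bytes([ASCII_HYPHEN])),
        "total": len(data),
    }


def scan_html(html: str):
    """Return (href, soft_hyphen_count) for every href value containing U+00AD.

    A legitimate URL has no use for a soft hyphen, so any occurrence is worth
    flagging; the count shows how long the run is.
    """
    hits = []
    for match in _HREF.finditer(html):
        href = match.group(1)
        count = href.count("\u00ad")
        if count:
            hits.append((href, count))
    return hits


if __name__ == "__main__":
    raw = parse_xxd(XXD_DUMP)
    print(byte_histogram(raw))
    # Latin-1 maps byte 0xAD straight to U+00AD, which is what a 2005-era page
    # without a charset declaration would have been decoded as.
    for href, n in scan_html(raw.decode("latin-1")):
        print(f"flagged href starting {href[:6]!r}: {n} soft hyphens")
```

Run as a script it prints the byte counts (44 soft hyphens, no ASCII hyphens) and flags the single anchor; the two counters are the quick way to settle the "dash or 0xAD?" confusion raised in several comments, and scan_html is the piece worth keeping in a filter.
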

  6. Important note to all... by Transcendent · · Score: 3, Informative

    For those testing on their own, *please realize* that it is not simply a dash (0x2D), but the character 0xAD.

  7. Re:Well, just another bug by adagioforstrings · · Score: 3, Informative

    What about this:
    0 extremely critical of 22 vulnerabilities and 4 still unpatched for Firefox
    versus
    10 extremely critical of 69 vulnerabilities and 19 still unpatched for IE 6.

    I'm not saying Firefox doesn't have its issues, but be careful with statistics.

  8. incorrect information by asa · · Score: 3, Informative
    The bug report is now open and you can see that he reported it to Mozilla on the afternoon of the 6th. There was quite a bit of activity from top Mozilla developers and then the reporter posted the exploit publicly on the 8th.

    We've determined that disabling IDN is a safe workaround and are working on supplying a small download that will take care of that configuration for the user.

    - A

    1. Re:incorrect information by dbaron · · Score: 3, Informative

      I'd also note that Ferris's bug report (bug 307259) originally claimed that the vulnerability was a format string vulnerability, not a buffer overrun, and that the testcase he showed us was a huge testcase probably generated by a tool for generating mangled HTML (like MangleMe). What he published in his advisory wasn't analysis he gave to us when he reported the bug, but looks like it was copied from:

      • the analysis that I did and posted in comment 2 on the bug (which was accessible to him, since he reported it), excluding the correction I made in comment 9 (when I realized the characters I was looking at were not dashes, but soft hyphens), and
      • the testcase that Jesse Ruderman wrote and attached to the bug.