Unpatched Firefox Flaw May Expose Users
Corrado writes "CNET is reporting on a new Firefox flaw." From the article: "The problem lies in the way Firefox handles Web links that are overly long and contain dashes, security researcher Tom Ferris said in an interview via instant messaging late Thursday. He posted an advisory and a proof of concept to the Full Disclosure security mailing list and to his Security Protocols Web site...The public bug disclosure comes just as Mozilla released the first beta of Firefox 1.5. The final release of the next Firefox update, which includes security enhancements, is due by year's end, according to the Firefox road map."
Note that the posted exploit only causes Firefox to crash or stop responding (that is what it did to 1.5b1 on my Linux box). The person that found the exploit claims he has tweaked the code to actually run arbitrary code on the system, but I would like to see proof of this since as of right now we only have a hanging browser.
Sure. Yea. But it makes us open-source religinuts look a bit silly, touting our "secure browser" when CNET (which has a very questionably technical reader base) and others run stories like this. Argh. I'm just going to hit the first IE-phile who uses this little bug in an argument.
The bug depended on the host name being all ---
It will be hard to craft some exploit code using only the - character.
It may DOS and cause instability; as for those "but, open source should be proof against this" nay-sayers, I'm pretty certain from the advisory that this could only be properly discovered because the source was available.
hmmmm, maybe if you can trick users to click on bad links a few times it might cause heap corruption and crashing; maybe if you get them to download the right page a few times to pre-load the heap, and then a few ----- might cause the browser to execute from the heap.
A look at the source will show the consequences of this and show what sort of pathway there is to arbitrary code execution. I guess it could be exploitable...
Sam
blog.sam.liddicott.com
The security vulnerability is a buffer overflow flaw that "allows for an attacker to remotely execute arbitrary code" on a vulnerable PC,
Just for curiosity, can Firefox be compiled with the compiler parameter which adds code to detect a wide variety of such bugs? It's what Microsoft did with IE in XP SP2; does it make sense to do the same for Firefox?
Would you rather find out about a bug and fix it:
A. before you release a version (Firefox);
or
B. years after you release a version (IE).
Well? Which is better? If you choose option B, you can deny there's a problem for 1-2 years, start working on a fix in 2-3 years, nay-say press rumors about the bug in 3-4 years, and fix it and release the bug fix in 4-5 years.
I choose option A.
-- Tigger warning: This post may contain tiggers! --
Well, unlike Microsoft (and IE) which doesn't really care about the bad press its browser gets; I know for a fact that Mozilla and the people that work on Firefox, do.
Does CNET really think that Mozilla group is going to ignore it? I don't really see the point of the article. It seems like they were more interested in saying, "Oh, hey. Look, we're cool too because we found a flaw in Firefox."
I'm sure it'll be fixed in a couple of days in the nightly builds. The new auto-update mechanism in 1.5 wasn't implemented for nothing. And it's things like these that make Mozilla (Firefox) a good browser. No matter what kind of press (or lack of) it gets, bugs still get fixed.
Personally, I think CNET is trying to jump on the Firefox-bug-reporting bandwagon like everyone else.
How about having the update checker stop working?
I've seen several computers now where the red arrow icon is always displayed and the update wizard never successfully downloads anything.
Reinstalling doesn't seem to help fix it.
I use elinks. :)
maybe it's secure, maybe not.
Due to the lack of graphics support and javascript there is a good chance it is more secure than most other browsers.
Also nobody is going to target it.
...and that is all I have to say about that.
http://jessta.id.au
From TFA:
"The security vulnerability is a buffer overflow"
Buffer overflows aren't very easy to catch, but I thank the guy who discovered it. This way we can make Firefox a more secure browser every time.
But frankly, I don't know how to feel. Embarrassed because buffer overflows are the result of sloppy buffer programming, or proud because Firefox has much fewer buffer overflows than windows products?
Does it even crash you? So far I haven't found anyone this actually crashes.
Didn't crash my Opera session....
PENAROL: Seras eterno como el tiempo y floreceras en cada primavera.
I tried increasing the number of dashes in the link, all tested on the Aug 29 nightly build:
40,000 dashes: No crash, it does a Google search, but Google displays a Bad Request message.
130,000 dashes: No crash. Same results as above.
275,000 dashes: Same as above.
At this point Kate is very slow and gedit seems to hang. All these dashes are on a single line so as not to modify the POC too much and text editors don't like that. I wrote a script to add more dashes for the next test.
1.5 million dashes: No crash. Same as above.
Screw this. Can someone point me to a real POC for this alleged exploit?
The global economy is a great thing until you feel it locally.
Ah, interesting. Just loading the page containing the link causes it to crash. And yeah, those aren't - signs as were in the message linked on CNET, those are some other character (maybe in a certain font they are minuses?).
If I have been able to see further than others, it is because I bought a pair of binoculars.
Ferris found this "hidden feature" by inspecting the source code, not by trying to probe the browser from "the outside".
He just analysed possible outcomes of usage of this function:
nsStandardURL::BuildNormalizedSpec
That is another proof (of a known fact) that it is much easier to hack the open-sourced than the proprietary application.
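Since the thread above points at URL normalization (nsStandardURL::BuildNormalizedSpec) and at host names made entirely of dashes, here is an added example of what a bounds-checked, validating host normalizer looks like. This is illustrative code written for this page, not Mozilla's code; the function names are hypothetical, and the limits it enforces are the real DNS ones (253 characters per host name, 63 per label, and labels may not start or end with a hyphen).

```c
/* Added example, not Mozilla code: a bounds-checked host-name normalizer.
 * Function names are hypothetical. Limits are the real DNS ones (RFC 1123):
 * 253 chars per host name, 63 per label, no leading/trailing '-' in a label. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAX_HOST  253
#define MAX_LABEL 63

/* Copy host into out (capacity outsz), lower-cased, after validating total
 * length, label length and label shape. Returns 0 on success, -1 when the
 * input is refused. It never writes past outsz, whatever the input length. */
int normalize_host(const char *host, char *out, size_t outsz)
{
    size_t len = strlen(host);
    if (len == 0 || len > MAX_HOST || len + 1 > outsz)
        return -1;                        /* oversize input is refused, not copied */

    size_t label_len = 0;
    for (size_t i = 0; i <= len; i++) {
        char c = host[i];
        if (c == '.' || c == '\0') {
            if (label_len == 0 || label_len > MAX_LABEL)
                return -1;                /* empty or oversized label */
            if (host[i - label_len] == '-' || host[i - 1] == '-')
                return -1;                /* "---" style labels end up here */
            label_len = 0;
        } else if (isalnum((unsigned char)c) || c == '-') {
            label_len++;
        } else {
            return -1;                    /* anything else, incl. non-ASCII, refused */
        }
    }
    for (size_t i = 0; i <= len; i++)     /* copy only after validation passed */
        out[i] = (char)tolower((unsigned char)host[i]);
    return 0;
}

/* Constructed check: is a host made of n '-' characters refused? 1 = yes. */
int rejects_dash_host(size_t n)
{
    char host[1024], out[MAX_HOST + 1];
    if (n >= sizeof host) return -1;
    memset(host, '-', n);
    host[n] = '\0';
    return normalize_host(host, out, sizeof out) == -1;
}

/* 1 if host is accepted and normalizes to expected (constructed samples), else 0. */
int normalizes_to(const char *host, const char *expected)
{
    char out[MAX_HOST + 1];
    return normalize_host(host, out, sizeof out) == 0 && strcmp(out, expected) == 0;
}
```

Compiling with the kind of flag asked about earlier in the thread (GCC's -fstack-protector, MSVC's /GS) is a separate, compile-time layer: it turns a missing check like this into an abort instead of silent memory corruption, but it does not replace the check.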
I entered the html in hex editor as from: http://it.slashdot.org/comments.pl?sid=161697&cid=13519728 and clicked on the link. The link pointed to: https://xn--m1aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaa/ and firefox downloaded this: http://www.srh.noaa.gov/abrfc/archive/1996/aug/rvm files/96083106_1_rvmshv
Release Date:
September 8, 2005
Date Reported:
September 4, 2005
Vendor Status:
Mozilla was notified, and I'm guessing they are working on a patch. Who knows though?
Do I understand correctly that the guy reported the bug to Mozilla on September 4, 2005 and then released it to public on September 8, 2005?
If so, that would show a complete lack of responsibility on his part and total disregard for proper security reporting procedures.
Agreed - but, they do patch & patch FAST. I know, I had written them a couple years back in regards to how FireFox was handling the homegrown forums boards used @ NTCompatible.com (& was 'bugging out' on some of its handlings of the code used in it).
The FireFox/Mozilla team wrote me THAT day, acknowledging it was indeed, a bug on their end, fixed it the VERY NEXT DAY, & even wrote me back directly and came to speak to us there & to the site's owner directly, in regard to the fix and problem.
It is important, & their team KNOWS it... and their response time?
Read the above, rinse/wash/repeat.
(They're FAST about it)
APK
P.S.=> I still am more of an Opera 8.02 fan than I am of FireFox, but FireFox is LOADS better than current models of IE imo, especially security-wise...
Even though various addons like greasemonkey turned up "funny" recently (but too, was fixed fast), it's YOU that installs them & takes the chance...
Whereas IE?
Well, SOMETIMES, the addon stuff installs (because of the lax default security settings in XP/2000 & below models of their OS & IE in them is @ fault, this is correctable too via IE's security & zones settings IF you take the time to look - me? I turn off java/javascript &/or ActiveX usage usually, period in IE) w/out you asking for it...
That's WRONG! MS has corrected a GREAT DEAL of this in Windows Server 2003, especially how its init. security is setup (very restrictive), but has a ways to go before they catch up to Opera &/or FireFox imo... both featureset-wise & also security invulnerable-ness-wise.
apk