Unpatched Firefox Flaw May Expose Users

Corrado writes "CNET is reporting on a new Firefox flaw." From the article: "The problem lies in the way Firefox handles Web links that are overly long and contain dashes, security researcher Tom Ferris said in an interview via instant messaging late Thursday. He posted an advisory and a proof of concept to the Full Disclosure security mailing list and to his Security Protocols Web site...The public bug disclosure comes just as Mozilla released the first beta of Firefox 1.5. The final release of the next Firefox update, which includes security enhancements, is due by year's end, according to the Firefox road map."

It should be noted

[GweeDo]

That the posted exploit only causes Firefox to crash to stop responded (that is what it did to 1.5b1 on my Linux box). The person that found the exploit claims he has tweaked the code to actually run arbitrary code on the system, but I would like to se e proof of this since as of right now we only have a hanging browser.

Re:It should be noted

There is an actual testcase on the bug in bugzilla, and the bug is private because of that (it would be highly irresponsible to provide a working exploit to the world).

<mao|zZz> mscmurf, dveditz: bug 307259 has been slashdotted - maybe it would be politically good to disclose the bug, at least to counteract this statement at the end of the advisory: "Mozilla was notified, and im guessing they are working on a patch. Who knows though?"
<mcsmurf_> well, if there is a comment in it which should not be public
<mcsmurf_> then the bug remains private ;)
<dveditz> mao|zZz: the potential issue is that his advisory is incorrect, and I'd rather not release the real crashing testcase (though people might discover it soon enough)
<CTho> mao|zZz: it was nice of them to wait til we shipped to make sure the world hears ;)
<biesi> it was public before we shipped
<mcsmurf_> one day?
<dveditz> CTho: that was probably our fault, I should have pushed the fix in
<mao|zZz> biesi: but the slashdot sequence is pretty suspect...
<CTho> dveditz: i heard the patch on teh bug doesnt work
<dveditz> It was nominated, but after the point where triage was being done -- needed to be more actively pushed
<mao|zZz> looks like an easy move to eclipse the beta release wow effect, or worse make it a boomerang
***Toba wonders if the bug is patched yet
<Toba> anyone got the bug link?
<biesi> it's not publically visible
<dveditz> Toba: it's still a private bug
<biesi> (https://bugzilla.mozilla.org/show_bug.cgi?id=3072 59)
<dveditz> see scrollback a few lines
<Toba> dveditz: eh, I guess it would be nice to know
<Toba> but oh well
<biesi> dveditz, it was your comment that said the patch didn't work?
<dveditz> we have *a* patch, we're not convinced it's the right patch
<mao|zZz> dveditz: would you cc me?
<Toba> I guess it's better if the world doesn't know how to exploit yet
<mcsmurf_> dveditz: do you know why or if SeaMonkey is not vulnerable? it doesn't crash when using the exploit
<dveditz> mcsmurf_: that's part of why I'm not opening the bug... the released testcase is not the testcase from the bug
<mcsmurf_> ah-hah
<dveditz> seamonkey is vulnerable, this is core networking stuff
<mcsmurf_> :)
<mcsmurf_> well i assumed so
<mcsmurf_> but i only have the public testcase

exploits?

[samjam]

The bug depended on the host name being all ---

It will be hard to craft some exploit code using only the - character.

It may DOS and cause instability; as for those "but, open source should be proof against this" nay-sayers, I'm pretty certain from the advisory that this could only be properly discovered because the source was available.

hmmmm, maybe if you can trick users to click on bad links a few times it might cause heap corruption and crashing; maybe if you get them to download the right page a few times to pre-load the heap, and then a few ----- might cause the browser to execute from the heap,

A look at the soucre will show the consequences of this and show what sort of pathway there is to arbitrary code execution. I guess it could be exploitable...

Sam

buffer overflows

[diegocgteleline.es]

The security vulnerability is a buffer overflow flaw that "allows for an attacker to remotely execute arbitrary code" on a vulnerable PC,

Just for curiosity, can be Firefox compiled with the compiler parameter which adds code to detect a wide variety of such bugs? It's what Microsoft did at IE in the XP SP2; does it have "sense" to do the same for firefox?

So, the question is ...

[WillAffleckUW]

would you rather find about about a bug and fix it:

A. before you release a version (Firefox);

or

B. years after you release a version (IE).

Well? Which is better? If you choose option B, you can deny there's a problem for 1-2 years, start working on a fix in 2-3 years, nay-say press rumors about the bug in 3-4 years, and fix it and release the bug fix in 4-5 years.

I choose option A.

Re:Tell all your friends!

[TargetBoy]

How about having the update checker stop working?

I've seen several computers now where the red arrow icon is always displayed and the update wizard never successfully downloads anything.

Reinstalling doesn't seem to help fix it.

Re:Well, just another bug

[ikkonoishi]

Yeah because in IE you can't write a greasemonkey script that fixes it.

var links = document.getElementsByTagName("a");
for (var i = 0;i<links.length;i++) {
  if (/-{5,}$/.test(links[i].href)) {
      links[i].href = "";
      links[i].onclick = function () {
        alert("This link was trying to cause a buffer overflow. It has been appropriately punished. That bad ol' puddy link.");
      }
  }
}

The above was proof of concept and may not work, but I see no reason why it shouldn't