Unpatched Firefox Flaw May Expose Users

Corrado writes "CNET is reporting on a new Firefox flaw." From the article: "The problem lies in the way Firefox handles Web links that are overly long and contain dashes, security researcher Tom Ferris said in an interview via instant messaging late Thursday. He posted an advisory and a proof of concept to the Full Disclosure security mailing list and to his Security Protocols Web site...The public bug disclosure comes just as Mozilla released the first beta of Firefox 1.5. The final release of the next Firefox update, which includes security enhancements, is due by year's end, according to the Firefox road map."

This is impossible!

[pdpTrojan]

Firefox is open source... how can it have a bug in it? Lol, they must have meant Internet Explorer!

Everybody knows that security flaws are only available in Microsoft products. I read it on Slashdot!!! It has to be true!!!

Expose users?

[jdray]

Did anyone else have a sudden concern that using Firefox would cause you to be "pants'ed"?

Re:Expose users?

[.sig]

I'm counting on it, I'm passing out copies of firefox to all the women I know....

Re:Expose users?

[iceborer]

Since you're a /. member, I would have thought you'd installed Firefox for your mom and little sister already.

Re:Expose users?

[sootman]

No worries, the patch is here: http://www.mozilla.org/patch-to-fix-the-problem-wi th-firefox-where-long-URLs-with-lots-of-hypohens-c an-cause-bad-things-to-happen-like-the-browser-wil l-crash-and-stuff.html

Re:Expose users?

[Jerry]

Sorry, that URL didn't work. :-)

404: File Not Found /patch-to-fix-the-problem-with-firefox-where-long- URLs-with-lots-of-hypohens-can-cause-bad-things-to -happen-like-the-browser-will-crash-and-stuff.html

We are sorry, the file you requested could not be found.

Referring page:

http://it.slashdot.org/article.pl?sid=05/09/09/133 6253&threshold=0&tid=128&tid=154

The link you clicked to get here is either misspelled, outdated, or may just never have existed. You can use the links on this page or the search Mozilla feature at the top to find the document to find what you were looking for. You may want to notify the webmaster of the referring page of the dead link.

Tell all your friends!

[CyricZ]

If you have gotten your non-techie friends to switch to Firefox, be sure to tell them about this problem and the possible fixes. Indeed, it is very important that Firefox be kept up to date on as many computers as possible, even if it means a short trip to install it for somebody. Nothing will hurt Firefox's reputation more than unpatched installations being exploited.

Re:Tell all your friends!

[TargetBoy]

How about having the update checker stop working?

I've seen several computers now where the red arrow icon is always displayed and the update wizard never successfully downloads anything.

Reinstalling doesn't seem to help fix it.

Re:Tell all your friends!

[killproc]

"If you have gotten your non-techie friends to switch to Firefox, be sure to tell them about this problem and the possible fixes. Indeed, it is very important that Firefox be kept up to date on as many computers as possible"

Not trying to troll here, but...

Couldn't the same be said for IE or any other browser? If you have non-techie friends that could be vulnerable on any platform, wouldn't letting them know how to check for security updates be the right thing to do?

Should you let them flounder and possibly become zombies for some nefarious spam network because they don't use your "preferred" browser?

Personally, I use Mozilla at home because I like it much better, and encourage all my friends to do the same, but I'm not above recommending security updates to those who choose not to use Mozilla/Firefox.

Re:Tell all your friends!

[AKAImBatman]

I was thinking the same thing. All browsers are vulnerable and all will need to be updated.

The ridiculous part, though, is that software doesn't *have* to be vulnerable to buffer overflows! We've had languages for more than 20 years that are completely invulnerable to such a simplistic attack. Even C/C++ have large numbers of libraries available to make such overflows a thing of the past. Yet here we are in 2005 and the number one exploit across systems is still...

(wait for it)

Buffer overflows.

Am I the only one who's getting just a smidge annoyed by this? No wonder we don't have any flying cars! We can't debug the darn things worth a damn! ;-)

Re:Tell all your friends!

[jesser]

here we are in 2005 and the number one exploit across systems is still... buffer overflows.

Are you sure that's true? Looking at http://www.mozilla.org/projects/security/known-vul nerabilities.html, it looks like most security holes in Firefox are not related to low-level memory management.

Well, just another bug

[guruevi]

For trolling sake, it is still better then IE.

Re:Well, just another bug

[Doches]

Sure. Yea. But it makes us open-source religinuts look a bit silly, touting our "secure browser" when CNET (which has a very questionably technical readerbase) and others run stories like this. Argh. I'm just going to hit the first IE-phile who uses this little bug in an argument.

Re:Well, just another bug

[ikkonoishi]

Yeah because in IE you can't write a greasemonkey script that fixes it.

var links = document.getElementsByTagName("a");
for (var i = 0;i<links.length;i++) {
  if (/-{5,}$/.test(links[i].href)) {
      links[i].href = "";
      links[i].onclick = function () {
        alert("This link was trying to cause a buffer overflow. It has been appropriately punished. That bad ol' puddy link.");
      }
  }
}

The above was proof of concept and may not work, but I see no reason why it shouldn't

Re:Well, just another bug

[DaHat]

No need to bring up just this bug, why not compare history for the last year on both IE6 and Firefox 1.x?

According to Secunia, during 2005 IE6 has had 11 advisories while Firefox 1.x has had 18.

Unfortunately I can't get the links to work properly (graphs come up blank), so take a look at the URL's yourself:

IE6: http://secunia.com/graph/?type=adv&period=2005&pro d=11
Firefox 1.x: http://secunia.com/graph/?type=adv&period=2005&pro d=4227

(you will have to copy and paste these URL's to make them work it seems)

Re:Well, just another bug

[footissimo]

What about how 'critical' the bugs are rated or how long it takes for each to be fixed? Are the problems with ActiveX included?

Re:Well, just another bug

[Tezkah]

Actually, you might be able to, most people don't know of the Greasemonkey-ish add-on to IE called "Trixie", with many of the same scripts running unmodified between the two plugins.

A better argument is that "In firefox, the bugs are trivial enough to be fixed with a script until it gets fixed in the main program, a matter of weeks, instead of fixing it in a script in IE, and waiting years for it do get fixed."

Re:Well, just another bug

[TheLink]

Yeah, I often get modded flamebait or troll when I point out that mozilla/firefox isn't really much more secure than IE.

Every few weeks there's evidence that I was correct :).

Anyway, I use both IE and Mozilla (which appears to crash more often than IE and worse of all you can't easily launch multiple independent Mozilla processes).

For security, my normal IE has active scripting off - which seems to prevent most security bugs from working. For sites which require javascript and IE, I use IE in a virtual machine.

At work, I use mozilla and set it up to run using a different user account from my normal user account, so it will be harder for exploits to affect my normal user files. I used to do that for IE in my prev office - I had XP there and it's easier to do that with XP. But the vmware thingy is good enough I guess ;).

Once you do stuff like this, it's harder for browser exploits to do significant harm to your system. It can still do harm to other people's systems unless you have other firewall stuff or other countermeasures.

p.s. Same goes for Linux vs Windows security. The same Joe Average users are as likely to update Linux systems as they are to update windows systems (typically never).

Re:Well, just another bug

[adagioforstrings]

What about this:
0 extremely critical of 22 vulnerabilities and 4 still unpatched for Firefox
versus
10 extremely critical of 69 vulnerabilities and 19 still unpatched for IE 6.

I'm not saying Firefox doesn't have its issues, but be careful with statistics.

It should be noted

[GweeDo]

That the posted exploit only causes Firefox to crash to stop responded (that is what it did to 1.5b1 on my Linux box). The person that found the exploit claims he has tweaked the code to actually run arbitrary code on the system, but I would like to se e proof of this since as of right now we only have a hanging browser.

Re:It should be noted

[finkployd]

I was not aware that wanting to classify the severity of a problem made one a zealot...

Finkployd

Re:It should be noted

There is an actual testcase on the bug in bugzilla, and the bug is private because of that (it would be highly irresponsible to provide a working exploit to the world).

<mao|zZz> mscmurf, dveditz: bug 307259 has been slashdotted - maybe it would be politically good to disclose the bug, at least to counteract this statement at the end of the advisory: "Mozilla was notified, and im guessing they are working on a patch. Who knows though?"
<mcsmurf_> well, if there is a comment in it which should not be public
<mcsmurf_> then the bug remains private ;)
<dveditz> mao|zZz: the potential issue is that his advisory is incorrect, and I'd rather not release the real crashing testcase (though people might discover it soon enough)
<CTho> mao|zZz: it was nice of them to wait til we shipped to make sure the world hears ;)
<biesi> it was public before we shipped
<mcsmurf_> one day?
<dveditz> CTho: that was probably our fault, I should have pushed the fix in
<mao|zZz> biesi: but the slashdot sequence is pretty suspect...
<CTho> dveditz: i heard the patch on teh bug doesnt work
<dveditz> It was nominated, but after the point where triage was being done -- needed to be more actively pushed
<mao|zZz> looks like an easy move to eclipse the beta release wow effect, or worse make it a boomerang
***Toba wonders if the bug is patched yet
<Toba> anyone got the bug link?
<biesi> it's not publically visible
<dveditz> Toba: it's still a private bug
<biesi> (https://bugzilla.mozilla.org/show_bug.cgi?id=3072 59)
<dveditz> see scrollback a few lines
<Toba> dveditz: eh, I guess it would be nice to know
<Toba> but oh well
<biesi> dveditz, it was your comment that said the patch didn't work?
<dveditz> we have *a* patch, we're not convinced it's the right patch
<mao|zZz> dveditz: would you cc me?
<Toba> I guess it's better if the world doesn't know how to exploit yet
<mcsmurf_> dveditz: do you know why or if SeaMonkey is not vulnerable? it doesn't crash when using the exploit
<dveditz> mcsmurf_: that's part of why I'm not opening the bug... the released testcase is not the testcase from the bug
<mcsmurf_> ah-hah
<dveditz> seamonkey is vulnerable, this is core networking stuff
<mcsmurf_> :)
<mcsmurf_> well i assumed so
<mcsmurf_> but i only have the public testcase

Re:It should be noted

[Delphiki]

So if person P is skeptical of claim C about entity E, then it logically follows that P thinks that E "can do no wrong"? That sounds a like a fringe-whacko line of thought to me.

You don't really want to get into the business of pointing out wackos on slashdot. It's easily a full time job and it doesn't pay.

Patent infringement

[confusion]

I thought MS had a patent on unpatched browser flaws?!?!?

Jerry
http://www.cyvin.org/

Re:Patent infringement

[SonicBurst]

The new patching system is awesome. Binary diffs, so no downloading huge files, it downloads in the background so it doesn't disturb you, and installs when you restart firefox. It's amazingly convienient.

Yes, but would you have said the same thing if you had replaced the word firefox with the word windows in that sentence? I say that only because that's what WAU does these days, though I forget for how long it has been doing the binary diffs. I think that came along with the latest BITS update sometime in early summer this year, but can't be sure. Just FYI.

more info at

[jbeaupre]

more information on the bug at: www.youissostupid.ru/scriptyuiopuioqwhjklfashuiopy uiopuiopuiopuouihjklasd-2789789-hfsjadkhuiof

exploits?

[samjam]

The bug depended on the host name being all ---

It will be hard to craft some exploit code using only the - character.

It may DOS and cause instability; as for those "but, open source should be proof against this" nay-sayers, I'm pretty certain from the advisory that this could only be properly discovered because the source was available.

hmmmm, maybe if you can trick users to click on bad links a few times it might cause heap corruption and crashing; maybe if you get them to download the right page a few times to pre-load the heap, and then a few ----- might cause the browser to execute from the heap,

A look at the soucre will show the consequences of this and show what sort of pathway there is to arbitrary code execution. I guess it could be exploitable...

Sam

Re:exploits?

[sbrown123]

Tom Ferris has a history of reporting so-called exploits. This history includes not only Firefox but also Internet Explorer. In every case he usually makes a feeble attempt at contacting the right sources to inform them of the problem and then, all of a sudden, claims that they are not responding to him and he feels he has to post all security postings public to save our lives (and he contacts CNet too to get the word out).

Oddly, I have yet to see one of his found exploits actually work. At most, I have seen them as annoyances that can possibly cause browsers to crash IF the end-user follows the exploit instructions to the letter using the exact same browser on Windows (Tom never appears to find anything on Linux or Mac but always claims that his exploits work on all platforms without actually testing them).

Re:exploits?

[sbrown123]

I take that back. I did find one of his recent exploits (actually its a DoS) that Microsoft actually made a patch for:

http://www.microsoft.com/technet/security/bulletin /MS05-041.mspx

The funny thing is his note: "As I previously reported, there is a remote kernel denial of serivce vulnerability with the Remote Desktop Services protocol which affects every verison of Microsoft Windows. "

Last time I check, RDP is not on older versions of Windows. Again, blown out of porportion for such a minor bug.

buffer overflows

[diegocgteleline.es]

The security vulnerability is a buffer overflow flaw that "allows for an attacker to remotely execute arbitrary code" on a vulnerable PC,

Just for curiosity, can be Firefox compiled with the compiler parameter which adds code to detect a wide variety of such bugs? It's what Microsoft did at IE in the XP SP2; does it have "sense" to do the same for firefox?

Re:buffer overflows

[CTho9305]

Releases are built with Microsoft Visual C++ 6, because there are concerns that the license of newer versions would not allow the builds to be distributed.

Unacceptable

[goldspider]

"The final release of the next Firefox update, which includes security enhancements, is due by year's end, according to the Firefox road map."

We rightly criticize Microsoft for not responding to security concerns in a timely manner. I hope the Mozilla Foundation will be held to the same standard.

Re:Unacceptable

[CTho9305]

If you followed the discussions on IRC, you'd see that people are working on the bug.

  mconnor: we're in security firedrill mode. probably not meeting on beta2 today.

They're all busy dealing with this issue... everything else is on hold.

So, the question is ...

[WillAffleckUW]

would you rather find about about a bug and fix it:

A. before you release a version (Firefox);

or

B. years after you release a version (IE).

Well? Which is better? If you choose option B, you can deny there's a problem for 1-2 years, start working on a fix in 2-3 years, nay-say press rumors about the bug in 3-4 years, and fix it and release the bug fix in 4-5 years.

I choose option A.

Uhm, your point?

[Alien+Venom]

Well, unlike Microsoft (and IE) which doesn't really care about the bad press its browser gets; I know for a fact that Mozilla and the people that work on Firefox, do.

Does CNET really think that Mozilla group is going to ignore it? I don't really see the point of the article. It seems like they were more interested in saying, "Oh, hey. Look, we're cool too because we found a flaw in Firefox."

I'm sure it'll be fixed in a couple day in the nightly builds. The new auto-update mechanism in 1.5 wasn't implemented for nothing. And it's the things like these that make Mozilla (Firefox) a good browser. No matter what kind of press (or lack of) that it gets, bugs still get fixed.

Personally, I think CNET is trying to jump on the Firefox-bug-reporting bandwagon like everyone else.

He sounds like a self-promoting twit

[93+Escort+Wagon]

I can see why some folks will publicize exploits if they feel the software maker isn't responding in a timely manner. But c'mon - he just reported this to the Mozilla folks on Sunday!

Re:He sounds like a self-promoting twit

[tdvaughan]

Responsible vulnerability reporting doesn't necessarily mean telling everyone possible (including proof-of-concept exploit code) as soon as you discover a vulnerability. Some people allow the vendor/maintainer 30 days to make an appropriate response (e.g. investigating the vulnerability and making a commitment to fixing it) and a further 30 days on top of that to provide a fix before going public. Regardless of how long you think a vendor should be given, though, going public immediately makes me wonder if his priorities are personal gain rather than trying to improve the software's security.

Buffer overflow

[Spy+der+Mann]

From TFA:

"The security vulnerability is a buffer overflow"

Buffer overflows aren't very easy to catch, but I thank the guy who discovered it. This way we can make Firefox a more secure browser everytime.

But frankly, I don't know how to feel. Embarrassed because buffer overflows are the result of sloppy buffer programming, or proud because Firefox has much fewer buffer overflows than windows products?

Re:Buffer overflow

[SimplexO]

Say it with me now.

"Security is a process."

Being open source programmers doesn't make them perfect programmers. Not working at Microsoft doesn't make them perfect programmers.

The phrase never never said, "given enough eyes, there are no bugs." It said "given enough eyes, all bugs are shallow." That phrase even admits there will be bugs. Security is a process, not an accumulated number of crash bugs.

I would hope Firefox has fewer overflows than IE, only because that would mean less headaches for me, and less bad press.

Year's end?

[Swamii]

This is why open source is better! M$ expects me to wait until year's end for a patch?! What am I supposed to do until then, hide in a cave?

What's that you say? This isn't an article about Microsoft?

Oh, nevermind then.

Re:Flaws

Oh please, how is a heap overflow of 0x78787878787878... going to be exploitable. This looks like just a regular crash, if these turn you on just watch bugzilla for a few days, they turn up all the time.

A browser is a complex piece of software, of course there are going to be subtle bugs that turn up now and then. Nobody is perfect, and visualizing every possible execution path through a billion SLOC application is impossible. Please stop making a fuss about "OMG BROWSER DoS!!".

workaround

about:config -> network.enableIDN -> false

be happy!

Nope - not on my v1.06 Firefox

[HermanAB]

I made a page with the supposed bad link full of dashes and all that happens, is that FF tries to do a Google lookup on "keyword:---lots of dashes here---"

This seems to be a dud exploit...

Re:Nope - not on my v1.06 Firefox

[digidave]

I tried increasing the number of dashes in the link, all tested on the Aug 29 nightly build:

40,000 dashes: No crash, it does a Google search, but Google displays a Bad Request message.

130,000 dashes: No crash. Same results as above.

275,000 dashes: Same as above.

At this point Kate is very slow and gedit seems to hang. All these dashes are on a single line so as not to modify the POC too much and text editors don't like that. I wrote a script to add more dashes for the next test.

1.5 million dashes: No crash. Same as above.

Screw this. Can someone point me to a real POC for this alleged exploit?

Re:Nope - not on my v1.06 Firefox

[Qzukk]

Ah, interesting. Just loading the page containing the link causes it to crash. And yeah, those aren't - signs as was in the message linked on CNET, those are some other character (maybe on a certain font they are minuses?).

Re:Nope - not on my v1.06 Firefox

[cortana]

The advisory isn't talking about "0+002D HYPHEN-MINUS". Try the sample exploit. Freezes Firefox and Epiphany cold here.

$ GET www.security-protocols.com/firefox-death.html | xxd
0000000: 3c41 2048 5245 463d 6874 7470 733a adad <A HREF=https:..
0000010: adad adad adad adad adad adad adad adad ................
0000020: adad adad adad adad adad adad adad adad ................
0000030: adad adad adad adad adad 203e 0a .......... >.

Assuming the document is UTF-8 (no way of telling for sure), we can look up 0xad in gucharmap and so realise that the character that triggers the bug is really "U+00AD SOFT HYPHEN"

So you are a victim of loss of information caused by the incorrect encoding of the advisory into ASCII. :)

Re:Nope - not on my v1.06 Firefox

[greenskyx]

Ok, here is the deal. in about:config search for idn. If you have network.enableIDN set to false this wont work. I'm not sure if I disabled that myself or if that's a firefox default. Either way you might want to make sure IDN is turned off if you dont use it.

not crashing

[roman_mir]

under winxp I can't get this to crash. Crap! I thought windows should help with things like this! (Clippy: -So, it looks like you are trying to crash your browser. Need help?)

Re:not crashing

[kryten_nl]

Clippy: 'If you would like to see the BSOD: create a new Word document, make it 50 pages long and try to save.'

Re:Proof of concept

[Gori]

Actually, I have searching from the location bar setup as default, and only thing I get is firefox opening a google search with a bunch of dashes in it. (this is on linux)

So kind of pointless exploit in this case ?

So, to protect yourself
go to about:config and change keyword.URL to http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8 &q=

and keyword.enabled to true

Re:1.5 safe?

[beerman2k]

I dont understand. Is 1.5 safe?

I'd say RTFA, but this is Slashdot after all...

If you had read the article you would have found a link to the advisory which clearly states the following:

Vendor:
Mozilla

Versions Affected:
Firefox Win32 1.0.6 and prior
Firefox Linux 1.0.6 and prior
Firefox 1.5 Beta 1 (Deer Park Alpha 2)

Overview:
A buffer overflow vulnerability exists within Firefox version 1.0.6 and all other prior
versions which allows for an attacker to remotely execute arbitrary code on a affected
host.

Similar Bug

[MobileMrX]

I saw a similar bug IRL.

This guy was driving and navigated to a bunch of yellow dashes in succession.

This method of action caused his car to crash.

I've only been able to replicate this bug on roads with > 2 cars.

Anyone experience this?

/waiting for roads v1.5

Works only in Fx 1.5beta1, 1.0.6 is not affected!

[YA_Python_dev]

This flaw is only present in Firefox 1.5beta1, 1.0.6 is not affected.

So if you are worried just keep using the stable version until at least the next beta release and be happy.

The Mozilla codebase quality is questionable.

[CyricZ]

It's not so much Firefox, as it is the Mozilla codebase upon which Firefox is built. Having recently done some work with Mozilla, I can say that it is a very complex beast. Perhaps even too complex, some might say. The potential for the introduction of bugs is astounding, since it is often very difficult to know for sure exactly what effects a code change will have.

It doesn't help that a lot of the documentation is out of date, often by several years. Nothing is worse than incorrect or outdated documentation, which can often lead to incorrect code being unintentionally added.

While a rewrite of Mozilla is of course out of the question, there should perhaps be some procedures in place to clean up the code base, and ensure that documentation is correct. Performing such basic engineering practices is what results in quality products, be it software or bridges.

Re:The Mozilla codebase quality is questionable.

[CTho9305]

It's not so much Firefox, as it is the Mozilla codebase upon which Firefox is built.

Just so people don't think that means the upcoming SeaMonkey release will be using shoddy code, I'd like to point out that code review for firefox-only code is significantly less thorough than review for suite-only code. In many cases, large Firefox patches have been checked in with no code review at all! On multiple occasions when porting features from Firefox to SeaMonkey, the patches were initially rejected due to code quality, and had to be fixed up.

Firefox is the fix for Internet Explorer problems.

[CyricZ]

Indeed. The main update/fix for Internet Explorer-related problems is Firefox. So that should always be the first solution proposed. That in turn directly leads to my proposal: always keep your non-technical friends' Firefox installations up to date.

Patch available

[Frankie70]

You can download a fix here

Re:Flaws

[shaitand]

Does it even crash you? So far I haven't found anyone this actually crashes.

possible bugzilla bugs

[molo]

Between 2005-09-03 and 2005-09-06, there were several bugs reported to Mozilla that are now marked hidden. Expect one of them to become visible now that this is announced. (note: bugzilla blocks slashdot referer, so cut&paste is needed, watch out for the extra space)

https://bugzilla.mozilla.org/show_bug.cgi?id=30693 9
https://bugzilla.mozilla.org/show_bug.cgi?id=30694 0
https://bugzilla.mozilla.org/show_bug.cgi?id=30703 1
https://bugzilla.mozilla.org/show_bug.cgi?id=30704 0
https://bugzilla.mozilla.org/show_bug.cgi?id=30708 4
https://bugzilla.mozilla.org/show_bug.cgi?id=30708 7

BTW, why is it necessary that so many bug reports be hidden? They can't all be valid security bugs, can they? Besides, full disclosure and an open development model go hand-in-hand.

-molo

MS vs Firefox is irrelevant

[mccalli]

I'm reading a depressingly large number of predicatble off-pat responses - "So? IE is far worse. Microsoft sucks!".

Honestly, who cares? Why does this have to be compared to a Microsoft response? Why can't this just be viewed as an event in its own right and not constantly looked at as some insult which might be handing Microsoft an edge?

Objectively, if I use Firefox I have no interest in how Microsoft might have responded to a similar situation. I am purely interested in the Mozilla response (which I'm explicitly not passing judgement on in this post). Can people give it a rest with the constant defensiveness against Microsoft?

Cheers,
Ian

what a whiny runt.

[kinglink]

I mean I looked at the official disclosure from him (http://www.security-protocols.com/advisory/sp-x17 -advisory.txt)
and basically he acts like 4 days is all he needs to wait.. and apparently Mozilla isn't doing enough for this?

Mozilla isn't Microsoft or Cisco in two catagories.
A. They arn't ultra large coporatitions that can fix stuff in an instant.
B. They don't ignore problems, especially like this. They're likely working as fast as they can and they are willing to admit fuckups, but they want to have a fix for the fuck up first.

We don't need everyone running around thinking that EVERY company conducts business the same way that Cisco does... How all of them are part of a conspiracy. Firefox is getting known in the industry to be basically good at avoiding problems other browsers have and fixing major bugs.

By having a guy run around like this only 4 days (notice the dates in that link) it can only cause a higher likelyhood that someone will use that find maliciously and Firefox will get blamed for it when it's really the disclosure that's the problem.

The fact is those of us who find these bugs need to give the company time to react, we don't need to act like they don't care. 4 days is hardly enough unless he got back a letter that said screw you, which it doesn't sound like he did. Giving Full Disclosure the first time you hear about a problem, just creates a bigger problem because now more people will learn of the problem.

And there's a definate difference between waiting a couple monthes like the Cisco incident where the company was being forced into an uncomfortable positions and waiting less then a full week with apparently no provacation.

For all those that can't reproduce

[revelation0]

Take 2 seconds to check out his proof of concept:

http://www.security-protocols.com/firefox-death.ht ml

WARNING: Clicking the above link will crash firefox. It will do nothing else. The hyphens are not normal minus hyphen (the - symbol on your american keyboard will translate to 0x2d) but a soft hyphen (0xad).

Re:For all those that can't reproduce

[siliconjunkie]

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511

Your link crashed my browser. :(

Re:For all those that can't reproduce

[Haeleth]

WARNING: Clicking the above link will crash firefox.

Only for some people. It needs to specify a character set, too; the "exploit" appears only to crash Firefox when the character set is ISO-8859-1, so if your browser is set to use anything else by default, the link will not do anything at all.

Re:For all those that can't reproduce

[MrMr]

Yep, lethal if network.enableIDN is true,
no problem if set to false in about:config

Re:For all those that can't reproduce

[Jim+Hall]

MOD PARENT UP

It's true - if you leave network.enableIDN set to 'true' then the browser will demonstrate the problem. Toggle it to 'false' and the problem doesn't appear.

Re:Proof of concept

[obdulio]

Didn't crash my Opera session....

Aren't firefox users heading back to IE over this?

[Billly+Gates]

Telling them its insecure only encourages them to stick with IE. All the studies are showing this with clueless uers since Microsoft does not like to boast about holes in IE.

Wow, I thought only....

[TheNetAvenger]

Wow, I thought only MS products and Internet Explorer were capable of having bugs or exploits.

Were the people championing these other browser lying to me, or just ignorant in the fact that all software when given mass distribution will exhibit growing pains and exploits will be found no matter how good the programmers think they are.

Hm... (Ok, mark this as Flamebait - even though what I say is factually correct.)

Re:Proof of concept

[sprag]

Its not dashes that do it, but soft hyphens (0xad). There's a link in another thread which has the apropriate HTML, and it does hang Firefox 1.06 on Fedora 4.

Here's an xxd dump of the offending HTML:

0000000: 3c41 2048 5245 463d 6874 7470 733a adad <A HREF=https:..
0000010: adad adad adad adad adad adad adad adad ................
0000020: adad adad adad adad adad adad adad adad ................
0000030: adad adad adad adad adad 203e 0a .......... >.

Browser Bugs/Flaws? no way!

[jrallison]

Bugs and flaws are commonplace ... its a model which promotes a fast fix to these shortcomings that really makes a difference.

Re:Interesting...

[SamMichaels]

That is another proof (of known fact) that it is much easier to hack the open sourced then the proprietary application.

But the opposite is also true...it's a proof that it's much easier to debug open sourced applications.

Important note to all...

[Transcendent]

For those testing on their own, *please realize* that it is not simply a dash (0x2D), but the character 0xAD.

Does something weird on Firefox 1.0.3 on Linux

[Srdjant]

I entered the html in hex editor as from:

http://it.slashdot.org/comments.pl?sid=161697&cid= 13519728

and clicked on the link. The link pointed to:

https://xn--m1aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaa/

and firefox downloaded this:

http://www.srh.noaa.gov/abrfc/archive/1996/aug/rvm files/96083106_1_rvmshv

Re:Does something weird on Firefox 1.0.3 on Linux

[sabat]

Weird; firefox on my mac downloaded

http://smorye.apeha.ru/message1_pt_32627_page_18.f html

when I clicked on your aaaaaaaa link.

Re:Firefox is the fix for Internet Explorer proble

[RzUpAnmsCwrds]

Well, after five security updates that patch numerous security holes (22 since 2004), I'm not sure that Firefox is the solution. It's certainly more secure than IE, but is it secure *enough*? No, it isn't.

I deployed Firefox on the corporate network to improve security. Five updates later, I'm explaining to my manager that Firefox, just like IE, is full of security holes that need to be patched.

Unlike IE, Firefox can't be updated through Windows Update and it doesn't have a patch release cycle. That makes it harder to plan for and harder to deploy Firefox patches.

Having "fewer" vulnerabilities than IE isn't good enough - particularly when your patching system sucks. Open source can do better.

incorrect information

[asa]

The bug report is now open and you can see that he reported it to Mozilla on the afternoon of the 6th. There was quite a bit of activity from top Mozilla developers and then the reporter posted the exploit publicly on the 8th.

We've determined that disabling IDN is a safe workaround and are working on supplying a small download that will take care of that configuration for the user.

- A

Re:incorrect information

[dbaron]

I'd also note that Ferris's bug report (bug 307259) originally claimed that the vulnerability was a format string vulnerability, not a buffer overrun, and that the testcase he showed us was a huge testcase probably generated by a tool for generating mangled HTML (like MangleMe). What he published in his advisory wasn't analysis he gave to us when he reported the bug, but looks like it was copied from:

• the analysis that I did and posted in comment 2 on the bug (which was accessible to him, since he reported it), excluding the correction I made in comment 9 (when I realized the characters I was looking at were not dashes, but soft hyphens), and
• the testcase that Jesse Ruderman wrote and attached to the bug.

Re:Firefox is the fix for Internet Explorer proble

[cagle_.25]

OK, my first computation was wrong, also. Lol.

P(Vi) = Probability of being pwned by single vulnerability Vi = (chance of vulnerability being exploited)*(chance of user replicating vulnerability conditions).

Probability of being pwned by multiple vulnerabilities = 1 - PROD over all vulnerabilities(1 - P(Vi)).

Already fixed

[Giorgio+Maone]

The bug has been disclosed by Mozilla staff and a patch fixing the reported buffer overflow has already been applied to the CVS tree, so expect a public security update very soon. In the meanwhile, as a temporary work-around, you can fully protect your browser opening "about:config" and setting the network.enableIDN preference to false, see the full story here.

Re:Flaws

[typical]

I am sure some nop's and jmp statements could point it in the right direction ;).

The point that the person was trying to make (for which you rather unjustifiably called them a moron) is that you can't encode a nop or a jmp with just 0x78 bytes. That means that you can't push exploit code over into the browser to execute using this hole. That doesn't mean that it's impossible to cause a problem with this -- there is a very slim possibility that something crucial could be overwritten while keeping the program operational (for instance, suppose there is a bit somewhere nearby in memory that, if enabled, allows a remote website full script execution privileges, and a series of 0x78 bytes could overwrite that memory).

The chance of there being a away to finagle this into any kind of security exploit other than a DoS while visiting a specific website is very minimal, though. Maybe Thunderbird users could be hit by email that crashes their mail client, which would be somewhat more serious, as it would be a push DoS instead of a pull DoS.

I don't really worry about every browser flaw that comes out. I run "yum update" every couple of days, and maybe I'm vulnerable for a few days...but, hell, such is life, and I don't really want to waste lots of time worrying about some security bug -- hell, someone could just mug me for my wallet.