Slashdot Mirror


Unpatched Firefox Flaw May Expose Users

Corrado writes "CNET is reporting on a new Firefox flaw." From the article: "The problem lies in the way Firefox handles Web links that are overly long and contain dashes, security researcher Tom Ferris said in an interview via instant messaging late Thursday. He posted an advisory and a proof of concept to the Full Disclosure security mailing list and to his Security Protocols Web site...The public bug disclosure comes just as Mozilla released the first beta of Firefox 1.5. The final release of the next Firefox update, which includes security enhancements, is due by year's end, according to the Firefox road map."


  1. Expose users? by jdray · · Score: 4, Funny

    Did anyone else have a sudden concern that using Firefox would cause you to be "pants'ed"?

    --
    The Spoon
    Updated 6/28/2011
    1. Re:Expose users? by .sig · · Score: 5, Funny

      I'm counting on it, I'm passing out copies of firefox to all the women I know....

      --
      -Space for rent
    2. Re:Expose users? by iceborer · · Score: 5, Funny

      Since you're a /. member, I would have thought you'd installed Firefox for your mom and little sister already.

    3. Re:Expose users? by sootman · · Score: 5, Funny
      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  2. Tell all your friends! by CyricZ · · Score: 5, Insightful

    If you have gotten your non-techie friends to switch to Firefox, be sure to tell them about this problem and the possible fixes. Indeed, it is very important that Firefox be kept up to date on as many computers as possible, even if it means a short trip to install it for somebody. Nothing will hurt Firefox's reputation more than unpatched installations being exploited.

    --
    Cyric Zndovzny at your service.
    1. Re:Tell all your friends! by TargetBoy · · Score: 4, Interesting

      How about having the update checker stop working?

      I've seen several computers now where the red arrow icon is always displayed and the update wizard never successfully downloads anything.

      Reinstalling doesn't seem to help fix it.

    2. Re:Tell all your friends! by killproc · · Score: 5, Insightful


      "If you have gotten your non-techie friends to switch to Firefox, be sure to tell them about this problem and the possible fixes. Indeed, it is very important that Firefox be kept up to date on as many computers as possible"

      Not trying to troll here, but...

      Couldn't the same be said for IE or any other browser? If you have non-techie friends that could be vulnerable on any platform, wouldn't letting them know how to check for security updates be the right thing to do?

      Should you let them flounder and possibly become zombies for some nefarious spam network because they don't use your "preferred" browser?

      Personally, I use Mozilla at home because I like it much better, and encourage all my friends to do the same, but I'm not above recommending security updates to those who choose not to use Mozilla/Firefox.

      --
      When you die, on your deathbed, you will receive total consciousness. So I got that goin' for me, which is nice.
    3. Re:Tell all your friends! by AKAImBatman · · Score: 4, Insightful

      I was thinking the same thing. All browsers are vulnerable and all will need to be updated.

      The ridiculous part, though, is that software doesn't *have* to be vulnerable to buffer overflows! We've had languages for more than 20 years that are completely invulnerable to such a simplistic attack. Even C/C++ have large numbers of libraries available to make such overflows a thing of the past. Yet here we are in 2005 and the number one exploit across systems is still...

      (wait for it)

      Buffer overflows.

      Am I the only one who's getting just a smidge annoyed by this? No wonder we don't have any flying cars! We can't debug the darn things worth a damn! ;-)

  3. It should be noted by GweeDo · · Score: 4, Interesting

    That the posted exploit only causes Firefox to crash or stop responding (that is what it did to 1.5b1 on my Linux box). The person that found the exploit claims he has tweaked the code to actually run arbitrary code on the system, but I would like to see proof of this since as of right now we only have a hanging browser.

    1. Re:It should be noted by Anonymous Coward · · Score: 5, Interesting

      There is an actual testcase on the bug in bugzilla, and the bug is private because of that (it would be highly irresponsible to provide a working exploit to the world).

      <mao|zZz> mscmurf, dveditz: bug 307259 has been slashdotted - maybe it would be politically good to disclose the bug, at least to counteract this statement at the end of the advisory: "Mozilla was notified, and im guessing they are working on a patch. Who knows though?"
      <mcsmurf_> well, if there is a comment in it which should not be public
      <mcsmurf_> then the bug remains private ;)
      <dveditz> mao|zZz: the potential issue is that his advisory is incorrect, and I'd rather not release the real crashing testcase (though people might discover it soon enough)
      <CTho> mao|zZz: it was nice of them to wait til we shipped to make sure the world hears ;)
      <biesi> it was public before we shipped
      <mcsmurf_> one day?
      <dveditz> CTho: that was probably our fault, I should have pushed the fix in
      <mao|zZz> biesi: but the slashdot sequence is pretty suspect...
      <CTho> dveditz: i heard the patch on teh bug doesnt work
      <dveditz> It was nominated, but after the point where triage was being done -- needed to be more actively pushed
      <mao|zZz> looks like an easy move to eclipse the beta release wow effect, or worse make it a boomerang
      ***Toba wonders if the bug is patched yet
      <Toba> anyone got the bug link?
      <biesi> it's not publically visible
      <dveditz> Toba: it's still a private bug
      <biesi> (https://bugzilla.mozilla.org/show_bug.cgi?id=307259)
      <dveditz> see scrollback a few lines
      <Toba> dveditz: eh, I guess it would be nice to know
      <Toba> but oh well
      <biesi> dveditz, it was your comment that said the patch didn't work?
      <dveditz> we have *a* patch, we're not convinced it's the right patch
      <mao|zZz> dveditz: would you cc me?
      <Toba> I guess it's better if the world doesn't know how to exploit yet
      <mcsmurf_> dveditz: do you know why or if SeaMonkey is not vulnerable? it doesn't crash when using the exploit
      <dveditz> mcsmurf_: that's part of why I'm not opening the bug... the released testcase is not the testcase from the bug
      <mcsmurf_> ah-hah
      <dveditz> seamonkey is vulnerable, this is core networking stuff
      <mcsmurf_> :)
      <mcsmurf_> well i assumed so
      <mcsmurf_> but i only have the public testcase

    2. Re:It should be noted by Delphiki · · Score: 5, Funny
      So if person P is skeptical of claim C about entity E, then it logically follows that P thinks that E "can do no wrong"? That sounds like a fringe-whacko line of thought to me.

      You don't really want to get into the business of pointing out wackos on slashdot. It's easily a full time job and it doesn't pay.

      --

      Feel free to mod me "-1 - Angry Jerk".

  4. Patent infringement by confusion · · Score: 4, Funny

    I thought MS had a patent on unpatched browser flaws?!?!?

    Jerry
    http://www.cyvin.org/

    1. Re:Patent infringement by SonicBurst · · Score: 4, Insightful

      "The new patching system is awesome. Binary diffs, so no downloading huge files, it downloads in the background so it doesn't disturb you, and installs when you restart firefox. It's amazingly convenient."

      Yes, but would you have said the same thing if you had replaced the word firefox with the word windows in that sentence? I say that only because that's what WAU does these days, though I forget for how long it has been doing the binary diffs. I think that came along with the latest BITS update sometime in early summer this year, but can't be sure. Just FYI.

      --

      Geek used to be a four letter word. Now it's a six-figure one.
  5. exploits? by samjam · · Score: 4, Interesting

    The bug depended on the host name being all ---

    It will be hard to craft some exploit code using only the - character.

    It may DOS and cause instability; as for those "but, open source should be proof against this" nay-sayers, I'm pretty certain from the advisory that this could only be properly discovered because the source was available.

    hmmmm, maybe if you can trick users to click on bad links a few times it might cause heap corruption and crashing; maybe if you get them to download the right page a few times to pre-load the heap, and then a few ----- might cause the browser to execute from the heap.

    A look at the source will show the consequences of this and show what sort of pathway there is to arbitrary code execution. I guess it could be exploitable...

    Sam

  6. He sounds like a self-promoting twit by 93+Escort+Wagon · · Score: 4, Insightful

    I can see why some folks will publicize exploits if they feel the software maker isn't responding in a timely manner. But c'mon - he just reported this to the Mozilla folks on Sunday!

    --
    #DeleteChrome
    1. Re:He sounds like a self-promoting twit by tdvaughan · · Score: 4, Insightful

      Responsible vulnerability reporting doesn't necessarily mean telling everyone possible (including proof-of-concept exploit code) as soon as you discover a vulnerability. Some people allow the vendor/maintainer 30 days to make an appropriate response (e.g. investigating the vulnerability and making a commitment to fixing it) and a further 30 days on top of that to provide a fix before going public. Regardless of how long you think a vendor should be given, though, going public immediately makes me wonder if his priorities are personal gain rather than trying to improve the software's security.

  7. Re:Flaws by Anonymous Coward · · Score: 4, Insightful

    Oh please, how is a heap overflow of 0x78787878787878... going to be exploitable. This looks like just a regular crash, if these turn you on just watch bugzilla for a few days, they turn up all the time.

    A browser is a complex piece of software, of course there are going to be subtle bugs that turn up now and then. Nobody is perfect, and visualizing every possible execution path through a billion SLOC application is impossible. Please stop making a fuss about "OMG BROWSER DoS!!".

  8. Re:Well, just another bug by ikkonoishi · · Score: 4, Interesting
    Yeah because in IE you can't write a greasemonkey script that fixes it.
    // Inspect the raw attribute rather than the normalized .href so the
    // soft hyphens (U+00AD) the thread identifies survive the check.
    var links = document.getElementsByTagName("a");
    for (var i = 0; i < links.length; i++) {
      var raw = links[i].getAttribute("href") || "";
      // Trigger is a long run of hyphens or soft hyphens in the URL.
      if (/[-\u00ad]{5,}/.test(raw)) {
        links[i].href = "";
        links[i].onclick = function () {
          alert("This link was trying to cause a buffer overflow. It has been appropriately punished. That bad ol' puddy link.");
          return false; // also cancel the navigation itself
        };
      }
    }
    The above was proof of concept and may not work, but I see no reason why it shouldn't
  9. Re:Well, just another bug by DaHat · · Score: 4, Informative

    No need to bring up just this bug, why not compare history for the last year on both IE6 and Firefox 1.x?

    According to Secunia, during 2005 IE6 has had 11 advisories while Firefox 1.x has had 18.

    Unfortunately I can't get the links to work properly (graphs come up blank), so take a look at the URL's yourself:

    IE6: http://secunia.com/graph/?type=adv&period=2005&prod=11
    Firefox 1.x: http://secunia.com/graph/?type=adv&period=2005&prod=4227

    (you will have to copy and paste these URL's to make them work it seems)

  10. possible bugzilla bugs by molo · · Score: 4, Insightful

    Between 2005-09-03 and 2005-09-06, there were several bugs reported to Mozilla that are now marked hidden. Expect one of them to become visible now that this is announced. (note: bugzilla blocks slashdot referer, so cut&paste is needed, watch out for the extra space)

    https://bugzilla.mozilla.org/show_bug.cgi?id=306939
    https://bugzilla.mozilla.org/show_bug.cgi?id=306940
    https://bugzilla.mozilla.org/show_bug.cgi?id=307031
    https://bugzilla.mozilla.org/show_bug.cgi?id=307040
    https://bugzilla.mozilla.org/show_bug.cgi?id=307084
    https://bugzilla.mozilla.org/show_bug.cgi?id=307087

    BTW, why is it necessary that so many bug reports be hidden? They can't all be valid security bugs, can they? Besides, full disclosure and an open development model go hand-in-hand.

    -molo

    --
    Using your sig line to advertise for friends is lame.
  11. Re:Well, just another bug by footissimo · · Score: 4, Insightful

    What about how 'critical' the bugs are rated or how long it takes for each to be fixed? Are the problems with ActiveX included?

  12. MS vs Firefox is irrelevant by mccalli · · Score: 4, Insightful
    I'm reading a depressingly large number of predictable off-pat responses - "So? IE is far worse. Microsoft sucks!".

    Honestly, who cares? Why does this have to be compared to a Microsoft response? Why can't this just be viewed as an event in its own right and not constantly looked at as some insult which might be handing Microsoft an edge?

    Objectively, if I use Firefox I have no interest in how Microsoft might have responded to a similar situation. I am purely interested in the Mozilla response (which I'm explicitly not passing judgement on in this post). Can people give it a rest with the constant defensiveness against Microsoft?

    Cheers,
    Ian

  13. For all those that can't reproduce by revelation0 · · Score: 5, Informative

    Take 2 seconds to check out his proof of concept:

    http://www.security-protocols.com/firefox-death.html

    WARNING: Clicking the above link will crash firefox. It will do nothing else. The hyphens are not normal minus hyphens (the - symbol on your american keyboard will translate to 0x2d) but soft hyphens (0xad).

    1. Re:For all those that can't reproduce by MrMr · · Score: 4, Informative

      Yep, lethal if network.enableIDN is true,
      no problem if set to false in about:config

  14. Aren't firefox users heading back to IE over this? by Billly+Gates · · Score: 4, Insightful

    Telling them it's insecure only encourages them to stick with IE. All the studies are showing this with clueless users since Microsoft does not like to boast about holes in IE.

  15. Re:Proof of concept by sprag · · Score: 4, Informative
    It's not dashes that do it, but soft hyphens (0xad). There's a link in another thread which has the appropriate HTML, and it does hang Firefox 1.06 on Fedora 4.

    Here's an xxd dump of the offending HTML:

    0000000: 3c41 2048 5245 463d 6874 7470 733a adad <A HREF=https:..
    0000010: adad adad adad adad adad adad adad adad ................
    0000020: adad adad adad adad adad adad adad adad ................
    0000030: adad adad adad adad adad 203e 0a .......... >.
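An added example, not code from any of the comments above, that ties together the soft-hyphen point made in comments 13 and 15 and the link-neutralizing idea of comment 8: it decodes the xxd dump posted above and scans markup for anchors whose href carries U+00AD (byte 0xad) rather than the ASCII hyphen 0x2d. It assumes the bytes decode as Latin-1, so 0xad maps to U+00AD.

```javascript
// Added example (not from the thread). Flag anchors whose href contains
// soft hyphens, the character the comments identify as the real trigger.
const SOFT_HYPHEN = "\u00ad";

// Parse an xxd-style dump ("offset: hex groups  ascii") into a byte array.
function parseXxd(dump) {
  const bytes = [];
  for (const line of dump.split("\n")) {
    const colon = line.indexOf(":");
    if (colon < 0) continue;
    for (const tok of line.slice(colon + 1).trim().split(/\s+/)) {
      if (!/^[0-9a-f]{2,4}$/i.test(tok)) break; // reached the ascii column
      for (let i = 0; i < tok.length; i += 2) {
        bytes.push(parseInt(tok.slice(i, i + 2), 16));
      }
    }
  }
  return bytes;
}

// Assumption: decode as Latin-1, so byte 0xad becomes U+00AD.
const latin1 = (bytes) => String.fromCharCode(...bytes);

// Number of soft hyphens in an href string.
function softHyphenCount(href) {
  return href.split(SOFT_HYPHEN).length - 1;
}

// Every href in the markup carrying at least `min` soft hyphens.
// Handles double-quoted, single-quoted and bare attribute values.
function findSoftHyphenLinks(html, min = 1) {
  const re = /<a\b[^>]*?\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const hits = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const href = m[1] ?? m[2] ?? m[3];
    if (softHyphenCount(href) >= min) hits.push(href);
  }
  return hits;
}

// Constructed sample: the xxd dump quoted in the comment above.
const DUMP = [
  "0000000: 3c41 2048 5245 463d 6874 7470 733a adad <A HREF=https:..",
  "0000010: adad adad adad adad adad adad adad adad ................",
  "0000020: adad adad adad adad adad adad adad adad ................",
  "0000030: adad adad adad adad adad 203e 0a .......... >.",
].join("\n");
const POC_HTML = latin1(parseXxd(DUMP));
const PAGE = '<a href="https://example.com/">ok</a>\n' + POC_HTML;
console.log(findSoftHyphenLinks(PAGE).map(softHyphenCount)); // [ 44 ]
```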
  16. Re:Firefox is the fix for Internet Explorer proble by RzUpAnmsCwrds · · Score: 4, Insightful

    Well, after five security updates that patch numerous security holes (22 since 2004), I'm not sure that Firefox is the solution. It's certainly more secure than IE, but is it secure *enough*? No, it isn't.

    I deployed Firefox on the corporate network to improve security. Five updates later, I'm explaining to my manager that Firefox, just like IE, is full of security holes that need to be patched.

    Unlike IE, Firefox can't be updated through Windows Update and it doesn't have a patch release cycle. That makes it harder to plan for and harder to deploy Firefox patches.

    Having "fewer" vulnerabilities than IE isn't good enough - particularly when your patching system sucks. Open source can do better.