Slashdot Mirror


Mozilla Firefox 1.0.7 DoS Exploit

An anonymous reader writes "Whitedust Security are reporting on a new exploit for Firefox which apparently affects all versions of the browser from 1.0.7 down. From the article: "If this exploit has made it out into, or indeed been retrieved from the wild is unknown at this time. However it is clear that this exploit will indeed need patching as soon as possible.""

36 of 438 comments

  1. totally off guard by Tufriast · · Score: 5, Informative

    I checked out the Mozilla site -- not a peep about it. I made a post there. I figure this one totally right hooked them. It's a pretty massive crash. Just makes the whole browser lock up. At least I know they'll fix it fast though...I think in 24 hours we'll see a turnaround. Anyone try this with version 1.5?

    --
    Help me, help you. - Jerry McGuire
    1. Re:totally off guard by tbspit · · Score: 5, Informative

      Version 1.5 is not affected.

    2. Re:totally off guard by Anonymous Coward · · Score: 1, Informative

      While I am sure the firefox team will have this fixed soon, it will not help the majority of people. The majority of users to my sites that use firefox are still 1.0.5 or below. Heck, I even see 1.0 in my stats. If users aren't updating then mozilla security is failing. Yes, you can all argue it is the user's responsibility, but let's face it, the majority of users are dumb. Updating needs to be made easier or firefox is doomed to be just another IE.

    3. Re:totally off guard by mrgavins · · Score: 5, Informative

      Maybe because it's already fixed? Maybe because it's hardly a security issue? This is bugzilla bug 210658, it was filed in 2003, and fixed for 1.5 15 months later.

      --
      Gavin Sharp
  2. Thunderbird also vulnerable by Big+Nothing · · Score: 4, Informative

    Mozilla Thunderbird 1.0.6 is also vulnerable.

    --
    SIG: TAKE OFF EVERY 'CAPTAIN'!!
  3. Re:Brilliant header! by Hey+Pope+Felcher+.+. · · Score: 5, Informative

    . . . RTFA,

    milw0rm.com have released proof of concept code for a denial of service exploit which apparently affects all versions of the Mozilla Foundation's popular Firefox browser from version 1.0.7 downward.

    Remember, on Slashdot always read the article, it is generally only a coincidence if the summary has any bearing on the actual linked text.

  4. Re:is this NOT an OLD version by pbranes · · Score: 2, Informative

    1.5 is beta, dude. 1.0.7 is the latest final release of firefox. 1.0.7 is like 1 month old.

  5. Tested the exploit by jurt1235 · · Score: 3, Informative

    And after I clicked on it, nothing happened, the browser just said: mozilla

    Apparently firefox 1.0.7 on linux is not affected. So not all versions of firefox are affected.
    Advisory: Install linux, then restart your browser and have fun.

    --

    My wife's sketchblog Blob[p]: Gastrono-me
    1. Re:Tested the exploit by Stevyn · · Score: 3, Informative

      I'm running firefox 1.0.7 on gentoo and it froze up. top showed 99% cpu usage just before I killed it. I also tried it on my ubuntu box with firefox 1.0.7 and it froze too. So it seems it's affecting firefox running on linux machines.

  6. Re:Nomenclature... by arkanes · · Score: 2, Informative

    A Denial of Service attack denies you access to a service. It doesn't have to crash your box, or take it off the network. Anything that will hang or crash or flood a service (applications are services) is a DoS. They've been called that since before kiddies found out about pingflooding.

  7. Exploit by Anonymous Coward · · Score: 5, Informative

    The exploit is:

    <html><body><strong>Mozilla<sourcetext></body></html>

    and it also makes Mozilla suite 1.7.12 hang.

    The sourcetext tag is used when a parser error occurs; the Mozilla DOMParser will accept any string and always returns a valid XML DOM object, but in the case that the string was malformed, it returns something like this:

    <parsererror xmlns="http://www.w3.org/1999/xhtml">XML Parsing Error: mismatched tag. Expected: </strong>. Location: file:///1253.html Line Number 3, Column 37:<sourcetext> (text here) </sourcetext></parsererror>

    which you may have seen formatted before in a nice red-on-yellow page.

    1. Re:Exploit by kavin · · Score: 2, Informative

      sounds like my bug (supposedly fixed in mozilla 1.8a4).

      i found and reported the browser specific elements "parsererror" and "sourcetext" in september 2004: see mozbug 210658.

      bugzilla.mozilla.org/show_bug.cgi?id=210658

      you can see the browser specific elements in a source diff:

      bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&file=nsHTMLTags.cpp&branch=&root=/cvsroot&subdir=mozilla/parser/htmlparser/src&command=DIFF_FRAMESET&rev1=1.46&rev2=1.47

      sadly, i don't believe this fix has been backported to firefox 1.0x.

      - p

      --
      ps. my previous /. report on same:
      http://it.slashdot.org/comments.pl?sid=68828&cid=6295508
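The DOMParser behaviour described in comment 7 above (it never throws on malformed input; it hands back a document carrying a parsererror element, and the namespace of that element differs between engines) is a check that any code consuming XML in the browser has to make explicitly, or it will accept attacker-controlled garbage as structure. What follows is an added example, not code from this thread, Whitedust or Mozilla. It probes the engine once to learn its parsererror namespace and then wraps parseFromString in a strict check. So that it runs outside a browser it includes a constructed stand-in parser modelling only Gecko's shape of error document; the stand-in, its error strings and the helper names are assumptions for this example. In a real page, pass new DOMParser() instead.

```javascript
// Added example, not code from the Slashdot thread, Whitedust or Mozilla.
// DOMParser.parseFromString() never throws on malformed XML. Gecko returns a
// document whose root is <parsererror xmlns="http://www.w3.org/1999/xhtml">;
// other engines put a <parsererror> element in their own namespace. Code that
// treats the returned Document as trusted structure therefore silently accepts
// attacker-controlled garbage. Probe the engine once, then check every result.

function detectParserErrorNamespace(parser) {
  // "<" is malformed in every engine; read back which namespace this engine
  // uses for its error element so the check below is not engine specific.
  const probe = parser.parseFromString("<", "application/xml");
  const err = probe.getElementsByTagName("parsererror")[0];
  return err ? err.namespaceURI : null;
}

function parseXmlStrict(text, parser) {
  const ns = detectParserErrorNamespace(parser);
  const doc = parser.parseFromString(text, "application/xml");
  const hits = ns === null ? [] : doc.getElementsByTagNameNS(ns, "parsererror");
  if (hits.length === 0) return { ok: true, doc, error: null };
  // Surface the engine's message instead of handing the error document back as data.
  return { ok: false, doc: null, error: hits[0].textContent.trim() };
}

// ---- Constructed stand-in so the example runs outside a browser ------------
// Models only the DOM surface the checks above touch, and only Gecko's shape of
// error document (error text modelled on the message quoted in the comment
// above, not copied from Mozilla). In a page, pass `new DOMParser()` instead.
const XHTML_NS = "http://www.w3.org/1999/xhtml";

class FakeNode {
  constructor(localName, namespaceURI, textContent) {
    this.localName = localName;
    this.namespaceURI = namespaceURI;
    this.textContent = textContent;
  }
}

class FakeDocument {
  constructor(root) { this.documentElement = root; }
  // The stand-in only ever holds a single element, so lookups are trivial.
  getElementsByTagName(name) {
    return this.documentElement.localName === name ? [this.documentElement] : [];
  }
  getElementsByTagNameNS(ns, name) {
    return this.getElementsByTagName(name).filter((n) => n.namespaceURI === ns);
  }
}

class FakeGeckoParser {
  parseFromString(text, _mimeType) {
    // Minimal well-formedness check: every end tag must match the most recently
    // opened element, and nothing may be left open at the end of input.
    const tagRe = /<(\/?)([A-Za-z][\w:.-]*)[^>]*?(\/?)>/g;
    const stack = [];
    let root = null;
    let error = null;
    for (let m; (m = tagRe.exec(text)) !== null; ) {
      const [, isClose, name, isSelfClose] = m;
      if (isClose) {
        const open = stack.pop();
        if (open !== name) {
          error = `XML Parsing Error: mismatched tag. Expected: </${open ?? name}>.`;
          break;
        }
      } else {
        root = root ?? name;
        if (!isSelfClose) stack.push(name);
      }
    }
    if (error === null && root === null) error = "XML Parsing Error: no root element found.";
    if (error === null && stack.length > 0) error = `XML Parsing Error: unclosed tag. Expected: </${stack.pop()}>.`;
    return error === null
      ? new FakeDocument(new FakeNode(root, null, ""))
      : new FakeDocument(new FakeNode("parsererror", XHTML_NS, error));
  }
}

// The trigger from the comment above, run through the strict wrapper.
const TRIGGER = "<html><body><strong>Mozilla<sourcetext></body></html>";
const parser = typeof DOMParser !== "undefined" ? new DOMParser() : new FakeGeckoParser();
console.log(parseXmlStrict(TRIGGER, parser));
```

The runtime probe matters because the namespace is the only reliable handle: a parsererror element can legitimately appear as ordinary content in a well-formed document, so matching on the tag name alone is both a false-positive and a bypass risk.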

  8. Re:Brilliant header! by ShadowFlyP · · Score: 2, Informative

    TFA actually says that it affects 1.0.7 and everything downward. Running 1.0.7 here myself and the test exploit worked: locked Firefox right up.

  9. PoC Code *is* in the wild by OverlordQ · · Score: 4, Informative

    Despite the article summary if you click through and read it you'd find that there is code out there.

    Danger Will Robinson test your firefox Danger Will Robinson

    --
    Your hair look like poop, Bob! - Wanker.
  10. Re:Brilliant header! by FidelCatsro · · Score: 3, Informative

    By fixing the article summary, I imagine.
    The patch seems to have been in the full article since conception, but apparently it hadn't passed down the line.
    These exploits are dangerous as many Slashdotters refuse to update their knowledge by reading the full article and not just the summary.

    --
    The only things certain in war are Propaganda and Death. You can never be sure which is which though
  11. But... by supersocialist · · Score: 2, Informative

    ...it shows an "update" icon, which updates when clicked. How much easier could it be without hijacking your system to do it for you?

    1. Re:But... by Pneuma+ROCKS · · Score: 3, Informative
      ...it shows an "update" icon, which updates when clicked. How much easier could it be without hijacking your system to do it for you?

      Although I agree that it's pretty trivial to update Firefox, some users don't notice the icon, or don't recognize what it does. If they RTFM or just hovered over it they would, but many don't. Another con is the fact that you have to download the full Firefox installer and run it all over again. That is not very friendly.

      Thankfully, the Mozilla folks have recognized this and have improved the update system significantly in the upcoming Firefox 1.5. The update system downloads a patch, not the full installer, and installs it in the background. Then it just notifies the user that the new version will be installed when he restarts the browser. That way even the average Joe can stay updated.

      --
      Favorite quote: "
  12. Who cares? by brunes69 · · Score: 5, Informative

    So clicking on a link can lock up the browser. So what?

    How is this any different from this, which effectively locks up *all* current browsers?

    <script>
    while(true){
    alert('Haha!');
    }
    </script>

    This is hardly important. I don't see any way this can crash my machine or infect me with a trojan.

    PS if you want a fix for the above vote for bug 61098 at bugzilla.

    1. Re:Who cares? by m50d · · Score: 2, Informative
      How is this any different from this, which effectively locks up *all* current browsers?

      It doesn't lock up links (which has a lovely "kill script" button on any javascript dialog) and I'm told opera will let you simply close the tab.

      --
      I am trolling
  13. Re:Brilliant header! by LnxAddct · · Score: 2, Informative

    Regardless, this exploit doesn't affect 1.5; it's in beta, but technically the exploit is already fixed... just needs to be back ported :)
    Regards,
    Steve

  14. Re:Not too big a deal by sqlrob · · Score: 4, Informative

    Look at the source. It's an unclosed tag, so it's likely an infinite loop.

  15. Secunia says "Not Critical" by Mini-Geek · · Score: 1, Informative

    Assuming the Secunia Advisory is referring to the same vulnerability linked to in the /. article, its Critical level is the lowest, Not Critical.

    --
    do {print "Mini-Geek Rules!\n";}
    until ($TheEndOfTheWorld);
  16. Re:Nomenclature... by m50d · · Score: 3, Informative
    A browser that can be crashed is a very bad thing, but suggesting this is some sort of "Denial Of Service" attack, is just semantics. It doesn't crash the box, and it doesn't flood/break the network. Every other service on your machine runs as normal. That's not a Denial Of Service by the usual definition of the term.

    Yes it is. If you did exactly the same thing to, say, apache or proftpd or mysql - don't crash the box, don't break the network, every other service runs normal - it would be a DoS. Calling this attack a DoS provides some very important information - it doesn't allow execution of arbitrary code, just locks up the browser. The only thing that's possibly unusual here is applying the term to a client rather than a server program, but a DoS is absolutely the correct term.

    --
    I am trolling
  17. Re:Not too big a deal by Mattwolf7 · · Score: 4, Informative

    I followed your "Kill Your Browser" link clicked on everything. And this is the same window that was supposed to be killed... I dunno but those must be Windows specific, I am running Gentoo with FF 1.0.7

  18. Re:Brilliant header! by Anonymous Coward · · Score: 1, Informative

    Parent, GP, GGP are not trolls. The summary was changed without note.

  19. Re:Not too big a deal by Kimos · · Score: 2, Informative

    No crashes for me either using 1.0.7 on MS Win at work. I'll check Ubuntu at home. The pages are mostly a bunch of garbage inserted into HTML tags. I assume it just strips it out as nonsense.

    Someone was saying that you could crash by calling a 1,000,000x1,000,000 table. There must be some safeguards in browsers to protect against that kind of thing aside from failed memory allocation from the OS, otherwise it would be simple to bring a system to its knees (not that it's really that hard already).

  20. Re:How come... by Politburo · · Score: 1, Informative

    This always gets modded up and is INCORRECT. IE has the same privileges as the user that ran it. The main problem is that ActiveX allows any code to be run on the machine at the user's privileges instead of a sandbox.

  21. Re:Brilliant header! by DrSkwid · · Score: 2, Informative

    Crashing can often be an indicator of a buffer overflow; it's just that the return address you crashed it with doesn't keep it running. Once an appropriate set of overflow values is deduced, that leads to an exploit.

    One of the approaches to finding buffer overflows in Closed Source software is to pump loads of data into the inputs until the app crashes, then work backwards by constructing a payload to see if one can get it to jump somewhere known.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  22. Re:Not too big a deal by Anthracks · · Score: 3, Informative

    None of them fazes 1.5 beta builds either as far as I can tell, at least on Windows 2000 here at work. No trouble at all loading any of those pages.

    --
    Rock over London, Rock on Chicago. Wheaties: Breakfast of Champions.
  23. Re:Brilliant header! by NickFitz · · Score: 2, Informative

    <pedantry>
    Well, strictly speaking, unless 1.5 has been explicitly modified with the intention of fixing this exploit, it's just that it doesn't work on 1.5. It's entirely possible that a change in 1.5 has prevented the exploit from working but, as it wasn't done as a fix, a further change in 1.5.n (or 1.n where n > 5) will allow the exploit to work again. In other words, there may be no fix to back port.
    </pedantry>

    --
    Using HTML in email is like putting sound effects on your phone calls. Just say <strong>no</strong>.
  24. Re:Not too big a deal by confuted · · Score: 2, Informative

    None of them affected Firefox version 1.0.7 on Windows XP with SP2 here at work - they didn't even do so much as slow it down. Do those pages actually crash anybody's browser?

  25. Re:Not too big a deal by Blkdeath · · Score: 3, Informative
    I followed your "Kill Your Browser" link clicked on everything. And this is the same window that was supposed to be killed... I dunno but those must be Windows specific, I am running Gentoo with FF 1.0.7

    If you follow the README URL, you'll notice that the bugs referenced were confirmed against 1.0.4 and older, but are all fixed in 1.0.7.

    Try to keep the suppositions about Windows bugs to yourself unless you have even some inkling of understanding of the situation. It makes us all look bad.

    --
    BD Phone Home!

    Shameless plug. Like you weren't expecting it.

  26. RTFA by einhverfr · · Score: 2, Informative

    Ok, you might be a troll, or flamebait, but it is worth a response...

    This discussion is not any different than it would be if it was about IE. There are always those saying "no big deal" about IE security flaws, and plenty of people screaming blood on this conversation. Maybe the balance is slightly altered because so many of us have been burned by IE though....

    Having said that.... This is no big deal. Even TFA says "This is not an advisory, just a comment" indicating that the authors don't think it is a big deal either.

    --

    LedgerSMB: Open source Accounting/ERP
  27. Re:The operative word is "attack". by SuperJason · · Score: 2, Informative

    If I set up a bear trap to get you, and you step into it, it is an attack. Same thing with laying landmines to stop advancing troops. I guess it's debatable, but I think it's an attack if it's a trap that you are unaware of, and that someone set up to "attack" you.

  28. Re:Nomenclature... by gowen · · Score: 5, Informative

    i) Web browsing isn't a server process, it's a client process.
    ii) You can kill the browser and go to another web page. Hell, you can just start another instance of the web browser. Which must take all of three nanoseconds.

    If you prevent login, or send a SYN flood that prevents http connections, you can't just restart the appropriate service. If you really can't see why causing a client to crash is different from preventing a server from functioning, I suggest you look in some elementary computer science textbooks.

    I don't have any more time to explain the basics to fools.

    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
  29. Whitedust and DoS by thetoastman · · Score: 3, Informative

    This hardly counts as a DoS attack in its traditional meaning. However it is an annoying bug. I am glad to read that it has been addressed in the latest beta.

    What follows is probably an ad hominem attack. Moderate accordingly.

    I decided to spend a little time on the Whitedust site. The site is advertised as "The Leading Independent Security News Portal".

    The site is run by a group of former crackers. Of course one has to wonder about their cracking, security, and business skills when:

    • They advertise their many connections within the underground hacker scene
    • They leave the administrative link to their PHP web site in the footer of every page
    • Their business writing would fail my mom's 7th grade remedial English class

    In short this web site has no redeeming value.