Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla Firefox 1.0.7 DoS Exploit

Posted by Hemos on from the to-be-confirmed-or-not-confirmed dept.

An anonymous reader writes "Whitedust Security are reporting on a new exploit for Firefox which apparently affects all versions of the browser from 1.0.7 down. From the article: "If this exploit has made it out into, or indeed been retrieved from the wild is unknown at this time. However it is clear that this exploit will indeed need patching as soon as possible.""

19 of 438 comments (clear)

  1. totally off guard by Tufriast · · Score: 5, Informative

    I checked out the Mozilla site -- not a peep about it. I made a post there. I figure this one totally right hooked them. It's a pretty massive crash. Just makes the whole browser lock up. At least I know they'll fix it fast though...I think in 24 hours we'll see a turn around. Anyone try this with version 1.5?

    --
    Help me, help you. - Jerry McGuire
    1. Re:totally off guard by tbspit · · Score: 5, Informative

      Version 1.5 is not affected.

    2. Re:totally off guard by mrgavins · · Score: 5, Informative

      Maybe because it's already fixed? Maybe because it's hardly a security issue? This is bugzilla bug 210658, it was filed in 2003, and fixed for 1.5 15 months later.

      --
      Gavin Sharp
  2. Thunderbird also vunerable by Big+Nothing · · Score: 4, Informative

    Mozilla Thunderbird 1.0.6 is also vunerable.

    --
    SIG: TAKE OFF EVERY 'CAPTAIN'!!
  3. Re:Brilliant header! by Hey+Pope+Felcher+.+. · · Score: 5, Informative

    . . . RTFA,

    milw0rm.com have released proof of concept code for a denial of service exploit which apparently affects all versions of the Mozilla Foundations popular Firefox browser from version 1.0.7 downward.

    Remember, on Slashdot always read the article, it is generally only a coincidence if the summary has any bearing on the actual linked text.

  4. Tested the exploit by jurt1235 · · Score: 3, Informative

    And after I clicked on it, nothing happened, the browser just said: mozilla

    Apparently firfox 1.0.7 on linux is not affected. So not all versions of firefox are affected.
    Advisory: Install linux, then restart your browser and have fun.

    --

    My wife's sketchblog Blob[p]: Gastrono-me
    1. Re:Tested the exploit by Stevyn · · Score: 3, Informative

      I'm running firefox 1.0.7 on gentoo and it froze up. top showed 99% cpu usage just before I killed it. I also tried it on my ubuntu box with firefox 1.0.7 and it froze too. So it seems it's affecting firefox running on linux machines

  5. Exploit by Anonymous Coward · · Score: 5, Informative

    The exploit is:

    <html><body><strong>Mozilla<sourcetext></body></ht ml>

    and it also makes Mozilla suite 1.7.12 hang.

    The sourcetext tag is used when a parser error occurs; the Mozilla DOMParser will accept any string and always returns a valid XML DOM object, but in the case that the string was malformed, it returns something like this:

    <parsererror xmlns="http://www.w3.org/1999/xhtml">XML Parsing Error: mismatched tag. Expected: </strong>. Location: file:///1253.html Line Number 3, Column 37:<sourcetext> (text here) </sourcetext></parsererror>

    which you may have seen formatted before in a nice red-on-yellow page.

  6. PoC Code *is* in the wild by OverlordQ · · Score: 4, Informative

    Despite the article summary if you click through and read it you'd find that there is code out there.

    Danger Will Robinson test your firefox Danger Will Robinson

    --
    Your hair look like poop, Bob! - Wanker.
  7. Re:Brilliant header! by FidelCatsro · · Score: 3, Informative

    By fixing the article summary I imagine .
    The patch seems to have been in the full article since conception , but apparently it hadn't passed down the line .
    these exploits are dangerous as many Slashdoters refuse to update their knowledge by reading the full article and not just the summary

    --
    The only things certain in war are Propaganda and Death. You can never be sure which is which though
  8. Who cares? by brunes69 · · Score: 5, Informative

    So clicking on a link can lock up the browser. So what?

    How is this any different from this, which effectively locks up *all* current browsers?

    <script>
    while(true){
    alert('Haha!');
    }
    <script>

    This is hardly important. I don't see any way this can crash my machine or infect me with a trojan.

    PS if you want a fix for the above vote for bug 61098] at bugzilla.

  9. Re:Not too big a deal by sqlrob · · Score: 4, Informative

    Look at the source. It's an unclosed tag, so it's likely an infinite loop.

  10. Re:Nomenclature... by m50d · · Score: 3, Informative
    A browser that can be crashed is a very bad thing, but suggesting this is some sort of "Denial Of Service" attack, is just semantics. It doesn't crash the box, and it doesn't flood/break the network. Every other service on your machine runs as normal. That's not a Denial Of Service by the usual definition of the term.

    Yes it is. If you did exactly the same thing to, say, apache or proftpd or mysql - don't crash the box, don't break the network, every other service runs normal - it would be a DoS. Calling this attack a DoS provides some very important information - it doesn't allow execution of arbitrary code, just locks up the browser. The only thing that's possibly unusual here is applying the term to a client rather than a server program, but a DoS is absolutely the correct term.

    --
    I am trolling
  11. Re:Not too big a deal by Mattwolf7 · · Score: 4, Informative

    I followed your "Kill Your Browser" link clicked on everything. And this is the same window that was supposed to be killed... I dunno but those must be Windows specific, I am running Gentoo with FF 1.0.7

  12. Re:But... by Pneuma+ROCKS · · Score: 3, Informative
    ...it shows an "update" icon, which updates when clicked. How much easier could it be without hijacking your system to do it for you?

    Although I agree that it's pretty trivial to update Firefox, some users don't notice the icon, or don't recognize what it does. If they RTFM or just hovered over it they would, but many don't. Another con is the fact that you have to download the full Firefox installer and run it all over again. That is not very friendly.

    Thankfully, the Mozilla folks have recognized this and have improved the update system significantly on the upcoming Firefox 1.5. The update system downloads a patch, not the full installer, and installs it on the background. Then it just notifies the user that the new version will be installed when he restarts the browser. That way even the average Joe can stay updated.

    --
    Favorite quote: &quot;
  13. Re:Not too big a deal by Anthracks · · Score: 3, Informative

    None of them fazes 1.5 beta builds either as far as I can tell, at least on Windows 2000 here at work. No trouble at all loading any of those pages.

    --
    Rock over London, Rock on Chicago. Wheaties: Breakfast of Champions.
  14. Re:Not too big a deal by Blkdeath · · Score: 3, Informative
    I followed your "Kill Your Browser" link clicked on everything. And this is the same window that was supposed to be killed... I dunno but those must be Windows specific, I am running Gentoo with FF 1.0.7

    If you follow the README URL, you'll notice that the bugs referenced were confirmed agianst 1.0.4 and older, but are all fixed in 1.0.7.

    Try to keep the suppositions about Windows bugs to yourself unless you have even some inkling of understanding of the situation. It makes us all look bad.

    --
    BD Phone Home!

    Shameless plug. Like you weren't expecting it.

  15. Re:Nomenclature... by gowen · · Score: 5, Informative

    i) Web browsing isn't a server process, it's a client process.
    ii) You can kill the browser and go to another web page. Hell, you can just start another instance of the web browser. Which must take all of three nanoseconds.

    If you prevent login, or send a SYN flood that prevents http connections, you can't just restart the appropriate service. If you really can't see why causing a client to crash is different from preventing a server from functioning, I suggest you look in some elementary computer science textbooks.

    I don't have time any more time to explain the basics to fools.

    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
  16. Whitedust and DoS by thetoastman · · Score: 3, Informative

    This hardly counts as a DoS attack in its traditional meaning. However it is an annoying bug. I am glad to read that it has been addressed in the latest beta.

    What follows is probably an ad hominem attack. Moderate accordingly.

    I decided to spend a little time on the Whitedust site. The site is advertised as "The Leading Independent Security News Portal".

    The site is run by a group of former crackers. Of course one has to wonder about their cracking, security, and business skills when:

    • They advertise their many connections within the underground hacker scene
    • They leave the administrative link to their PHP web site in the footer of every page
    • Their business writing would fail my mom's 7th grade remedial English class

    In short this web site has no redeeming value.