Slashdot Mirror


Mozilla Firefox 1.0.7 DoS Exploit

An anonymous reader writes "Whitedust Security are reporting on a new exploit for Firefox which apparently affects all versions of the browser from 1.0.7 down. From the article: 'If this exploit has made it out into, or indeed been retrieved from the wild is unknown at this time. However it is clear that this exploit will indeed need patching as soon as possible.'"

24 of 438 comments

  1. Nomenclature... by gowen · · Score: 5, Insightful

    How long has a webpage that makes a browser crash been called a "Denial Of Service Exploit"?

    A browser that can be crashed is a very bad thing, but suggesting this is some sort of "Denial Of Service" attack, is just semantics. It doesn't crash the box, and it doesn't flood/break the network. Every other service on your machine runs as normal. That's not a Denial Of Service by the usual definition of the term.

    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    1. Re:Nomenclature... by gowen · · Score: 5, Insightful
      If you did exactly the same thing to, say, apache or proftpd or mysql
      They're all servers.

      Servers <=> Service <=> Denial Of Service.

      See how that works?
      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    2. Re:Nomenclature... by MightyYar · · Score: 5, Insightful

      Wow... what a big ball of... nothing. All they did was find some html that crashes Firefox. Big deal! Have you seen Bugzilla lately? Should I just start randomly submitting bugs from Bugzilla, start calling them DOS exploits, and make the front page of Slashdot?

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  2. Not too big a deal by Dr.+Evil · · Score: 4, Insightful

    There isn't much incentive for malicious people to crash people's browsers.

    The wording from the security company has me thinking they're just trying to make a name for themselves.

    1. Re:Not too big a deal by stevey · · Score: 5, Insightful

      Not necessarily.

      I reported some DOS bugs against firefox which will kill a browser by essentially saying:

      • Give me a table of 1000000 rows and 1000000 columns.

      The browser dies. Probably because it attempts to either a) allocate all the system's memory and the kernel kills it, or b) at some point memory allocation fails and the program terminates.

      Not all crashes are buffer overflows, or exploitable.

  3. So... by LiquidCoooled · · Score: 5, Insightful

    This can freeze your browser.

    Where's the vulnerability? When does the spyware attack? Do I need to reinstall Windows?
    Should I buy a virus checker?

    Anyone stupid enough to host this "exploit" on their site is just dumb,
    "oooooh it makes your firefox freeze" BFD - stay away from dodgy parts of the net

    (goatse is a bigger "exploit" and generally leads to complete machine shutdown/restart as you attempt to hide it from your colleagues)

    --
    liqbase :: faster than paper
  4. OMG, this is bad! by ArsenneLupin · · Score: 4, Insightful
    Almost as bad (and scaringly simple) as the <form><input type crash></form> sploit for Internet Exploder.

    I guess I'll just stick with Konqueror.

  5. Re:Blame the hacker culture (-1, opposes groupthin by Cerv · · Score: 2, Insightful
    Linux is *not* user friendly, and until it is linux will stay with >1% marketshare.

    I think you meant "less than," rather than "greater than".

    --
    sig
  6. Comment removed by account_deleted · · Score: 2, Insightful

    Comment removed based on user account deletion

  7. yeah, WTF? by subtropolis · · Score: 5, Insightful
    There's this exploit, see. Click here to try it. Go on, it's ok...

    I think the poll at the top of the page should ask, "Do you trust WhiteDust security?"

    Oh, wait - that's what the 'Test the exploit' link is for.

    --
    "Our interests are to see if we can't scale it up to something more exciting," he said.
  8. Re:How come... by smooth+wombat · · Score: 2, Insightful

    The difference between FF having an issue and IE having an issue is that when FF has an issue it only affects the browser itself. When IE has an issue it can cause issues with your entire operating system because the browser (an application) has been retro-welded into the OS.

    Also, FF is being developed by people who aren't getting paid (well, most aren't) for their service compared to Microsoft, a multi-billion dollar corporation which has had 10 years to try and get the bugs out of their product.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  9. Re:How come there are so many nice hackers? by FirienFirien · · Score: 5, Insightful

    Why are there so many nice hackers in the world? Because some people believe in things like morals and society? Because not everyone is corrupt? Apart from anything else there's always the chance that if someone is a 'nice' hacker then they can act as a model for others, and will get a little return on their investment of time by coming across a warning next time instead of a Yes/Okay dialog against them.

    People who don't want their friends/family affected, people who actually care about the world they live in. I'm surprised that you seem to believe that everyone would be malicious if they could.

    --
    Browsing with +2 to insightful posts and a higher threshold makes the average post seen seem a lot more ingenious
  10. crasher bug != news by CNeb96 · · Score: 5, Insightful

    This crasher bug has no effect on my post 1.5 beta 2 version of firefox on Linux. Gecko/20051017. A new crasher bug is also not news. There are hundreds of ways to crash mozilla. Let's face it, most browsers aren't at a state to jump every time there is a new bug to crash or "DOS Them" as the article states. Just another security site trying to make themselves look good at a product's expense. How much money does it cause companies like the Mozilla Organization to release a new version of their browser, just to put an end to the bad press of a so called "exploit"?

  11. Re:How come... by courtarro · · Score: 2, Insightful
    Also, FF is being developed by people who aren't getting paid (well, most aren't) for their service compared to Microsoft, a multi-billion dollar corporation which has had 10 years to try and get the bugs out of their product.

    We cannot use this as an excuse in the open-source community; it's very dangerous. When you are trying to convince the general population that FF is superior to IE and can be successful in an enterprise environment, which is generally the goal, you can't consider the two to be on equal footing in performance and features and then shoot it down by relegating it to a niche position. Though we realize the FF devs are volunteering a lot of time, we want to convince others that it doesn't matter, or in fact, it improves their ability to solve problems.

  12. how's this possible by Douglas+Simmons · · Score: 5, Insightful
    Unless somehow this is truly "in the wild" sasser style, which I highly doubt, I'm more inclined to piss and moan for a fix for all these firefox process running away and ram leaking like ... the levees. But I guess that's just not as sexy a thing to get everyone all freaked out over. Or maybe I'm the only one opening up over a hundred tabs on my pr0n hunts.

    And let's suppose it is in the wild and to get infected I don't have to go to some Russian site selling stolen credit cards. Can anyone see how that could be possible? You'd have to go to a site knowingly and maliciously designed to exploit this, right?

  13. The operative word is "attack". by khasim · · Score: 4, Insightful

    Since you have to go to a specific web page, with a specific browser ... and the only thing that will happen is that your browser will crash ... is "attack" the correct term for this kind of behaviour?

    If you crash your car into a tree, did that tree "attack" you?

    If you crash your car when driving over ice, did that ice "attack" you?

    If you drive your car off a bridge and into a lake, did that lake "attack" you?

    Since you cannot use your car immediately after a crash, are trees considered a DoS exploit?

  14. Fix by Mongoose · · Score: 2, Insightful

    Install better plugins for flash/pdf/etc or just remove the bad plugins. You get the same effect in windows if you're a moron and install the old adobe 5.0 plugin that hangs. When the plugin hangs or uses a lot of cpu it affects the browser.

    If you didn't know this I guess the joke is on you. Welcome to Russia.

  15. Re:How come... by sicking · · Score: 2, Insightful

    Also, FF is being developed by people who aren't getting paid (well, most aren't) for their service compared to Microsoft, a multi-billion dollar corporation which has had 10 years to try and get the bugs out of their product.

    That does not matter in the least. As a user deciding which software to use I don't care how it was developed in the least. What I care about is what I get for my money. FOSS software has no more of an excuse for bugs and exploits than proprietary.

    And I say that as one of the mentioned developers who have worked on mozilla for years, most of which unpaid.

    That said, this advisory doesn't mean anything. Sure, it's bad that a website can crash your browser, but that has always been the case with any browser released. But it's not nearly as bad as exploits that allow sites to steal your data or hack into your system, which this so far does not claim to be.

    And no matter what, what happened to responsible reporting? Releasing exploits in the wild without giving the developers a chance to develop a patch first is just plain stupid and shows a complete lack of professionalism.

    --
    Failing to learn from history dooms you to repeat it.
  16. Security Bug by digitalgimpus · · Score: 4, Insightful

    Ok, this isn't really a security bug. It's a crasher. If this is a security bug, so is this one (you'll likely need to cp/paste into new window to open) that I discovered a few years ago.

    IMHO "security" bugs are for ones that have an impact on "security". If it doesn't fit that criteria, it's not a security issue.

    A JS permissions exploit would be a security bug. So would the IDN issues, and buffer overflows...

    but a crasher? I think that's pushing the benchmark. It's not really a DoS... it's a crash/hang.

    It would be a security issue if say, it caused 911 to become unavailable, or killed US Radar systems... but not for crashing a web browser.

    I think people have been pushing for a while in hopes of getting new security bugs. And that's all products, not just Moz. There are legitimate security bugs, but I don't think this qualifies. IMHO you need to be able to do something that violates security to be a security issue.

  17. Um, DOS is not that serious by bcmm · · Score: 2, Insightful

    No remote execution or personal data being revealed, it just hangs the browser. It doesn't even seem to slow down the rest of the system, it just makes Firefox unresponsive. So?

    It's easy to do that to almost any browser. Loading a lot of really big images will crash Firefox when it runs out of memory, and has the side-effect of slowing the rest of the system (or probably crashing it if it's based on windows 9x).

    The "exploit's" entire HTML source reads like this:
    <html><body><strong>Mozilla<sourcetext></body></html>

    It's clearly a silly bug, but I feel that saying "it is clear that this exploit will indeed need patching as soon as possible" is excessive hype. This is not a security issue. This is part of the known problem that Firefox is not very tolerant of buggy code, which is a general serious issue that does need fixing.

    I wonder if this is a Gecko bug? An email version of this for Thunderbird would be very annoying.

    --
    # cat /dev/mem | strings | grep -i llama
    Damn, my RAM is full of llamas.
  18. Re:Run this through the /. filter... by freeweed · · Score: 2, Insightful

    1. A bug is found in Microsoft software that allows remote execution of code on your machine, without user intervention.
    2. Story is posted on Slashdot.
    3. People rightly comment on it.

    Show me the stories of bugs that simply crash IE. Really. I'm curious. Because there are literally hundreds of ways to crash IE with a malformed webpage. These don't make it as Slashdot stories. Pretty much the only vulnerabilities in MS software posted here are ones that allow an attacker to actually DO SOMETHING NASTY.

    Contrast this with OSS, where we post every single meaningless bug in a piece of software, even if it has hardly any practical effect.

    If anything, the double standard is that we're far more critical of OSS here than MS.

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  19. Re:FUD, Proof of concept by An+Onerous+Coward · · Score: 2, Insightful
    "Great example of more FUD for the fire (no pun intended)."
    Are you sure? This sentence seems to just scream, "Pun intended! Pun really really really intended!" I realize that puns are the red-headed stepchildren of the humor world, but if you're going to make them, at least stand up for them afterwards.
    --

    You want the truthiness? You can't handle the truthiness!

  20. I know DOS too! by blwrd · · Score: 2, Insightful

    Just create a large (~500Mb) file full of zeroes. gzip it, and place it on your webpage. Most browsers open .gz files in the browser, and loading something like 500Mb in the browser takes some time. May not crash the browser, but is definitely as DOS as the article's "exploit" :P
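
The consuming side of the resource-exhaustion cases raised in this thread (the oversized table and the highly compressible .gz file), as an added example that is not part of the original thread or of any browser's code: gzip content is inflated in small chunks and rejected once the output passes a fixed cap. The function name, exception name, cap value and sample inputs are assumptions constructed for illustration.

```python
import gzip
import zlib


class DecompressionLimitExceeded(Exception):
    """Decompressed output would exceed the configured cap."""


def bounded_gunzip(data: bytes, max_output: int = 1 << 20,
                   chunk: int = 64 * 1024) -> bytes:
    """Inflate one gzip member, never holding more than max_output + 1 bytes.

    Trailing bytes after the first member are ignored (hypothetical policy).
    """
    d = zlib.decompressobj(wbits=31)  # 31 = 16 (gzip container) + 15 (window)
    out = bytearray()
    buf = data
    while not d.eof:
        remaining = max_output - len(out)
        # Ask for at most one byte past the cap so an overrun is detectable
        # without ever inflating the whole stream. The limit is always >= 1,
        # because a max_length of 0 would mean "unlimited" to zlib.
        piece = d.decompress(buf, min(chunk, remaining + 1))
        if not piece and not d.unconsumed_tail:
            # No output and no input left, yet no end-of-stream marker.
            raise EOFError("truncated gzip stream")
        out += piece
        if len(out) > max_output:
            raise DecompressionLimitExceeded(
                f"output exceeds {max_output} bytes "
                f"from {len(data)} compressed bytes")
        buf = d.unconsumed_tail  # input zlib held back because of the limit
    return bytes(out)


if __name__ == "__main__":
    # Constructed samples: a small honest payload and 4 MiB of zero bytes.
    honest = gzip.compress(b"hello world\n" * 100)
    zeros = gzip.compress(b"\0" * (4 << 20))
    print(len(bounded_gunzip(honest)), "bytes accepted")
    try:
        bounded_gunzip(zeros)
    except DecompressionLimitExceeded as exc:
        print("rejected:", exc)
```
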

  21. Re:Brilliant header! by BorgCopyeditor · · Score: 2, Insightful

    This reminds me of a Zen koan: what is the output of diff on a single file?

    --
    Shop as usual. And avoid panic buying.