Mozilla Firefox 1.0.7 DoS Exploit

An anonymous reader writes "Whitedust Security are reporting on a new exploit for Firefox which apparently affects all versions of the browser from 1.0.7 down. From the article: "If this exploit has made it out into, or indeed been retrieved from the wild is unknown at this time. However it is clear that this exploit will indeed need patching as soon as possible.""

Brilliant header!

[brian0918]

A 1.0.7 exploit that only affects everything below 1.0.7!

Re:Brilliant header!

[rincebrain]

Yes - in that vein, how can you patch a bug that's already patched?

Re:Brilliant header!

[Hey+Pope+Felcher+.+.]

. . . RTFA,

milw0rm.com have released proof of concept code for a denial of service exploit which apparently affects all versions of the Mozilla Foundations popular Firefox browser from version 1.0.7 downward.

Remember, on Slashdot always read the article, it is generally only a coincidence if the summary has any bearing on the actual linked text.

Re:Brilliant header!

[ShadowFlyP]

TFA actually says that it affects 1.0.7 and everything downward. Running 1.0.7 here myself and the test exploit worked: locked Firefox right up.

Re:Brilliant header!

[FidelCatsro]

By fixing the article summary I imagine .
The patch seems to have been in the full article since conception , but apparently it hadn't passed down the line .
these exploits are dangerous as many Slashdoters refuse to update their knowledge by reading the full article and not just the summary

Re:Brilliant header!

[LnxAddct]

Regardless, this exploit doesn't effect 1.5, it's in beta but technically the explot is already fixed... just needs to be back ported:)
Regards,
Steve

Re:Brilliant header!

[thesnarky1]

RTFA then read your comment. Kinda stupid huh? If you read it, you'd know that "down" is inclusive, as in version 1.0.7 and everything below. Or, go check the source code, its in comments there as well... In fact, if you really read the summary, it doesn't say 'just below 1.0.7' but 1.0.7 down, so even IT implies it's inclusive. I boggle over people like you *boggle*

Re:Brilliant header!

[SteveAyre]

Yep. I'm running 1.5 and just tried it out... no effect.

Re:Brilliant header!

Parent , GP , GGP are not trolls . The summary was changed without note .

Re:Brilliant header!

[DrSkwid]

Crashing can often be an indicator of a buffer overflow, it's just that the return address you crashed it with doesn't keep it running. Once an appropriate set of overflow values is deduced that leads to an exploit.

One of the approaches to finding buffer overflows in Closed Source software is to do pump loads of data into the inputs until the app crashes, then work backwards by constructing a payload to see if one can get it to jump somewhere known.

Re:Brilliant header!

[NickFitz]

<pedantry>
Well, strictly speaking, unless 1.5 has been explicitly modified with the intention of fixing this exploit, it's just that it doesn't work on 1.5. It's entirely possible that a change in 1.5 has prevented the exploit from working but, as it wasn't done as a fix, a further change in 1.5.n (or 1.n where n > 5) will allow the exploit to work again. In other words, there may be no fix to back port.
</pedantry>

Re:Brilliant header!

[dolphinling]

This crash wasn't a buffer overflow, though, it was (according to the bug, I don't really know what it means) a stack overflow. And it wasn't exploitable.

The "pumping in loads of data" that you mention I assume is fuzz testing.

Re:Brilliant header!

[9-bits.tk]

Same here. It just shows the text "Mozilla" in bold.

Re:Brilliant header!

[BorgCopyeditor]

This reminds me of a Zen koan: what is the output of diff on a single file?

Re:Brilliant header!

[TFGeditor]

From TFA: "(For the dim this INCLUDES Firefox 1.0.7)."

Re:Brilliant header!

[kubevubin]

I've learned to expect nothing but such behavior on Slashdot. Any time I talk about how much I prefer Windows to Linux based solely on my opinion, I end up being modded down as a troll. Yet it's okay for those 1337_h4>
Still, I find it rather interesting that Linux users' solutions to making Linux more user-friendly to the mainstream user is to make it look and behave as much like Windows or Mac OS as possible. Even more interesting is the fact that trivial tasks such as resizing windows or editing menus are nowhere near as intuitive in Linux as they are in Windows.
But hey, I'm a Windows user, so I guess I don't know what I'm talking about. (For a period of about 3-4 months, I tried like Hell to switch to Linux, and it wasn't very intuitive at all.) I suppose I'll just wait around to get modded down to my usual troll status. *shrug*

Re:Brilliant header!

[kubevubin]

Gahéshould've used the preview button. That one sentence should've read as follows:
Yet it's okay for those 1337_h4x0r Linux users to claim that Windows hasn't improved at all since its initial release back in the day.
Also, I meant to state that I'd attempted to switch to Linux over the course of 3-4 weeks. Do note that I tried a wide variety of distros, including (but not limited to) Debian, Gentoo, Linspire, Slackware, Ubuntu, Vector Linux, and Xandros. It seems that I've taken for granted much of Windows' functionality, namely the extensive use of drag-and-drop (not very reliable in most Linux builds), as well as using Alt key combinations to insert special characters. And yes, that is a major concern for me.

Re:Brilliant header!

[triso]

This reminds me of a Zen koan: what is the output of diff on a single file?

It depends, grasshopper! Is it the first or second parameter to the almighty diff?

Re:Brilliant header!

[bemenaker]

From TFA " (For the dim this INCLUDES Firefox 1.0.7)"

totally off guard

[Tufriast]

I checked out the Mozilla site -- not a peep about it. I made a post there. I figure this one totally right hooked them. It's a pretty massive crash. Just makes the whole browser lock up. At least I know they'll fix it fast though...I think in 24 hours we'll see a turn around. Anyone try this with version 1.5?

Re:totally off guard

[tbspit]

Version 1.5 is not affected.

Re:totally off guard

while I am sure firefox team will have this fixed soon, it will not help the majority of people, The majority of users to my sites that use firefox are still 1.05 or below. heck I even see 1.0 in my stats, if users aren't updating then mozilla security is failing. yes you can all argue it is users responsibility, but lets face the majority of users are dumb. updating needs to be made easier or firefox is doomed to be just another ie.

Re:totally off guard

[TangoCharlie]

I'm using 1.5beta2, and when I clicked on the test called link it directed me to a page that said "Mozilla". Nothing bad happened. Either 1.5B2 is not vulnerable or the test doesn't expose the vulnerability.

Re:totally off guard

[jml75]

It does not affect 1.5 beta 2 in windows... Just tried it.

Re:totally off guard

[mrgavins]

Maybe because it's already fixed? Maybe because it's hardly a security issue? This is bugzilla bug 210658, it was filed in 2003, and fixed for 1.5 15 months later.

Re:totally off guard

[nmb3000]

Version 1.0.7 on XP sure is. Crashed and burned bad.

Don't worry about it guys. I sent Microsoft an Error Report so I'm sure they'll get right on the problem as well.

Re:totally off guard

[Jafar00]

Version 1.0.7 on XP sure is. Crashed and burned bad.

Did it take the OS with it? ;)

Re:totally off guard

[nmb3000]

Did it take the OS with it? ;)

Fortunately it didn't. Though I suppose if you set firefox.exe's priority to Realtime first...

Nah. This is one of those exercises I'm leaving to the reader :)

Re:totally off guard

[Jafar00]

I think "vulnerability" is too strong a word for this. "Slight annoyance" would be more appropriate since all it does is lock up the browser which can be killed and you move on.

Re:totally off guard

[triso]

I checked out the Mozilla site -- not a peep about it. I made a post there. I figure this one totally right hooked them. It's a pretty massive crash. Just makes the whole browser lock up. At least I know they'll fix it fast though...I think in 24 hours we'll see a turn around. Anyone try this with version 1.5?

No, but it affects an old copy of Mozilla 1.7 on Linux. However, this is not a critical error and it doesn't require immediate attention. Even Windows doesn't give up the ghost, so it is a minimal-concern problem and can be fixed in due time.

Thunderbird also vunerable

[Big+Nothing]

Mozilla Thunderbird 1.0.6 is also vunerable.

1.0.7 is affected

[wo1verin3]

>>Whitedust Security are reporting on a new exploit for Firefox which apparently affects all version of the >>browser below 1.0.7. From the article:

contrary to how the article makes it sound, 1.0.7 is indeed affected by this.

Re:1.0.7 is affected

[RandomPrecision]

Not sure about that. I tried to crash my 1.07 like this and failed. I just see big tables.

Re:1.0.7 is affected

[wo1verin3]

for the love of god, I quoted the original slashdot blurb

Whitedust Security are reporting on a new exploit for Firefox which apparently affects all version of the browser below 1.0.7

That is what was originally written in the summary, it was edited after I posted this so relax. I'm glad I quoted it....

How come there are so many nice hackers?

[jkind]

Why are there so many nice hackers in the world? Willing to spend their time finding exploits, post them, and even a "safe" example. Do they take pride in helping the surfing community? Why don't they just hijack the world's browsers and make us choose between "Yes" and "Okay" on their PayPal deposit sites?
Where are the evil hackers, or have they all converted, scared about stiff http://news.bbc.co.uk/1/hi/technology/4249780.stm penalties?

Re:How come there are so many nice hackers?

[Red_Foreman]

I think you're probably trolling, but:
Yes, we do take pride in our community coming together and developing a quality product free for everyone to use.

Plus, the Open Source Community is far more nimble when it comes to fixing bugs of this nature. Part of the reason is that you have more eyeballs looking at the code and two is that there's more code review and so there's less bugs and less severe bugs with most OSS projects.

Re:How come there are so many nice hackers?

[jkind]

Sorry, not trying to troll.. Just seems there is a lot more of this "proof of exploit" type code being posted these days then say back in 1996..
Thanks for the detailed reply! I would guess the naysayers would say OSS projects are leaving themselves open to hack-attempts by scores more developers, due to the open nature.. But I guess I can see how this is counterbalanced by the more code review you refer to..

Re:How come there are so many nice hackers?

[FirienFirien]

Why are there so many nice hackers in the world? Because some people believe in things like morals and society? Because not everyone is corrupt? Apart from anything else there's always the chance that if someone is a 'nice' hacker then they can act as a model for others, and will get a little return on their investment of time by coming across a warning next time instead of a Yes/Okay dialog against them.

People who don't want their friends/family affected, people who actually care about the world they live in. I'm surprised that you seem to believe that everyone would be malicious if they could.

Re:How come there are so many nice hackers?

[Iriel]

Honestly, the evil hackers got smarter. Not all of them mind you (most of the famed worming script-kiddies still get caught). But all those malevolent 'hackers' know that cracking the world's browsers is too easy to trace or not worth the effort to keep under the radar. You know all those "Prescriptlon RXc dirugs 4for l0w coest!" emails? That just came specially delivered to you courtesy of the former uber-hacker of unknowable enormity. They're even worse that telemarketers that scam the elderly, and they're hoping you're the next $50 bill in their offshore account.

Re:How come there are so many nice hackers?

[Mistshadow2k4]

Because these are hackers. The type who run exploits and get into other people's computers without permission are called crackers. Real hackers get pissed off when they're confused with crackers - you don't want to make that mistake if you're conversing with one.

Re:How come there are so many nice hackers?

[TooMuchEspressoGuy]

Maybe there's so few "evil" hackers because *gasp* most hackers aren't evil?

Seriously. Hacking is not inherently malicious. Most hackers do so as a hobby out of curiosity and/or fun, and some even out of a desire to help people! It's only the Hollywood and television-news conception of hackers that paints them as mostly "evil."

Re:How come there are so many nice hackers?

[SuperBanana]

Why are there so many nice hackers in the world? Willing to spend their time finding exploits, post them, and even a "safe" example. Do they take pride in helping the surfing community?

Maybe some, but I suspect it has more to do with ego, pride, and vanity; the same reason virus authors do it. Hackers, good and bad, love showing and/or proving to the world how smart they are.

I suspect a fair number of "white hats" also do it to try and get noticed, like high school athletes. Posting to a security mailing list with an impressive vulnerability discovery is like getting the touchdown with 5 seconds to go in front of the coach from that big college...

Re:How come there are so many nice hackers?

[LordSnooty]

Sorry, not trying to troll.. Just seems there is a lot more of this "proof of exploit" type code being posted these days then say back in 1996.

Perhaps today there are more coders actively looking at current software than there were in 1996. Indeed, there are probably more software apps around. In fact, make that "definitely". Maybe all these kinds of bugs were in the software from 96, but they weren't used as widely or heavily. If no-one finds it, is it a bug? If a tree falls and no-one is around, does it make a sound?

Re:How come there are so many nice hackers?

[skubeedooo]

Lets suppose there's 1 bad hacker to 100 good hackers. Now lets suppose that 1 motivated bad guy can hack 1000 users, whereas the good hacker sticks to proof-of-concept. Suddenly the number of bad hackers appears to outnumber the good by 10:1.

Re:How come there are so many nice hackers?

[skubeedooo]

And who's to say they (or you) have the authority to dictate how language is used?

Most people, quite reasonably, couldn't give a toss what a 'real hacker' thinks the word shoud mean - to them it conjures up a nice image of someone with a machete cutting through the internals of your software to get at what they want to - more power to them.

If you were a 'real hacker' and didn't want to be confused with a normal hacker then perhaps you should remove your head from your ass and call yourself something unambiguous.

Re:How come there are so many nice hackers?

[Mistshadow2k4]

You remove your head from your ass first. Why should anyone care what other people prefer to be called? It's called consideration. It's also called politeness. Concepts which are clearly beyond the scope of your intelligence. Or maybe it's just your nature to be an insulting little prick whenever you get the chance, but not everyone is like that.

I gave you no reason whatsoever to troll me, and if you talked to me like that in person you'd have less teeth, plus I'd break some other body part to drive the point home. I didn't say a single impoilte word in my post, let alone a damn thing to you personally. Maybe you've been hacked? Here's a clue: stop being such an insulting little shit to people for no reason and that might not happen so often. Even the internet's anonymity can only protect you from so much of your own stupidity - because it's not really anonymous at all. And even the nicest hackers who are attacked by a petty little troll like you might be prone to thinking you need a lesson.

And no, I'm neither a hacker nor a cracker, so I'm not a threat to you. But no worry; you're obviously capable of pissing off the wrong people all on your own.

Re:How come there are so many nice hackers?

[FirienFirien]

Technically not - unless his programs replicate in a way that makes each one look different. Even when however many millions of computers were affected by {recent virus of your choice}, it was still only one virus author, not millions. Granted a virus can have a handful of collaborating authors; granted the malicious ones get through to the public eye more often. It's the perception of those numbers - the hacking the public sees - that has changed the meaning of hacking from 'editing things that you didn't write' to 'being malicious with software'. Check out the Jargon File for stories about this, and the open letter in one of the appendices that eventually failed to stop the change of meaning of the word.

Very vague

[fa_pa]

OMG there is an exploit for firefox but we don't know anything about it but it might be dangerous. i need to switch back to IE maybe...

Re:Very vague

[Agret]

Dangerous? It's a DoS exploit. It causes your browser to lock up. Nothing to see here, move along.

Re:Very vague

[TheSpoom]

Is that what it does? When I went to the demo page, all I saw was a bolded Mozilla. I looked at the source and it appears to have something to do with <sourcetext> but it didn't do anything to my browser. I was disappointed; now I have no excuse to goof off while I'm supposed to be working :^(

Re:Very vague

[Mistshadow2k4]

A good hosts file can fix that, no matter what browser or OS you're running.

(I'm in the mood to be helpful today instead of giving my usual serving of sarcastic remarks. God knows why.)

Re:Very vague

[goldspider]

Are you suggesting that vulnerabilities in Firefox and other popular OSS software aren't newsworthy? Or are you saying that such news should be actively supressed for the sake of the 'movement'?

Nomenclature...

[gowen]

How long has a webpage that makes a browser crash been called a "Denial Of Service Exploit".

A browser that can be crashed is a very bad thing, but suggesting this is some sort of "Denial Of Service" attack, is just semantics. It doesn't crash the box, and it doesn't flood/break the network. Every other service on your machine runs as normal. That's not a Denial Of Service by the usual definition of the term.

Re:Nomenclature...

[arkanes]

A Denial of Service attack denies you access to a service. It doesn't have to crash your box, or take it off the network. Anything that will hang or crash or flood a service (applications are services) is a DOS. They've been called that since before kiddies found out about pingflooding.

Re:Nomenclature...

[NickFortune]

How long has a webpage that makes a browser crash been called a "Denial Of Service Exploit".

Oddly enough, about the same length of time as has passed since Microsoft realised their stranglehold on web browsers was slipping.

One day Redmond reformed the IE development team to try and stem the tide. The next, stories like this one started cropping up with penny-ante firefox exploits being made into front page news. Just as though crushing your browser was comparable in scale to rooting your network...

Purely co-incidental, of course...

Re:Nomenclature...

[gowen]

Most sources I can find seem to disagree with you.

Re:Nomenclature...

[m50d]

A browser that can be crashed is a very bad thing, but suggesting this is some sort of "Denial Of Service" attack, is just semantics. It doesn't crash the box, and it doesn't flood/break the network. Every other service on your machine runs as normal. That's not a Denial Of Service by the usual definition of the term.

Yes it is. If you did exactly the same thing to, say, apache or proftpd or mysql - don't crash the box, don't break the network, every other service runs normal - it would be a DoS. Calling this attack a DoS provides some very important information - it doesn't allow execution of arbitrary code, just locks up the browser. The only thing that's possibly unusual here is applying the term to a client rather than a server program, but a DoS is absolutely the correct term.

Re:Nomenclature...

[Pieroxy]

From your wikipedia article:
"A denial-of-service attack (also, DoS attack) is an attack on a computer system or network that causes a loss of service to users"

Well, this seems to be an attack that cause a loss of the Firefox service to the user using it. Anything else?

Re:Nomenclature...

[Kawahee]

You've already said it's semantics, anything that "denies" me access to my "services" is :. a Denial of Service. Thankfully I've got the IE7 Beta, and I don't think too many MSDN subscribers are rushing out to exploit it.

Re:Nomenclature...

[marcosdumay]

The problem is that "Firefox" isn't a service. You can't have a Denial of Service acting on a client.

Re:Nomenclature...

[gowen]

If you did exactly the same thing to, say, apache or proftpd or mysql

They're all servers.

Servers <=> Service <=> Denial Of Service.

See how that works?

Re:Nomenclature...

[Secrity]

Apache, proftpd, and mysql are SERVERS and sending packets that kills server processes is properly called a DOS. Firefox is a CLIENT, sending data in response to a client request that causes the client to lock up is not a DOS.

Re:Nomenclature...

[MightyYar]

Wow... what a big ball of... nothing. All they did was find some html that crashes Firefox. Big deal! Have you seen Bugzilla lately? Should I just start randomly submitting bugs from Bugzilla, start calling them DOS exploits, and make the front page of Slashdot?

Re:Nomenclature...

[southpolesammy]

This is a targetted DoS as it denies Firefox the ability to function. We're just conditioned to a DoS being a major outage type of event where all communication to or from a system on a network is blocked, while this specifically affects a single application's ability to communicate (so far).

Re:Nomenclature...

[Pieroxy]

Did you read my previous post? Where does it say that anything has to be a service? It says that it deprives the users of a service. And it is a service that Firefox does every time I click somewhere, every time it renders a page, etc...

Re:Nomenclature...

[horza]

A Denial of Service attack denies you access to a service. It doesn't have to crash your box, or take it off the network. Anything that will hang or crash or flood a service (applications are services) is a DoS.

I personally would disagree, though I am open to a reasoned argument. Applications are not services. Applications may be clients, they may be servers, or they may contain both clients and servers. I would posit that a server provides services. For instance if someone froze my instance of Skype then I would call this a DoS as this renders the service of answering Skype calls inoperable. Web browsing does not, imho, count as a service as it is a pure client.

They've been called that since before kiddies found out about pingflooding.

From what I understand, the pingflooding attacks the IRC server. This has trouble maintaining the stream over the virtual connection to the client which then times out. It does not attack the client directly. Or do I have this wrong?

Phillip.

Re:Nomenclature...

[AvitarX]

It does not deny you the service of having weaccess it denies yoiu one browser (sort of).

Time for a weak non-sensical car anology:

If you get in an accident while riding a cab, you can still use cab service.

Re:Nomenclature...

[baggins2002]

Oh, but I like this one.
Because the next time someone says that firefox has just as many exploits as IE and that we should just switch back to IE. I'll say " Oh, you mean like the one that crashes your browser if you go to a malicious site ". vs the browser that we were using that had 15% of IT working on adware, spyware and inherent system crashes.

Re:Nomenclature...

[aug24]

Brilliant... they have found a way of denying access to their own service.

Now if this could deny me access to, say news.bbc.co.uk I might see the point, but this is totally irrelevent.

Justin.

Re:Nomenclature...

[NitroWolf]

You've already said it's semantics, anything that "denies" me access to my "services" is :. a Denial of Service. Thankfully I've got the IE7 Beta, and I don't think too many MSDN subscribers are rushing out to exploit it.

No, probably not... just everyone else in the known world. But by god, you are safe from those nefarious MSDN subscribers!

Re:Nomenclature...

[arkanes]

Windows naming conventions aside, anything that perform operations on behalf of something else is often referred to as a service. In OS design classes, you will often hear people referring to memory management as an OS service, for example. The term is absolutely *not* limited to network daemons on the internet. Go back 10 or 15 years in computer science and the term "application" wasn't even that common - people referred to services instead.

Re:Nomenclature...

[arkanes]

Not one of those sources provides a definition that disagrees with me. In fact, they all agree with me, although the meat of the Wikipedia article focuses on network DOS attacks. Network DOSes, because of the media attention and the focus on Internet computing in the last few years, are the most familiar to people but common knowledge is not the limit of the technical usage of the term, which predates the Internet.

Re:Nomenclature...

[arkanes]

Also, pingflooding is simply a generic term for sending lots and lots of ping packets to saturate a network connection. It's effective to a greater or lesser degree against any networked entity, assuming the attacker has more bandwidth than the attacker. Modern DDOS zombie networks use more sophisticated versions, but even a simple ping -f can shut someone down if they have a small enough pipe (T1 vs a dialup user, for example).

Re:Nomenclature...

[m50d]

Servers <=> Service <=> Denial Of Service.

An attractive interpretation but not correct - simplest counterexample is that it's called a local DoS if you can crash a box with a local account.

Re:Nomenclature...

[Craster]

It's time to realise that the word "Service" in the phrase "Denial of Service" has nothing to do with services on a machine. Service is being used in the same context as it would if you were getting service in a restaurant.

Re:Nomenclature...

[Pieroxy]

I love these analogies:

The biggest service of all is life. You can be denied the service 'right leg' but you still have the service life. So if you are in a cab accident, you can still use the cab service, true, but this does not mean you haven't been deprived of another service: An available cab !!!

These analogies are really stupid, but I still love them!!! :D

But to get back to the point: You can be denied the service of your Firefox instance, which is somewhat painful if you had 16 tabs opened doing stuff (uploading files, etc...)

So there is still a denial of service, even if it is only for one instance of FF.

Re:Nomenclature...

[gowen]

login is a service.

Re:Nomenclature...

[AvitarX]

FWIW the anology was just a joke, they are worthless.

Also I felt it weakened my point, not strengthen it, but again, joke.

I still think service has a more specific term in compyter use, so calling it a DoS is, at least, a little contrived IMHO.

Re:Nomenclature...

[gowen]

technical usage of the term, which predates the Internet.

Find me a usage of the term that predates the internet but doesn't block login. Fork bombs are a non-network DoS (because no one else can login or run programs). A crashed application using 99% CPU is not a DoS.

Re:Nomenclature...

[m50d]

No, anything that stops (or denies) the service (the user being able to see the webpage) is a DoS

Re:Nomenclature...

[malsdavis]

Surely though the term "Denial of Service" indicates prolonged or sustained denial of a service. Even when counting websites as services then (unless I'm wrong in which case please correct me) the maximum "damage" caused by this exploit (unless it originates from an important website) is that if you do have an important website open (say in another tab or window) while you visit the malicious website, then you will have to reopen the browser and reload that important website.

A minor inconvenience yes, but not really much of a prolonged denial of a service.

Re:Nomenclature...

[LDoggg_]

A Denial of Service attack denies you access to a service.

That's a pretty broad statement. So almost anything could be a DoS attack?
How about having the server hacked and pieces of code replaced? With the service no longer working correctly is it a DoS?
How about donwloading a bad executeable that messes with Internet Explorer. The browser can no longer connect to the service. That a DoS attack?
How about when your neighbor finally secures his wireless access point and cuts you off from slashdot? DoS?

To be honest, I don't recall the "Denial of Service" being in the news until people started scripting requests to websites, particularly dynamic database-driven ones. Seems really strange to call a browser crashing on funky HTML a Denial of Service attack.

Re:Nomenclature...

[Pieroxy]

I was joking too, but it's still a good analogy. Depriving you of an instance of Firefox is still denying you an access to a service. And yes, 'service' has to be use in the common sense of the word, not in the sense 'daemon'.

Re:Nomenclature...

[Pieroxy]

You just can't grasp the concept that an instance of Firefox may have some value, that it may be providing a service of its own (as opposed to the Firefox install)? Then I can't explain it to you.

Re:Nomenclature...

[Mike+McTernan]

Exactly what I thought.

Re:Nomenclature...

[m50d]

Yes, but it isn't login that you crash, any more than you're crashing (for example) firefox. The exploit can be against any program (a recent one I read was IIRC a kernel flaw that could be exploited using vim)

Re:Nomenclature...

[konijn]

How long has a webpage that makes a browser crash been called a "Denial Of Service Exploit".

Off course it should be called a "Denial of Client Exploit".

That's the only thing it does.

Re:Nomenclature...

[m50d]

Point, but we call it a DoS if you can crash (for example) apache even though it will probably be automatically restarted pretty quickly. A short and not very effective DoS this exploid is, but a DoS nonetheless.

Re:Nomenclature...

[gowen]

Yes, but it isn't login that you crash

You've prevented logins.

You've denied that service.

Re:Nomenclature...

[m50d]

You've prevented logins.

No more or less than you've prevented web browsing.

Re:Nomenclature...

[dustmite]

Also, the hypothetical Apache DoS exploit example is something that somebody externally causes to happen. The service is "denied" because even if you restart Apache, someone external can kill it again. A webpage that can crash Firefox cannot externally cause your Firefox to crash unless you actively go and visit that website. You have to make it happen - NOBODY can just CAUSE your FireFox to crash out of the blue. You are quite welcome to continue using FireFox to visit the +/- 8 billion other webpages out there that don't crash FireFox and nothing/nobody can stop you i.e. "deny you the use of Firefox".

Re:Nomenclature...

[gowen]

i) Web browsing isn't a server process, it's a client process.
ii) You can kill the browser and go to another web page. Hell, you can just start another instance of the web browser. Which must take all of three nanoseconds.

If you prevent login, or send a SYN flood that prevents http connections, you can't just restart the appropriate service. If you really can't see why causing a client to crash is different from preventing a server from functioning, I suggest you look in some elementary computer science textbooks.

I don't have time any more time to explain the basics to fools.

Re:Nomenclature...

[pipingguy]

It's nice to remember that all these important automated tasks can still be replaced by good old fashioned human brains and thinking.

Oh, crap, sorry, I thought I was replying to Risks_L, please ignore the above.

Re:Nomenclature...

[antiMStroll]

Pulling the network cable?

Re:Nomenclature...

[LilGuy]

Since when did slashdot have anything BUT a front page? What is this the New York Times now?

Re:Nomenclature...

[cagle_.25]

Your neighbor breaks your hand so that you can't type. Yep, that's a DoS.

Re:Nomenclature...

[m50d]

i) Web browsing isn't a server process, it's a client process.

No. But the effect is the same.

ii) You can kill the browser and go to another web page. Hell, you can just start another instance of the web browser. Which must take all of three nanoseconds.

Not if your whole machine has been crashed.

If you prevent login, or send a SYN flood that prevents http connections, you can't just restart the appropriate service.

No. But if you just kill the httpd that's still classed as a DoS.

If you really can't see why causing a client to crash is different from preventing a server from functioning, I suggest you look in some elementary computer science textbooks.

Argument from authority, and not a very good one at that. Not to mention not even being accurate.

I don't have time any more time to explain the basics to fools.

Yeah, insult me, that shows real confidence in your arguments

Re:Nomenclature...

[m50d]

Yes, absolutely. And setting the computer on fire.

Re:Nomenclature...

[MightyYar]

Wow, I'm surprised you have a slashdot # as low as 150110 and haven't delved into the sections yet. They have many different sections: Apple, Apache, Linux, etc, and not every story makes it to the front page, or main page, or home page, or whatever you want to call it. So yes, like the New York Times.

Re:Nomenclature...

[antiMStroll]

By that defintion the ultimate DoS at my work is a Diet oPEN Soda. =D

Re:Nomenclature...

[dcam]

Following your logic all forms of malware provide a denial of service. Spyware attached to IE that changes the home page denies you from getting to your home page. Worms steal CPU cycles, denying you from using them.

He is right and you are wrong. Admit it.

Re:Nomenclature...

[TheTomcat]

Like this? https://bugzilla.mozilla.org/show_bug.cgi?id=30676 7.

click at your own risk (don't).

S

Re:Nomenclature...

[m50d]

Spyware attached to IE that changes the home page denies you from getting to your home page.

That doesn't stop you getting to it. If it actually stops the browser working, then yes, it's a DoS, though that's probably far less important than other aspects of the spyware.

Worms steal CPU cycles, denying you from using them.

They don't (normally) stop you doing anything, just make it a bit slower. If a worm actually crashes the box it's called a DoS.

He is right and you are wrong. Admit it.

If I thought I was wrong I wouldn't still be here. Besides, if he's right why did he need to insult me?

Re:Nomenclature...

[LilGuy]

Ok Mr. Smarty pants - where is microsoft.slashdot.org?

Re:Nomenclature...

[MightyYar]

Huh? What are you talking about? Why would they have a microsoft.slashdot.org? What would that have to do with how many "pages" there are on slashdot? I wasn't being a "smarty pants", I was just surprised that you didn't know that slashdot didn't have a "front page" and various sections that included non-front-page content.

Re:Nomenclature...

[LilGuy]

It was merely a joke, don't get your panties in such a twist. Sheesh.

Re:Nomenclature...

[MightyYar]

LOL. I think we are just miscommunicating. I am definately not in any kind of a twist. I guess I just didn't get the joke. :)

Re:Nomenclature...

[LilGuy]

I was hoping so, but it wasn't clear :) You're right, definate miscommunication goin on there :P

Sorry bout that

Worm Code

[Agret]

What follows is the source code made avaliable on the site.

Mozilla

# milw0rm.com [2005-10-16]

I have 1.0.7 and it caused me to crash :(

Not too big a deal

[Dr.+Evil]

There isn't much incentive for malicious people to crash people's browsers.

The wording from the security company has me thinking they're just trying to make a name for themselves.

Re:Not too big a deal

I came across something like this developing Javascript. It hangs the browsing for a few minutes. Though in my case Firefox eventually asked me if I want to abort the script. I thought it was just a normal side-effect of weird Javascript combined with Mozilla/Firefox's lack of multi-threading. I think I'll file a bug report in any case, but probably not as big a deal because Firefox actually recovers from it.

Re:Not too big a deal

[gromitcode]

if you can crash the browser it means you are probably in a buffer overflow situation or some other potentially exploitable bug, these are EXACTLY what malicious people look for. just because the proof of concept only crashes the browser doesn't make it useless for malicous people.

Re:Not too big a deal

[sqlrob]

Look at the source. It's an unclosed tag, so it's likely an infinite loop.

Re:Not too big a deal

[stevey]

Not necessarily.

I reported some DOS bugs against firefox which will kill a browser by essentially saying:

• Give me a table of 1000000 rows and 1000000 columns.

The browser dies. Probably because it attempts to either a) allocate all the system's memory and the kernel kills it, or b) at some point memory allocation fails and the program terminates.

Not all crashes are buffer overflows, or exploitable.

• Kill Your Browser

Re:Not too big a deal

[Mattwolf7]

I followed your "Kill Your Browser" link clicked on everything. And this is the same window that was supposed to be killed... I dunno but those must be Windows specific, I am running Gentoo with FF 1.0.7

Re:Not too big a deal

[nmx]

I reported some DOS bugs against firefox . . .

None of those pages crashed my browser (Windows XP, Firefox 1.0.6). Were those for older versions of Firefox?

Re:Not too big a deal

[Dr.+Evil]

This doesn't appear to be a buffer overflow though, the browser just freezes.

Re:Not too big a deal

[ianmassey]

I also clicked your link, and tried all the things listed. Running 1.5 beta 2 on XP Pro Sp2, no crashes, not so much as a slowdown. They must have fixed whatever bugs you found.

Re:Not too big a deal

[Kimos]

No crashes for me either using 1.0.7 on MS Win at work. I'll check Ubuntu at home. The pages are mostly a bunch of garbage inserted into HTML tags. I assume it just strips it out as nonsense.

Someone was saying that you could crash by calling a 1,000,000x1,000,000 table. There must be some safeguards in browsers to protect against that kind of thing aside from failed memory allocation from the OS, otherwise it would be simple to bring a system to its knees (not that it's really that hard already).

Re:Not too big a deal

[guardian653dave]

Doesn't work on Firefox 1.0.7 on Windows.. doesn't work on Opera 8.5 either

Re:Not too big a deal

[Anthracks]

None of them fazes 1.5 beta builds either as far as I can tell, at least on Windows 2000 here at work. No trouble at all loading any of those pages.

Re:Not too big a deal

[StonedRat]

If all this bug does is cause the browser to crash then it's nothing. I know of numerous ways to cause IE to crash using pefectly valid CSS. Does anyone care? Nope. Micro$oft sure as hell won't fix them because they're not really a security risk. I know how to lock up Opera using CSS too, which has been known about by the Opera team for a long while.

Re:Not too big a deal

[confuted]

None of them affected Firefox version 1.0.7 on Windows XP with SP2 here at work - they didn't even do so much as slow it down. Do those pages actually crash anybody's browser?

Re:Not too big a deal

[stevey]

I'm pretty sure all are fixed in current versions of Firefox, otherwise I wouldn't have posted the link!

You can get crashes if you use Firefox 1.04, as distributed in Debian Sarge, for example. But that's an older version. (D'oh!)

Re:Not too big a deal

[stevey]

Yes. All created/tested/reported against 1.04, or earlier.

Still they are examples of the kind of thing you can create if you have enough time upon your hands, and a desire to DOS clients.

Re:Not too big a deal

[Jaseoldboss]

That's right, this isn't even a DoS exploit as the service is not affected. It's just a browser crash.

Also, at least if you kill Firefox it doesn't take down Windows Explorer and all your filesystem browsing windows with it.

Re:Not too big a deal

[tomatensaft]

They haven't yet fixed this bug as well (I tried it today, and my Firefox 1.0.7 crashed)...

<script>
a = new Array(); while (1) { (a = new Array(a)).sort(); }
</script>

Re:Not too big a deal

[Lucractius]

Malicious no... Devious yes...

Suppose you have vested interests in Firefox not succeeding as a Web Browser and you hacked/setup some major site to lockup firefox and dramaticaly decrease tbe userbase over the course of a few hours...

Re:Not too big a deal

[maxwell+demon]

I reported some DOS bugs against firefox

I didn't know there's a DOS port of Firefox. :-)

Re:Not too big a deal

[Blkdeath]

I followed your "Kill Your Browser" link clicked on everything. And this is the same window that was supposed to be killed... I dunno but those must be Windows specific, I am running Gentoo with FF 1.0.7

If you follow the README URL, you'll notice that the bugs referenced were confirmed agianst 1.0.4 and older, but are all fixed in 1.0.7.

Try to keep the suppositions about Windows bugs to yourself unless you have even some inkling of understanding of the situation. It makes us all look bad.

Re:Not too big a deal

[zootm]

From the page which you apparently went to, in a happy file marked "README":

All tested against Firefox 1.04 or earlier.

All fixed when tested against Firefox 1.07.

So no, not Windows-specific. Just for old versions.

Re:Not too big a deal

[Cunjo]

I tried them all as well with 1.0.7 running from a flash drive on Windows XP. none of them so much as slowed the browser.

Re:Not too big a deal

[MaskedSlacker]

Same here, no crash in Slackware with FF 1.0.7

Re:Not too big a deal

[dolphinling]

Hmm... that slow script dialog is supposed to come up after 5 seconds. Some of the devs have actually been doing/thinking about doing things to change that dialog, so they'd probably be interested to hear about your case. You should file a bug, the sooner the better.

Re:Not too big a deal

[SenFo]

"I followed your "Kill Your Browser" link clicked on everything. And this is the same window that was supposed to be killed... I dunno but those must be Windows specific, I am running Gentoo with FF 1.0.7"

http://www.steve.org.uk/firefox/README.html

Re:Not too big a deal

[ojustgiveitup]

Did neither of you notice that his site clearly says "all fixed with 1.0.7"?

Re:Not too big a deal

[Dr.+Evil]

Yeah, it needs to be fixed, it just sucks that this will be lumped in with the pundits' vital stats of # of Mozilla bugs per month v.s. # of IE bugs per month.

Re:Not too big a deal

[pipingguy]

Give me a table of 1000000 rows and 1000000 columns.

Software barfs on this?

I'd rather have a trained, capable coffin-stuffer managing things.

Then again, maybe I should just shut up and bend over to the great software lord.

Re:Not too big a deal

[eraserewind]

Why bother. Firefox has been crashing on all versions fairly regularly for me up to and including version 1.6 (haven't downloaded 1.7 yet). I'm not saying it's not a good browser, I use it all the time, but you don't need an exploit to crash it. Or do you?..... (cue paranoid conspiracy theory)

Re:Not too big a deal

[Vanishing+Nerd]

Debian with FF1.0.7 died though. Too bad.

Re:Not too big a deal

[jesterzog]

There isn't much incentive for malicious people to crash people's browsers.

While we're discussing it, can anyone point me a way to get a browser (notably IE and possibly other browsers) out of the following?

<script>
<!--
while(1) {
alert('Try to close this window now.');
}
-->
</script>

I've occasionally found myself getting my browser in an unbreakable loop in the past when coding Javascript, and have had to shut down the process and restart.

Re:Not too big a deal

[tomatensaft]

Hey, I mean, it's not funny! My browser crashed two times! Haven't seen that for a while already...

So...

[LiquidCoooled]

This can freeze your browser.

Wheres the vulnerability? when does the spyware attack? Do I need to reinstall Windows?
Should I buy a virus checker?

Anyone stupid enough to host this "exploit" on their site are just dumb,
"oooooh it makes your firefox freeze" BFD - stay away from dodgy parts of the net

(goatse is a bigger "exploit" and generally leads to complete machine shutdown/restart as you attempt to hide it from your colleagues)

Re:So...

[ArsenneLupin]

Anyone stupid enough to host this "exploit" on their site are just dumb,

Not on their own site of course. But just imagine some Windows luser's wet dream comes true, and he finds a hole in some high profile Apache site. Just hax0r it, and put that sploit on every page of it, and then bam!

Re:So...

[rtaylor]

This can freeze your browser.

It's as bad as Google Maps with far too many location tags and polygons.

Re:So...

[Comatose51]

Serisouly, if you made a .Net web app, you can make it use so much resources that it will freeze your PC (your PC will use so much of the pagefile). IE will happily run this app without asking you, even after SP2. Anyone with Visual Studio and .Net can do this as well. Make an ASP.NET Web Application and have it create an array of a ton of strings. IE will take up all your resources.

But this really isn't an exploit since it didn't really allow me to take any information or control of the PC. At worst, the PC slowed to a crawl. If I published the app, people will simply stop going to my site.

Re:So...

[makomk]

Yup - I think appanding a string to itself repeatedly in JavaScript usually does the trick under IE too. Eats up all your free RAM until the system grinds to a swaptastic halt...

Re:So...

[vertinox]

This can freeze your browser.

Like loading Java scripts in Netscape 4.0 ;)

Re:is this NOT an OLD version

[Tufriast]

I'm using Debian, and the 1.0.7 build they have out is affected by this 100%. It works on any 1.0.7 build.

Re:is this NOT an OLD version

[pbranes]

1.5 is beta, dude. 1.0.7 is the latest final release of firefox. 1.0.7 is like 1 month old.

1.5 is beta

[cflorio]

1.0.7 is the current stable release. 1.5 is beta.

Re:is this NOT an OLD version

[DeckerDel]

Just a thought.
-How about starting with all the old win9x exploits.

Re:is this NOT an OLD version

[shadowknot]

No, 1.07 is the current release. 1.5 is the release candidate or "Deer Park" which is currently a pre-release. As far as I understand!

Tested the exploit

[jurt1235]

And after I clicked on it, nothing happened, the browser just said: mozilla

Apparently firfox 1.0.7 on linux is not affected. So not all versions of firefox are affected.
Advisory: Install linux, then restart your browser and have fun.

Re:Tested the exploit

[Stevyn]

I'm running firefox 1.0.7 on gentoo and it froze up. top showed 99% cpu usage just before I killed it. I also tried it on my ubuntu box with firefox 1.0.7 and it froze too. So it seems it's affecting firefox running on linux machines

Re:Tested the exploit

[TheSpoom]

Firefox 1.0.7 on WinXP SP2 here and I'm also not affected.

Re:Tested the exploit

[thegoogler]

using 1.0.7 on ubuntu right now, and it did indeed lock up

hmm

Re:Tested the exploit

[objorkum]

Crashed on Ubuntu Breezy. Oh noes, my browser crashed! What a gigantic problem...

Re:Tested the exploit

[StillNeedMoreCoffee]

There was one crash example I tried with my netscape browser 7.2 and it killed the browser. I came back with a question, end now or continue. Since Netscape uses Mozilla at its core it seems to be affected too.

Re:Tested the exploit

[A.T.+Hun]

Firefox 1.0.7 locked up on Slackware 10.2 too. A "killall firefox-bin" made everything all better. It's annoying, but that's about all you can say about it.

Re:Tested the exploit

[Quantum+Jim]

I'm also running the Firefox 1.5 Beta 2 (built 2005-10-13) without any crash whatsoever on Windows XP too. Perhaps it is a profile or extension error?

Re:Tested the exploit

[Somegeek]

Firefox 1.0.7 on Win2k Pro SP4 froze.

Re:is this NOT an OLD version

[BushCheney08]

Hey dipshit. Wake up! This is like me saying "I'm running Vista. Why are they bothering posting information on XP exploits?"

Re:is this NOT an OLD version

[DeckerDel]

Thank you very much for clearing that up, i'm sorry should have RTFM on firefox
Cheers thanks
Del

Exploit

The exploit is:

<html><body><strong>Mozilla<sourcetext></body></ht ml>

and it also makes Mozilla suite 1.7.12 hang.

The sourcetext tag is used when a parser error occurs; the Mozilla DOMParser will accept any string and always returns a valid XML DOM object, but in the case that the string was malformed, it returns something like this:

<parsererror xmlns="http://www.w3.org/1999/xhtml">XML Parsing Error: mismatched tag. Expected: </strong>. Location: file:///1253.html Line Number 3, Column 37:<sourcetext> (text here) </sourcetext></parsererror>

which you may have seen formatted before in a nice red-on-yellow page.

Re:Exploit

[kavin]

sounds like my bug (supposedly fixed in mozilla 1.8a4).

i found and reported the browser specific elements "parsererror" and "sourcetext" in september 2004: see mozbug 210658.

bugzilla.mozilla.org/show_bug.cgi?id=210658

you can see the browser specific elements in a source diff:

bonsai.mozilla.org/cvsview2.cgi?diff_mode=context& whitespace_mode=show&file=nsHTMLTags.cpp&branch=&r oot=/cvsroot&subdir=mozilla/parser/htmlparser/src& command=DIFF_FRAMESET&rev1=1.46&rev2=1.47

sadly, i don't believe this fix has been backported to firefox 1.0x.

- p

--
ps. my previous /. report on same:
http://it.slashdot.org/comments.pl?sid=68828&cid=6 295508

Re:Exploit

[YU+Nicks+NE+Way]

Oh, my. That's a nasty design error in the DOM parser. I wonder if I can exploit the lack of data scrubbing there?

OMG, this is bad!

[ArsenneLupin]

Almost as bad (and scaringly simple) as the <form><input type crash></form> sploit for Internet Exploder.

I guess I'll just stick with Konqueror.

PoC Code *is* in the wild

[OverlordQ]

Despite the article summary if you click through and read it you'd find that there is code out there.

Danger Will Robinson test your firefox Danger Will Robinson

Re:PoC Code *is* in the wild

[OverlordQ]

crap forgot the http

http://www.thedarkcitadel.com/~ovrlrdq/firefox.htm l

teach me to use preview to check the bold but not the url.

Re:PoC Code *is* in the wild

[The+MAZZTer]

And here is the "exploit" in crunchy data: url form if you don't want to wait for slashdotted servers: data:text/html;base64,PGh0bWw+PGJvZHk+PHN0cm9uZz5N b3ppbGxhPHNvdXJjZXRleHQ+PC9ib2R5PjwvaHRtbD4=

Re:PoC Code *is* in the wild

[skurrier]

I clicked on that link without thinking and it froze my browser - (what a surprise =) )

Then I forcibly closed it. All good.

Then I realised that sessionsaver would open up the page again when I reloaded.

I'm only posting this now because of the beauty of high latency internet and middle mouse buttons.

Phew!!!!

Nothing happens on Beta 2

[sheepoo]

Simply shows the word Mozilla when the test web site is loaded in Beta 2. I guess they have already taken care of it in the Beta release

How come...

[CDPatten]

whenever there is a firefox exploit, /. is understanding, and people say things like "well no software is perfect... its rare and hard to do, not really an explot... ". When there is an IE exploit its, "MS Sucks, IE Sucks, and if you use IE your computer is going to blow up, not to mention global warming will continue"...

I exaggerated a bit there, but you know what I'm saying. Why not offer equal critiques, and understanding, for any product regardless. I have a few macs for web testing but don't really like them, but it doesn't stop me from saying that there are some things that apple does a damm good job with. IE isn't a horrible web browser, it may not be as cutting edge with functionality today as firefox, but it isn't all bad. And before you scream standards, only do it if you include safari, and all the other browsers that have "standards" problems.

Re:How come...

[ArsenneLupin]

not to mention global warming will continue"...

You got it all wrong. That particular problem has more to do with Athlon processors than with Internet Exploder.

Re:How come...

[nothingbutcoupons]

How many people actually use all the "cutting edge" features on their browsers? All I do is type in a URL and go to it, hitting CTRL-D at some point if I wanna bookmark the site in IE. Do we really need anything more than just a viewing window and an address bar? Besides, the more features we have seemingly takes away much more of our viewing capacity.

Re:How come...

[smooth+wombat]

The difference between FF having an issue and IE having an issue is that when FF has an issue it only affects the browser itself. When IE has an issue it can cause issues with your entire operating system because the browser (an application) has been retro-welded into the OS.

Also, FF is being developed by people who aren't getting paid (well, most aren't) for their service compared to Microsoft, a multi-billion dollar corporation which has had 10 years to try and get the bugs out of their product.

Re:How come...

[Fallus+Shempus]

[screams]ACTIVE X![/screams]

Re:How come...

[Frankie70]

Why not offer equal critiques, and understanding, for any product regardless


Because IE has more exploits. At least, that's what they told me the last
100 times, Mozilla/Firefox exploits were reported.

Re:How come...

[courtarro]

Also, FF is being developed by people who aren't getting paid (well, most aren't) for their service compared to Microsoft, a multi-billion dollar corporation which has had 10 years to try and get the bugs out of their product.

We cannot use this as an excuse in the open-source community; it's very dangerous. When you are trying to convince the general population that FF is superior to IE and can be successful in an enterprise environment, which is generally the goal, you can't consider the two to be on equal footing in performance and features and then shoot it down by relegating it to a niche position. Though we realize the FF devs are volunteering a lot of time, we want to convince others that it doesn't matter, or in fact, it improves their ability to solve problems.

Re:How come...

[1001011010110101]

Except that IE usually has holes that allows remote access, run arbitrary code or access arbitrary files on your computer, instead of just crashing a window. Do you check the monthly explorer/windows patches? Its scary.

Re:How come...

[Thalagyrt]

That's a common misconception. "It comes with the OS" is not the same as "It is tightly integrated into the OS." Explorer and IE are not the same program. They're two seperate ActiveX controls, which is a bizarre way of doing things, but that's how Microsoft did it. Using COM, Explorer can invoke IE when necessary and IE can invoke Explorer when necessary. IE is a seperate program, and just like Firefox it runs user level and in its own memory space.

The problem lies in the exploits for IE that allow arbitrary code to be run, or ActiveX controls to be installed just by the user clicking Yes. In fact, most of the time the spyware installs are just simple social engineering. Microsoft should have been able to fix this issue ages ago, as you said, and there's no reason for them not to have done it by now. It seems like it's going to be better in IE 7, but I'm not holding my breath.

If there was a hole in Firefox/Win32 that allowed arbitrary code to be run, you'd see spyware getting installed through Firefox within a week or so of the exploit's release. It probably wouldn't affect us geeks who update religiously, since Mozilla fixes the holes faster than people can exploit them. It would however affect people who don't know better and are still using an older version, like my grandma who uses 1.0.4. Off topic, I would have updated that by now but she lives in San Diego and I live in Miami. Hell for all I know she might have updated it herself. :P

Re:How come...

[Politburo]

This always gets modded up and is INCORRECT. IE has the same privileges as the user that ran it. The main problem is that ActiveX allows any code to be run on the machine at the user's privileges instead of a sandbox.

Re:How come...

[sicking]

Also, FF is being developed by people who aren't getting paid (well, most aren't) for their service compared to Microsoft, a multi-billion dollar corporation which has had 10 years to try and get the bugs out of their product.

That does not matter in the least. As a user deciding which software to use I don't care how it was developed in the least. What I care about is what I get for my money. FOSS software has no more of an excuse for bugs and exploits then propriatry.

And I say that as one of the mentioned developers who have worked on mozilla for years, most of which unpaied.

That said, this advisory doesn't mean anything. Sure, it's bad that a website can crash your browser, but that has always been the case with any browser released. But it's not nearly as bad as exploits that allow sites to steal your data or hack into your system, which this so far does not claim to be.

And no matter what, what happened to responsible reporting? Releasing exploits in the wild without giving the developers a chance to develop a patch first is just plain stupid and shows a complete lack of professionalism.

Re:How come...

[Rocketship+Underpant]

You sound like a troll. You do web testing, and you don't know the difference between Firefox's flaws and IE's flaws?

When I used IE, I got worms and viruses through it that infected all the machines on my network and caused data loss. I got browser helper objects and toolbars installed without my permission. I had my home page and error pages hacked. I got pop-up windows and malware installed on my computer.

None of that ever happened from any Firefox bug or exploit.

Oh yeah, and the minor rendering errors in Safari or Firefox are *nothing* compared to the awfulness that is IE.

Re:How come...

[naelurec]

I believe if you reviewed all the current modern browsers, you would find that indeed, IE is trailing. Trailing with regards to total number of exploits/patches, trailing in compliance to web standards, trailing in feature set, etc..etc..

To top this off, it costs money! The only version that might have been considered free was IE for Macintosh, but this has long since been discontinued. As IE is an integrated part of Windows, and you pay for Windows .. well umm, your paying for IE. Its as simple as that.

Compare this to Firefox. It is freely available, available for windows, mac os x, linux, bsd, solaris, etc.. has more features, is more standards compliant, is still very new (1.0 was released less than a year ago) and is very competitive with security issues (total number of exploits) as Internet Explorer.

As a network administrator, I see a huge advantage -- particularly with malware. When IE was the default browser, systems were routinely getting attacked with malware. Once an entire network was converted to Firefox, malware ceased to be a problem and as a result, computers ran faster and employees were more productive.

Perhaps once IE7 is released, it will be on slightly more equal footing (they claim better standards compliance, a feature set more inline with Firefox, etc..) but until then, it is so far out based on any metric that giving it "equal footing" is just umm.. stupid.

Re:How come...

[freeweed]

You must be new here.

No, really.

Re:How come...

[mysticgoat]

[about slashdot's 'failure' to treat MS and FOSS screw-ups with equal equanimity] Why not offer equal critiques, and understanding, for any product regardless.

It has taken more than a decade of loathsome business practices, corrupt corporate ethics, and abusively bad coding practices for Microsoft to earn the unique status it holds on Slashdot and other fora where people who've been in the business for a while congregate. Would you deny Microsoft the community recognition it has strived so hard for so long to achieve?

Re:How come...

[po8]

Also, as an earlier poster pointed out, the time-to-fix for Firefox is significantly better. In addition, the severity of the bugs tends to be much lower. Because I'm dumb enough to occasionally run Flash stuff, I experience Firefox hangs and crashes all the time. It's annoying, but ultimately livable. Of the small number of functionality or security vulnerabilities that have been found in recent Firefox, very few are serious enough to merit my real concern.

Re:How come...

[kill-1]

What I care about is what I get for my money. FOSS software has no more of an excuse for bugs and exploits then propriatry.

What I get for my money? Last time I checked FOSS software was free.

Re:How come...

[PickyH3D]

Just because it is on the OS, doesn't mean that every flaw opens the door to the OS. It's poor design, albeit effective marketing, but it's not a show stopper for the software itself. A bug is a bug anyway you look at it, but the attachment of IE to Windows is just a design decision, which also benefits the OS because it gets to use many explorer features.

So FF can't be bitched at because the people are unpaid, and IE can be bitched at because a rich company is paying people.

Re:How come...

[GweeDo]

Didn't you mean NetBurst based Pentiums?

Re:How come...

[toofast]

FOSS software has no more of an excuse for bugs and exploits then propriatry.

Right. This means we have no "right" to complain about bugs in FOSS because we didn't pay for it, whereas an owner of Windows has the "right" to complain about bugs in IE because they paid for it.

D.

But...

[supersocialist]

...it shows an "update" icon, which updates when clicked. How much easier could it be without hijacking your system to do it for you?

Re:But...

[leuk_he]

Doing the actual update might help. Now it downloads the update (=full package actually, not an update) and put it at a download location, defualt = desktop. You then have to shutdown the browser and run the update, and pray everything still works (very importnt if you installed in a non-default location). Userfriendly, but i thought installers could handle .dll & exe 's in use a long time ago?

Re:But...

[Pneuma+ROCKS]

...it shows an "update" icon, which updates when clicked. How much easier could it be without hijacking your system to do it for you?

Although I agree that it's pretty trivial to update Firefox, some users don't notice the icon, or don't recognize what it does. If they RTFM or just hovered over it they would, but many don't. Another con is the fact that you have to download the full Firefox installer and run it all over again. That is not very friendly.

Thankfully, the Mozilla folks have recognized this and have improved the update system significantly on the upcoming Firefox 1.5. The update system downloads a patch, not the full installer, and installs it on the background. Then it just notifies the user that the new version will be installed when he restarts the browser. That way even the average Joe can stay updated.

Re:But...

[DrSkwid]

That only works on Windows, Mac OS X & Linux i686.

Building Mozilla from source is not straight forward so if your vendor doesn't rebuild it then you have to be concerned enough to do it yourself.

If you run your browser in a jail or even just in its own account just like you should do for *any* program that processes untrusted data) then one will know what risk one is exposed to.

Re:But...

[NanoGator]

"...it shows an "update" icon, which updates when clicked. How much easier could it be without hijacking your system to do it for you?"

When you start FireFox, it could pop up a window saying "There's a critical update to FireFox available. Would you like todownload it now? [Yes] [No] ( ) Don't show this message again." Maybe even have another button you can click that'll tell you what is updated, or at least what's 'critical' about the update.

A little OT: Windows Update has a mode that's kind of interesting. You can tell it to download the updates and hold them somewhere. It'll then apply them when you go to shut down.

Re:But...

[antiMStroll]

"Another con is the fact that you have to download the full Firefox installer and run it all over again. That is not very friendly."

Regular Windows Updates which download and install tens of megabytes = good, Firefox update that automatically replaces everything in under 5 megabytes = bad. Welcome to life in the the MS reality distortion field.

Re:Blame the hacker culture (-1, opposes groupthin

[graemecoates]

And this has what to do with a vulnerability in Firefox exactly? Upon RTFA, the exploit appears to be a one-liner - is that it....?!?! (And, no, I'm not going to run it to find out thank you very much.) GC

Latest Stable is 1.0.7

[The+MAZZTer]

1.5 is a BETA version which Mozilla only recommends bleeding-edge types and extention developers use.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Obviously...

[supersocialist]

...the RIAA has finally managed to lock up all malicious computer users. It's about time!

Re:Blame the hacker culture (-1, opposes groupthin

[Cerv]

Linux is *not* user friendly, and until it is linux will stay with >1% marketshare.

I think you meant "less than," rather than "greater than".

Mozilla too..

[Dynamoo]

It also locks up Mozila 1.7.8, so I guess it will also do the same to Netscape 8 if using the Firefox renderer.

There's not much to it though:

<!--
posidron@tripbit.net

Vulnerable: Mozilla Firefox <= 1.0.7
Mozilla Thunderbird <= 1.0.6
-->

<html><body><strong>Mozilla<sourcetext></body></ht ml>

Ah well, not much harm done. Of course, there's nothing to stop Microsoft putting it into MSN deliberately to break the browser, in much the same way they tried to nobble Opera some months back.

Who cares?

[brunes69]

So clicking on a link can lock up the browser. So what?

How is this any different from this, which effectively locks up *all* current browsers?

<script>
while(true){
alert('Haha!');
}
<script>

This is hardly important. I don't see any way this can crash my machine or infect me with a trojan.

PS if you want a fix for the above vote for bug 61098] at bugzilla.

Re:Who cares?

[m50d]

How is this any different from this, which effectively locks up *all* current browsers?

It doesn't lock up links (which has a lovely "kill script" button on any javascript dialog) and I'm told opera will let you simply close the tab.

Re:Who cares?

[dema]

I've done this to myself a couple of times while debugging JS. In Camino I just go to the preferences and turn off javascript; this stops the JS in its tracks and I don't need to restart the browser. I'm guessing this is true for Firefox since it works in Camino, but I've no proof of that.

Re:Who cares?

[brunes69]

Nope. you can't go into the prefereces because the alert box is modal. You can't do *anything* other than kill the browser window.

This is the point of the bugzilla bug.

Re:Who cares?

[Tim+C]

It's a hell of a lot more likely that what's been happening recently is that rather than being hacked, the maintainers of the linked-to sites have simply put a (referer-based?) redirect in place to mitigate the slashdot effect.

Re:Who cares?

[a.d.trick]

Same thing in firefox, just close the tab (ctrl-W), mabye you have to click through 1 more alert, and it'll be gone. Useful info for javascript developers like me who aren't always as careful as we should be. Also, the article is just about a browser bug. It's not an exploit or a DoS. Someone is just really confused.

Re:Blame the hacker culture (-1, opposes groupthin

[sqlrob]

A DOS is, by definition, a vulnerability. Less significant than others, especially for user systems, since you quit firefox and it's fixed, no system change, no arbitrary code running.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Here is the exploit (the text of the html)

[putko]

Here's the exploit:

<html><body><strong>Mozilla<sourcetext></body></ht ml>

Note: that last thing really is "html", but I think slashcode rewrites it.

Any ideas as to what is going wrong?

Re:Here is the exploit (the text of the html)

[Zemplar]

Zero impact on Firefox 1.5 Beta 2

Re:Here is the exploit (the text of the html)

[randyflood]

You can also use italic in place of strong (and probably some other things too, but I haven't ehaustively tested them...)

You can also encrypt the whole thing as a JavaScript and have it dynamically decrypted by a JavaScript and printed out to the Web Browser as mentioned here: http://justfriends4n0w.blogspot.com/

Re:is this NOT an OLD version

[Directrix1]

Except you have no reason not to update something that automatically updates itself and for free.

yeah, WTF?

[subtropolis]

There's this exploit, see. Click here to try it. Go on, it's ok...

I think the poll at the top of the page should ask, "Do you trust WhiteDust security?"

Oh, wait - that's what the 'Test the exploit' link is for.

Re:yeah, WTF?

[Khyber]

With a name like "WhiteDust," I'm not sure if I'd trust them, though I'm tempted to give them the President's phone number so they can hook up. ;)

Comment removed

[account_deleted]

Comment removed based on user account deletion

FUD, Proof of concept

[Zoko+Siman]

Great example of more FUD for the fire (no pun intended). Why just post a bug report to the bug list like everyone else when you can make a 'proof of concept' bug, post it on slashdot and increase visitors to your site? No no, we can't go the normal route, that wouldn't make IE look better. All a proof of concept virus does is make all the new people want to flock back to IE

Face it people, Bugs like this are reported and fixed all the time. Just because another person decided to post about their 'proof of concept' on slashdot doesn't mean the world is coming to an end

Re:FUD, Proof of concept

[An+Onerous+Coward]

"Great example of more FUD for the fire (no pun intended)."

Are you sure? This sentence seems to just scream, "Pun intended! Pun really really really intended!" I realize that puns are the red-headed stepchildren of the humor world, but if you're going to make them, at least stand up for them afterwards.

A browser DoS?

[courtarro]

It's hardly news to be able to DoS a browser. I DoS both FF and IE regularly while working on DHTML scripts, often when I use a debugging "alert" in the wrong place. Try this one and see how much farther you get during your morning browsing:

<html>
<body onmousemove="while(1) alert('ooooh');">
&nbsp;
</body>
</html>

Watch out before you run it! You wouldn't want to lose that Xanga post you've been working on.

Re:A browser DoS?

[Bogtha]

There's a simple, if not entirely obvious way around that problem. Even though the browser is displaying a modal dialog box, you can still access menus, so go to View | Reload, Go | Back or whatever to make it not want to continue to generate dialog boxes, and then dismiss the dialog box.

Re:A browser DoS?

[LiquidCoooled]

Actually, IE doesn't fall for it.

It displays a box at the top informing me:

"To help protect your security, Internet Explorer has restricted this file from showing active content that could access your computer. Click here for options..."

Quite nice really

FF completely blows on Windows, and contrary to the sibling poster, the menus are not available.

Re:A browser DoS?

[courtarro]

I noticed this effect, but it's not IE recognizing unsafe code, it's the fact that IE considers any Javascript run on the localhost to be unsafe until you okay it. That's a decent security feature to keep Javascript from doing stuff on your PC, but IE fails to keep you safe from the script if it's loaded from the internet instead. Upload the script to a webserver and try it again, and IE falls victim to it as well.

In general, I think the solution to Javascript DoS problems is twofold: first, alert boxes and input boxes should not be application modal (maybe the other poster is referring to a different OS, but if what he says is true then his setup has accomplished this). Second, the browser user should have the ability to halt Javascript, even if it's hidden from typical users. That would prevent the need for the browser message: "A script on this page is causing your computer to react slowly..." - this type of dialog would be unnecessary if the browser simply executed Javascript asynchronously.

Re:A browser DoS?

[courtarro]

What browser/OS combo are you using? In IE or FF for Windows, alerts are displayed application modal, preventing menu access. I'm curious if another browser or OS handles them more gracefully.

Re:A browser DoS?

[Bogtha]

Oh, sorry, I'm using Firefox on Linux. I didn't realise it wasn't the same on other operating systems.

Re:A browser DoS?

[Zarel]

What browser/OS combo are you using? In IE or FF for Windows, alerts are displayed application modal, preventing menu access. I'm curious if another browser or OS handles them more gracefully.

If you want a Windows browser, Opera handles JavaScript pop-ups better than IE or FF.

Re:A browser DoS?

[courtarro]

We're not talking about handling regular window popups - I haven't had a problem with those since Adblock blocks most of the scripts that serve them, Flashblock prevents annoying flash-generated popups, and FF handles the rest itself. We're talking about javascript "alert" dialogs that give the user no choice but to click "OK", which the javascript follows with another dialog, forever and ever...

Opera becomes useless with that script as well. The modal alert prevents you from exiting the browser, or doing anything else. It sounds like the only solution is another OS.

Re:is this NOT an OLD version

[BushCheney08]

I guess I must've missed the part where my STABLE release of 1.0.7 (susceptible to the exploit) automatically updated itself to the BETA 1.5...

Secunia says "Not Critical"

[Mini-Geek]

assuming the Secunia Advisory is referring to the same vulnerability linked to in the /. article, its Critical level is the lowest, Not Critical

Re:$10 says they'll fix this

[iambarry]

OK, I'll take you up on that offer.

If, in the unlikely event that they don't patch this very scary DoS exploit within a week, you can send me $10.

Thanks,

--Barry

Re:Whoop-d-doo

[jon787]

Linux? You should try it on a Solaris 8 box. I wouldn't call it random cause it is 100% reliable when it decides it doesn't like a page, but I have yet to determine what about the pages crash it.

crasher bug != news

[CNeb96]

This crasher bug has no effect on my post 1.5 beta 2 version of firefox on Linux. Gecko/20051017. A new crasher bug is also not news. There are hundreds of ways to crash mozilla. Lets face it most browsers aren't at a state to jump every time there is a new bug to crash or "DOS Them" as the article states. Just another security site trying to make themselves look good at a products expense. How much money does it cause companies like the Mozilla Organization to release a new version of their browser, just to put an end to the bad press of a so called "exploit"?

How long will it take?

[Chabil+Ha']

I bet we won't have to wait 'til MS Patch Tuesday for it to come out!

Oooh, evil idea!

[TheSpoom]

Microsoft should start putting this code in all its mass mailings ;^)

Re:Oooh, evil idea!

[jrumney]

And the rest of the world will start putting "begin 644" at the beginning of all their mails. Bugs are present in all software, and I suspect Microsoft will lose that battle.

Re:Topic title is confusing

[m50d]

I think a little reading comprehension would be in order.

Nah, parent just made the stupid mistake of assuming the submitter would actually RTFA before writing his summary, or the even stupider mistake of thinking the editor might actually check the facts before posting the story.

Re:Blame the hacker culture (-1, opposes groupthin

[graemecoates]

To clarify: " And this has what to do with a vulnerability in Firefox exactly? " refers to the parent post. Looks like the quoting I managed to remove the quote from my post. Agreed - a DoS certainly is a vuln.

Re:Whoop-d-doo

[dummy_variable]

Mine's been running for 2 weeks solid with no problems, and at least 8 tabs constantly open. Maybe you're doing something wrong.

Re:Whoop-d-doo

[slavemowgli]

You moderators may think this is funny, but it's actually true - Mozilla (both Firefox and Seamonkey) is generally a rather crash-happy program. I'm using Seamonkey 1.7.12, myself, which really is supposed to accumulate only critical bug and security fixes, but it still crashes or locks up at least once a day.

If it wasn't for AdBlock, I'd switch to Opera in an instant.

how's this possible

[Douglas+Simmons]

Unless somehow this is truly "in the wild" sasser style, which I highly doubt, I'm more inclined to piss and moan for a fix for all these firefox process running away and ram leaking like ... the levees. But I guess that's just not as sexy a thing to get everyone all freaked out over. Or maybe I'm the only one opening up over a hundred tabs on my pr0n hunts.

And let's suppose it is in the wild and to get infected I don't have to go to some Russian site selling stolen credit cards. Can anyone see how that could be possible? You'd have to go to a site knowingly and maliciously designed to exploit this, right?

Is wasting time on this story the real DoS attack?

[iambarry]

OK, I just wasted 15 minutes of time trying to figure out the point of this story.

Whitedust.net's technique of giving the wrong content type to the linked files that contain any real information about this so called exploit causing Firefox to open links in a text viewer was particularly effective.

This may be the largest human DoS attack in recent memory (and slashdot was the vector).

--Barry

Wake me up when...

[Revellion]

A bug enables you to install anything you want on the end-users system without agreement...

The operative word is "attack".

[khasim]

Since you have to go to a specific web page, with a specific browser ... and the only thing that will happen is that your browser will crash ... is "attack" the correct term for this kind of behaviour?

If you crash your car into a tree, did that tree "attack" you?

If you crash your car when driving over ice, did that ice "attack" you?

If you drive your car off a bridge and into a lake, did that lake "attack" you?

Since you cannot use your car immediately after a crashes, are trees considered a DoS exploit?

Re:The operative word is "attack".

[drstock]

If you crash your car into a tree, did that tree "attack" you?

If you crash your car when driving over ice, did that ice "attack" you?

If you drive your car off a bridge and into a lake, did that lake "attack" you?

Yes, yes and yes. At least that's what I'm telling my insurance company.

Re:The operative word is "attack".

[SuperJason]

If I set up a bear trap to get you, and you step into it, it is an attack. Same thing with laying landmines to stop advancing troops. I guess it's debateable, but I think it's an attack if it's a trap that you are unaware of, and that someone set up to "attack" you.

Define DoS.

[Tei]

//universal (except lynx, links, w3m and a few older browsers ) dos web browser exploit

while(1) {
    open("hi!","about:blank");
    alert("you llamma!");
}

No crash on 1.5b2 on Linux

[Nicolas+MONNET]

Doesn't even register a hit in CPU usage.

Re:Whoop-d-doo

[Keithel]

Mine's been running for 2 weeks solid with no problems, and at least 8 tabs constantly open. Maybe you're doing something wrong.

If an application crashes, I'm sorry, but it isn't the users fault. Application crashes are not the fault of the users.

In programs like this, bugs are inevitable, as there are *soo many* forms of input, and it is hard for a programmer to take them all into account. But in any case, if blame has to be put on anyone, it would be the developers.

If they were complaining that the browser was spitting back a "Malformed page" error, and continuing on, then you could say that it was the fault of the user (in this case, the writer of the html)

It stands for

[dj245]

Denial of Sheep. Because when you're browsing your alternative exciting imagery, and your browser crashes, you are denied.

Fix

[Mongoose]

Install better plugins for flash/pdf/etc or just remove the bad plugins. You get the same affect in windows if you're a moron and install the old adobe 5.0 plugin that hangs. When the plugin hangs or uses a lot of cpu it affects the browser.

If you didn't know this I guess the joke is on you. Welcome to russia.

Yes

[Axel2001]

Indeed it does, indeed, need to be patched. Indeed.

Re:Browser crashing, pfff.

[Mr.+Underbridge]

So this makes your browser crash, obviously they have never been treated to an infinite loop of javascript alerts on MSIE. My friends hated me for doing that to them... It was worth it.

Well, aren't you teh kewl little script kiddie?

funny?

[Evil+Grinn]

Why is this marked funny? Because it has that Paris Hilton thing at the end? Funny should be used for posts that are entirely a joke. I assumed the OP was serious about the main question.

Re:is this NOT an OLD version

[Directrix1]

No, you didn't miss it. Why the hell would any software automatically update to BETA level software. But in a month or two it will be released and then it will automatically update to 1.5. In the mean time they are still doing bug fixes to the current stable. This one is not particularly bad, so I don't know if they will try to address it.

Firefox Div error

[xtracto]

I will use this Firefox post to ask something: I think Firefox has a problem rendering divs.

If you go to www.netvibes.com and then open one of the "frames" it will maximize, with the standard colors the maximized frame will be over all the page hiding everything else (the expected behaviour), but if you change the page colors (Tools/Options/General/Font & Colors) to Text: White and Background: Black and then select the option "always use my colors" and reload the page [netvibes.com] then maximize again any of the frames and the background will be transparent.

I thought it was a design flaw of the netvibes page but after doing the same (changing the text color to white and background color to white) on Internet Explorer (Tools/Internet Options/Colors), the page (netvibes) is still rendered correctly.

If you wonder why did I changed to those (white text on black bg) you should try it for one day (configure your screen so ALL background colors are black or less than 0x33 [of a total 0xFF] in R,G or B).

Way off topic but anyway there it is.

Oh and BTW, allow me to rant about a Firefox bug that has not been fixed (https://bugzilla.mozilla.org/show_bug.cgi?id=2547 22), And guess what, it was opened on 2004-08-07 14:20 PDT!

Who said OpenSource software was fixed faster than closed source uh?

ok, enough for a rant

Re:Firefox Div error

[pauldy]

I would like to add this appears to be at least three distinct seperate bugs.

They already did.

[dhasenan]

Check out Deer Park, either beta 1 or beta 2. Neither is vulnerable to this.

No effect on linux 1.5beta2

[ewe2]

It just prints Mozilla. Back to the exploit drawing board with you, script kiddies...

Re:$10 says they'll fix this

[taxevader]

You're on!

On a totally unrelated note, this is the EULA for this post:

I'll give $5 to anyone who can fix this Mozilla exploit within a week. And here's the catch: whoever can't has to give *me* the $5.

How can I possibly lose! EULA's rule! 8)

Security Bug

[digitalgimpus]

Ok, this isn't really a security bug. It's a crasher. If this is a security bug, so is this one (you'll likely need to cp/paste into new window to open) that I discovered a few years ago.

IMHO "security" bugs are for ones that have an impact on "security". If it doesn't fit that criteria, it's not a security issue.

A JS permissions exploit would be a security bug. So would the IDN issues, and buffer overflows...

but a crasher? I think that's pushing the benchmark. It's not really a DoS... it's a crash/hang.

It would be a security issue if say, it caused 911 to become unavailable, or killed US Radar systems... but not for crashing a web browser.

I think people have been pushing for a while in hopes of getting new security bugs. And that's all products, not just Moz. There are legitimate security bugs, but I don't think this qualifies. IMHO you need to be able to do something that violates security to be a security issue.

SuSE

[jurt1235]

My SuSE 9.1 survived it. Weird though that it would depend on the linux version. It might have something to do with the libraries in use.

I can see M$ adding this exploit.....

[8127972]

.....to their webpages to keep Mozilla clients from being used. That way you don't get rid of that IE icon on your desktop.

Re:I can see M$ adding this exploit.....

[Kylere]

Nah, get rid of the E, and install IE View! https://addons.mozilla.org/extensions/moreinfo.php ?application=firefox&id=35&vid=1179

Re:Patch-o-rama

[LordKaT]

Funny, I haven't had to uninstall Firefox since 1.0 was released. Since then I've only had to click the red-tree-button-thing in the upper-right hand corner when an update was ready, run the installer, and be done with it.

Hell, now that I'm on Ubuntu I just wait until Synaptic has an auto-update ready, click on the red button in the notification area, and *poof* - my OS and my third-party software is updated.

Of course, to counter your argument "is this acceptable for a production enviornment" I would say that, yes, it is. Microsoft, the king of production enviornments to date, has shown that regular updates to the core operating system, its components, and provided software (IE, Outlook express, Office, etc...) is not only helpful, but required on a monthly basis. These updates often require rebooting the machine, whereas Firefox only really needs you to install a piece of software. Heck, the upcoming version will be modular so you won't even need the installer.

As for your question "why is the testing so poor?" It's not. The OSS model, for the most part, is to release beta software so users can, well, use it during normal day-to-day operations. This ensures that the product will, in fact, work when nominal conditions are met. The real problem is anticipating extrordinary conditions, which is almost impossible - a lesson which Microsoft has learned the hard way over the past 5+ years.

You could, in fact, turn your own argument around: "Well, another bug was found, and now we have to wait until patch tuesday. Unil then, we'll have to hold our breath and hope that an exploit doesn't spread in the wild. When patch Tuesday comes around we'll all have to hit windows update, download the large patch, install, reboot, and hope that the atch doesn't break any of our third-party and in-house products."

The truth is OSS and Closed-source are two sides of the same leaf: programming. Bugs are a part of programming. When you're dealing with multiple class inheritence, nests upon nests of loops, parsers, lexical analysis, et al. bugs are just a part of life. I've never met a developer - FOSS or otherwise - who has developed a program that is bug-free and 100% to spec.

Um, DOS is not that serious

[bcmm]

No remote execution or personal data being revealed, it just hangs the browser. It doesn't even seem to slow down the rest of the system, it just makes Firefox unresponsive. So?

It's easy to do that to almost any browser. Loading a lot of really big images will crash Firefox when it runs out of memory, and has the side-effect of slowing the rest of the system (or probably crashing it if it's based on windows 9x).

The "exploit's" entire HTML source reads like this:
<html><body><strong>Mozilla<sourcetext></body></ht ml>

It's clearly a silly bug, but I feel that saying "it is clear that this exploit will indeed need patching as soon as possible" is excessive hype. This is not a security issue. This is part of the known problem that Firefox is not very tolerant of buggy code, which is a general serious issue that does need fixing.

I wonder if this is a Gecko bug? An email version of this for Thunderbird would be very annoying.

Re:This is just stupid...

[brouski]

From the article:

(For the dim this INCLUDES Firefox 1.0.7)

Re:Run this through the /. filter...

[freeweed]

1. A bug is found in Microsoft software that allows remote execution of code on your machine, without user intervention.
2. Story is posted on Slashdot.
3. People rightly comment on it.

Show me the stories of bugs that simply crash IE. Really. I'm curious. Because there are literally hundreds of ways to crash IE with a malformed webpage. These don't make it as Slashdot stories. Pretty much the only vulnerabilities in MS software posted here are ones that allow an attacker to actually DO SOMETHING NASTY.

Contrast this with OSS, where we post every single meaningless bug in a piece of software, even if it has hardly any practical effect.

If anything, the double standard is that we're far more critical of OSS here than MS.

Denial of Service = Less critical.

[Spy+der+Mann]

websites have been suffering DoS attacks and they can't do anything about it (specially if they're distributed).

DoS is the last resource for a hacker when he can't penetrate the website's server. It's not "hacking" in fact.

What astounds me is that people seem less afraid of remote execution vulnerabilities than of DoS attacks. Or is it just me?

Re:Denial of Service = Less critical.

[petermgreen]

offtopic but people are afraid of DDOS for two reasons.

1: it can cost them a money immediately if thier connection is metered
2: it can get them chucked off thier provider (many small providers only have 100mbit themselves which is not too difficult to saturate).
3: it costs a lot of money to keep a site running in the face of constant DDOS

getting hacked generally means you wipe the box and re-build the OS on it then restore your data. A pita sure but something you can easilly move on from.

Me want DoS

[Manifest]

What the heck.. I clicked and clicked and clicked. No crash!

And then I realised, I was on 1.5b2 :)

Mo$illa is evil...

[feepness]

When will they wake up and stop releasing buggy software.

I will not have any of their software on my computer. I ONLY use Microsoft products.

Re:Mo$illa is evil...

[bdulac]

Yeah when will they stop releasing buggy software. Did you say you ONLY use Microsoft products???????????? I'm confused.

You mean...

[Guppy06]

I can finally run Mozilla on my MS-DOS box? Sweet!

Exactly

[Sulka]

"The wording from the security company has me thinking they're just trying to make a name for themselves."

I was just about to comment the same - if every Internet Explorer crash bug was reported with this much visibility, Slash would be full of news every day.

Re:Whoop-d-doo

[HermanAB]

Hmm, maybe you should turn JavaScript off before you browse for pr0n...

Hmmm.. security?

[pavera]

OK, the IE fanboys are really stretching now. If crashing the browser is an "exploit" then that opens a whole new avenue of attack on IE. IE crashes like this (for me) far more often then firefox, and firefox crashes just about every time I visit a site with really involved flash or those really annoying smiley face banner ads (those are firefox killers).

ctrl+alt+del kill process is a good workaround for this "extremely dangerous" exploit. Again if this is a security vulnerability, then flash is the greatest hacking tool against firefox. Java is probably the greatest hacking tool against IE.

People are just really desparate for Firefox to have more bugs than IE. Thanks for finding some code that should probably be cleaned up, but crashing the browser is not in any way violating the security of the system on which the browser is running.

Re:Hmmm.. security?

[pavera]

How is Opera lightyears ahead? Because I either have to pay or watch banner ads all day? That is my biggest beef with Opera, I've never had to pay for a web browser (been on the net since 93), why would I start now? I certainly don't want to see banner ads all day. Anyway, the times I have used Opera, its seemed slower than firefox, and the interface is so cluttered, its worse than MS word. Firefox has its shortcomings too (its not like I didn't mention 2 or 3 in my post, flash is notoriously slow and buggy, certain gif animations totally trash the browser, etc) however, IE does the same sort of thing and has its own pet peeves, I've had IE crash loading very many websites. I'm saying if its fair to pick on FF for crashes, then IE needs to have all of its crashes documented as "DoS security breeches" as well. You can't measure FF in centimeters and IE in miles (IE, the granularity of centimeters will uncover alot more flaws than measuring in miles would).

Looks like..

[matt+me]

Does this mean I can sue sites for using excessive flash and javscript for DoSing my browser?

Re:Whoop-d-doo

[Snowhare]

Uh huh. Try again. I'm neither trolling nor trying to be funny. I use Firefox on Linux as my primary browser on multiple machines - except when I need to be SURE that my browser won't decide to randomly crash when doing something as simple as loading my bookmark on google.com or clicking on a link to just about anywhere. Then I fire up VMWare and run either MSIE or Firefox for Windows.

I've been using browsers since Mosaic was state-of-the-art and that funny IMG tag was getting Marc A. flamed. Firefox on Linux is bar none the most unstable browser I use. I like the browser (why else would I use it as my primary browser?) - but even 1.0.7 is NOT terribly solid. If you use it heavily - it WILL crash.

Re:Run this through the /. filter...

[prisoner-of-enigma]

Show me the stories of bugs that simply crash IE. Really. I'm curious. Because there are literally hundreds of ways to crash IE with a malformed webpage.

And there are hundreds of ways to do this with Firefox as well, no doubt, but for some reason this story made "news." Comments saying this is "no big deal because it happens all the time" are right, in my opinion. What's bothersome is that many of these same people sing completely different tunes with IE under similar circumstances. I've also seen far too much commentary on /. where major exploits like remote code execution on Firefox are downplayed, usually by the same people mentioned above.

If anything, the double standard is that we're far more critical of OSS here than MS.

I'm sorry but I cannot agree with your interpretation here. Microsoft is given absolutely no quarter on /., but Firefox is routinely given a pass whenever it has a major bug or a slew of patches released.

Re:Blame the hacker culture (-1, opposes groupthin

[mrbobjoe]

wow, overrated with no moderation, how'd they manage that?

Re:Whoop-d-doo

[HermanAB]

I totally agree. FF works great when it works, but it craches or locks up far more easily than anything else. Some important parts of it seems to be completely single threaded. It can sit for several minutes to forever waiting on a plugin or renderer that isn't available. Sometimes I think the developers have never heard of error handling and timeouts. A browser is a real-time system, but the developers don't seem to have much real-time experience.

Re:Patch-o-rama

[Rezonant]

10 PRINT "HELLO WORLD"
20 GOTO 10

and some workaround for the lameness filter. Indeed, some workaround for the lameness filter

Re:Run this through the /. filter...

[freeweed]

there are hundreds of ways to do this with Firefox as well, no doubt, but for some reason this story made "news."

Microsoft is given absolutely no quarter on /., but Firefox is routinely given a pass

Thank you for proving my point so eloquently :)

Oh dear, computing is insecure

[gelfling]

So get over it.

Re:Run this through the /. filter...

[pauldy]

Don't be thick. Both I.E. and Microsoft have a long history of creating buggy software that rarely works as advertised. Firfox is the new kid on the block, even though most of us know its pretty much the same ol netscape (pronounced mozilla), it has a new name and a new face. So yes people are going to be more prone to give it the benefit of the doubt and this has little to do with a double standard and more to do with the idea that past performance = future performance and firefox doesn't have enough of a history yet to be raked over the coals for its indiscretions.

If every bug is a serious DoS...

[miffo.swe]

Then Windows would be labaled as a weapon of mass destruction.

Frankly, this is non news as there are thousands of ways to just crash a browser or just hang it. It is an entirely other issue with the bugs that lets you crash a full windows computer because of an IE bug. If it crashes other apps or the computer its bad but this is just about wrongly written web pages.

RTFA

[einhverfr]

Ok, you might be a troll, or flamebait, but it is worth a response...

This discussion is not any different than it would be if it was about IE. There are always those saying "no big deal" about IE security flaws, and plenty of people screaming blood on this conversation. Maybe the balance is slightly altered because so many of us have been burned by IE though....

Having said that.... This is no big deal. Even TFA says "This is not an advisory, just a comment" indicating that the authors don't think it is a big deal either.

Camino Not Affected

[BioCS.Nerd]

I just tried the code on Camino (1.0a1) and it appears totally unaffected.

I know DOS too!

[blwrd]

Just create a large (~500Mb) file full of zeroes. gzip it, and place it on your webpage. Most browsers open .gz files in the browser, and loading something like 500Mb in the browser takes some time. May not crash the browser, but is definately as DOS as the articles "exploit" :P

How Come Indeed!

[Makarakalax]

How come whenever there's a Firefox or Internet Explorer exploit some guy like you moans about how whenever there's a Firefox or Internet Explorer exploit a bunch of fanboys get modded up when they criticise Firefox or Internet Explorer?

Uhm, hello?

[zonix]

What /. filter are you using? Obviously you forgot:

4. ???
5. Profit!

z

Darn

[Billly+Gates]

Looks like its time to switch back to IE.

Re:This is just stupid...

[CTho9305]

I stand by my statement.

"crash" in bug summary:
https://bugzilla.mozilla.org/buglist.cgi?query_for mat=advanced&short_desc_type=allwordssubstr&short_ desc=crash&resolution=DUPLICATE&resolution=---&chf ieldto=Now

"crash" keyword (5306 open or duplicate reports):
https://bugzilla.mozilla.org/buglist.cgi?query_for mat=advanced&keywords_type=allwords&keywords=crash &resolution=DUPLICATE&resolution=---&chfieldto=Now

So this is the 5307th. What's the big deal? Zalewski's "mangleme" crashers were interesting enough to be on slashdot because he presented an interesting tool to do testing, but this is just one crash among thousands.

Re:Run this through the /. filter...

[prisoner-of-enigma]

Thank you for proving my point so eloquently :)

No, I didn't prove your point at all. You claimed /. is harder on OSS than it is on MS software. I pointed out that, by and large, IE flaws get top billing and scathing comments whereas Firefox flaws get rationalizations and lame excuses from OSS zealots if it gets an article on it at all. And anyone pointing out that both FF and IE have had numerous serious security flaws gets a verbal load of buckshot from the zealots claiming that all the IE flaws are serious flaws but all the FF flaws are trivial. It's one sided. It's hypocritical. It's rabidly commonplace.

I have no problem whatsoever with taking MS to task for all the crap they've done, but you can't remain honest and objective if you don't give FF that very same treatment.

Another unfixed DoS vulnerability

[TheSurfer]

This reminds me of a bug in Firefox (and other Mozilla products) I reported in December 2004. It's fixed in the 1.5 beta series, but still unfixed in the stable versions (e.g. FF 1.0.7).

The links:
Advisory
PoC

No effect on 1.0.7 (Gentoo Linux)

[qbasicnewbie]

This appears to have no effect on Gentoo's 1.0.7-r2 (64bit) or the 1.0.7 binary (32bit).

Did anyone *see* the exploit

[metalmaniac1759]

Mozillay ></html></pre>

That's it - that's the frikkin' exploit! How the f*** is open source software supposed to be more secure when bugs like this creep into a post 1.x release!

Nandz.

Re:Run this through the /. filter...

[spitzak]

Way to miss the point.

The original poster said "SHOW ME A SLASHDOT STORY ABOUT A IE BUG THAT SIMPLY CRASHES IE".

You did not do that.

Actually there was one about 4 years ago I think. The point was however that somebody was purposely crashing IE, not that there was a bug. You could at least show the sense to try to look it up.

Whitedust and DoS

[thetoastman]

This hardly counts as a DoS attack in its traditional meaning. However it is an annoying bug. I am glad to read that it has been addressed in the latest beta.

What follows is probably an ad hominem attack. Moderate accordingly.

I decided to spend a little time on the Whitedust site. The site is advertised as "The Leading Independent Security News Portal".

The site is run by a group of former crackers. Of course one has to wonder about their cracking, security, and business skills when:

• They advertise their many connections within the underground hacker scene
• They leave the administrative link to their PHP web site in the footer of every page
• Their business writing would fail my mom's 7th grade remedial English class

In short this web site has no redeeming value.

Re:Run this through the /. filter...

[prisoner-of-enigma]

Okay genius, how about this one? If you're trying to insinuate that I couldn't find a DoS exploit for IE 6.x, guess again. At some point, proving a point that's obvious becomes tiresome. Next time, go look up your owned damned exploits, because I was right to begin with and I'm still right.

The joke is on you!

[cybermint]

I don't need an exploit to crash Firefox, it crashes during normal usage!

Tinkerers, not just Hackers

[aaandre]

The word Hacker was initially intended to describe a smart tinkerer who finds inventive/ingenious solutions to problems from all areas of life ("hacks" a solution together). At some point big media started using the word to describe malicious programmers who use their abilities to compromise others' systems ("hacks into" ...'s computers and steals ...).

So here you have a word describing 2 different things.

For the "tinkerer/inventor" part of the Hacker population, finding out how something works, how it is broken, how it may be fixed is a joy -- the journey is the destination. The satisfaction of discovery and the recognition of peers is more than sufficient to feel satisified.

No need to be evil to feel successful.

Deer Park alpha2 unaffected?

[Anubis350]

I'm running Marillat's binary of Firefox Deer Park Alpha 2 for Debian, it seems to not crash with this bug.

Why it's worth caring about

[Charles+Dodgeson]

As many may people have pointed out, this is just a plain old ordinary borking. Sending broken input to make the application crash or break. There was a time when it was popular to do the same with various versions of Microsoft Outhouse and Express Outhouse by sending carefully crafted email messages that tickled bugs in Outhouse. At the time, people did take those bugs as signs of serious design problems in Outhouse.

This bug and others like it are not of much consequence in and of themselves, but they do help underscore the big problem for browser development. The very early browsers, Mosaic and lynx, made the mistake of being "liberal in what they accepted". That is they made an effort to render broken HTLM. (Lynx, to its credit, at least produced a warning notice.)

This made it easier for web authors to grow ever sloppier in their HTML. And when the browser wars were in full swing, they were largely competing based on which could better render broken HTLM. This of course allowed web page developers to get even sloppier. And they started writing to the unpublished languages of MS-HTML and Mozilla-HTML.

I haven't looked at the actually HTML parsing code of any browser, but my guess is that more than 80% of it is there only to deal with broken HTML. This exploit (and it is an exploit with limited damage) exists only because mozilla is trying to render broken HTML.

This problem with HTML (and so the difficulty and complexity of writing browsers) is the clearest example to me of what is wrong with taking "Be liberal in what you accept, conservative in what you send" to mean that protocol and language violations should be tolerated.

I wish I could offer a realistic suggestion of how we get out of this mess. But the simple fact of the matter is that if one browser starts rejecting broken HTML, then people will use a more tolerent browser.

No Problems Here

[linsys]

It always amazes me how ALL THESE NEW firefox exploits are comming out, even more exploits then Microsoft someone recently told me... it's still amazing how I NEVER have problems with Firefox, or with my clients that use firefox, but all my NEW clients that run IE or OLD clients who forgot to STOP using IE, have serious problems... That always amazes me how that works out...

Re:Run this through the /. filter...

[spitzak]

I meant a Slashdot story about a DOS-only bug in IE, not a bug itself (there are hundreds in both IE and Firefox).

Re:Blame the hacker culture (-1, opposes groupthin

[Cerv]

Perhaps someone should post a corrected version and hope that it is copy and pasted enough to become the dominant version.

off topic but... [Re:So...]

[kbs]

...you know you play too much WoW when you read "BFD" as "Black Fathom's Deeps" and can't figure out what it's supposed to stand for...

Re:Run this through the /. filter...

[markdavis]

Exactly! This is NOT NEWS. Who gives a flying freak if some carefully crafted code crashes a certain version of Firefox. That is not a "Denial of Service" and certainly no big deal. Indeed, if Slashdot posted an article on every time some part of MS-Windows crashed, 99% of the articles would be junk.

I think it was posted by someone excited to see ANY kind of flaw in Firefox. But what I don't understand is how an article like this, with no merit, got approved to appear in front of everyone.

for(;;){window.open('');}

[ManyLostPackets]

this one is my favorite to stuff in between the header tag

        >script> for(;;){window.open('');} >/script>

freezes the fox for a bit, but it will recover in a minute. Freezes 1.5 too, but only freezes it for a few seconds.

DON'T TRY THIS IN IE

(yeah, yeah, replace the leading > with the "less-than" sign...can't include tags in posts, now, can we?)

Re:$10 says they'll fix this

[iambarry]

No patch yet as far as I can tell.

So, how would you like to pay me the $10?

--Barry