Slashdot Mirror


Mozilla Firefox 1.0.7 DoS Exploit

An anonymous reader writes "Whitedust Security are reporting on a new exploit for Firefox which apparently affects all versions of the browser from 1.0.7 down. From the article: "If this exploit has made it out into, or indeed been retrieved from the wild is unknown at this time. However it is clear that this exploit will indeed need patching as soon as possible.""

81 of 438 comments

  1. Brilliant header! by brian0918 · · Score: 2, Funny

    A 1.0.7 exploit that only affects everything below 1.0.7!

    1. Re:Brilliant header! by Hey+Pope+Felcher+.+. · · Score: 5, Informative

      . . . RTFA,

      milw0rm.com have released proof of concept code for a denial of service exploit which apparently affects all versions of the Mozilla Foundation's popular Firefox browser from version 1.0.7 downward.

      Remember, on Slashdot always read the article, it is generally only a coincidence if the summary has any bearing on the actual linked text.

    2. Re:Brilliant header! by ShadowFlyP · · Score: 2, Informative

      TFA actually says that it affects 1.0.7 and everything downward. Running 1.0.7 here myself and the test exploit worked: locked Firefox right up.

    3. Re:Brilliant header! by FidelCatsro · · Score: 3, Informative

      By fixing the article summary I imagine.
      The patch seems to have been in the full article since conception, but apparently it hadn't passed down the line.
      These exploits are dangerous as many Slashdotters refuse to update their knowledge by reading the full article and not just the summary

      --
      The only things certain in war are Propaganda and Death. You can never be sure which is which though
    4. Re:Brilliant header! by LnxAddct · · Score: 2, Informative

      Regardless, this exploit doesn't affect 1.5, it's in beta but technically the exploit is already fixed... just needs to be back ported:)
      Regards,
      Steve

    5. Re:Brilliant header! by DrSkwid · · Score: 2, Informative

      Crashing can often be an indicator of a buffer overflow, it's just that the return address you crashed it with doesn't keep it running. Once an appropriate set of overflow values is deduced that leads to an exploit.

      One of the approaches to finding buffer overflows in Closed Source software is to pump loads of data into the inputs until the app crashes, then work backwards by constructing a payload to see if one can get it to jump somewhere known.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    6. Re:Brilliant header! by NickFitz · · Score: 2, Informative

      <pedantry>
      Well, strictly speaking, unless 1.5 has been explicitly modified with the intention of fixing this exploit, it's just that it doesn't work on 1.5. It's entirely possible that a change in 1.5 has prevented the exploit from working but, as it wasn't done as a fix, a further change in 1.5.n (or 1.n where n > 5) will allow the exploit to work again. In other words, there may be no fix to back port.
      </pedantry>

      --
      Using HTML in email is like putting sound effects on your phone calls. Just say <strong>no</strong>.
    7. Re:Brilliant header! by BorgCopyeditor · · Score: 2, Insightful

      This reminds me of a Zen koan: what is the output of diff on a single file?

      --
      Shop as usual. And avoid panic buying.
  2. totally off guard by Tufriast · · Score: 5, Informative

    I checked out the Mozilla site -- not a peep about it. I made a post there. I figure this one totally right hooked them. It's a pretty massive crash. Just makes the whole browser lock up. At least I know they'll fix it fast though...I think in 24 hours we'll see a turn around. Anyone try this with version 1.5?

    --
    Help me, help you. - Jerry McGuire
    1. Re:totally off guard by tbspit · · Score: 5, Informative

      Version 1.5 is not affected.

    2. Re:totally off guard by mrgavins · · Score: 5, Informative

      Maybe because it's already fixed? Maybe because it's hardly a security issue? This is bugzilla bug 210658, it was filed in 2003, and fixed for 1.5 15 months later.

      --
      Gavin Sharp
    3. Re:totally off guard by nmb3000 · · Score: 5, Funny

      Version 1.0.7 on XP sure is. Crashed and burned bad.

      Don't worry about it guys. I sent Microsoft an Error Report so I'm sure they'll get right on the problem as well.

      --
      "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
      /)
    4. Re:totally off guard by nmb3000 · · Score: 2, Interesting

      Did it take the OS with it? ;)

      Fortunately it didn't. Though I suppose if you set firefox.exe's priority to Realtime first...

      Nah. This is one of those exercises I'm leaving to the reader :)

      --
      "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
      /)
  3. Thunderbird also vulnerable by Big+Nothing · · Score: 4, Informative

    Mozilla Thunderbird 1.0.6 is also vulnerable.

    --
    SIG: TAKE OFF EVERY 'CAPTAIN'!!
  4. How come there are so many nice hackers? by jkind · · Score: 5, Funny

    Why are there so many nice hackers in the world? Willing to spend their time finding exploits, post them, and even a "safe" example. Do they take pride in helping the surfing community? Why don't they just hijack the world's browsers and make us choose between "Yes" and "Okay" on their PayPal deposit sites?
    Where are the evil hackers, or have they all converted, scared about stiff http://news.bbc.co.uk/1/hi/technology/4249780.stm penalties?

    --
    ~jennifer.k~
    1. Re:How come there are so many nice hackers? by FirienFirien · · Score: 5, Insightful

      Why are there so many nice hackers in the world? Because some people believe in things like morals and society? Because not everyone is corrupt? Apart from anything else there's always the chance that if someone is a 'nice' hacker then they can act as a model for others, and will get a little return on their investment of time by coming across a warning next time instead of a Yes/Okay dialog against them.

      People who don't want their friends/family affected, people who actually care about the world they live in. I'm surprised that you seem to believe that everyone would be malicious if they could.

      --
      Browsing with +2 to insightful posts and a higher threshold makes the average post seen seem a lot more ingenious
    2. Re:How come there are so many nice hackers? by Iriel · · Score: 3, Interesting

      Honestly, the evil hackers got smarter. Not all of them mind you (most of the famed worming script-kiddies still get caught). But all those malevolent 'hackers' know that cracking the world's browsers is too easy to trace or not worth the effort to keep under the radar. You know all those "Prescriptlon RXc dirugs 4for l0w coest!" emails? That just came specially delivered to you courtesy of the former uber-hacker of unknowable enormity. They're even worse than telemarketers that scam the elderly, and they're hoping you're the next $50 bill in their offshore account.

      --
      Perfecting Discordia
      www.stevenvansickle.com
  5. Very vague by fa_pa · · Score: 2, Funny

    OMG there is an exploit for firefox but we don't know anything about it but it might be dangerous. i need to switch back to IE maybe...

    1. Re:Very vague by Mistshadow2k4 · · Score: 2, Interesting

      A good hosts file can fix that, no matter what browser or OS you're running.

      (I'm in the mood to be helpful today instead of giving my usual serving of sarcastic remarks. God knows why.)

      --
      I dream of a better world... one in which chickens can cross roads without their motives being questioned.
    2. Re:Very vague by goldspider · · Score: 2, Interesting

      Are you suggesting that vulnerabilities in Firefox and other popular OSS software aren't newsworthy? Or are you saying that such news should be actively suppressed for the sake of the 'movement'?

      --
      "Ask not what your country can do for you." --John F. Kennedy
  6. Nomenclature... by gowen · · Score: 5, Insightful

    How long has a webpage that makes a browser crash been called a "Denial Of Service Exploit"?

    A browser that can be crashed is a very bad thing, but suggesting this is some sort of "Denial Of Service" attack, is just semantics. It doesn't crash the box, and it doesn't flood/break the network. Every other service on your machine runs as normal. That's not a Denial Of Service by the usual definition of the term.

    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    1. Re:Nomenclature... by arkanes · · Score: 2, Informative

      A Denial of Service attack denies you access to a service. It doesn't have to crash your box, or take it off the network. Anything that will hang or crash or flood a service (applications are services) is a DOS. They've been called that since before kiddies found out about pingflooding.

    2. Re:Nomenclature... by m50d · · Score: 3, Informative
      A browser that can be crashed is a very bad thing, but suggesting this is some sort of "Denial Of Service" attack, is just semantics. It doesn't crash the box, and it doesn't flood/break the network. Every other service on your machine runs as normal. That's not a Denial Of Service by the usual definition of the term.

      Yes it is. If you did exactly the same thing to, say, apache or proftpd or mysql - don't crash the box, don't break the network, every other service runs normal - it would be a DoS. Calling this attack a DoS provides some very important information - it doesn't allow execution of arbitrary code, just locks up the browser. The only thing that's possibly unusual here is applying the term to a client rather than a server program, but a DoS is absolutely the correct term.

      --
      I am trolling
    3. Re:Nomenclature... by gowen · · Score: 5, Insightful
      If you did exactly the same thing to, say, apache or proftpd or mysql
      They're all servers.

      Servers <=> Service <=> Denial Of Service.

      See how that works?
      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    4. Re:Nomenclature... by MightyYar · · Score: 5, Insightful

      Wow... what a big ball of... nothing. All they did was find some html that crashes Firefox. Big deal! Have you seen Bugzilla lately? Should I just start randomly submitting bugs from Bugzilla, start calling them DOS exploits, and make the front page of Slashdot?

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    5. Re:Nomenclature... by gowen · · Score: 5, Informative

      i) Web browsing isn't a server process, it's a client process.
      ii) You can kill the browser and go to another web page. Hell, you can just start another instance of the web browser. Which must take all of three nanoseconds.

      If you prevent login, or send a SYN flood that prevents http connections, you can't just restart the appropriate service. If you really can't see why causing a client to crash is different from preventing a server from functioning, I suggest you look in some elementary computer science textbooks.

      I don't have any more time to explain the basics to fools.

      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
  7. Worm Code by Agret · · Score: 3, Funny

    What follows is the source code made available on the site.

    Mozilla

    # milw0rm.com [2005-10-16]

    I have 1.0.7 and it caused me to crash :(

    --
    Have you metaroderated recently?
  8. Not too big a deal by Dr.+Evil · · Score: 4, Insightful

    There isn't much incentive for malicious people to crash people's browsers.

    The wording from the security company has me thinking they're just trying to make a name for themselves.

    1. Re:Not too big a deal by sqlrob · · Score: 4, Informative

      Look at the source. It's an unclosed tag, so it's likely an infinite loop.

    2. Re:Not too big a deal by stevey · · Score: 5, Insightful

      Not necessarily.

      I reported some DOS bugs against firefox which will kill a browser by essentially saying:

      • Give me a table of 1000000 rows and 1000000 columns.

      The browser dies. Probably because it attempts to either a) allocate all the system's memory and the kernel kills it, or b) at some point memory allocation fails and the program terminates.

      Not all crashes are buffer overflows, or exploitable.

    3. Re:Not too big a deal by Mattwolf7 · · Score: 4, Informative

      I followed your "Kill Your Browser" link clicked on everything. And this is the same window that was supposed to be killed... I dunno but those must be Windows specific, I am running Gentoo with FF 1.0.7

    4. Re:Not too big a deal by Kimos · · Score: 2, Informative

      No crashes for me either using 1.0.7 on MS Win at work. I'll check Ubuntu at home. The pages are mostly a bunch of garbage inserted into HTML tags. I assume it just strips it out as nonsense.

      Someone was saying that you could crash by calling a 1,000,000x1,000,000 table. There must be some safeguards in browsers to protect against that kind of thing aside from failed memory allocation from the OS, otherwise it would be simple to bring a system to its knees (not that it's really that hard already).

    5. Re:Not too big a deal by Anthracks · · Score: 3, Informative

      None of them fazes 1.5 beta builds either as far as I can tell, at least on Windows 2000 here at work. No trouble at all loading any of those pages.

      --
      Rock over London, Rock on Chicago. Wheaties: Breakfast of Champions.
    6. Re:Not too big a deal by StonedRat · · Score: 2

      If all this bug does is cause the browser to crash then it's nothing. I know of numerous ways to cause IE to crash using perfectly valid CSS. Does anyone care? Nope. Micro$oft sure as hell won't fix them because they're not really a security risk. I know how to lock up Opera using CSS too, which has been known about by the Opera team for a long while.

      --
      "Religion is the most malevolent of all mind viruses." - Arthur C. Clarke.
    7. Re:Not too big a deal by confuted · · Score: 2, Informative

      None of them affected Firefox version 1.0.7 on Windows XP with SP2 here at work - they didn't even do so much as slow it down. Do those pages actually crash anybody's browser?

    8. Re:Not too big a deal by Jaseoldboss · · Score: 2

      That's right, this isn't even a DoS exploit as the service is not affected. It's just a browser crash.

      Also, at least if you kill Firefox it doesn't take down Windows Explorer and all your filesystem browsing windows with it.

    9. Re:Not too big a deal by tomatensaft · · Score: 2, Funny

      They haven't yet fixed this bug as well (I tried it today, and my Firefox 1.0.7 crashed)...

      <script>
      a = new Array(); while (1) { (a = new Array(a)).sort(); }
      </script>

    10. Re:Not too big a deal by Lucractius · · Score: 2, Interesting

      Malicious no... Devious yes...

      Suppose you have vested interests in Firefox not succeeding as a Web Browser and you hacked/setup some major site to lockup firefox and dramatically decrease the userbase over the course of a few hours...

      --
      XML - A clever joke would be here if /. didn't mangle tag brackets.
    11. Re:Not too big a deal by maxwell+demon · · Score: 3, Funny
      I reported some DOS bugs against firefox

      I didn't know there's a DOS port of Firefox. :-)
      --
      The Tao of math: The numbers you can count are not the real numbers.
    12. Re:Not too big a deal by Blkdeath · · Score: 3, Informative
      I followed your "Kill Your Browser" link clicked on everything. And this is the same window that was supposed to be killed... I dunno but those must be Windows specific, I am running Gentoo with FF 1.0.7

      If you follow the README URL, you'll notice that the bugs referenced were confirmed against 1.0.4 and older, but are all fixed in 1.0.7.

      Try to keep the suppositions about Windows bugs to yourself unless you have even some inkling of understanding of the situation. It makes us all look bad.

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

  9. So... by LiquidCoooled · · Score: 5, Insightful

    This can freeze your browser.

    Where's the vulnerability? When does the spyware attack? Do I need to reinstall Windows?
    Should I buy a virus checker?

    Anyone stupid enough to host this "exploit" on their site are just dumb,
    "oooooh it makes your firefox freeze" BFD - stay away from dodgy parts of the net

    (goatse is a bigger "exploit" and generally leads to complete machine shutdown/restart as you attempt to hide it from your colleagues)

    --
    liqbase :: faster than paper
  10. Re:is this NOT an OLD version by pbranes · · Score: 2, Informative

    1.5 is beta, dude. 1.0.7 is the latest final release of firefox. 1.0.7 is like 1 month old.

  11. Tested the exploit by jurt1235 · · Score: 3, Informative

    And after I clicked on it, nothing happened, the browser just said: mozilla

    Apparently firefox 1.0.7 on linux is not affected. So not all versions of firefox are affected.
    Advisory: Install linux, then restart your browser and have fun.

    --

    My wife's sketchblog Blob[p]: Gastrono-me
    1. Re:Tested the exploit by Stevyn · · Score: 3, Informative

      I'm running firefox 1.0.7 on gentoo and it froze up. top showed 99% cpu usage just before I killed it. I also tried it on my ubuntu box with firefox 1.0.7 and it froze too. So it seems it's affecting firefox running on linux machines

    2. Re:Tested the exploit by thegoogler · · Score: 2, Interesting

      using 1.0.7 on ubuntu right now, and it did indeed lock up

      hmm

  12. Exploit by Anonymous Coward · · Score: 5, Informative

    The exploit is:

    <html><body><strong>Mozilla<sourcetext></body></html>

    and it also makes Mozilla suite 1.7.12 hang.

    The sourcetext tag is used when a parser error occurs; the Mozilla DOMParser will accept any string and always returns a valid XML DOM object, but in the case that the string was malformed, it returns something like this:

    <parsererror xmlns="http://www.w3.org/1999/xhtml">XML Parsing Error: mismatched tag. Expected: </strong>. Location: file:///1253.html Line Number 3, Column 37:<sourcetext> (text here) </sourcetext></parsererror>

    which you may have seen formatted before in a nice red-on-yellow page.

    1. Re:Exploit by kavin · · Score: 2, Informative

      sounds like my bug (supposedly fixed in mozilla 1.8a4).

      i found and reported the browser specific elements "parsererror" and "sourcetext" in september 2004: see mozbug 210658.

      bugzilla.mozilla.org/show_bug.cgi?id=210658

      you can see the browser specific elements in a source diff:

      bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&file=nsHTMLTags.cpp&branch=&root=/cvsroot&subdir=mozilla/parser/htmlparser/src&command=DIFF_FRAMESET&rev1=1.46&rev2=1.47

      sadly, i don't believe this fix has been backported to firefox 1.0x.

      - p

      --
      ps. my previous /. report on same:
      http://it.slashdot.org/comments.pl?sid=68828&cid=6295508
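
Added example (not part of the original thread, and not Mozilla's code): a static filter that a mail gateway or proxy could run over untrusted HTML to flag the two Gecko-internal element names discussed in the comments above, `parsererror` and `sourcetext`. The function names, the `Hit` type and the "quarantine"/"pass" verdicts are assumptions made for this sketch; the first sample is the markup quoted in the thread, the other two are constructed.

```python
from html.parser import HTMLParser
from typing import NamedTuple

# Element names the thread identifies as browser-internal: Gecko emits them
# itself when it renders an XML parse error, so content arriving from a web
# site or an e-mail has no legitimate reason to contain them.
INTERNAL_ELEMENTS = frozenset({"parsererror", "sourcetext"})


class Hit(NamedTuple):
    tag: str
    line: int    # 1-based line of the opening "<"
    column: int  # 0-based column of the opening "<"


class _InternalTagFinder(HTMLParser):
    """Collects every start tag whose name is in INTERNAL_ELEMENTS."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag names, so <SourceText> is caught too.
        # Self-closing forms (<sourcetext/>) are routed here by the default
        # handle_startendtag implementation.
        if tag in INTERNAL_ELEMENTS:
            line, column = self.getpos()
            self.hits.append(Hit(tag, line, column))


def scan_html(markup):
    """Return a list of Hit for internal elements used as real tags.

    Text inside comments and inside <script>/<style> bodies is not parsed
    as markup by html.parser, so a mere mention there is not reported.
    """
    if isinstance(markup, bytes):
        markup = markup.decode("utf-8", errors="replace")
    finder = _InternalTagFinder()
    finder.feed(markup)
    finder.close()
    return finder.hits


def verdict(markup):
    """Hypothetical gateway policy: hold anything that contains a hit."""
    return "quarantine" if scan_html(markup) else "pass"


# Markup as quoted in the thread (with the closing tag un-garbled).
PAGE_SAMPLE = "<html><body><strong>Mozilla<sourcetext></body></html>"

# Constructed: mixed-case variant inside an <i> element, on line 3.
CONSTRUCTED_MAIL = (
    "<html>\n"
    "<body>\n"
    "<p>Hello <I>there<SourceText>\n"
    "</body>\n"
    "</html>\n"
)

# Constructed: the names appear only in a comment and in a script string.
CONSTRUCTED_BENIGN = (
    "<html><body>\n"
    "<!-- see the <sourcetext> discussion -->\n"
    '<script>var s = "<parsererror>";</script>\n'
    "<p>Nothing to see here.</p>\n"
    "</body></html>\n"
)

if __name__ == "__main__":
    for name, sample in [("page sample", PAGE_SAMPLE),
                         ("constructed mail", CONSTRUCTED_MAIL),
                         ("constructed benign", CONSTRUCTED_BENIGN)]:
        print(name, verdict(sample), scan_html(sample))
```

A static scan like this only sees markup that is present in the delivered bytes; it does not see elements written into the page by script at load time, so it is a stopgap next to running a build that contains the fix for bug 210658.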

  13. OMG, this is bad! by ArsenneLupin · · Score: 4, Insightful
    Almost as bad (and scaringly simple) as the <form><input type crash></form> sploit for Internet Exploder.

    I guess I'll just stick with Konqueror.

  14. PoC Code *is* in the wild by OverlordQ · · Score: 4, Informative

    Despite the article summary if you click through and read it you'd find that there is code out there.

    Danger Will Robinson test your firefox Danger Will Robinson

    --
    Your hair look like poop, Bob! - Wanker.
  15. But... by supersocialist · · Score: 2, Informative

    ...it shows an "update" icon, which updates when clicked. How much easier could it be without hijacking your system to do it for you?

    1. Re:But... by Pneuma+ROCKS · · Score: 3, Informative
      ...it shows an "update" icon, which updates when clicked. How much easier could it be without hijacking your system to do it for you?

      Although I agree that it's pretty trivial to update Firefox, some users don't notice the icon, or don't recognize what it does. If they RTFM or just hovered over it they would, but many don't. Another con is the fact that you have to download the full Firefox installer and run it all over again. That is not very friendly.

      Thankfully, the Mozilla folks have recognized this and have improved the update system significantly on the upcoming Firefox 1.5. The update system downloads a patch, not the full installer, and installs it on the background. Then it just notifies the user that the new version will be installed when he restarts the browser. That way even the average Joe can stay updated.

      --
      Favorite quote: "
  16. Re:Blame the hacker culture (-1, opposes groupthin by Cerv · · Score: 2, Insightful
    Linux is *not* user friendly, and until it is linux will stay with >1% marketshare.

    I think you meant "less than," rather than "greater than".

    --
    sig
  17. Mozilla too.. by Dynamoo · · Score: 2, Interesting
    It also locks up Mozilla 1.7.8, so I guess it will also do the same to Netscape 8 if using the Firefox renderer.

    There's not much to it though:

    <!--
    posidron@tripbit.net

    Vulnerable: Mozilla Firefox <= 1.0.7
    Mozilla Thunderbird <= 1.0.6
    -->

    <html><body><strong>Mozilla<sourcetext></body></html>

    Ah well, not much harm done. Of course, there's nothing to stop Microsoft putting it into MSN deliberately to break the browser, in much the same way they tried to nobble Opera some months back.

    --
    Never email donotemail@WeAreSpammers.com
  18. Who cares? by brunes69 · · Score: 5, Informative

    So clicking on a link can lock up the browser. So what?

    How is this any different from this, which effectively locks up *all* current browsers?

    <script>
    while(true){
    alert('Haha!');
    }
    </script>

    This is hardly important. I don't see any way this can crash my machine or infect me with a trojan.

    PS if you want a fix for the above vote for bug 61098 at bugzilla.

    1. Re:Who cares? by m50d · · Score: 2, Informative
      How is this any different from this, which effectively locks up *all* current browsers?

      It doesn't lock up links (which has a lovely "kill script" button on any javascript dialog) and I'm told opera will let you simply close the tab.

      --
      I am trolling
  19. Comment removed by account_deleted · · Score: 2, Insightful

    Comment removed based on user account deletion

  20. Re:How come... by ArsenneLupin · · Score: 2, Funny
    not to mention global warming will continue"...

    You got it all wrong. That particular problem has more to do with Athlon processors than with Internet Exploder.

  21. Here is the exploit (the text of the html) by putko · · Score: 5, Interesting
    Here's the exploit:
    <html><body><strong>Mozilla<sourcetext></body></ht ml>
    Note: that last thing really is "html", but I think slashcode rewrites it.

    Any ideas as to what is going wrong?
    --
    http://www.thebricktestament.com/the_law/when_to_stone_your_children/dt21_18a.html
    1. Re:Here is the exploit (the text of the html) by randyflood · · Score: 2, Interesting


      You can also use italic in place of strong (and probably some other things too, but I haven't exhaustively tested them...)

      You can also encrypt the whole thing as a JavaScript and have it dynamically decrypted by a JavaScript and printed out to the Web Browser as mentioned here: http://justfriends4n0w.blogspot.com/

      --
      Randy.Flood@RHCE2B.COM
  22. yeah, WTF? by subtropolis · · Score: 5, Insightful
    There's this exploit, see. Click here to try it. Go on, it's ok...

    I think the poll at the top of the page should ask, "Do you trust WhiteDust security?"

    Oh, wait - that's what the 'Test the exploit' link is for.

    --
    "Our interests are to see if we can't scale it up to something more exciting," he said.
  23. Re:How come... by smooth+wombat · · Score: 2, Insightful

    The difference between FF having an issue and IE having an issue is that when FF has an issue it only affects the browser itself. When IE has an issue it can cause issues with your entire operating system because the browser (an application) has been retro-welded into the OS.

    Also, FF is being developed by people who aren't getting paid (well, most aren't) for their service compared to Microsoft, a multi-billion dollar corporation which has had 10 years to try and get the bugs out of their product.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  24. A browser DoS? by courtarro · · Score: 4, Funny

    It's hardly news to be able to DoS a browser. I DoS both FF and IE regularly while working on DHTML scripts, often when I use a debugging "alert" in the wrong place. Try this one and see how much farther you get during your morning browsing:

    <html>
    <body onmousemove="while(1) alert('ooooh');">
    &nbsp;
    </body>
    </html>

    Watch out before you run it! You wouldn't want to lose that Xanga post you've been working on.

  25. crasher bug != news by CNeb96 · · Score: 5, Insightful

    This crasher bug has no effect on my post 1.5 beta 2 version of firefox on Linux. Gecko/20051017. A new crasher bug is also not news. There are hundreds of ways to crash mozilla. Let's face it most browsers aren't at a state to jump every time there is a new bug to crash or "DOS Them" as the article states. Just another security site trying to make themselves look good at a product's expense. How much money does it cause companies like the Mozilla Organization to release a new version of their browser, just to put an end to the bad press of a so called "exploit"?

  26. Re:How come... by courtarro · · Score: 2, Insightful
    Also, FF is being developed by people who aren't getting paid (well, most aren't) for their service compared to Microsoft, a multi-billion dollar corporation which has had 10 years to try and get the bugs out of their product.

    We cannot use this as an excuse in the open-source community; it's very dangerous. When you are trying to convince the general population that FF is superior to IE and can be successful in an enterprise environment, which is generally the goal, you can't consider the two to be on equal footing in performance and features and then shoot it down by relegating it to a niche position. Though we realize the FF devs are volunteering a lot of time, we want to convince others that it doesn't matter, or in fact, it improves their ability to solve problems.

  27. how's this possible by Douglas+Simmons · · Score: 5, Insightful
    Unless somehow this is truly "in the wild" sasser style, which I highly doubt, I'm more inclined to piss and moan for a fix for all these firefox process running away and ram leaking like ... the levees. But I guess that's just not as sexy a thing to get everyone all freaked out over. Or maybe I'm the only one opening up over a hundred tabs on my pr0n hunts.

    And let's suppose it is in the wild and to get infected I don't have to go to some Russian site selling stolen credit cards. Can anyone see how that could be possible? You'd have to go to a site knowingly and maliciously designed to exploit this, right?

  28. The operative word is "attack". by khasim · · Score: 4, Insightful

    Since you have to go to a specific web page, with a specific browser ... and the only thing that will happen is that your browser will crash ... is "attack" the correct term for this kind of behaviour?

    If you crash your car into a tree, did that tree "attack" you?

    If you crash your car when driving over ice, did that ice "attack" you?

    If you drive your car off a bridge and into a lake, did that lake "attack" you?

    Since you cannot use your car immediately after a crash, are trees considered a DoS exploit?

    1. Re:The operative word is "attack". by drstock · · Score: 3, Funny

      If you crash your car into a tree, did that tree "attack" you?

      If you crash your car when driving over ice, did that ice "attack" you?

      If you drive your car off a bridge and into a lake, did that lake "attack" you?


      Yes, yes and yes. At least that's what I'm telling my insurance company.

      --
      My other comment is funny
    2. Re:The operative word is "attack". by SuperJason · · Score: 2, Informative

      If I set up a bear trap to get you, and you step into it, it is an attack. Same thing with laying landmines to stop advancing troops. I guess it's debatable, but I think it's an attack if it's a trap that you are unaware of, and that someone set up to "attack" you.

  29. Fix by Mongoose · · Score: 2, Insightful

    Install better plugins for flash/pdf/etc or just remove the bad plugins. You get the same effect in windows if you're a moron and install the old adobe 5.0 plugin that hangs. When the plugin hangs or uses a lot of cpu it affects the browser.

    If you didn't know this I guess the joke is on you. Welcome to russia.

  30. Re:How come... by sicking · · Score: 2, Insightful

    Also, FF is being developed by people who aren't getting paid (well, most aren't) for their service compared to Microsoft, a multi-billion dollar corporation which has had 10 years to try and get the bugs out of their product.

    That does not matter in the least. As a user deciding which software to use I don't care how it was developed in the least. What I care about is what I get for my money. FOSS software has no more of an excuse for bugs and exploits than proprietary.

    And I say that as one of the mentioned developers who have worked on mozilla for years, most of which unpaid.

    That said, this advisory doesn't mean anything. Sure, it's bad that a website can crash your browser, but that has always been the case with any browser released. But it's not nearly as bad as exploits that allow sites to steal your data or hack into your system, which this so far does not claim to be.

    And no matter what, what happened to responsible reporting? Releasing exploits in the wild without giving the developers a chance to develop a patch first is just plain stupid and shows a complete lack of professionalism.

    --
    Failing to learn from history dooms you to repeat it.
  31. Security Bug by digitalgimpus · · Score: 4, Insightful

    Ok, this isn't really a security bug. It's a crasher. If this is a security bug, so is this one (you'll likely need to cp/paste into new window to open) that I discovered a few years ago.

    IMHO "security" bugs are for ones that have an impact on "security". If it doesn't fit that criteria, it's not a security issue.

    A JS permissions exploit would be a security bug. So would the IDN issues, and buffer overflows...

    but a crasher? I think that's pushing the benchmark. It's not really a DoS... it's a crash/hang.

    It would be a security issue if say, it caused 911 to become unavailable, or killed US Radar systems... but not for crashing a web browser.

    I think people have been pushing for a while in hopes of getting new security bugs. And that's all products, not just Moz. There are legitimate security bugs, but I don't think this qualifies. IMHO you need to be able to do something that violates security to be a security issue.

  32. Um, DOS is not that serious by bcmm · · Score: 2, Insightful

    No remote execution or personal data being revealed, it just hangs the browser. It doesn't even seem to slow down the rest of the system, it just makes Firefox unresponsive. So?

    It's easy to do that to almost any browser. Loading a lot of really big images will crash Firefox when it runs out of memory, and has the side-effect of slowing the rest of the system (or probably crashing it if it's based on Windows 9x).

    The "exploit's" entire HTML source reads like this:
    <html><body><strong>Mozilla<sourcetext></body></html>

    It's clearly a silly bug, but I feel that saying "it is clear that this exploit will indeed need patching as soon as possible" is excessive hype. This is not a security issue. This is part of the known problem that Firefox is not very tolerant of buggy code, which is a general serious issue that does need fixing.

    I wonder if this is a Gecko bug? An email version of this for Thunderbird would be very annoying.

    --
    # cat /dev/mem | strings | grep -i llama
    Damn, my RAM is full of llamas.
  33. Re:How come... by mysticgoat · · Score: 2, Funny

    [about slashdot's 'failure' to treat MS and FOSS screw-ups with equal equanimity] Why not offer equal critiques, and understanding, for any product regardless.

    It has taken more than a decade of loathsome business practices, corrupt corporate ethics, and abusively bad coding practices for Microsoft to earn the unique status it holds on Slashdot and other fora where people who've been in the business for a while congregate. Would you deny Microsoft the community recognition it has strived so hard for so long to achieve?

  34. Re:Run this through the /. filter... by freeweed · · Score: 2, Insightful

    1. A bug is found in Microsoft software that allows remote execution of code on your machine, without user intervention.
    2. Story is posted on Slashdot.
    3. People rightly comment on it.

    Show me the stories of bugs that simply crash IE. Really. I'm curious. Because there are literally hundreds of ways to crash IE with a malformed webpage. These don't make it as Slashdot stories. Pretty much the only vulnerabilities in MS software posted here are ones that allow an attacker to actually DO SOMETHING NASTY.

    Contrast this with OSS, where we post every single meaningless bug in a piece of software, even if it has hardly any practical effect.

    If anything, the double standard is that we're far more critical of OSS here than MS.

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  35. Mo$illa is evil... by feepness · · Score: 4, Funny

    When will they wake up and stop releasing buggy software.

    I will not have any of their software on my computer. I ONLY use Microsoft products.

  36. Hmmm.. security? by pavera · · Score: 4, Interesting

    OK, the IE fanboys are really stretching now. If crashing the browser is an "exploit" then that opens a whole new avenue of attack on IE. IE crashes like this (for me) far more often than Firefox, and Firefox crashes just about every time I visit a site with really involved flash or those really annoying smiley face banner ads (those are Firefox killers).

    ctrl+alt+del kill process is a good workaround for this "extremely dangerous" exploit. Again if this is a security vulnerability, then flash is the greatest hacking tool against firefox. Java is probably the greatest hacking tool against IE.

    People are just really desperate for Firefox to have more bugs than IE. Thanks for finding some code that should probably be cleaned up, but crashing the browser is not in any way violating the security of the system on which the browser is running.

  37. Re:FUD, Proof of concept by An+Onerous+Coward · · Score: 2, Insightful
    "Great example of more FUD for the fire (no pun intended)."
    Are you sure? This sentence seems to just scream, "Pun intended! Pun really really really intended!" I realize that puns are the red-headed stepchildren of the humor world, but if you're going to make them, at least stand up for them afterwards.
    --
    You want the truthiness? You can't handle the truthiness!

  38. RTFA by einhverfr · · Score: 2, Informative

    Ok, you might be a troll, or flamebait, but it is worth a response...

    This discussion is not any different than it would be if it was about IE. There are always those saying "no big deal" about IE security flaws, and plenty of people screaming blood on this conversation. Maybe the balance is slightly altered because so many of us have been burned by IE though....

    Having said that.... This is no big deal. Even TFA says "This is not an advisory, just a comment" indicating that the authors don't think it is a big deal either.

    --
    LedgerSMB: Open source Accounting/ERP
  39. I know DOS too! by blwrd · · Score: 2, Insightful

    Just create a large (~500Mb) file full of zeroes. gzip it, and place it on your webpage. Most browsers open .gz files in the browser, and loading something like 500Mb in the browser takes some time. May not crash the browser, but is definitely as DOS as the article's "exploit" :P
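
Added example, not part of the comment above and not code from any browser: a receiver-side guard against the highly compressible gzip body the comment describes, inflating in bounded steps and aborting once an output cap or expansion ratio is exceeded. The function name, the limits and the constructed samples (8 MiB of zeroes instead of 500 MB) are assumptions made for this illustration.

```python
import gzip
import zlib


class DecompressionLimitExceeded(Exception):
    """Raised when a gzip body expands past the configured limits."""


def bounded_gunzip(data, max_output=1 << 20, max_ratio=100, chunk=16 * 1024):
    """Inflate a gzip body in bounded steps.

    max_output, max_ratio and chunk are assumed limits chosen for this
    example; tune them to the largest body the application really expects.
    """
    inflater = zlib.decompressobj(wbits=31)  # wbits=31 selects gzip framing
    out = bytearray()
    fed = 0   # compressed bytes handed to the inflater so far
    pos = 0
    pending = b""

    def check():
        if len(out) > max_output:
            raise DecompressionLimitExceeded(f"output exceeds {max_output} bytes")
        if len(out) > max_ratio * max(fed, 1):
            raise DecompressionLimitExceeded(f"expansion ratio exceeds {max_ratio}:1")

    while not inflater.eof:
        if not pending:
            if pos >= len(data):
                break
            pending = data[pos:pos + chunk]
            pos += len(pending)
            fed += len(pending)
        # max_length caps what a single call may produce, so memory use
        # never jumps by more than one chunk between limit checks.
        out += inflater.decompress(pending, chunk)
        pending = inflater.unconsumed_tail
        check()

    out += inflater.flush()  # drain the few bytes zlib may still hold
    check()
    if not inflater.eof:
        raise ValueError("truncated or corrupt gzip stream")
    return bytes(out)


# Constructed samples: 8 MiB of zeroes (the comment's idea, scaled down)
# and a 2 KiB body that compresses only modestly.
HIGHLY_COMPRESSIBLE = gzip.compress(b"\x00" * (8 << 20))
ORDINARY = gzip.compress(bytes(range(256)) * 8)
```

With the default limits the ordinary body is returned intact, while the zero-filled body is rejected after well under 1 MiB has been inflated rather than after all 8 MiB.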

  40. Did anyone *see* the exploit by metalmaniac1759 · · Score: 2, Interesting
    Mozillay ></html></pre>

    That's it - that's the frikkin' exploit! How the f*** is open source software supposed to be more secure when bugs like this creep into a post 1.x release!

    Nandz.
  41. Whitedust and DoS by thetoastman · · Score: 3, Informative

    This hardly counts as a DoS attack in its traditional meaning. However it is an annoying bug. I am glad to read that it has been addressed in the latest beta.

    What follows is probably an ad hominem attack. Moderate accordingly.

    I decided to spend a little time on the Whitedust site. The site is advertised as "The Leading Independent Security News Portal".

    The site is run by a group of former crackers. Of course one has to wonder about their cracking, security, and business skills when:

    • They advertise their many connections within the underground hacker scene
    • They leave the administrative link to their PHP web site in the footer of every page
    • Their business writing would fail my mom's 7th grade remedial English class

    In short this web site has no redeeming value.