Slashdot Mirror


Unpatched Firefox 1.5 Exploit Made Public

ThatGuyGreg writes "C|Net is reporting that an unpatched exploit in Firefox 1.5 has been made public, making it very easy for ne'er-do-well-sites to cause your browser to crash on startup with a single visit. Until a patch is released, it is recommended that you disable your history.dat file."

309 comments

  1. FC4, 1.5 by (1+-sqrt(5))*(2**-1) · · Score: 4, Insightful

    I can report that the exploit doesn't work on FC4, with the latest 1.5 built from source.

    1. Re:FC4, 1.5 by Anonymous Coward · · Score: 5, Informative

      The Mozilla people are also reporting that the exploit doesn't seem to work on any version of 1.5:

      Mozilla Foundation, which released Firefox, said it was not able to confirm the browser would crash or be at risk of a DOS attack, after visiting certain Web sites.

      "We have gotten no independent verification that it crashes (Firefox), but there have been a lot of attempts to try," Schroepfer said.

      Apparently they're having a hard time duplicating this particular bug. Has anyone here on /. seen it actually happen?

    2. Re:FC4, 1.5 by swtaarrs · · Score: 2

      Yeah....the article says it affects XP SP 2

    3. Re:FC4, 1.5 by FoXDie · · Score: 4, Interesting

      Go to http://www.apple.com/ipod/features.html and tell me if I'm the only one that has Firefox crash from that page without fail, since the upgrade to 1.5

    4. Re:FC4, 1.5 by ParnBR · · Score: 1

      You're not the only one. I also had it crashing... And it didn't crash before.

      --
      My neighbor's .sig is better than mine.
    5. Re:FC4, 1.5 by Anonymous Coward · · Score: 0

      It works fine for me, but it also tells me that I'm missing a plugin. Maybe the problem is with one of your plugins?

    6. Re:FC4, 1.5 by ChronoReverse · · Score: 1

      Not only does it crash Firefox for me, it also crashes Internet Explorer. Did Apple break something?

    7. Re:FC4, 1.5 by ChronoReverse · · Score: 1

      Looking at the error message, it looks like it's something to do with Quicktime h.264. I'm using QT Alternative so that might be the culprit. The strange thing is that 1.66 is supposed to support Quicktime's H.264 and certainly works for the trailers and other videos I've watched.

    8. Re:FC4, 1.5 by Anonymous Coward · · Score: 0

      LOL... Why don't you people use Opera?

    9. Re:FC4, 1.5 by runningduck · · Score: 1

      Works for me. 1.5 from m.o.

      --
      -rd
    10. Re:FC4, 1.5 by Anonymous Coward · · Score: 0

      Odd... worked fine here. What am I missing?

      My 1.5 reports as follows:

      Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051206 Firefox/1.5

    11. Re:FC4, 1.5 by ParnBR · · Score: 1

      Yes, you're probably right. It seems to be a problem with the Windows version of the Quicktime plug-in. I tried it with IE and it crashed, too, but this time I noticed it was trying to load ipodfeatures.mov (or something like that). Mine is 7.0.2. I bet Opera would crash too, but I'm tired of crashing my browsers. =P

      --
      My neighbor's .sig is better than mine.
    12. Re:FC4, 1.5 by mebob · · Score: 4, Informative

      I'm pretty sure that it is the new QuickTime 7 plugin causing that.
      As others have posted, it crashes IE as well. And every firefox crash I've had since I've installed 1.5 appears to have been QuickTime related!!!
      All happening after installing 7 except for one.

      --
      =1000101
    13. Re:FC4, 1.5 by devinoni · · Score: 1

      Worked fine here. Of course I have a completely fresh install of 1.5.

    14. Re:FC4, 1.5 by Newrad · · Score: 2, Funny

      LOL... why don't you people just manually call up a dialup provider chirp into the phone?

    15. Re:FC4, 1.5 by Anonymous Coward · · Score: 0

      yes. try using opera and then click on "videos" and tell me that bono's ugly mug is actually being displayed ON the ipod and not BESIDE it.

    16. Re:FC4, 1.5 by jamstar7 · · Score: 1
      Didn't crash for me.

      Using:
      firefox-1.5-1.1.fc4.nr
      mozilla-nspr-devel-1.7.12-1.5.1
      mozilla-nspr-1.7.12-1.5.1
      openvrml-mozilla-plugin-0.15.10-1
      mozilla-flash-7.0.25-1.1.fc2.dag
      mozilla-nss-1.7.12-1.5.1
      mozilla-devel-1.7.12-1.5.1
      mozilla-1.7.12-1.5.1
      mozilla-nss-devel-1.7.12-1.5.1

      OS is Fedora Core 4 with the usual updates...

      --
      Understanding the scope of the problem is the first step on the path to true panic.
    17. Re:FC4, 1.5 by John+Hurliman · · Score: 1

      Confirmed to crash Firefox 1.5 final in Windows XP, don't have access to my Gentoo box at the time.

    18. Re:FC4, 1.5 by MooUK · · Score: 1

      Doesn't QUITE crash, but gives an error message recommending closing firefox.

    19. Re:FC4, 1.5 by hdparm · · Score: 1

      FC5-test1-rawhide, with Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051129 Fedora/1.5-1 Firefox/1.5 renders this without any problems. I'm using windows qt plugins from MPlayer install and content on that site won't play unless I upgrade to qt ver. 7 but it's not crashing.

    20. Re:FC4, 1.5 by lumber_13 · · Score: 1

      LoL, Man if this had been an IE issue! Everyone would have just jumped on and on and on.

    21. Re:FC4, 1.5 by shawb · · Score: 1

      You're missing Windows and Quicktime. I've had many plugins crash firefox in the past, although I seem to be getting less of it with 1.5. Or maybe I just haven't gone to the pages that crash firefox.

      --
      I'll never make that mistake again, reading the experts' opinions. - Feynman
    22. Re:FC4, 1.5 by Anonymous Coward · · Score: 0

      Doesn't crash here, Firefox 1.5 on Ubuntu 5.10.

    23. Re:FC4, 1.5 by zootm · · Score: 1

      Works for me. Windows XP SP2, Firefox 1.5 official. I'm not using the newer version of the Quicktime codecs, though, which many seem to be reporting as the problem.

      Certainly doesn't seem to be a Firefox-specific bug, from the sibling posts here. Is there more information on this?

    24. Re:FC4, 1.5 by Anonymous Coward · · Score: 0

      Quicktime is Satan. I haven't allowed it on any of my personal systems for years.

    25. Re:FC4, 1.5 by bill_kress · · Score: 1

      Works fine. Of course, I don't put quicktime or flash on my FF browser, I put them on IE and use open in IE when I really want them.

    26. Re:FC4, 1.5 by Evil+Pete · · Score: 1

      Doesn't crash 1.5 here (on Win2k). Though I haven't got the plugin installed. If it requires the plugin then I think the problem lies with Apple.

      --
      Bitter and proud of it.
    27. Re:FC4, 1.5 by Directrix1 · · Score: 1

      Well, tell Microsoft to open up their source. And then maybe somebody might defend it.

      --
      Occam's razor is the blind faith in the natural selection of least resistance and in universal oversimplification. -- EF
    28. Re:FC4, 1.5 by pyrosim · · Score: 1

      Not only did it crash, but it locked up my entire box. Fedora Core 4, Firefox 1.5, MPlayer media plugin.

      Had to kill the power to get it to respond, couldn't even shell into it.

    29. Re:FC4, 1.5 by Kitsuneymg · · Score: 1

      I did not have a crash.
      However, I run with NoScript set to block all plugins.
      So that may be it.

      Frankly anyone reading /. who hasn't installed noscript deserves it.

    30. Re:FC4, 1.5 by Kitsuneymg · · Score: 1

      I can confirm that allowing scripts/plugin on this site crashed firefox and nuked my history file. So NoScript saves the day again!

    31. Re:FC4, 1.5 by Jafar00 · · Score: 1

      No problem here on Gentoo. As there is no 1.5 in portage yet, I'm using the downloaded binary version from Mozilla.

      --
      RebateFX.com - Spread rebates for Forex traders
    32. Re:FC4, 1.5 by moro_666 · · Score: 1

      Hmm ...

      All this is really weird and reminds me more of a microsoft anticommercial for firefox than a real issue.

      Compared to the "features" of IE, mozilla just crashing on a too long page title is just a sniff. At least it won't let every joe run his code on your machine like the installing exploder does ...

      --

      I'd tell you the chances of this story being a dupe, but you wouldn't like it.
    33. Re:FC4, 1.5 by lloydwood · · Score: 1

      This report doesn't come as a surprise. I reported Bugzilla Bug 167315 [FIX] TITLE string should be "sandboxed" in September 2002, though the focus was then on not passing an infinite string to the window manager and crashing that. Title string bounding is pretty obvious, really.

    34. Re:FC4, 1.5 by wild_berry · · Score: 1

      I had iTunes bomb out on me while importing stuff. It's been better behaved (but not flawless) since doing an uninstall-reinstall of QuickTime 7.0.3, which I recommend you should do.

      (WinXPProSP2/FireFox 1.5 is fine with that iTunes page.)

    35. Re:FC4, 1.5 by Anonymous Coward · · Score: 0

      Crashed IE too. Might be a Quicktime plugin problem.

    36. Re:FC4, 1.5 by reclusivemonkey · · Score: 1

      This is definitely Quicktime. Firefox 1.5, no crash, just a note saying I don't have the plugin (work machine of course).

    37. Re:FC4, 1.5 by Anonymous Coward · · Score: 0

      'cause the modem bandwidth's too low and I haven't perfected chirping on DSL frequencies yet.

    38. Re:FC4, 1.5 by stuntpope · · Score: 1

      I have Windows 2000, I have QuickTime 7.0.3 plugin and verified it works on the movie trailers on the Apple site. Yet the Apple page referred to above also crashes my Firefox 1.5. I have experienced quite a few 1.5 crashes on other sites as well.

    39. Re:FC4, 1.5 by stuntpope · · Score: 1

      And yet now, after viewing a movie trailer with Quicktime plugin, when I revisit the iPod features page that previously crashed, it works fine.

    40. Re:FC4, 1.5 by mdavie · · Score: 1

      It caused Firefox to lock up while loading an image from this link. I have had a couple of other webpages that cause Firefox to stop responding while loading. If I get the browser to close completely then I get the error that it is already running. Usually, I have to alt-Ctrl-del to bring up Task Manager and close out the process firefox.exe and then it will open back up.

  2. Good Thing by Anonymous Coward · · Score: 5, Funny

    I'm still using Internet Explorer!

    1. Re:Good Thing by sloths · · Score: 5, Funny

      Did it come with a free dinosaur?

      --
      really 867993
      Karma schkarma
    2. Re:Good Thing by AgentScummy · · Score: 3, Funny

      Mine came with Windows 3.1

    3. Re:Good Thing by aussie_a · · Score: 2, Funny

      No but it does come with free spyware.

    4. Re:Good Thing by Anonymous Coward · · Score: 0

      I'm still using Mosaic on Apple Quadra 8500 running Mac OS 8.

    5. Re:Good Thing by Anonymous Coward · · Score: 0

      Christ! Listening to you lot is like some bad American film about CIA mind control... "Microsoft is bad, everything else is good!" - you're like the anti-capitalist drones that just keep regurgitating the same message every day in the hope that everyone will start to believe it.

      So precious Firefox is on the hitlist too! If it has issues they should be highlighted and fixed. Just because it's non-Microsoft it doesn't mean that it's perfect.

  3. The fix by rnelsonee · · Score: 4, Informative

    If it's already happened to you, just delete your history.dat file in your profile folder, and FireFox will create a new (empty) one on startup.

    1. Re:The fix by d34thm0nk3y · · Score: 2, Funny

      Heh, thats funny. There are 3 highly modded posts saying to just delete the history file. Hmmm.... why would Slashdotters be so familiar with a procedure such as that?

    2. Re:The fix by filament · · Score: 2, Funny

      I'm sorry, I can't read your comment because my browser has crashed.

      --
      This sig is covered under the GPL.
    3. Re:The fix by Soul-Burn666 · · Score: 1

      Because many slashdotters, including myself, use nightly/testing versions of Firefox which are inherently unstable.
      When such a thing happens to me, I rename the profile dir and run the program again. If it crashes, it's a bug in the program -> Revert to older build.
      If it doesn't, start moving files there or make a copy of your profile and start removing files.
      Soon enough, you will find the offending files in the profile dir. In this case, history.dat.

      --
      ^_^
  4. slashdot article title too terse by x0n · · Score: 1


    "Unpatched firefox 1.5 exploit made public recently by an unknown source who refused to name himself or other..." *crash*

    --

    PGP KeyId: 0x08D63965
  5. Obligatory Jamaican Response by dotslashdot · · Score: 5, Funny

    Dat file will be history, man.

    1. Re:Obligatory Jamaican Response by uberjoe · · Score: 5, Informative

      You mean: "Dat file will be history Mon."

      --

      The days of the digital watch are numbered.

    2. Re:Obligatory Jamaican Response by Anonymous Coward · · Score: 4, Funny

      But the exploit was published on Wed.

    3. Re:Obligatory Jamaican Response by conteXXt · · Score: 1

      One word.

      "Orange"

      Jah forgive me for dis one.

      --
      The truth about Led Zep should never be told on /. (Karma suicide ensues)
    4. Re:Obligatory Jamaican Response by ichigo+2.0 · · Score: 1

      "Those who do not learn from history are doomed to repeat last week, mon." - Jamaican Haiku

  6. History.dat by Life700MB · · Score: 1


    One more reason to work on mess that the history.dat file format is!

    --
    Superb hosting 2400MB Storage, 120GB bandwidth, ssh, $7.95

  7. Only crashes? by ruiner13 · · Score: 4, Informative

    If this only crashes Firefox, how is it an "exploit"? I tend to use "exploit" as something that an attacker can use to their advantage to do something malicious. This is just an annoyance to have to move my poor cursor back to the icon and issue an oh-so-painful double-click.

    --

    today is spelling optional day.

    1. Re:Only crashes? by courtarro · · Score: 3, Insightful

      There are plenty of browser denial-of-service bugs, but few of them can actually render your browser useless upon every execution. This one has a lasting effect that's more significant than the old "do while(true) alert;"-style DoS attacks. A single double-click won't fix this one; you have to delete your old history.dat file.

    2. Re:Only crashes? by Anonymous Coward · · Score: 3, Insightful

      If it causes a crash, it's entirely likely that some malicious code could be injected into memory when that happens! If so, you're potentially up shit creek.

    3. Re:Only crashes? by HoosierPeschke · · Score: 1

      They added a correction at the bottom of the article... (emphasis added)

      Correction: This story incorrectly stated the affiliation of Mike Schroepfer, Mozilla's results in verifying the Firefox 1.5 flaw, and the nature of the problem. Schroepfer is vice president of engineering with Mozilla Corp., and Mozilla has not been able to verify its browser can crash and lead to a denial-of-service condition. The problem itself was not a security vulnerability but actually a flaw in the browser.

      You are correct it's not an exploit, just a bug.

      --
      Mr. Universe: "They can't stop the signal, Mal. They can never stop the signal."
    4. Re:Only crashes? by Jugalator · · Score: 2, Insightful

      Crashes may be signs of buffer overruns and access violations, which is a bad thing not only from the app's and user's perspective, but also from a security perspective, e.g. if the memory space was prepared earlier with malicious code.

      --
      Beware: In C++, your friends can see your privates!
    5. Re:Only crashes? by ruiner13 · · Score: 1

      Ok, so a right click, click, then double-click :) Still easier than having to reformat and reinstall windows because my computer has become a zombie. If this were IE, being tied into the OS as it is, a crash of your browser is far more likely to have other effects on other running processes.

      --

      today is spelling optional day.

    6. Re:Only crashes? by tpgp · · Score: 0

      I tend to use "exploit" as something that an attacker can use to their advantage to do something malicious

      Well - an attacker can use this exploit to do something malicious - crash your machine :-)

      Wikipedia agrees (hah! because I just edited the article*) that Denial of Services are exploits.

      This is not a particularly serious exploit, (in spite of all the IE fanboys who are undoubtedly going to come out of the woodwork claiming that this proves firefox is no more secure), but it is an exploit nonetheless.

      *For the humour impaired this is a joke...

      --
      My pics.
    7. Re:Only crashes? by Thundersnatch · · Score: 2, Insightful

      The vulnerability is incorrect handling of input. In this case, the only *exploit* published so far is a DoS. But obviously there's something very wrong with the input validation in the code, and remote execution may be possible with a more clever exploit.

      Witness the recent IE vulnerability, which MS didn't patch quickly because it was "only a DoS vulnerability". Of course, it turned out it was possible to execute code with the vulnerability, it just took a while for a better (worse?) exploit to be crafted.

    8. Re:Only crashes? by Da_Weasel · · Score: 2, Interesting

      lets say that some malicious code gets "injected" into memory when Firefox crashes. What are the dangers? If Firefox crashes then its not going to attempt to use that memory for anything...because...ummm....it's not running! If it's not running then it can't be tricked into doing something with this malicious chunk of memory. The only other thing that is going to be looking at that memory space is the OS, and that would likely only be concerned with reclaiming those blocks of memory for use by other processes once the Firefox process exits.

      Just because you can make a program crash, doesn't mean you can exploit it. As a matter of fact Firefox would be more dangerous if it didn't crash and kept on chugging along using corrupt data in the history.dat.

      --
      If you must!
    9. Re:Only crashes? by Anonymous Coward · · Score: 0

      You are entirely incorrect. It isn't likely or even possible to inject anything into memory when an app crashes. When an application crashes, it just crashes. It stops running, and all the memory it was using is freed. It doesn't magically gain access to the rest of memory, and even if it did, the fact that the app is not running any more would make it rather difficult to exploit that.

    10. Re:Only crashes? by m50d · · Score: 1

      Most usual reason for a crash is when a program tries to access a random(ish) memory location - it has no right to, so it segfaults. But if it's doing that it's often only one more step to making it access a particular memory location - in particular, to jump into the data you've just given it.

      --
      I am trolling
    11. Re:Only crashes? by Anonymous Coward · · Score: 0
      Just because you can make a program crash, doesn't mean you can exploit it.

      You don't understand how buffer overflows work. The easiest way to find a program that one can exploit is to throw random garbage to programs (i.e., when they read files give them crap, when they accept a login name hand them 3000 characters of garbage, when they read data from a socket send them random binary junk). The programs that crash are excellent candidates for hackers to develop exploits for. Crashing is the symptom of stack and/or memory corruption. Exploits are generated by carefully crafting this stack/memory corruption to force the program to do what YOU want it to do, instead of just crashing due to executing random garbage. In most exploits, the 3000 characters of "junk" you send them is actually 2500 characters of valid exploit code, a bunch of nulls, and a "jump to" instruction to get the program to jump to the aforementioned exploit code.

    12. Re:Only crashes? by Anonymous Coward · · Score: 0

      If only most real haxx0rs had your level of knowledge... All of us would be much safer! I invite you to begin enlightening yourself, here: http://en.wikipedia.org/wiki/Buffer_overflow

      The fact is, many crashes are the result of buffer overflows. In the instance a buffer overflow exploit happens in the Windows world, it's very likely that it will happen to the administrator account, or one similarly powerful. I don't know if this crash problem is the result of buffer overflowing, or bounds checking in the program, causing itself to shut down unharmfully, and de-allocate memory in the preferred way. Do you know this? Probably not.

      If you had read the article, you'd know that you have to manually kill firefox. It doesn't fail gracefully! The memory is still allocated, the process is still running. All one has to do is write to a portion of executable area of memory (firefox's executable), and get the OS to run it. Voilá, exploitê. Hack a busy porno site, get your exploit up unnoticed, leave everything else alone, and your botnet could grow by millions of machines that were previously protected from worms!

    13. Re:Only crashes? by alienw · · Score: 1

      There is nothing wrong with the input code. It works just like intended. The only problem is, it's possible to create a long title and slow down the browser startup (that is, until you clear the history file). Not to mention, who the hell uses the history feature, anyway? It's the first thing I turn off.

    14. Re:Only crashes? by alienw · · Score: 1

      This is only true in some special cases. In general, simply accessing a random memory location will cause the OS to shut the program down due to an access violation. The only time you can exploit this is if you can _make_ the program access a _particular_ memory location.

    15. Re:Only crashes? by sbrown123 · · Score: 1

      Doesn't work that way. Overflow is to write into a memory space that is somehow executed upon. You have to have a "jump" from some executing thread in order to get the exploit code to execute. But it doesn't have to be the program it was injected into that runs the code. That's when it gets scary.

    16. Re:Only crashes? by alienw · · Score: 1

      If an idiot like you actually knew anything, you would realize that this flaw does not let you execute random code. In general, any bug which does not crash the program is very unlikely to be vulnerable to buffer overflows and such. In this case, the only thing that happens is that the browser starts slowly because it has to read a long file.

    17. Re:Only crashes? by Anonymous Coward · · Score: 0

      The other person to reply is correct -- there is NO crash. The problem is basically that the code that reads in the history.dat file has an O(N^2) component (since it's just dealing with short strings, right?!?) With a few of these nasty multi-megabyte title lines in there the browser can take several MINUTES to start up.

      So it's a bug and it should be fixed, HOWEVER there are no invalid memory accesses, no browser crash, and no opportunity for malicious code execution. This one really *IS* just a DoS

    18. Re:Only crashes? by Anonymous Coward · · Score: 0

      It is a bug that can be exploited.

      A "bug" is a flaw in software that causes it to behave other than the programmer intended.

      An "exploit" is the ability to willfully cause software to behave other than intended, usually by leveraging bugs in the software, which is what the posted script does.

    19. Re:Only crashes? by jesser · · Score: 1

      A large percentage of Web users rely on history to make visited links appear differently than unvisited links. (On most sites, visited links appear purple and unvisited links appear blue, but only if you have history enabled.) A smaller percentage uses history for other purposes, such as recovering from a crash or accidentally closing a tab or window, remembering how they found a page, or determining whether their son looks at porn.

      --
      The shareholder is always right.
    20. Re:Only crashes? by jonadab · · Score: 2, Insightful

      > Just because you can make a program crash, doesn't mean you can exploit it

      No, it doesn't mean that *necessarily*; however, there is historically a significant likelihood that such *might* be the case. The most recent IE remote arbitrary code execution exploit was formerly just a denial-of-service attack that for one reason or another never got patched, and eventually someone figured out how to exploit it in a way that allows arbitrary code to be injected and executed. There are many other examples over time of cases wherein a flaw in some program or another, when initially discovered, was only a denial-of-service (or perhaps not even proven exploitable at all) but code injection and execution developed as a later, more sophisticated exploit of the same vulnerability.

      This should definitely get fixed, preferably *before* anybody discovers a way to do more malicious things than DOS with it. (And I have little doubt it will be fixed, probably quite soon, if past history is any indication of future performance.)

      --
      Cut that out, or I will ship you to Norilsk in a box.
    21. Re:Only crashes? by Anonymous Coward · · Score: 0

      Let me guess... you were one of the developers who worked on IE 3.0.

    22. Re:Only crashes? by mrchaotica · · Score: 1

      It doesn't happen often, but once in a while I might be having a conversation, remember something I read a few days ago, and then not remember the name of the site I read it at. With the history file, I can look through it to find the info.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  8. Incremental updates by moonbender · · Score: 2, Informative

    Sounds like a great opportunity to show off the snazzy automatic incremental update feature Firefox 1.5 has. Pushing a fix quickly to users who've got it enabled would be great.

    --
    Switch back to Slashdot's D1 system.
    1. Re:Incremental updates by saskboy · · Score: 1

      Is the notice pushed, or the actual update?

      If you leave Firefox open 24/7 does it ever check for updates automatically?

      --
      Saskboy's blog is good. 9 out of 10 dentists agree.
    2. Re:Incremental updates by Anonymous Coward · · Score: 0

      Yeah, I'll be interested to see it as well, especially how it behaves when the user is running without administrative privileges on Windows.

      I also wonder if they finally managed to make proper installers for windows which take care to uninstall previous versions, so I don't end up with multiple entries in the Add/Remove Programs list (some of which become defunct, because files get overwritten).

    3. Re:Incremental updates by moonbender · · Score: 1

      I don't know about the administrative privileges, but the auto-update is very streamlined in 1.5. If you used an RC, you already were auto-updated to the final. Firefox checks for updates when it's started. If there's a more recent version, it asks you whether you want to update, and if so, downloads and updates by itself transparently, without running any additional installer application. All you need to do is decide whether you want to restart the browser at once or later.

      --
      Switch back to Slashdot's D1 system.
    4. Re:Incremental updates by Kelson · · Score: 1

      I also wonder if they finally managed to make proper installers for windows which take care to uninstall previous versions, so I don't end up with multiple entries in the Add/Remove Programs list

      Where have you been? They fixed that ages ago. 1.0.3, I think.

  9. Stopping the stupidity by tjwhaynes · · Score: 5, Informative
    For anyone out there who wants a safer experience out on the web, you owe it to yourself to install the NoScript extension and only allow whitelisted sites to run Javascript. The exploit published this morning (more a DoS and only seems to affect some but not all installations of firefox 1.5 according to SANS) uses a Javascript loop to build up an enormous topic that ends up being written into your history.dat file causing buffer overflow issues. Without Javascript, this sort of exploit is much tougher.

    Cheers,
    Toby Haynes

    --
    Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
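    As an added example (not code from this thread, from the poster, or from Mozilla), the following JavaScript models the pattern tjwhaynes describes above and the "title string bounding" that lloydwood's Bugzilla 167315 comment calls for: a script loop builds a multi-megabyte document title, the browser persists it verbatim into its history file, and every later startup pays for it, versus a store that bounds the title before it ever reaches disk. The store layout, the tab-separated record format, the 1 KiB cap and the sample URL are assumptions made for illustration; Firefox's real history.dat is a Mork database and its actual limit is not given on this page.

```javascript
// Added example: toy model of a browser history store, not Firefox code.
// The record format and the cap below are assumptions for illustration.

const MAX_TITLE_BYTES = 1024; // assumed cap; Firefox's real limit is not on the page

// Simulates a hostile page: a loop that doubles document.title until it is
// many megabytes, which is the mechanism the thread describes.
function buildHugeTitle(targetBytes) {
  let title = 'A';
  while (title.length < targetBytes) {
    title += title; // doubling, so only log2(n) iterations are needed
  }
  return title;
}

// Naive store: trusts the page's title verbatim and persists it as given.
class NaiveHistoryStore {
  constructor() { this.entries = []; }
  recordVisit(url, title) {
    this.entries.push({ url, title });
  }
  // One tab-separated record per line (assumed layout, not Mork).
  serialize() {
    return this.entries.map(e => `${e.url}\t${e.title}`).join('\n');
  }
}

// Bound a page-supplied title before it touches persistent storage:
// strip control characters (tab and newline would corrupt a line-oriented
// file) and truncate by UTF-8 byte length, never splitting a code point.
function boundTitle(title) {
  if (typeof title !== 'string') return '';
  const cleaned = title.replace(/[\x00-\x1f\x7f]/g, ' ');
  const enc = new TextEncoder();
  if (enc.encode(cleaned).length <= MAX_TITLE_BYTES) return cleaned;
  let out = '';
  let bytes = 0;
  for (const cp of cleaned) {        // iterates code points, not UTF-16 units
    const n = enc.encode(cp).length;
    if (bytes + n > MAX_TITLE_BYTES) break;
    out += cp;
    bytes += n;
  }
  return out;
}

// Hardened store: identical on-disk format, but the title is bounded first.
class BoundedHistoryStore extends NaiveHistoryStore {
  recordVisit(url, title) {
    super.recordVisit(url, boundTitle(title));
  }
}

// Simulates startup: read the persisted file back one record per line.
function parseHistory(text) {
  if (text === '') return [];
  return text.split('\n').map(line => {
    const [url, title] = line.split('\t');
    return { url, title };
  });
}

// One visit to a hostile page through each store; returns the sizes the
// browser would have to read back on its next startup.
function demo() {
  const hostileTitle = buildHugeTitle(4 * 1024 * 1024); // ~4 MiB title
  const naive = new NaiveHistoryStore();
  const bounded = new BoundedHistoryStore();
  naive.recordVisit('http://evil.example/', hostileTitle);   // assumed sample URL
  bounded.recordVisit('http://evil.example/', hostileTitle);
  return {
    naiveBytes: naive.serialize().length,
    boundedBytes: bounded.serialize().length,
    naiveEntries: parseHistory(naive.serialize()).length,
    boundedEntries: parseHistory(bounded.serialize()).length,
  };
}
```

    Run `demo()` and the naive store's file is a little over 4 MiB after a single visit, while the bounded store's file is about 1 KiB; both parse back to one entry. The point of the cap is that the page controls the input but not what gets persisted, so no script loop can grow the startup cost without bound, and deleting history.dat (the recovery this thread recommends) is no longer needed. Stripping tab and newline matters for the same reason: a title containing the record separator could otherwise split or merge records in the file.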
    1. Re:Stopping the stupidity by Psykus · · Score: 3, Informative

      The NoScript extension itself.

    2. Re:Stopping the stupidity by dankelley · · Score: 1
      The poster is right. Back when I used linux, I liked this feature.

      Today I browse with Safari on OSX, and I have javascript turned off by default. This is seldom problematic, since it's easy to turn javascript on for a moment once a week when it provides more than annoying eye candy.

    3. Re:Stopping the stupidity by CosmeticLobotamy · · Score: 5, Funny

      The guy who drew the logo for that forgot the wingalings and the beefy arm.

    4. Re:Stopping the stupidity by Psykus · · Score: 1

      "I said consummate V's! CONSUMMATE!!!"

    5. Re:Stopping the stupidity by bitcastle · · Score: 1

      No no no. JavaScript has come a long way - look at google maps and gmail - are you going to turn it off for this rare bug? perhaps if you visit lots of porn sites you might need it off...

    6. Re:Stopping the stupidity by ZachPruckowski · · Score: 1

      NoScript does a whitelist. So if I wanted javascript at ______.google.com, I'd add that to the whitelist, and all would be well. Takes 10 seconds, if that.

    7. Re:Stopping the stupidity by affliction · · Score: 1

      For anyone out there who wants a safer experience out on the web, you owe it to yourself to install the NoScript extension and only allow whitelisted sites to run Javascript

      This is also for people who want a completely boring and utterly useless web experience. I fail to see the informational value of crippling your browser in such a manner.

    8. Re:Stopping the stupidity by crazyphilman · · Score: 1

      You've got it wrong. It's not a permanent javascript block. It just means that when you go to a site, you do two clicks with your mouse. You can either temporarily turn on javascript for that site, or permanently turn it on (if it's a site you trust).

      The really, really nice feature of this tool is that when you go to enable javascript, you can see all of the several domains that are trying to run javascript on your machine, and only enable the one for the site itself. It's a very nifty tool. It even lets you ban Java, Flash, and other forms of interactivity (until you enable them, that is, on a case by case basis). Whitelists are the best approach for this sort of thing.

      And it can save your bacon, if you accidentally go to a site that's trying to stick it to you. It gives you that last chance to back out before something wretched happens. You know?

      --
      Farewell! It's been a fine buncha years!
    9. Re:Stopping the stupidity by 6*7 · · Score: 1

      That is why noscript is so great, you can (temporarily) whitelist the sites that need it (if you trust them).

    10. Re:Stopping the stupidity by bitcastle · · Score: 1

      holy crap you guys are paranoid. javascript is pretty benign and to have to whitelist sites is hugely annoying, even if it takes only 10 seconds. that can add up to hours worth of time every year! :) that being said i do code my javascript menus so that you can still navigate with no js, it just requires an extra page refresh (which can also add up to hours over the course of a year). i haven't gone so far as to code slideshows without js - too painful waiting for refreshes even on fast connections (heck even on localhost).

    11. Re:Stopping the stupidity by 6*7 · · Score: 1

      "javascript is pretty benign and to have to whitelist sites is hugely annoying, even if it takes only 10 seconds."

      Don't worry, it takes between 2 and 3 seconds.

      "i haven't gone so far as to code slideshows without js - too painful waiting for refreshes even on fast connections (heck even on localhost)"

      Bad or lazy coder or just a troll?

      1) Just use the tricks that have been around for ages. On page x you just have a 0x0 img of the next image. Only drawback is that the first page takes longer to load.
      2) Use the link element to specify the next page (http://www.w3.org/TR/html4/struct/links.html#h-12.3). Decent browsers will preload that page.
      3) Add all the scripting you want on top of that.

      Results in a fast slideshow without the need for scripting; when client-side scripting is enabled the user may even have a better experience. Added bonus might be better indexing by search engines.

    12. Re:Stopping the stupidity by Anonymous Coward · · Score: 0

      Whitelisting you do once. You have to close the JS popups that get past the default pop-up blocker EVERY TIME. I find that whitelisting the site you're actually visiting and leaving the advertisers' sites blocked works spectacularly as an enhanced pop-up blocker with minimal effect on the displayed page (In most cases, I can't tell a difference).

      Also consider the following: WPTS used to take minutes to load. Whitelisting WPTS and leaving userland blocked has two discernible effects on the page: The number of comments is no longer displayed (If I want to see the number of comments without loading them for some reason, I can still temporarily whitelist userland)...and load time is now practically instantaneous.

      I'll put a second or two whitelisting the odd site I haven't visited before up against three or four seconds each closing multiple recurrent JS popups and minutes at a time waiting for content that is largely irrelevant to the material I'm looking for any day. And remember, I only need to whitelist the page if it doesn't display or operate correctly totally blocked. Most do.

    13. Re:Stopping the stupidity by Spacejock · · Score: 1

      I've been using this extension for a week and I'm really happy with it. 90% of the scripts serve ads or count website visits, so who cares if they don't run? A couple of times I've had sites not work properly, but a quick click of the 'enable' option soon fixes that.

      Cheers
      Simon Haynes (No relation to the parent poster. At least, not to my knowledge.)

    14. Re:Stopping the stupidity by riflemann · · Score: 1

      NoScript only lets me whitelist sites. I'd use it if I could have it allow by default and blacklist certain sites.

      Why? Because rather than being of the "i hate JS and only want to run it in certain places" type, I'm a "let it run but i'll turn it off on annoying sites" person.

    15. Re:Stopping the stupidity by Anonymous Coward · · Score: 0

      So Flash is boring ? And I suppose java can do MORE than Flash can ?

      raspberry to you...

    16. Re:Stopping the stupidity by HorsePunchKid · · Score: 1
      I knew I had looked at NoScript before, but I couldn't remember why I wasn't using it. I installed it again just to see, and now I recall. It's got this list of sites that are permanently whitelisted; a bunch of crap I've never heard of. Very annoying tactic.

      Anyway, it turns out you can get around it with a bit of effort. Just open up the directory that the extension lives in, find the file defaults/preferences/noscript.js and the lines that obviously contain domain names. Trim the cruft from the "permanent" setting and the "default" setting. You may need to edit your prefs.js, too; I did things out of order, and so I'm not entirely sure.

      Seems to work fine now, and without a bunch of sites that I have no reason to trust.

      --
      Steven N. Severinghaus
  10. DOS by kihjin · · Score: 5, Insightful

    The 'exploit' seems only capable of a Denial of Service. There's no proof to indicate that malicious code could be executed.

    Plus, read this (from the article):

    "We have gotten no independent verification that it crashes (Firefox), but there have been a lot of attempts to try," Schroepfer said.

    So, this is all very hypothetical then?

    --
    This slashdot-related signature is a stub. You can help kihjin by expanding it.
  11. ummmm by Prince+Vegeta+SSJ4 · · Score: 3, Funny

    that's what they get for making an extension that runs explorer within firefox https://addons.mozilla.org/extensions/moreinfo.php?application=firefox&id=1419 *ducks*

  12. Not an "exploit" by joetainment · · Score: 4, Insightful

    This isn't even related to security. It's just a bug.... lots of apps crash when something happens. Doesn't mean it's ok, but it doesn't represent a security issue, does it? (Unless I'm missing something...)

    1. Re:Not an "exploit" by bwd · · Score: 1

      Yea, it's no big deal. It just causes the browser to crash. Move along.

      Not.

    2. Re:Not an "exploit" by tyler_larson · · Score: 1
      Yea, it's no big deal. It just causes the browser to crash. Move along.

      No, the browser does not crash. It just takes longer to start up because it has 10 megs of history to parse instead of a few K.

      It really is no big deal.

      --
      "With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea...."
      RFC 1925
  13. From the better-than-the-alternative dept by Anonymous Coward · · Score: 0

    Notice it says "crash browser" and not "crash computer" or "fill with spyware".

    1. Re:From the better-than-the-alternative dept by Spy+der+Mann · · Score: 1

      Heh, the same was said about IE6's window() bug.

      Remember: If it segfaults your program, it might as well make it execute code!

    2. Re:From the better-than-the-alternative dept by Anonymous Coward · · Score: 0

      Remember: If it segfaults your program, it might as well make it execute code!

      Except that the out-of-range memory is never accessed, and no more code is executed. A segmentation fault means that the kernel had to shut down that particular process because it tried to access memory that wasn't allocated to it. It segfaults instead of allowing the memory access; it doesn't allow the access, and then segfault afterward.

    3. Re:From the better-than-the-alternative dept by Anonymous Coward · · Score: 0

      Opera, anyone?

  14. Tin Hats Need Not Fear by courtarro · · Score: 4, Funny

    Those of us with sturdy tin hats already have our histories disabled. Take that, evil!

    1. Re:Tin Hats Need Not Fear by TubeSteak · · Score: 1

      With your histories disabled, how will you know when history is repeating itself?

      --
      [Fuck Beta]
      o0t!
    2. Re:Tin Hats Need Not Fear by Penguin · · Score: 1

      I considered that too, but my Firefox deletes my history on random intervals even when not asked to. Might as well disable it altogether.

      --
      - Peter Brodersen; professional nerd
    3. Re:Tin Hats Need Not Fear by raehl · · Score: 2, Funny

      Those of us with sturdy tin hats already have our histories disabled.

      Those of us with wedding rings do that too.

    4. Re:Tin Hats Need Not Fear by initialE · · Score: 1

      Take that, evil!
      Oh come on, Take That may have sucked at singing, but evil?

      --
      Starbucks, Harbuckle of Breath.
  15. Really by jupiter_ganymede · · Score: 2, Insightful

    Is it just me or is this a pretty worthless report? I can't really see this as being an exploit anyone would care about unless you happen to work for a certain company in Redmond.

    1. Re:Really by Anonymous Coward · · Score: 0

      Who, Nintendo of America? Why would they care?

    2. Re:Really by Anonymousse · · Score: 0

      The question is: would you post a similar message if this was in fact an error in iexplore? I remember a similar problem with Microsoft's browser family, where one could simply write a tag in an html file (don't remember what it was), and the browser would die. Personally, I found that very amusing, and definitely one of many reasons not to use it. Now, Firefox has had quite a few serious issues, and when things like this happen after 1.5 has left the beta stage, this is definitely one of several reasons not to use it.

  16. Back to IE for me by Anonymous Coward · · Score: 0

    Getting my machine 0wned is one thing, but I just can't have my browser crashing.

  17. Um... Did you RTFA? It's not an exploit by Schrade · · Score: 5, Informative

    Quote from the bottom of the article:

    Correction: This story incorrectly stated the affiliation of Mike Schroepfer, Mozilla's results in verifying the Firefox 1.5 flaw, and the nature of the problem. Schroepfer is vice president of engineering with Mozilla Corp., and Mozilla has not been able to verify its browser can crash and lead to a denial-of-service condition. The problem itself was not a security vulnerability but actually a flaw in the browser.

    Read the article before you consider posting it with a sensational title!

  18. IE's execution of arbitrary code by Dreadlord · · Score: 5, Interesting

    Before someone starts saying Firefox is vulnerable to exploits just as IE, this exploit crashes the browser and only that; now compare this to IE's execution of arbitrary code.

    No software is perfect, but still, Firefox is clearly ahead.

    --
    The IT section color scheme sucks.
    1. Re:IE's execution of arbitrary code by ClamIAm · · Score: 2, Interesting

      And a while back firefox had a bug (in Windows) that allowed access to a shell. Knowing the number of people that run with admin access, this is just as bad. I'm not saying FF is as bad as IE, just that bugs can be brutal. (and undiscriminating)

    2. Re:IE's execution of arbitrary code by Anonymous Coward · · Score: 0

      What's clear is that anybody that knows anything about security knows that this is opening possible code execution, even if the current known exploit doesn't do that.

    3. Re:IE's execution of arbitrary code by KylePflug · · Score: 1

      Wow, a pre-emptive counter-flame.

    4. Re:IE's execution of arbitrary code by I'm+Don+Giovanni · · Score: 1

      I saw no posts regarding IE, but you're so sycophantically defensive of FF that you felt the need for a pre-emptive strike. LOL

      --
      -- "I never gave these stories much credence." - HAL 9000
    5. Re:IE's execution of arbitrary code by Dreadlord · · Score: 2, Informative

      The origin of the bug is Windows and its shell: protocol. Mozilla simply handed those links back to the OS as it does with protocols it doesn't know how to handle; other programs like MS Word were vulnerable to the very same exploit.

      It was fixed 24 hours after full disclosure, and only Win32 versions of Mozilla were vulnerable, doesn't this ring a bell?

      Anyway, read this link for more info.

      --
      The IT section color scheme sucks.
  19. Good test for the new Update System by brandonp · · Score: 2, Insightful

    This will be a good test for the new Update System that was implemented in Firefox 1.5. Too bad it will need to be utilized so soon.

    With the speed that the Firefox developers release their fixes and the ease of getting those fixes with the new system, I hope this will develop as proof of how well Firefox can handle these situations.

    --
    Brandon Petersen
    http://www.brandonpetersen.com/

    1. Re:Good test for the new Update System by Ronald+Dumsfeld · · Score: 1

      Updates you say? Can I have 1.5 first please?

      Yes, the British English version isn't available yet. Is this a clever ploy to get everyone using American English?

      --
      Where's the Kaboom?
      There's supposed to be an Earth-shattering Kaboom.
    2. Re:Good test for the new Update System by mlefevre · · Score: 1

      No. There was an issue with some links to things in the British version. That issue has now been resolved, and it's just waiting for the build to get through the rest of the release process - should be out in the next day or two.

    3. Re:Good test for the new Update System by Anonymous Coward · · Score: 0

      Couldn't they have released the version without the links to mozilla-europe and then released a patch via the updater.

      You would have struggled to find a single brit who even noticed the 'issues' let alone cared less.

    4. Re:Good test for the new Update System by Anonymous Coward · · Score: 0

      Especially since people from outside of Europe will be using the British English version, for example people from most Commonwealth countries.

    5. Re:Good test for the new Update System by Anonymous Coward · · Score: 0

      What is the problem? Are the British too stupid to understand Americanized English? I grew up learning "Queen's English" but I still have to get by with Americanized English. Just treat those few Americanized English words as spelling mistakes.

  20. Vulnerability of known projects by Anonymous Coward · · Score: 0

    With the spotlight on Firefox, it's obvious a lot more crackers and hackers are going to start looking at Mozilla Foundation's code. While previously there was little incentive for crackers to exploit vulnerabilities in MoFo's code, you can't say that now, with all the attention Firefox caught.

    It's up to them to fix their software as soon as vulnerabilities are reported now.

  21. Automatic update by cdn2k1 · · Score: 0, Redundant

    This seems to be a good test for the new "automatic update" feature in FF 1.5. I hope they can use this feature to address these security issues in a timely manner without all this fanfare.

  22. It's completely retarded... by ninja_assault_kitten · · Score: 3, Insightful

    The guy who reported it called it a 'buffer overflow' and clearly had no understanding of what it actually meant.

    which most users won't figure out.

    this proof of concept will only prevent someone from reopening their browser after being exploited. DoS if you will. however, code execution is possible with some modifications.

    Tested with Firefox 1.5 on Windows XP SP2.

    ZIPLOCK

    -->

    heh
    function ex() {
                var buffer = "";
                  for (var i = 0; i ZIPLOCK says CLICK ME

    1. Re:It's completely retarded... by Trillan · · Score: 1

      Um. A buffer overflow is whenever the code attempts to store a large data element in a small buffer without adequate protection. This is what Firefox does when you attempt to start up and it hits the too-large history entry.

      I haven't looked at Mozilla's parser code, so it isn't clear exactly what effect the buffer overflow will have. But it is a buffer overflow by definition.

    2. Re:It's completely retarded... by ninja_assault_kitten · · Score: 1

      Ok, clearly you have no idea what a buffer overflow is either... heh.

      Also, just an FYI, everything below the first line on my original post was actually a paste of the original Firefox advisory.. unfortunately Slashcode stripped out most of it and it looks like me talking.

    3. Re:It's completely retarded... by Trillan · · Score: 1

      A buffer overflow is when a large amount of data is put in a small buffer without safeguards, because data will be written outside of the designated buffer. Period.

      There are different requirements for it to be exploitable, which is maybe what you're thinking of, but a buffer overflow itself is that simple: big data, small buffer, data overwrites stuff outside of the buffer.

    4. Re:It's completely retarded... by ninja_assault_kitten · · Score: 1

      Actually, you went too far. A buffer overflow, in its most simple state, is simply exceeding the bounds of allocated buffer space. It does not always result in information being written outside of the buffer.

      Exploitability has nothing to do with my definition.

    5. Re:It's completely retarded... by Trillan · · Score: 1

      You're still wrong, but you're getting closer. A buffer overflow is a *write* past bounds. Exceeding bounds on a read is not a buffer overflow. (That is a problem, too, but not the same problem.) This is what I said in my original post (you know, the one you replied to saying I had "no idea").

  23. A crash can often lead to an overflow exploit by MushMouth · · Score: 4, Insightful

    When an app crashes (firefox does quite often for me) it means that it is doing something that the programmer didn't expect. That could be all sorts of things, from taking all the cpu, to writing to memory that it shouldn't be. Most overflow exploits started as mere crashes.

    1. Re:A crash can often lead to an overflow exploit by Anonymous Coward · · Score: 1, Insightful

      Even if most overflow exploits start as crashes, it doesn't mean most crashes are overflow exploits. Certainly worth investigating, but assuming that every crash is an exploitable vulnerability and publishing a news story based on that assumption is dumb.

    2. Re:A crash can often lead to an overflow exploit by pclminion · · Score: 2, Insightful
      Most overflow exploits started as mere crashes.

      While that is true, this could also be a simple null pointer dereference, caused by incomplete error handling in the code somewhere. Those sorts of failures are typically not exploitable.

      Just because A implies B, does not necessarily mean that B implies A. All overflows are crashable bugs, but not all crashable bugs are overflowable.

      It's easy enough to find out -- load the core file into gdb and look at the instruction that crashed. If it's a null reference, chances are this bug is no big deal.
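      The two threads above argue about what a buffer overflow is (a write past a buffer's bounds, as opposed to an oversized read) and about whether a crash is necessarily exploitable (it may be a plain null dereference caused by incomplete error handling). The following C program is an added example; it is not Mozilla's history parser and not code posted by anyone in this thread. It is a toy bounded parser for a history-style record using a constructed "url=...;title=...;" syntax, which is not the real history.dat (Mork) format. It shows the defensive form of both cases: a NULL or field-less input returns an error code instead of being dereferenced, and a title longer than the fixed 64-byte buffer is refused before the copy instead of being written past it. The 10,000-byte title built in the demo is constructed to mirror the oversized history entry discussed in the thread.

```c
/* Added example, not code from Mozilla or from anyone in this thread.
 * A toy bounded parser for a history-style record, showing the two
 * failure modes argued about above and how a defensive parser turns
 * each into an explicit error instead of a crash:
 *   - a NULL input or a missing field  -> error code, not a NULL dereference
 *   - a field longer than its buffer   -> error code, not a write past the buffer
 * The "url=...;title=...;" record syntax is constructed for this example
 * and is NOT the real Mork history.dat format. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_TITLE 64            /* fixed-size destination buffer */
#define BIG_TITLE_LEN 10000     /* constructed oversized field for the demo */

enum parse_result {
    PARSE_OK = 0,
    PARSE_NULL_INPUT,           /* caller passed NULL: the null-dereference case */
    PARSE_NO_TITLE,             /* field absent: the incomplete-error-handling case */
    PARSE_TITLE_TOO_LONG        /* "big data, small buffer": the overflow case */
};

struct history_entry {
    char title[MAX_TITLE];
    size_t title_len;
};

/* Extract the title field from record into e.
 * Writes at most MAX_TITLE - 1 title bytes plus the terminating NUL. */
enum parse_result parse_entry(const char *record, struct history_entry *e)
{
    if (record == NULL || e == NULL)
        return PARSE_NULL_INPUT;

    const char *start = strstr(record, "title=");
    if (start == NULL)
        return PARSE_NO_TITLE;
    start += strlen("title=");

    const char *end = strchr(start, ';');
    size_t len = end ? (size_t)(end - start) : strlen(start);

    /* The bounds check comes BEFORE the copy. Without it, an oversized
     * field would be written past e->title: a buffer overflow in the
     * "write past bounds" sense discussed above. */
    if (len >= MAX_TITLE)
        return PARSE_TITLE_TOO_LONG;

    memcpy(e->title, start, len);
    e->title[len] = '\0';
    e->title_len = len;
    return PARSE_OK;
}

/* Constructed sample records (not real history data). */
static const char SAMPLE_OK[]       = "url=http://slashdot.org/;title=Slashdot;";
static const char SAMPLE_NO_TITLE[] = "url=http://slashdot.org/;";

enum parse_result demo_normal(void)
{
    struct history_entry e;
    return parse_entry(SAMPLE_OK, &e);
}

/* Returns the parsed title of SAMPLE_OK (static storage, valid for the caller). */
const char *demo_normal_title(void)
{
    static struct history_entry e;
    if (parse_entry(SAMPLE_OK, &e) != PARSE_OK)
        return "";
    return e.title;
}

enum parse_result demo_missing_title(void)
{
    struct history_entry e;
    return parse_entry(SAMPLE_NO_TITLE, &e);
}

enum parse_result demo_null_input(void)
{
    struct history_entry e;
    return parse_entry(NULL, &e);
}

/* A record whose title is BIG_TITLE_LEN bytes of 'A', far larger than
 * MAX_TITLE: the parser must refuse it rather than copy it. */
enum parse_result demo_oversized_title(void)
{
    static char record[sizeof("title=") - 1 + BIG_TITLE_LEN + 2];
    struct history_entry e;
    size_t prefix = strlen("title=");

    memcpy(record, "title=", prefix);
    memset(record + prefix, 'A', BIG_TITLE_LEN);
    record[prefix + BIG_TITLE_LEN] = ';';
    record[prefix + BIG_TITLE_LEN + 1] = '\0';
    return parse_entry(record, &e);
}

int main(void)
{
    printf("normal:    %d (title \"%s\")\n", demo_normal(), demo_normal_title());
    printf("no title:  %d\n", demo_missing_title());
    printf("NULL:      %d\n", demo_null_input());
    printf("oversized: %d\n", demo_oversized_title());
    return 0;
}
```

      Each demo function returns the parser's result code, so the distinction the thread is after (bad input rejected versus memory silently corrupted) is visible without loading a core file into a debugger. Compile with any C99 compiler and run the binary.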

    3. Re:A crash can often lead to an overflow exploit by killjoe · · Score: 1

      You seem to be confusing "could be" with "is". Yes this "could be" all sorts of things but it's not a security hole. It doesn't even crash the browser, it just slows it down for a while.

      --
      evil is as evil does
    4. Re:A crash can often lead to an overflow exploit by MushMouth · · Score: 1

      I guess you guys failed to read the words "CAN OFTEN" in my comment title. Not that it is known that this particular one does, but anytime you have an app crash from an outside influence, what else is possible to do with it isn't always known, and it can lead to much more than just a DOS. While you can delude yourself into thinking that this is nothing, remember that the IE "critical" bug from last week was just a DOS for six months.

    5. Re:A crash can often lead to an overflow exploit by Illserve · · Score: 1

      By that logic, half the goddamned internet is exploiting Safari.

  24. Heh by aftk2 · · Score: 4, Funny
    cause your browser to crash on startup with a single visit.
    I've seen this exploit in the wild: it's called the MySpace Profile Page.
    --
    concrete5: a cms made for marketing, but strong enough for geeks.
    1. Re:Heh by Anonymous Coward · · Score: 0

      LOL that's so true.

    2. Re:Heh by Geoffreyerffoeg · · Score: 1

      Speaking of MySpace, is there a way (short of filling Firefox with FlashBlock, AdBlock, NoScript, KillTheWabbit, or whatever other anti-active-content extensions they have) to view MySpace profiles/information without loading any of the simultaneous nonsense my friends seem to want loading by default? E.g., if I log in, is there an option to disable this? Or is there a relatively complete RSS feed for profiles?

  25. Someone needed to create a scoop. by Godeke · · Score: 3, Informative
    Correction: This story incorrectly stated the affiliation of Mike Schroepfer, Mozilla's results in verifying the Firefox 1.5 flaw, and the nature of the problem. Schroepfer is vice president of engineering with Mozilla Corp., and Mozilla has not been able to verify its browser can crash and lead to a denial-of-service condition. The problem itself was not a security vulnerability but actually a flaw in the browser.

    Wow, that is accurate reporting, which was then amplified in the summary to the point of absurdity.
    --
    Sig under construction since 1998.
    1. Re:Someone needed to create a scoop. by NickFortune · · Score: 1
      Well quite.

      C|Net, by their own admission, got almost every pertinent detail of the story wrong. The only way they could have been further off target would be if they assigned the flaw to Internet Explorer. Personally, I'm not going to hold my breath waiting for that mistake to see print.

      As a side note: I'm not normally one to slag off Slashdot's editors, but might I ask for a little more investigation before parroting the latest MS anti-Firefox propaganda? This is the third story this quarter portraying a browser crash as a security exploit. Given that the last IE flaw involved the execution of arbitrary code, some evidence of editorial perspective would be nice.

      --
      Don't let THEM immanentize the Eschaton!
  26. Inevitable.. by lonasindi · · Score: 1

    This is, in my opinion, just an example of the downside to popularity. As more and more people begin to use firefox, more and more people will find ways to break it. I use both firefox and iexplore on different machines, for the simple reason that on my new laptop, iexplore does not render images properly, and firefox was the easiest fix. I do not believe in zealotry, especially for web browsers, since firefox is losing some security it had due to obscurity. This is relatively minor news, but I think it's just the beginning of equalization between the browsers.

    1. Re:Inevitable.. by ClamIAm · · Score: 1
      I do not believe in zealotry, especially for web browsers, since firefox is losing some security it had due to obscurity.

      First and most importantly, a piece of software does not become "less secure" as more people use it. Its security is dependent upon the code inside it, not the number of people who use it. I also find it strange that you base your view that you "don't believe in zealotry for web browsers" on the fact that Firefox is losing "security through obscurity" protection. It makes no logical sense.

    2. Re:Inevitable.. by lonasindi · · Score: 1

      I don't really 'base' my argument against zealotry on this point, it seemed a natural progression. I do admit this was poor wording on my part.
       
      While it is true that the actual security of a piece of software is not affected by its popularity, it is inevitable that any more popular software is more likely to be scrutinized by people looking for ways to break it, than is software with a very small percentage of a market.

  27. Is that a Product plug I see? by _the_bascule · · Score: 1
    In testing Firefox 1.5 without a system running McAfee security software, the Firefox 1.5 browser would stall and not respond to a user's mouse, said Johannes Ullrich, chief research officer for the Sans Institute

    Emphasis mine.

    What's all that about then?
    --
    Our diversity is our strength
    1. Re:Is that a Product plug I see? by Anonymous Coward · · Score: 3, Informative

      No, just a badly worded summary of the original storm center diary entry in which the ISC handler attributes the possible FAILURE of this bug to crash firefox to the McAfee software, which, in his mind, has some mystical power to optimise firefox's inefficient string parsing algorithm even when it's deactivated!

      This bug is slightly lame, even as DOS -- There are no confirmed reports from half-or-more-brain-having people that it even crashes the browser in the first place. All it does is make the subsequent startups slow, especially noticeable on slower machines.

      See bug 319004 at bugzilla.mozilla.org.

    2. Re:Is that a Product plug I see? by spitzak · · Score: 1

      Good question. Another one is people saying that it requires Windows SP2 and does not work on other versions of Windows or on Linux. But the description of the bug is that reading in the history.dat file causes a buffer overflow that crashes it on startup. It would seem likely that this bug would exist on all operating systems, or at least be the same on all Windows systems.

      Though not a security issue, a "DOS" that permanently crashes Firefox even when you run it again is pretty bad.

    3. Re:Is that a Product plug I see? by jesser · · Score: 1

      Why should someone have to have more than half a brain before we take their word for it that it crashes for them?

      --
      The shareholder is always right.
  28. aint working by Anonymous Coward · · Score: 0

    I have a winxp machine with FX 1.5 and after clicking on the link nothing really happens .. i mean sure it uses a lot of cpu but i open a new tab, close the previous one and everything works fine... i don't know where's the exploit part ;].
    If that's an exploit i think most OSes are vulnerable to my 31337 exploit while(1);

  29. 1.0.7 Also vulnerable by sheepoo · · Score: 2, Interesting

    I ran the proof of concept on my installation of 1.0.7 (WinXP SP2) and it crashed the next time I opened FF. Task Manager showed that FF was eating up the memory like crazy. I deleted the history.dat file (which was 10 MB in size!!!!!!!) and sanity returned instantly :)

    1. Re:1.0.7 Also vulnerable by JazzCrazed · · Score: 1

      The proof of concept doesn't crash Firefox 1.5 on either my Ubuntu Linux laptop or my Windows XP SP2 desktop. After running it, though, it immediately screws up the window title that appears in the taskbar; in Ubuntu, it's stuck on AAAAAAAA... no matter what page I'm viewing. And in Windows, the title is simply blank. But the browsers continue to run seemingly unaffected otherwise.

      However, after closing, opening up again is extremely slow. A couple of times in Ubuntu it apparently took so long to load that a window popped up saying the program stopped responding and suggested I force quit it. In Windows, despite taking a long time, it always managed to open successfully. And once the browser opened, in either OS, it ran perfectly fine.

      So based on the proof of concept, at least on my machines, it's a big annoyance at worst. Annoying enough to get me to delete my history.dat's, at least.

  30. Older versions and Mozilla? by antdude · · Score: 1

    Do older versions of Firefox and Mozilla have this problem?

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  31. Update by bosewicht · · Score: 1
    From the Article

    Mozilla has not been able to verify its browser can crash and lead to a denial-of-service condition. The problem itself was not a security vulnerability but actually a flaw in the browser.

    --
    There are 10 kinds of people in the world - those who understand binary and those who don't
  32. Firefox history code is horrible by Anonymous Coward · · Score: 2, Informative

    In other news: Water is wet. Seriously, whoever wrote the history code needs to be shot. Once your history gets to any significant size, all operations on it start getting annoyingly slow. For me, it takes 15 seconds for firefox to open the Go menu for the first time in a session, and once you've done that, even more annoyingly there's a delay of a few seconds on every new page you visit for the rest of that session. The history sidebar is so excruciatingly slow it's practically unusable.

    1. Re:Firefox history code is horrible by continuouslife · · Score: 0

      Well.... if you want something done right, do it yourself! http://developer.mozilla.org/en/docs/Download_Mozilla_Source_Code It's open source for a reason.

      --
      Here's my witty comment about a signature. Ha. Ha.
    2. Re:Firefox history code is horrible by WWWWolf · · Score: 3, Interesting

      Once you have the idea on how sucky Mozilla's history stuff is in practice, take a look at how the stuff is actually stored in history.dat. People have been rendered insane by just a single look at that stuff. Want to make sense of this format for some obscure reason? Read this and weep. This stuff is just about the most insane thing I've ever seen.

      I sure hope Mozilla folks get the unified storage plans together for Firefox 2.0, and use something like sqlite to store most of the user data. MorkDB format used by Mozilla is... just not elegant.

    3. Re:Firefox history code is horrible by WWWWolf · · Score: 1
      Well.... if you want something done right, do it yourself!

      Yeah, go ahead, assume any of us can dive right into the ginormous Firefox source tree and reimplement the entire history system overnight.

      No thanks, I'm kind of waiting for the Mozilla folks to finish designing and implementing the next generation stuff which should be a million times better than the current absolute mess of different file formats. They know something more about this crap than I do.

    4. Re:Firefox history code is horrible by jesser · · Score: 1

      The bookmarks and history code is being rewritten by a team that includes Ben Goodger. They're planning to rewrite both the backend, so it uses a proper database (based on SQLite), and the user interface, so bookmarks can become useful again. The codename for this rewrite is "Places" and it's expected to be one of the big features of Firefox 2.

      --
      The shareholder is always right.
  33. so... by SharpFang · · Score: 4, Informative

    Preferences > privacy > history > [0] days; ok.
    Patched. I use the history feature about twice a year, won't miss it till the right fix is found.
    Not quite like disabling all the javascript in MSIE, is it?

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    1. Re:so... by J0nne · · Score: 1

      I already do that on every browser. I never use the 'history' feature anyway, so I never saw the point of keeping it.

  34. so it's like Netscape? by atari2600 · · Score: 1

    "Users have to kill out of the browser and start over again. This stalled browser creates a DOS (denial of service) condition," Ullrich said.

    This reminds me of all those horrible years of Netscape 4.x on Solaris desktop environments when the CPU usage would spike to 95% thanks to Netscape and Netscape would need to be killed :(. And 1.0.7 is working just great for now.

    1. Re:so it's like Netscape? by Anonymous Coward · · Score: 0

      Amen. I dreaded even having to turn javascript on in that monstrosity.

  35. thats the exploit? by SQLz · · Score: 1

    The browser crashes when I go to a site? OMG! If it's not arbitrary code execution, don't bother me. IE has had a similar exploit since it came out. Basically, it crashes randomly when visiting a website.

    1. Re:thats the exploit? by Nintendork · · Score: 1
      "IE has had a similar exploit since it came out."

      You're confusing the terms "exploit" and "vulnerability". All products have vulnerabilities. The ones that the vendor is aware of are called "known vulnerabilities". When code is written that takes advantage of a vulnerability, it's referred to as an exploit. When an exploit is written for a vulnerability that is not known by a vendor, that's called a Zero Day exploit. Some will argue that a Zero Day is when an exploit is written for a vulnerability that hasn't been patched. This is not true since there are almost always workarounds provided to protect against the exploit until a patch is released.

      In any case, if a web page that a user visits can cause the browser to crash and not re-open, that's considered a pretty severe DoS attack for a web browser. Not only do they lose all those pages they had open, but now they can't open their browser back up. Of course a DoS is still loads better than full blown pwnage, but that doesn't mean that the code causing the DoS isn't an exploit.

      -Lucas

  36. Re:more like... by Anonymous Coward · · Score: 0

    "The problem itself was not a security vulnerability but actually a flaw in the browser."

    I think a security vulnerability is a flaw in any program, and the use of said term was unnecessary.

    -Mr. Chicken

  37. Disable? by magn3tman · · Score: 0, Redundant

    It'd be nice to mention how to disable the history.dat file.

  38. HoFo by Anonymous Coward · · Score: 0

    "C|Net is reporting that an unpatched exploit in Firefox 1.5 has been made public, making it very easy for ne'er-do-well-sites to cause your browser to crash on startup with a single visit.

    Would that explain why all of a sudden Firefox would hang every time I try to visit Howard Forums?

  39. Stop the stupidity by NineNine · · Score: 2, Insightful

    Another tip for you: if you remove the gas pedal from your car, you won't have any crashes! Really!

    DOWNLOADING MORE SOFTWARE to intentionally disable part of a program that is supposed to work is 150% unacceptable.

    Jesus, how bad does software have to get before people finally start to not use it? Luckily, I didn't pay anything for my Firefox installations, so I can't really bitch. But I CAN look at other, less buggy alternatives (like IE) that also offer useful features that Firefox doesn't, like Active X.

    1. Re:Stop the stupidity by hardaker · · Score: 1
      DOWNLOADING MORE SOFTWARE to intentionally disable part of a program that is supposed to work is 150% unacceptable.

      I've always wondered why more browsers don't have JS enable/disable widgets by default. Konqueror has had this for eons and I love it dearly. My whitelist is small and is a trusted set of hosts. (Now, the only problem with Konqueror's JS implementation is that it fails on more sites than I'd like... Though 3.5 is supposed to be much better with JS.)

      --
      The next site to slashdot will be ready soon, but subscribers can beat the rush and start slashdotting it early!
    2. Re:Stop the stupidity by javaxman · · Score: 1
      I CAN look at other, less buggy alternatives (like IE) that also offer useful features that Firefox doesn't, like Active X.

      Is that humor, or flamebait? It can be so difficult to tell...

      how bad does software have to get before people finally start to not use it?

      Yea, why DO people use JavaScript anyway ? But seriously, people are still using Windows, so... I guess the answer is "really, really bad".
      ;-)

      Humor, people, humor!

    3. Re:Stop the stupidity by NineNine · · Score: 0, Offtopic

      Actually, we use Active X for quite a few of our internal apps. There's no better replacement for it, and I've seen a lot of workarounds. For example: a DBGrid. I can slap a DBGrid into a web page in seconds with an Active X control, or I can try some buggy Javascript kludge that works in just a few browsers, and doesn't have 50% of the functionality that a real COM object does. So, we're already using 2 browsers right now. We tried Firefox assuming that it was going to be better for more generic browsing, but with all of the security exploits, bugs, and the automatic updates STILL not working, it may be time to go back to IE for the sake of productivity and simplicity.

    4. Re:Stop the stupidity by b00m3rang · · Score: 1

      Enjoy your stay in spyware hell.

    5. Re:Stop the stupidity by fredrik70 · · Score: 1

      You can't seriously argue that ActiveX ever was a good idea for a browser on the internet; even MS acknowledges that, hence their move towards ASP.NET 2.0, zero-deployment stuff etc.

      --
      if (!signature) { throw std::runtime_error("No sig!"); }
    6. Re:Stop the stupidity by ocelotbob · · Score: 1
      Funny, I tried that IE program you mumbled about. Doesn't seem to work too well on my FreeBSD box. So I tried it on my Linux box, same thing. Seems this Micro-Soft company needs to learn a thing or two about coding...maybe 10-15 years this internet explorer thing will be ready for the desktop.

      Oh, and I'd never trust any pr0n site that showed this image as pr0n.

      --

      Marxism is the opiate of dumbasses

    7. Re:Stop the stupidity by Anonymous Coward · · Score: 0

      "We tried Firefox assuming that it was going to be better for more generic browsing, but with all of the security exploits, bugs, and the automatic updates STILL not working, it may be time to go back to IE for the sake of productivity and simplicity."

      IE doesn't have security exploits and bugs? LOL

      PS: Auto updates do work, very very well. And get this, unlike IE security updates they don't require the PC to be rebooted!

    8. Re:Stop the stupidity by Buran · · Score: 1

      ActiveX is useful? Yeah right. Try "walking security hole". Well, er, security holes don't walk, but you get the idea.

    9. Re:Stop the stupidity by mr3038 · · Score: 1
      Actually, we use Active X for quite a few of our internal apps [...] I can slap a DBGrid into a web page in seconds with an Active X control, or I can try some buggy Javascipt kludge that works in just a few browsers [...]

      Oh, as opposed to an ActiveX control that works in just one browser? If you're happy with just one supported browser, why not use XUL instead. It doesn't work in MSIE but it does support way more platforms than just Windows/x86. It might not seem that important now, but think about the future. Is your ActiveX component going to work in the 64 bit version of MSIE? The XUL application does work on a 64 bit platform.

      --
      _________________________
      Spelling and grammar mistakes left as an exercise for the reader.
    10. Re:Stop the stupidity by Anonymous Coward · · Score: 0

      DOWNLOADING MORE SOFTWARE to intentionally disable part of a program that is supposed to work is 150% unacceptable.

      The NoScript extension is just a frontend for Configurable Security Policies (CAPS). You don't even need extra software to implement its features. The script policies can be written in a text editor and saved as a user.js file.

  40. Serves you right! by Anonymous Coward · · Score: 0

    If you're caught on such a trick you deserve teh haxor, b0y!

  41. Good Thing by Seraphnote · · Score: 1

    Slashdot's the only website I go to!

    (Oh yeah... the links, and the ads...)

    (Oh and those other 3 news websites...)

    (And... :)

  42. Come on, how about a 5 for the brother by twollamalove · · Score: 1

    That's my favorite comment in at least a week.

  43. Some exploit. by bradbeattie · · Score: 2, Insightful

    I recognize that it can cause inconvenience, but come on. Exploits in IE typically result in executing arbitrary code on the user's computer. I guess this is just another argument as to why system diversity is important. If no browser had more than 20% of the market it'd be difficult to target a large portion of internet users.

    1. Re:Some exploit. by TubeSteak · · Score: 1
      If no browser had more than 20% of the market it'd be difficult to target a large portion of internet users.
      Ummm.... 20% is still a really big slice of the pie.

      And yea, I've never heard a DoS referred to as an exploit.
      --
      [Fuck Beta]
      o0t!
  44. Not just a crash. by worb · · Score: 1
    You have gotten some responses already, but I would just like to point out that I don't think "normal" crash bugs are security issues. Normal crash bugs will cause the browser to shut down, and that's it.

    However, it does become a security issue if the crash leads to the possibility to execute code on the local system, or if it permanently cripples the browser, as it does in this case.

    I've seen a few "normal" crash bugs reported as security issues, and I think that's rather silly and might end up muddying the waters, so to speak. If people cry wolf too many times, and it turns out that it's just a crash, which we all know happen, and they can't be exploited, then people will go "oh, it's just another crash" when a real issue is revealed. Such as this one.

    My first reaction when I heard about this was "what? Another crasher reported as a security flaw? When will it all end?!" But then I read more to see if I was missing something, and it turned out to be a real issue.

    It might not be a big deal to those of us who know how to work around it, but imagine one of the many novice users out there being caught by this flaw. They may dump Firefox and never look back.

  45. browser change by ReDiLect · · Score: 1

    Has anyone changed from Firefox to Opera perhaps? I've been hearing from several people that Firefox can be a pain in the ass at certain times, like crashes at random times, closing your browser with multiple TABS and giving you errors after closing it, several bugs,.. it also uses quite a lot of memory, and this happens with my Firefox too, I guess I'll give Opera a try. -- http://www.e-guides.biz/

    1. Re:browser change by Anonimouse · · Score: 1

      Yeah! I'll be changing *back* to Opera. I've been giving FF a go since RC3 and whilst it is fine at rendering, the memory management positively sucks. I have a top of the range laptop that handles pretty much everything including heavy java apps etc. But it just totally chokes on FF. The old FF 1.0.7 was just about manageable because it would flush out the memory when minimized. But 1.5 doesn't do that. The memory usage just goes up and up. I end up restarting every 15 minutes. Opera is maybe a tad faster and so much more efficient. I can't help but think FF is massively overrated. I'll just keep FF for testing purposes from now on.

    2. Re:browser change by Anonymous Coward · · Score: 0

      This post is not intended as a flame, I know lots of people are doing their best to improve Firefox and Mozilla etc.

      Yes I have, I like and use Mozilla but Firefox isn't particularly good imo. I don't really see what the Firefox hype is all about and I've been using Firefox for a long time. Now Opera isn't much better overall but fits my needs better than Firefox (I use a segregated browsing policy: depending on what it is/threat level different browsers will be used). My main "general" browser will always be vanilla Mozilla (using it to post this).

      Firefox and the focus on plugins is a nightmare, the plugins are thirdparty and I've had more than one of them (and not little unknown ones either) totally break my entire installation of Firefox forcing a reinstall and lots of messing about trying to rescue stuff.

      My experiences tell me that people should not try to use either Firefox or Mozilla as examples of the excellence of open source programs, they both seem to be somewhat poorly coded or badly thought out (inane modularization is begging for bloat people!).

      It is so bad that if I had the opportunity I would actually try to make my own browser and email client because what I want is security, encryption, and ease of backup of passwords, settings, bookmarks and mail. I can do all those things in Mozilla and Firefox/Thunderbird but forget about any kind of ease of use or avoiding update hell.

    3. Re:browser change by lycium · · Score: 1

      if i had mod points, i'd rate this up. it's DIREFOX!

  46. Honestly by gallwapa · · Score: 1

    Does "editor" need to be changed to "poster"? One would think titles, dupes, and blatantly fake (or copied) stories wouldn't make /., although as of late, there has been a disturbing trend... Regardless of what these so called "analysts" like to say, it causes a browser to crash - it doesn't allow any code to execute, or allow some remote worm to ream your system...

  47. I don't understand.... by lotrtrotk · · Score: 1

    what is meant by "disable".

    Is the author suggesting we remove write access? Rename the file? I don't follow. "disable" is ambiguous.

  48. i feel so unsaf on teh intarweb!! by Anonymous Coward · · Score: 2, Funny

    Rendered using Microsoft's *NEW* CSS/Teenager parsing utility:

    THA'TS WHY I SWETCHED TO IEXPOLRE TOOO.!

    ITS MUCH BETTAR CSs COPMP1ANDCE I meEN WHy COmply WHEN You cna PWN THERE NUB ASSES??? harharAR

    EVEN IT PROTECKS YOU

  49. It *IS* a vulnerability if it actually exists. by worb · · Score: 1
    If it can be verified that this is indeed a valid bug in Firefox 1.5, then I would consider it a security issue.

    Now, I definitely agree that normal crash bugs are NOT security issues, but in this case the browser won't start properly unless you erase the history, and all those novice Firefox switchers won't know that this workaround exists. As such, this bug, if it is actually there, will cripple Firefox for a large number of users.

    1. Re:It *IS* a vulnerability if it actually exists. by Schrade · · Score: 1

      There's a bug, there's no denying it. But to post a story about a crashing bug and say it's an exploit is just plain sensationalism. But then again, that's what 'trying to scoop!16155!%!!1' is about.

      You can view the progress of the bug and patches here:

      https://bugzilla.mozilla.org/show_bug.cgi?id=319004

  50. Posting from an "Exploited" FF 1.5 by tyler_larson · · Score: 5, Informative

    False alarm. No security-related concerns, just overenthusiastic reporting.

    If you run the script below, it will create a page with a title that's quite huge. Close your browser and open it again. The browser will spin for about 2 minutes while it tries to make sense of the contents of your history file. Once it's finished, you'll be back up and running, with no degradation in performance or visible side-effects. You'll even be able to view your browsing history (including the offending page). In fact, I'm posting this response after following the process described above (on WinXP), and I have a history entry entitled "AAAAAAAAAAAAAAAAA..."

    A bit of an annoyance, but hardly a security issue.

    Here's the official exploit code:

    function ex() {
      var buffer = "";
      for (var i = 0; i < 5000; i++) {   // 5000 "A"s
        buffer += "A";
      }
      var buffer2 = buffer;
      for (i = 0; i < 500; i++) {        // appended 500 more times: ~2.5 million characters
        buffer2 += buffer;
      }
      document.title = buffer2;          // the title is what ends up in history.dat
    }
    --
    "With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea...."
    RFC 1925
    1. Re:Posting from an "Exploited" FF 1.5 by tyler_larson · · Score: 1
      You'll be able to even view your browsing history (including the offending page).

      Addendum:
      As you might expect, if you delete the offending entry from your history, everything returns back to normal: you don't actually have to do anything drastic like delete your history.dat file, or even clear your browsing history.

      --
      "With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea...."
      RFC 1925
    2. Re:Posting from an "Exploited" FF 1.5 by Anonymous Coward · · Score: 0

      Ha-ha! You called yourself a looser!

    3. Re:Posting from an "Exploited" FF 1.5 by Viper+Daimao · · Score: 1

      Even better, your Firefox has a setting to clear your history automatically.

      Tools > Options > Privacy > Settings > Check Cache and Browsing History and Clear when closing firefox

      --
      "In the game of life, someone always has to lose. To me, if life were fair, that someone would always be Oklahoma." -DKR
    4. Re:Posting from an "Exploited" FF 1.5 by Hydroksyde · · Score: 1

      It is a security issue if it causes you inconvenience, and is uninvited.

    5. Re:Posting from an "Exploited" FF 1.5 by AeroIllini · · Score: 1

      Well, that code may make your browser sit and spin for about 120 seconds before working, but one could conceivably make that time a whole lot longer with some exponential magic:

      function ex() {
        var buffer = "A";
        for (var i = 0; i < 5000; i++) {   // doubles the string each pass
          buffer += buffer;
        }
        document.title = buffer;
      }

      And that would truly be a pain in the ass.

      But it occurs to me: would it be practical to add an option to Firefox which limits the physical size of your history file, which the user could specify? Then if Firefox runs into this problem, it would only read in the first 1 MB (or whatever) of history and discard the rest. This could be extended to any area where Firefox stores data that is modifiable by Javascript DOM functions. We limit the size of the cache; why not this?

      --
      For security, the MD5 hash of this message and sig is 09f911029d74e35bd84156c5635688c0.
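      The following is an added example, not code from this thread or from Mozilla. It works out what the two title-building loops above actually produce, and sketches the per-entry size cap that the comment asks for, modelled on a toy history store. One caveat the doubling variant hides: 2^5000 characters cannot be built, so that loop dies with a string-length or out-of-memory error after roughly thirty doublings and never reaches `document.title`; the bounded builder below stops before that point. The URL and the 1024-character cap are illustrative assumptions.

```javascript
// Added example (not from the Slashdot thread or from Mozilla): sizes of the
// two hostile titles discussed above, plus a bounded history store.

// Length of the title built by the linear loop: a 5000-char chunk appended
// 500 more times to itself, computed without materialising the string.
function linearTitleLength(chunk = 5000, appends = 500) {
  return chunk * (appends + 1);
}

// Length the doubling loop is trying to reach: 2 ** doublings characters.
// For 5000 doublings this is not representable (Infinity in a JS Number),
// and any engine throws long before, so document.title is never assigned.
function exponentialTitleLength(doublings = 5000) {
  return 2 ** doublings;
}

// Bounded doubling: stop as soon as the next doubling would exceed maxLen,
// so the demonstration never tries to allocate gigabytes.
function buildDoubledTitle(maxLen) {
  let buffer = "A";
  let doublings = 0;
  while (buffer.length * 2 <= maxLen) {
    buffer += buffer;
    doublings++;
  }
  return { title: buffer, doublings };
}

// Toy history store with the cap the comment proposes: a title longer than
// maxTitleLen is truncated when stored and the entry is flagged, so a hostile
// page cannot make the next startup re-parse megabytes of title text.
class BoundedHistory {
  constructor(maxTitleLen = 1024) {     // assumed cap, not a Firefox setting
    this.maxTitleLen = maxTitleLen;
    this.entries = [];
  }
  add(url, title) {
    const truncated = title.length > this.maxTitleLen;
    const entry = {
      url,
      title: truncated ? title.slice(0, this.maxTitleLen) : title,
      truncated,
    };
    this.entries.push(entry);
    return entry;
  }
  // Total characters of title text the store would parse on next startup.
  titleChars() {
    return this.entries.reduce((n, e) => n + e.title.length, 0);
  }
}

// Usage: feed the linear exploit's title through the bounded store.
function demoTitleCap() {
  const history = new BoundedHistory(1024);
  const hostile = "A".repeat(linearTitleLength());                  // ~2.5 MB
  const entry = history.add("http://example.test/evil", hostile);   // hypothetical URL
  return {
    stored: entry.title.length,
    truncated: entry.truncated,
    unbounded: hostile.length,
    onDisk: history.titleChars(),
  };
}
```

The store-side cap is the relevant fix rather than anything in the page's script: the page can always produce a huge string, but nothing forces the browser to persist it unbounded.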
    6. Re:Posting from an "Exploited" FF 1.5 by PlusFiveTroll · · Score: 1
      No, sounds like a Usability issue. Security != Usability.

      DDOS attacks generally don't affect the security of a site; normally data is not compromised. Unfortunately the site is unreachable at the time.

    7. Re:Posting from an "Exploited" FF 1.5 by bnenning · · Score: 1

      I get identical results running the "exploit" on OS X 10.4.2. Taking a sample of Firefox when it relaunches confirms that it's spending a lot of time in nsGlobalHistory::OpenDB(), and ultimately in memory allocations and frees as it reads the huge entry. It does eventually finish and then behaves normally. This isn't a security hole, and it's only a DOS in the sense that Javascript of "while (1) {}" is.

      --
      How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
    8. Re:Posting from an "Exploited" FF 1.5 by SoBeIcedT · · Score: 1

      Actually the official code is

      function ex() {
        var buffer = "";
        for (var i = 0; i < 5000; i++) {
          buffer += "B";
        }
        var buffer2 = buffer;
        for (i = 0; i < 500; i++) {
          buffer2 += buffer;
        }
        document.title = buffer2;
      }

    9. Re:Posting from an "Exploited" FF 1.5 by d34thm0nk3y · · Score: 0

      If you run the script below, it will create a page with a title that's quite huge. Close your browser and open it again. The browser will spin for about 2 minutes what it tries to make sense the contents of your history file.

      So what you are saying is that the browser is trying to process text from an outside user? That sounds pretty dangerous even if there aren't any known attacks that use it.

      But whatever, I am sure the next story will be about it being patched.

    10. Re:Posting from an "Exploited" FF 1.5 by jsight · · Score: 1

      Actually, Firefox can catch the while (1) case... it just gives a dialog asking if you'd like to cancel the potentially DOS'ing script.

    11. Re:Posting from an "Exploited" FF 1.5 by sholden · · Score: 2, Funny

      Very dangerous. It should just dump that raw HTML to the screen, along with the HTTP headers rather than trying to process the text from an outside user who wrote whatever web page you happen to be looking at.

    12. Re:Posting from an "Exploited" FF 1.5 by Fear+of+C · · Score: 1

      It appears that the browser isn't really crashing so much as just being slow about processing huge amounts of data. The problem, however, is that as long as the link is in the history file it will be processed every time that Firefox starts up. While a veteran computer geek will simply delete the offending link from the history (or in my case, text edit history.dat and shorten it), the average casual user will probably have no idea how to fix this and assume that Firefox is bugged and gone. What's worse, an un-install will leave the profile for the next install, so a re-install will appear to fail.

    13. Re:Posting from an "Exploited" FF 1.5 by Anonymous Coward · · Score: 0

      So what you are saying is that the browser is trying to process text from an outside user?

      Yes, that's what web browsers do.

    14. Re:Posting from an "Exploited" FF 1.5 by Anonymous Coward · · Score: 0

      but you know, in reality that data is all being stored in binary, so rather than parsing all those 0's and 1's into some obscure unparsed html, it should just dump the whole binary data and be done with it.

    15. Re:Posting from an "Exploited" FF 1.5 by Ambush+Commander · · Score: 1

      What you do is a while(1) {alert('Haha!')}. The solution would be to allow people to abort scripts from the modal window (see Bug #61098), but... it's been here for 5 years and still has a status of NEW.

    16. Re:Posting from an "Exploited" FF 1.5 by I'm+Don+Giovanni · · Score: 1

      There's something known as the "Halting Problem". It's impossible for a browser to "catch" all infinite loops that may lurk in a script.

      --
      -- "I never gave these stories much credence." - HAL 9000
    17. Re:Posting from an "Exploited" FF 1.5 by ultranova · · Score: 1

      There's something known as the "Halting Problem". It's impossible for a browser to "catch" all infinite loops that may lurk in a script.

      However, it is trivial to catch all scripts that run over x seconds: just wait for x seconds and abort them if they are still running.

      Similarly, it is possible to count the number of alert boxes shown and abort and disable all scripts in the page after 5th.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
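      The two limits proposed in the comment above (abort a script that runs past a deadline, and cut scripts off after the fifth alert) as an added example; this is not code from the thread or from Firefox. Real browsers enforce the run-time limit inside the engine, which is what the "stop script?" dialog mentioned earlier is, and a cooperative model cannot stop a script that never yields; here the script must call `tick()` itself. The clock is injected so the result is deterministic, and the budgets, the `ScriptWatchdog` name and the two hostile scripts are constructed for illustration.

```javascript
// Added example (not from the thread or from Firefox): a cooperative watchdog
// with a run-time deadline and an alert() cap, with an injectable clock.
class ScriptWatchdog {
  constructor({ maxRunMs = 10000, maxAlerts = 5, now = Date.now } = {}) {
    this.maxRunMs = maxRunMs;
    this.maxAlerts = maxAlerts;
    this.now = now;
    this.alerts = 0;
    this.disabled = false;   // once set, no further script runs on this page
    this.deadline = 0;
  }
  start() {
    this.alerts = 0;
    this.deadline = this.now() + this.maxRunMs;
  }
  // Called from inside loops; aborts the script once the time budget is spent.
  tick() {
    if (this.now() > this.deadline) {
      this.disabled = true;
      throw new Error("script exceeded " + this.maxRunMs + " ms");
    }
  }
  // Stand-in for window.alert: counted, and fatal past the limit.
  alert(message) {
    this.alerts++;
    if (this.alerts > this.maxAlerts) {
      this.disabled = true;
      throw new Error("more than " + this.maxAlerts + " alerts");
    }
    return message;
  }
}

// Runs one page script under the watchdog and reports how it ended.
function runGuarded(watchdog, script) {
  if (watchdog.disabled) return { ran: false, reason: "scripts disabled" };
  watchdog.start();
  try {
    script(watchdog);
    return { ran: true, aborted: false };
  } catch (err) {
    return { ran: true, aborted: true, reason: err.message, alerts: watchdog.alerts };
  }
}

// Fake clock: every call advances by stepMs, so "time" is just call count.
function fakeClock(stepMs) {
  let t = 0;
  return () => (t += stepMs);
}

// The two hostile scripts from the discussion, written against the watchdog.
const spinForever = (wd) => { while (true) wd.tick(); };
const alertForever = (wd) => { while (true) wd.alert("Haha!"); };

function demoWatchdog() {
  const wd = new ScriptWatchdog({ maxRunMs: 100, maxAlerts: 5, now: fakeClock(1) });
  const first = runGuarded(wd, spinForever);    // aborted once the fake clock passes 100 ms
  const second = runGuarded(wd, alertForever);  // refused: scripts already disabled for this page
  const wd2 = new ScriptWatchdog({ maxAlerts: 5, now: fakeClock(1) });
  const third = runGuarded(wd2, alertForever);  // aborted on the sixth alert
  return { first, second, third };
}
```

The halting-problem objection above is correct but beside the point: the watchdog never decides whether a script terminates, it only bounds how long it is allowed to try.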

    18. Re:Posting from an "Exploited" FF 1.5 by cp.tar · · Score: 1

      [offtopic]Is it you, math_baby?[/offtopic]

      --
      Ignore this signature. By order.
  51. What about the automatic privacy features? by Not_Wiggins · · Score: 1

    I have my 1.5 version set to delete all history/caches automatically (it is an internal feature). I don't recall if it happened at startup or shutdown of the app (I'm assuming startup).
    Would that be a viable workaround (especially for those who don't care about/want history)?

    --
    Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
    1. Re:What about the automatic privacy features? by Anonymous Coward · · Score: 0

      Actually in preferences and security. It will clear out any security information you want on shutdown.

  52. Non-Story by Midnight+Thunder · · Score: 4, Informative

    C|Net has added the following correction at the end of the story:

    "Correction: This story incorrectly stated the affiliation of Mike Schroepfer, Mozilla's results in verifying the Firefox 1.5 flaw, and the nature of the problem. Schroepfer is vice president of engineering with Mozilla Corp., and Mozilla has not been able to verify its browser can crash and lead to a denial-of-service condition. The problem itself was not a security vulnerability but actually a flaw in the browser."

    So Firefox crashes, but no security vulnerability.

    --
    Jumpstart the tartan drive.
    1. Re:Non-Story by david_costanzo · · Score: 1
      So Firefox crashes, but no security vulnerability.

      A crash *is* a security vulnerability; it's a denial-of-service attack. My credit card numbers are safe and the attacker hasn't executed arbitrary code on my machine, but they did crash an application which I was using and potentially had unsaved data in. From what the article says, the exploit (if it exists) can continue to deny me the use of Firefox until the damage is repaired by manually deleting my history.dat file. The ability to deny someone the use of the Web is a denial-of-service vulnerability. And the fact that the "fix" requires deleting user data is somewhat significant.

      As far as security vulnerabilities go, this one may be relatively benign, but that doesn't mean it's not a security vulnerability. Do you feel secure knowing that your browser could crash if you clicked on the wrong link? I don't.

      And if this is a buffer overflow, as the article suggests, it may be possible to use it to execute arbitrary code, which would make this a critical vulnerability.

  53. I wonder... by Anonymous Coward · · Score: 1, Interesting

    If there is a fix for the insane memory leak that Firefox has. After installing 1.5, it gets up to 150M usage after a couple of hours with just 3-8 tabs open. After using the same instance for about half a day or so it's at 350M and the whole OS slows down until you close it and start another one. Even IE never did that crap to me. It's a shame.

    1. Re:I wonder... by 6*7 · · Score: 1

      The leak is IMHO priority 1. Next is to fix the Java plugin. Java in Firefox is terribly slow (if it works at all); Mozilla is much much faster with the exact same plugin.

    2. Re:I wonder... by MooUK · · Score: 1

      I was investigating whether that leak was a plugin, but it does seem to be the FF core.

      On the other hand... It's not AS bad, it seems, without Adblock. Try it yourself.

    3. Re:I wonder... by millennial · · Score: 1

      I'm currently up to 159.86 MB used, with five tabs open. Not only that, but clicking "Clear Private Data" puts Firefox's CPU usage upwards of 65% if I haven't done it in a while. I've also occasionally had Firefox randomly close itself on me, without any user interaction or errors/warnings.

      --
      I am scientifically inaccurate.
  54. To clarify by tool462 · · Score: 1

    So are you trying to say it's a feature?

  55. re: IE not buggy joke by Anonymous Coward · · Score: 0

    > But I CAN look at other, less buggy alternatives (like IE)

    Heheh, made me laugh out loud!

  56. Web 2.0 by web20 · · Score: 1

    In the Web 2.0 world, timely Firefox patches are going to be increasingly necessary. With Web 2.0 technologies such as AJAX and Ruby on Rails, security is going to become a top priority. With such synergistic software as Firefox, you can be sure that Web 2.0 will be the best web ever.

  57. But who would bother? by Anonymous Coward · · Score: 0

    sites which cause your browser to crash with a single visit

    Yeah, sounds like a wonderful way of generating traffic and boosting google revenue.

  58. Must be joking by Charles+Dodgeson · · Score: 2, Insightful
    The effect makes restarting Firefox very very slow (several minutes). I've just tested on OS X and on SuSE 9.3. Once that is done you can clear history through Preferences. If you don't want to wait, you can remove or manually edit history.dat.

    The claim of a buffer overflow is nonsense. I suspect that that claim is a joke. The only thing that makes this mild borking work is a very long document title. In setting that up, the author uses a variable called "buffer" and "buffer2". Just because a JS variable gets named "buffer2" and gets set to something very long doesn't make this a buffer overflow. I like to think that the guy must be joking, instead of actually being that stupid.

    But in the end, there is a bug to be fixed in Firefox

    --
    Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
    1. Re:Must be joking by Breakfast+Pants · · Score: 1

      Is this the same thing as this (this link is safe to click but read carefully before clicking the links within)? It is a buffer overflow on IE but on Firefox it just completely freezes up the browser/potentially opens tons of windows.

      --

      --

      WHO ATE MY BREAKFAST PANTS?
    2. Re:Must be joking by Charles+Dodgeson · · Score: 1
      Is this the same thing as this
      Unfortunately you left out the link, so I don't know what "this" is supposed to be. But from your description ...
      It is a buffer overflow on IE but on Firefox it just completely freezes up the browser/potentially opens tons of windows.
      No, it isn't anything like that. I'll find the direct link to the "exploit" (unfortunately and non-coincidentally I've erased my visit history since then) but it's just few links from the FA. So here's the so-called exploit. It serves up as plain text so it's safe.
      --
      Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
    3. Re:Must be joking by Breakfast+Pants · · Score: 1

      Here's the link I meant to send.

      --

      --

      WHO ATE MY BREAKFAST PANTS?
  59. Conversation with girlfriend/wife by PoprocksCk · · Score: 1

    "No, the history hasn't been cleared because I've been looking at porn! It's the exploit, I tells ya! The exploit!"

  60. Digimon? by tepples · · Score: 1

    Is "Historymon" one of the new Digimon or something?

  61. wow such quality reporting by Anonymous Coward · · Score: 0

    read the whole article theres a correction at the bottom lol

  62. lol no by LostBurner · · Score: 1

    Just tell all your buddies on AIM: lol no this is not an exploit

    1. Re:lol no by TubeSteak · · Score: 1

      Just tell all your buddies on AIM: lol no its not its an exploit

      Fixed that for ya

      News.com.com story

      --
      [Fuck Beta]
      o0t!
  63. Informative :) by kentyman · · Score: 2, Funny

    I love how this is considered Informative.

    What? Oh, Jamaicans say "mon" instead of "man". I should write that important information down. Maybe it should be added to http://en.wikipedia.org/wiki/Jamaican_English.

    Keep that information flowin', mon! Irie!

    Shabba!

    --
    You know where you are? You're in the $PATH, baby. You're gonna get executed!
  64. Omission by Anonymous Coward · · Score: 0

    You forgot to use leverage as a verb.

  65. Re:HUMANS UGLY . 8=D (_*_) . TROLLS BEAUTIFUL by Anonymous Coward · · Score: 0

    Should be modded Informative.

  66. doesn't crash FF 1.0.7 on Kubuntu Linux by jayloden · · Score: 1

    I'm running Firefox 1.0.7 on Kubuntu (Breezy Badger) and it doesn't crash here. It definitely hung for a good long while on the next startup while it tried to parse the history file, but it did eventually start up normally.

  67. Windowmanager is the problem, not Firefox by sveni · · Score: 1

    It seems that the problem is somehow related to the window manager. Firefox passes the value of the title string to the window manager on startup, which tries to display it in the window title. This fails if the string is very long, depending on the window manager. If you use MWM then Firefox starts with no problem, despite a delay because of the time needed to load the bloated history.
    Can anyone confirm this?

    Sven

  68. This isn't a problem. by erunaheru · · Score: 1

    There is no security breach involved here at all. It's not even a very bad bug. Clicking an infected link (as I've done) doesn't crash your browser, it doesn't keep it from reopening, it doesn't cause a buffer overflow. All it does is make Firefox take an unusually long time to open the next time. Admittedly, an inexperienced or impatient person might think this is a crash, but it's really not.

    P.S. The original code is found at http://packetstormsecurity.org/0512-exploits/firefox-1.5-buffer-overflow.txt (note that this is a text file. It needs to be changed to HTML and have a link clicked to work.)

    P.P.S. I'm using Firefox 1.5 on Windows XP SP2, both of them fully updated.

    1. Re:This isn't a problem. by erunaheru · · Score: 1

      Also, I watched the memory usage while it was trying to start and there was no unusual activity. It didn't even reach Firefox's usual (high) levels until right at the end, presumably when it actually got past the bug.

  69. It causes the browser to crash? by manifoldronin · · Score: 1

    Big deal, it's not like my browser is part of the operating system. /wink

    --
    Tyranny isn't the worst enemy of a democracy. Cynicism is.
  70. Could Potentially Be Nasty With User Content by patio11 · · Score: 1
    Obviously, any website that lets users specify javascript in, e.g., a forum or blog post is going to be a cross-site-scripting nightmare. However, and while I'm not entirely sure of this, it would seem that an overly long HTML title would cause this bug itself, correct? A lot of the bulletin board software I've seen uses the thread title as the page title. Assuming that somewhere out there there is some similar blog/forum software which doesn't impose a size limit on the title ("Duh, people wouldn't be able to read it all, why would someone use more than 30 characters or so", you know the drill), this could potentially be pretty nasty. Go to a forum you've been going to for years, click on a post whose title scrolls off the right side of your screen, and watch as the next time you try to open a browser session it refuses to start. How many people would, without reading this article, connect the trusted forum to the bug, or think of eliminating history.dat, of all things?

    This assumes that you can actually force the exploit without javascript. If Firefox clips HTML titles then the vulnerability would be much less severe. Of course, as soon as someone figures out a way to turn the buffer overrun into an arbitrary code execution this jumps to the top of the pile... remind me, why are we still using unchecked buffers in a zero-trust application like a web browser?

  71. Almost a problem by Perseid · · Score: 1

    The .js code didn't crash my browser, and I did indeed have a history entry called AAAAA(...), so nuts to that.

    On the other hand, though, having a 12MB history file DID slow the browser down considerably, especially while the history window itself was open.

    I suppose, then, that if you managed to create a 500MB header, that would cause some computers extreme issues, but it doesn't sound like it could be used for a buffer overrun, because Firefox does actually seem to be interpreting the huge topic correctly.

    Maybe we should all start using Mosaic. After all, I don't know of any Mosaic exploits. :)

  72. FYI: How to disable history. by mnemotronic · · Score: 1
    In Firefox:
    1. Tools / Options / Privacy
    2. Expand "History" section.
    3. Set "Remember visited pages ...etc..." to 0
    4. "Ok"

    History file "history.dat" (for Windows users) is under

    C:\Documents and Settings\your_login_id\Application Data\Mozilla\Firefox\Profiles\

    If you've created a profile, "history.dat" will be in the directory bearing the same name. If you're using the default profile, it will be in the "default.XXX" directory, where "XXX" is some random set of characters.
    --
    The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
  73. iPod features site does not crash my Firefox by xdc · · Score: 1
    Go to http://www.apple.com/ipod/features.html and tell me if I'm the only one that has Firefox crash from that page without fail, since the upgrade to 1.5

    Works fine for me, using Firefox 1.5 on WinXP (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5). I also have Macromedia Flash Player 8,0,220,0 and QuickTime 7.0.2a63 installed, although I don't know whether they are invoked by the page. When I run QuickTime by itself, it says it has expired and I need to download a new version.

  74. This is a WINDOWS bug by Anonymous Coward · · Score: 0

    Firefox is just ancillary. Really, I wish folks would keep the two separate. FF on linux is not FF on windows. NOT. It's totally different. This article should be about another *windows* exploit, that happens to manifest itself when someone running WINDOWS OS and using a WINDOWS application experiences some problems.

    I wish they would actually have TWO NAMES for that browser, because they are DIFFERENT THINGS. And I also wish that sometime, somewhere, a serious effort be made to make an OPEN OS ONLY browser and stop doing MS jobs for them. Doing free coding for Microsoft to make their operating system only marginally better is beyond ludicrous. You might as well become a jock* for all the good it will do.

    *sorry, I normally don't cuss like that

  75. gentoo already has it patched in portage by Pr0xY · · Score: 1

    I am by no means trying to plug gentoo, but I did just notice that they added a patch to version 1.5 in portage to address this issue (seems to cap titles in history to 65535 bytes).

    I wonder if the gentoo team plans to submit their patch upstream to mozilla...

    proxy

  76. CORRECTION by MooUK · · Score: 2, Insightful

    Sorry, having just posted that, it THEN crashed when I closed the Apple tab.

  77. Stop bothering with history.dat's mork format by 4D6963 · · Score: 1

    While they're trying to make a patch for this, it would be nice if they thought about dropping mork aka the stupidest file format in the world for, let's say, whatever database format they can find. anything but not mork, please. (ok, i'm nearly off topic)

    --
    You just got troll'd!
    1. Re:Stop bothering with history.dat's mork format by Anonymous Coward · · Score: 0

      De-Morkification is already in progress, and version 2.0, scheduled for release next year, is planned to be 100% Mork-free. The replacement is a real, but lightweight, database store.

    2. Re:Stop bothering with history.dat's mork format by 4D6963 · · Score: 1
      glad to hear that. and glad to hear that it would be lightweight, cuz I heard it may be XML, and if so, history.dat files would have got much huger.

      Do you know if the chosen format is readable?

      --
      You just got troll'd!
  78. Feature by bigmauler · · Score: 1

    HA! Crash the browser by visiting a site? That has been possible with IE for years...just goes to show how behind the times open source is.

  79. Nope by denjin · · Score: 1

    Doesn't crash mine on xp. 1.5+session saver.

  80. Why focus on JavaScript? by Kelson · · Score: 2, Insightful

    Sure, the proof of concept uses JavaScript. But the problem itself has nothing to do with scripting. One could easily generate a 2.5MB HTML file with a really long title. 2 million "A"s in a row will probably compress pretty well, so if you serve it with on-the-fly compression, it doesn't have to take much extra time or bandwidth to retrieve.

    Bingo: exploited with no scripting involved at all.

    1. Re:Why focus on JavaScript? by Giorgio+Maone · · Score: 1

      NoScript 1.1.3.5 prevents all the possible variants anyway, truncating titles (JavaScript forged or not) to 255 characters by default.

      --
      There's a browser safer than Firefox, it is Firefox, with NoScript
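      The cap that NoScript applies on the client (255 characters), the one the Gentoo portage patch applies to the history store (65535 bytes), and the one patio11 wishes forum software applied to thread titles are all the same mitigation: bound the title before anything stores or renders it. The block below is an added example, not code from this thread, from NoScript, or from Mozilla or Gentoo. The function names and the 255-byte server-side limit are my own choices for illustration; the sample HTML inputs are constructed.

```javascript
// Added example (not from the Slashdot thread, NoScript, Mozilla or Gentoo):
// bound a document title to a byte budget before it is stored or emitted.
// NoScript's 255-character cut and Gentoo's 65535-byte history cap are both
// instances of this check, applied at different points in the pipeline.

const UTF8 = new TextEncoder();
const UTF8_DECODE = new TextDecoder("utf-8", { fatal: true });

// Return the title unchanged if it fits in maxBytes of UTF-8, otherwise the
// longest prefix that fits, cut on a code-point boundary so the result is
// still valid UTF-8 (never a dangling lead byte of a multi-byte sequence).
function capTitle(title, maxBytes) {
  const bytes = UTF8.encode(title);
  if (bytes.length <= maxBytes) return title;
  let end = maxBytes;
  // UTF-8 continuation bytes look like 10xxxxxx; step back past any of them.
  while (end > 0 && (bytes[end] & 0xc0) === 0x80) end--;
  return UTF8_DECODE.decode(bytes.subarray(0, end));
}

// Forum-side use: normalise a thread title before it becomes the page <title>.
// 255 bytes is an assumed example limit for server-side use, not a value
// taken from any product.
const MAX_TITLE_BYTES = 255;

function renderTitle(threadTitle) {
  const safe = capTitle(threadTitle, MAX_TITLE_BYTES);
  // Escape for HTML so the title is text, not markup (a separate concern
  // from length, but the same "bound it at the boundary" discipline).
  const escaped = safe.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
  return `<title>${escaped}</title>`;
}

// Consumer-side use: flag a fetched page whose <title> is past a sane size.
// This is the check a history store should make before writing an entry;
// note it measures the decoded title, so on-the-fly compression of the
// transfer does not hide an oversized title from it.
function titleOversized(html, maxBytes = 65535) {
  const m = /<title[^>]*>([\s\S]*?)<\/title>/i.exec(html);
  if (!m) return false;
  return UTF8.encode(m[1]).length > maxBytes;
}

// Constructed sample inputs (not captured from any real site).
const SAMPLE_OK =
  "<html><head><title>Firefox 1.5 history.dat bug</title></head></html>";
const SAMPLE_HUGE =
  "<html><head><title>" + "A".repeat(70000) + "</title></head></html>";
```

      `capTitle` measures bytes rather than JavaScript string length on purpose: a history file or database column has a byte budget, and a character count can be a quarter of the bytes actually written. `titleOversized` shows the same limit applied on the receiving side, which is the variant Kelson's comment above points out NoScript cannot reach when no script is involved.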
    2. Re:Why focus on JavaScript? by bill_mcgonigle · · Score: 1
      I've got plenty of JavaScript-related crashes already with Firefox 1.5. e.g.:
      Thread 0 Crashed:
      0 <<00000000>> 0x202bd0ac 0 + 0x202bd0ac
      1 libmozjs.dylib 0x06040004 js_InitObjectClass + 0x98
      2 libmozjs.dylib 0x06002464 JS_SetGlobalObject + 0x118
      3 libmozjs.dylib 0x06002a10 JS_ResolveStandardClass + 0x270
      4 org.mozilla.firefox 0x0022343c nsWindowSH::NewResolve(nsIXPConnectWrappedNative*, JSContext*, JSObject*, long, unsigned int, JSObject**, int*) + 0x308
      5 org.mozilla.firefox 0x004478b0 GetIdentityObject(JSContext*, JSObject*) + 0xd5c
      6 libmozjs.dylib 0x060418bc js_LookupPropertyWithFlags + 0x2cc
      7 libmozjs.dylib 0x06042098 js_GetProperty + 0xb4
      8 org.mozilla.firefox 0x00091ca8 XPCWrappedNativeScope::SetGlobal(XPCCallContext&, JSObject*) + 0x74
      9 org.mozilla.firefox 0x000869c0 nsXPConnect::InitClassesWithNewWrappedGlobal(JSContext*, nsISupports*, nsID const&, unsigned int, nsIXPConnectJSObjectHolder**) + 0x2ec
      10 org.mozilla.firefox 0x00242854 nsJSContext::InitContext(nsIScriptGlobalObject*) + 0x150
      11 org.mozilla.firefox 0x0024383c NS_CreateScriptContext(nsIScriptGlobalObject*, nsIScriptContext**) + 0x78
      12 org.mozilla.firefox 0x00686b4c nsDocShell::EnsureScriptEnvironment() + 0x100
      I hit one about once a day. So, having a 'go javascript' button seems pretty good right now. Thank goodness for SessionSaver.
      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  81. what is so hard about text and images? by lycium · · Score: 1

    WAY too damn often, when i have a couple instances open loaded with tabs, the piece of shit will just spin at 100% cpu usage, totally unresponsive, and not allow me to save any tabs. don't get me started on the "obsessive update" "feature" that just wants to update like crazy every 5 minutes in some previous version; took them HOW long to fix that?

    [i know it's "extra" and not to be taken for granted that people fix free software, but DAMN people, make some good use of your time or don't bother haxx0ring it. better use of your time would be to write a little doc on how people could understand the code base, and fix things properly]

    while i'm on the topic, dammit, it's 2005, how hard can it be to write a program (esp with the myriad APIs like dx, gdi etc that make even the scrolling someone else's problem!) that loads, displays and maybe even saves some pages, without crashing or locking up? it's just *text and images*, what is so fancy and difficult about these browsing "engines" that hasn't been done a million times in the last who knows how many years of programming history?

    being a programmer myself, i find it amazing that even though this is exactly the sort of thing we've been doing (and trained to do- oh my, have we had the training: flow charts, extreme programming, etc etc AD NAUSEUM) for yeaaaars, it STILL manages to just get worse and worse somehow! if the codebase weren't so huge and bukkake-style-coded i might have been able to do something about it, perhaps even other mere mortals...

    *phew*, sorry about that.

    1. Re:what is so hard about text and images? by lycium · · Score: 1

      oh yeah, one last thing: yes, firefox has been getting steadily WORSE. i remember a time when it surfed just like it does now, minus all the bullshit and crashing. anyone else? basically, wtf?!

      it's opera time for me, i love opensource and all but that's no reason to use decaying/rotten software.

  82. Don't care! by obeythefist · · Score: 1

    At least trusty ol' firefox has never let me down. And it's not integrated irrevocably with my desktop OS!

    Kinda helps a whole lot really.

    Though, MS is going a long way to "fixing" the problems with IE - we'll never get the option to uninstall it.

    --
    I am government man, come from the government. The government has sent me. -- G.I.R.
    1. Re:Don't care! by MissingDividends · · Score: 1

      The only thing wrong with MSIE is that it is installed...

    2. Re:Don't care! by obeythefist · · Score: 1

      I have no problem with IE being installed by default on Windows boxes. Microsoft can bundle any apps they like and that is never a problem for me. Why?

      Because Linux and OS X installs do it as well. Every operating system out there comes with extra fluff nowadays, and yes it is bloaty, but it's acceptable for me because it increases my utility. I like that. I like that my OS of choice (whatever it may be) does heaps of stuff right out of the box.

      The only problem is, with IE, there's no opt-out. You can't uninstall it, and you can't choose not to install it when you install the rest of Windows. That is a problem, as it is consistently demonstrated that IE is not required for Windows to function, it is just there as a legacy of the browser wars.

      --
      I am government man, come from the government. The government has sent me. -- G.I.R.
    3. Re:Don't care! by MissingDividends · · Score: 1

      I should have been a little clearer... It is incorporated to the point that if it were to be uninstalled, the operating system wouldn't work (believe me, I've tried, if you uninstall MSIE forcefully, windows explorer stops working correctly or, in some cases, at all). I like the idea of a web and file browser in one, but I would like to be able to disable part or all of it even if it can't be uninstalled. I meant exactly what I said; the problem is that it is installed, not that it comes installed, but that it is always (if you want windows explorer to function properly) installed... I don't work much with macs, but every Linux Distro I've worked with (several free ones) comes with an option to remove the packaged programs, or, in some cases, just not install them in the first place...

  83. Re:Um... Did you RTFA? It's not an exploit by darkmeridian · · Score: 1

    The FTA didn't make up its mind until after the story was in the story queue for a while.

    It was a correction.

    --
    A NYC lawyer blogs. http://www.chuangblog.com/
  84. Easy solution by GeorgeMcBay · · Score: 0, Troll

    There is an easy solution to this problem, switch to Internet Explorer. Internet Explorer doesn't have this bug and it isn't cluttered by lots of useless feature bloat like tabbed browsing or silly plugins.

  85. A WAY BETTER WORKAROUND WITH NO DEFICIENCIES by Anonymous Coward · · Score: 0

    Add the following line to your prefs.js or enter it using the about:config dialog

    user_pref("capability.policy.default.Title.text.set", "noAccess");

    As you can clearly see, this will disable the ability to manipulate the Document's Title with JavaScript. I already had this, and many other proactive hardenings, implemented a long time ago... in fact, almost every known security hole has never applied to me.

  86. unpatched? by linforcer · · Score: 0

    Heh. This story is only a few hours old and look at the latest Gentoo ebuild's changelog:

    *mozilla-firefox-1.5-r1 (08 Dec 2005)

    08 Dec 2005; Jory A. Pratt +files/1.5/mozilla-firefox-1.5-history.patch, +mozilla-firefox-1.5-r1.ebuild:
    patch to fix history DoS

    So much for unpatched.

  87. Hardly news. I've crashed Lynx with big TITLE tags by Anonymous Coward · · Score: 0
    Yes, you heard it right. Lynx. It has been vulnerable for years if you use a ton of certain ASCII characters in the TITLE tag when the character set is IBM US codepage. It also crashes when it browses local directories that have files with timestamps from 1901.

    So Firefox crashes. Big deal. I crash every software I ever touch. Internet Explorer crashes when rendering a certain file that is 12 bytes long.

    When someone finds a non-Javascript Firefox crash that actually executes malicious code (or just crashes after rendering a file smaller than 13 bytes), wake me up, and then I might consider it news.

  88. AAAAAAA? by GQuon · · Score: 1

    In fact, I'm posting this response after following the process described above (on WinXP), and I have a history entry entitled "AAAAAAAAAAAAAAAAA..."

    AAAAAAA!

    --
    Irene KHAAAAAAN!
  89. IE sucks? by Anonymous Coward · · Score: 0

    hahahahahahahaha!

    Chumps.

  90. Fill your disk? by penguinoid · · Score: 1
    I'm just pulling this out of my ass, but could you fill someone's disk with this exploit? For your script, this would be a 2.5 Mb file, but is there any limit? Also, a better script would be:
    var buffer = "A";
    for (var i = 0; i < 40; i++) {
    buffer += buffer;
    }
    which will produce a terabyte
    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  91. how to work around this by Heembo · · Score: 1

    There are some simple work-arounds to protect yourself from this exploit.

    From http://isc.sans.org/diary.php?storyid=920

    Go to Tools -> Options. Select the Privacy Icon, and then the History tab. Set the number of days to save pages at 0. This will disable writing anything to history.dat as far as I can tell, and should nullify the exploit. Readers have confirmed that this workaround does prevent the buffer overflow. You can also change your privacy settings to delete personal info when you close Firefox.

    Another workaround is to modify prefs.js while Firefox has not been started and put in the line:

    user_pref("capability.policy.default.HTMLDocument.title.set","noAccess");

    Lastly, you can also run the NoScript extension, found here. (Which I have not looked at in depth.) However, there are other ways of exploiting this where NoScript might not work.

    Some users have reported being unable to reproduce this error. I will test more to try to establish what makes this work and not. So far it appears Mac users are not affected by this.

    --
    Horns are really just a broken halo.
  92. Bugzilla Bug 319004 by Val314 · · Score: 1

    It's https://bugzilla.mozilla.org/show_bug.cgi?id=319004 (copy/paste link, Bugzilla doesn't like /. Links)

    According to a Comment there a workaround is setting

    user_pref("capability.policy.default.HTMLDocument.title.set","noAccess");

  93. Work on mem leak by tqft · · Score: 1

    Some comment and direction to work taking place about 2/3 way down

    http://www.squarefree.com/burningedge/2005/12/04/2005-12-04-trunk-builds/#comments

    --
    The Singularity is closer than you think
    Quant
  94. But Why? by Anonymous Coward · · Score: 0

    Why would all those porn sites want to crash my browser when I am just about to enter my credit card number?!?!

    Damn 1.5 can't even render the two yahoo+intel pics at the top of slashdot on the reply screen. or did yahoo and intel merge and I missed it on yahoo news? or slashdot? i tell ya, this intarnet gets harder and harder to use each day. Yatel? Inthoo? Yathoo? Yathooey? Yahoo Inside? yatel.com? Schnarf.

    at least I read the /. each day, so I only have to read about sploits for my browser about once a month, instead of eaZ^a.%@*gd^

    Error: Connection closed by remote host. Please check your history settings.

  95. But why? by FhnuZoag · · Score: 1

    "C|Net is reporting that an unpatched exploit in Firefox 1.5 has been made public, making it very easy for ne'er-do-well-sites to cause your browser to crash on startup with a single visit."

    Why on earth would a malicious website want to do that? I'm sure there are much simpler ways of making it impossible for users to view your site.

  96. Crash? by BenjyD · · Score: 1

    I don't need an exploit to make Firefox 1.5 crash, it does that quite well enough by itself. Anyone else out there running 1.5 on Ubuntu Breezy and having lots of crashes?

  97. Same here by Robmonster · · Score: 1

    I get a popup about something related to Quicktime missing, but the page loads up just fine.

    --
    I have no sig yet I must scream.
  98. Works for me by PurifyYourMind · · Score: 1

    I have QT 7 installed too. The page pauses for a little while on load, but doesn't crash.

    Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

  99. Out of the frying pan, into the fire by aconkling · · Score: 1

    Good, so you're just limited to other critical exploits... and poor rendering... and being open to spyware. Seriously, I think I'm going to block AC comments.

  100. Exploit... by gabrieltss · · Score: 1

    I don't know about this exploit. But within about 2 hours of installing FF1.5 I reverted back to 1.07. FF1.5 had SERIOUS issues with allowing checkout on several ECommerce sites. I did file a bug in bugzilla with exact steps to reproduce. But I won't move forward with FF until some of the serious issues are fixed. I wish I had time to tear into the source to fix it myself....

    --
    The Truth is a Virus!!!
  101. QuickTime plug in. by TangoCharlie · · Score: 1

    The posts so far would seem to indicate that the ipod page problem is related to the QuickTime plug-in.

    For the record, the page was OK for me (Firefox 1.5 on Windows 2000) with QuickTime 6.5.2, but I don't have the QuickTime browser plug-in installed.

    I don't like QuickTime and/or Acrobat Reader loading within my browser, so I try never to install the plug-ins (or rather, I try to remember to remove them!).

    YMMV

    --
    return 0; }
  102. funny by HalAtWork · · Score: 1

    It's funny that you're correcting a jamaican impression, as jamaicans frequently do not spell things consistently and write it down howefer dey like.

  103. Whitelisting vs blacklisting. by tjwhaynes · · Score: 1
    The point of whitelisting is simple - by the time a javascript exploit has run, it's too late. NoScript is taking the conservative (and security minded) approach of allowing you to keep a list of the sites you trust. Given that all you need to do to enable javascript on a page is to click on the NoScript symbol in the task bar, choose "allow" or "temporarily allow" and the page will reload with javascript on.

    Cheers,
    Toby Haynes

    --
    Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
  104. Two words by javaxman · · Score: 1
    Actually, we use Active X for quite a few of our internal apps.

    Bad idea.

    You'll have to change this sooner or later. Changing it sooner is better.

    You can feel free to ignore this good advice, but it *is* good advice; even Microsoft thinks you should ditch ActiveX.

    1. Re:Two words by NineNine · · Score: 1

      You'll have to change this sooner or later.

      Why's that? Are you or somebody you know going to come over and physically break our applications? They work fine now. There's no reason to believe that they won't continue to work just as well.

  105. MOD PARENT UP by quiddity · · Score: 1

    nt

    --
    .
    . hmmm
  106. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion