

Unpatched Firefox 1.5 Exploit Made Public

ThatGuyGreg writes "C|Net is reporting that an unpatched exploit in Firefox 1.5 has been made public, making it very easy for ne'er-do-well-sites to cause your browser to crash on startup with a single visit. Until a patch is released, it is recommended that you disable your history.dat file."


  1. FC4, 1.5 by (1+-sqrt(5))*(2**-1) · · Score: 4, Insightful

    I can report that the exploit doesn't work on FC4, with the latest 1.5 built from source.

    1. Re:FC4, 1.5 by Anonymous Coward · · Score: 5, Informative

      The Mozilla people are also reporting that the exploit doesn't seem to work on any version of 1.5:

      Mozilla Foundation, which released Firefox, said it was not able to confirm the browser would crash or be at risk of a DOS attack, after visiting certain Web sites.

      "We have gotten no independent verification that it crashes (Firefox), but there have been a lot of attempts to try," Schroepfer said.

      Apparently they're having a hard time duplicating this particular bug. Has anyone here on /. seen it actually happen?

    2. Re:FC4, 1.5 by FoXDie · · Score: 4, Interesting

      Go to http://www.apple.com/ipod/features.html and tell me if I'm the only one that has Firefox crash from that page without fail, since the upgrade to 1.5

    3. Re:FC4, 1.5 by mebob · · Score: 4, Informative

      I'm pretty sure that it is the new QuickTime 7 plugin causing that.
      As others have posted, it crashes IE as well. And every firefox crash I've had since I've installed 1.5 appears to have been QuickTime related!!!
      All happening after installing 7 except for one.

      --
      =1000101
  2. Good Thing by Anonymous Coward · · Score: 5, Funny

    I'm still using Internet Explorer!

    1. Re:Good Thing by sloths · · Score: 5, Funny

      Did it come with a free dinosaur?

      --
      really 867993
      Karma schkarma
    2. Re:Good Thing by AgentScummy · · Score: 3, Funny

      Mine came with Windows 3.1

  3. The fix by rnelsonee · · Score: 4, Informative

    If it's already happened to you, just delete your history.dat file in your profile folder, and FireFox will create a new (empty) one on startup.

  4. Obligatory Jamaican Response by dotslashdot · · Score: 5, Funny

    Dat file will be history, man.

    1. Re:Obligatory Jamaican Response by uberjoe · · Score: 5, Informative

      You mean: "Dat file will be history Mon."

      --

      The days of the digital watch are numbered.

    2. Re:Obligatory Jamaican Response by Anonymous Coward · · Score: 4, Funny

      But the exploit was published on Wed.

  5. Only crashes? by ruiner13 · · Score: 4, Informative

    If this only crashes Firefox, how is it an "exploit"? I tend to use "exploit" as something that an attacker can use to their advantage to do something malicious. This is just an annoyance to have to move my poor cursor back to the icon and issue an oh-so-painful double-click.

    --

    today is spelling optional day.

    1. Re:Only crashes? by courtarro · · Score: 3, Insightful

      There are plenty of browser denial-of-service bugs, but few of them can actually render your browser useless upon every execution. This one has a lasting effect that's more significant than the old "do while(true) alert;"-style DoS attacks. A single double-click won't fix this one; you have to delete your old history.dat file.

    2. Re:Only crashes? by Anonymous Coward · · Score: 3, Insightful

      If it causes a crash, it's entirely likely that some malicious code could be injected into memory when that happens! If so, you're potentially up shit creek.

  6. Stopping the stupidity by tjwhaynes · · Score: 5, Informative
    For anyone out there who wants a safer experience out on the web, you owe it to yourself to install the NoScript extension and only allow whitelisted sites to run Javascript. The exploit published this morning (more a DoS and only seems to affect some but not all installations of firefox 1.5 according to SANS) uses a Javascript loop to build up an enormous topic that ends up being written into your history.dat file causing buffer overflow issues. Without Javascript, this sort of exploit is much tougher.

    Cheers,
    Toby Haynes

    --
    Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
    1. Re:Stopping the stupidity by Psykus · · Score: 3, Informative

      The NoScript extension itself.

    2. Re:Stopping the stupidity by CosmeticLobotamy · · Score: 5, Funny

      The guy who drew the logo for that forgot the wingalings and the beefy arm.

  7. DOS by kihjin · · Score: 5, Insightful

    The 'exploit' seems only capable of a Denial of Service. There's no proof to indicate that malicious code could be executed.

    Plus, read this (from the article):

    "We have gotten no independent verification that it crashes (Firefox), but there have been a lot of attempts to try," Schroepfer said.

    So, this is all very hypothetical then?

    --
    This slashdot-related signature is a stub. You can help kihjin by expanding it.
  8. ummmm by Prince+Vegeta+SSJ4 · · Score: 3, Funny

    that's what they get for making an extension that runs explorer within firefox https://addons.mozilla.org/extensions/moreinfo.php?application=firefox&id=1419 *ducks*

  9. Not an "exploit" by joetainment · · Score: 4, Insightful

    This isn't even related to security. It's just a bug.... lots of apps crash when something happens. Doesn't mean it's ok, but it doesn't represent a security issue does it? (Unless I'm missing something...)

  10. Tin Hats Need Not Fear by courtarro · · Score: 4, Funny

    Those of us with sturdy tin hats already have our histories disabled. Take that, evil!

  11. Um... Did you RTFA? It's not an exploit by Schrade · · Score: 5, Informative

    Quote from the bottom of the article:

    "Correction: This story incorrectly stated the affiliation of Mike Schroepfer, Mozilla's results in verifying the Firefox 1.5 flaw, and the nature of the problem. Schroepfer is vice president of engineering with Mozilla Corp., and Mozilla has not been able to verify its browser can crash and lead to a denial-of-service condition. The problem itself was not a security vulnerability but actually a flaw in the browser."

    Read the article before you consider posting it with a sensational title!

  12. IE's execution of arbitrary code by Dreadlord · · Score: 5, Interesting

    Before someone starts saying Firefox is vulnerable to exploits just as IE, this exploit crashes the browser and only that, now compare this to IE's execution of arbitrary code.

    No software is perfect, but still, Firefox is clearly ahead.

    --
    The IT section color scheme sucks.
  13. It's completely retarded... by ninja_assault_kitten · · Score: 3, Insightful

    The guy who reported it called it a 'buffer overflow' and clearly had no understanding of what it actually meant.

    which most users won't figure out.

    this proof of concept will only prevent someone from reopening
    their browser after being exploited. DoS if you will. however, code
    execution is possible with some modifications.

    Tested with Firefox 1.5 on Windows XP SP2.

    ZIPLOCK

    -->

    heh
    function ex() {
        var buffer = "";
        for (var i = 0; i ZIPLOCK says CLICK ME

  14. A crash can often lead to an overflow exploit by MushMouth · · Score: 4, Insightful

    When an app crashes (firefox does quite often for me) it means that it is doing something that the programmer didn't expect. That could be all sorts of things, from taking all the cpu, to writing to memory that it shouldn't be. Most overflow exploits started as mere crashes.

  15. Heh by aftk2 · · Score: 4, Funny
    "cause your browser to crash on startup with a single visit."

    I've seen this exploit in the wild: it's called the MySpace Profile Page.
    --
    concrete5: a cms made for marketing, but strong enough for geeks.
  16. Someone needed to create a scoop. by Godeke · · Score: 3, Informative
    "Correction: This story incorrectly stated the affiliation of Mike Schroepfer, Mozilla's results in verifying the Firefox 1.5 flaw, and the nature of the problem. Schroepfer is vice president of engineering with Mozilla Corp., and Mozilla has not been able to verify its browser can crash and lead to a denial-of-service condition. The problem itself was not a security vulnerability but actually a flaw in the browser."

    Wow, that is accurate reporting, which was then amplified in the summary to the point of absurdity.
    --
    Sig under construction since 1998.
  17. so... by SharpFang · · Score: 4, Informative

    Preferences > privacy > history > [0] days; ok.
    Patched. I use the history feature about twice a year, won't miss it till the right fix is found.
    Not quite like disabling all the javascript in MSIE, is it?

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  18. Re:Is that a Product plug I see? by Anonymous Coward · · Score: 3, Informative

    No, just a badly worded summary of the original storm center diary entry in which the ISC handler attributes the possible FAILURE of this bug to crash firefox to the McAfee software, which, in his mind, has some mystical power to optimise firefox's inefficient string parsing algorithm even when it's deactivated!

    This bug is slightly lame, even as DOS -- There are no confirmed reports from half-or-more-brain-having people that it even crashes the browser in the first place. All it does is make the subsequent startups slow, especially noticeable in slower machines.

    See bug 319004 at bugzilla.mozilla.org.

  19. Posting from an "Exploited" FF 1.5 by tyler_larson · · Score: 5, Informative

    False alarm. No security-related concerns, just overenthusiastic reporting.

    If you run the script below, it will create a page with a title that's quite huge. Close your browser and open it again. The browser will spin for about 2 minutes while it tries to make sense of the contents of your history file. Once it's finished, you'll be back up and running, with no degradation in performance or visible side-effects. You'll be able to even view your browsing history (including the offending page). In fact, I'm posting this response after following the process described above (on WinXP), and I have a history entry entitled "AAAAAAAAAAAAAAAAA..."

    A bit of an annoyance, but hardly a security issue.

    Here's the official exploit code:

    function ex() {
        var buffer = "";
        // 5000 characters of "A"
        for (var i = 0; i < 5000; i++) {
            buffer += "A";
        }
        // appended to itself 500 more times: a title of 2,505,000 characters
        var buffer2 = buffer;
        for (i = 0; i < 500; i++) {
            buffer2 += buffer;
        }
        // the oversized title is what ends up in history.dat
        document.title = buffer2;
    }
    --
    "With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea...."
    RFC 1925
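
A defender's check for the condition described in this post and in tjwhaynes's post above (one absurdly large title written into history.dat, which then stalls every startup): an added example, not code from the thread or from Mozilla. It treats history.dat as opaque bytes and assumes nothing about the Mork format beyond the fact that no legitimate title approaches the PoC's 2.5 million characters; the sample file contents and the 64 KiB cap are constructed for the example.

```python
import re
import sys
from itertools import groupby

# Constructed sample modelled loosely on a Firefox 1.5 history.dat (Mork text).
# The check below deliberately knows nothing about Mork: it only asks whether
# the file holds one field far larger than any legitimate page title.
NORMAL = (b'// <!-- <mdb:mork:z v="1.4"/> -->\n'
          b'<(80=ns:history:db:row:scope:history:all)(81=http://example.test/)\n'
          b'(82=Example Domain)>\n')
# The published PoC builds a 5000-A buffer and appends it to itself 500 times.
POC_TITLE = b"A" * (5000 * 501)
BLOATED = NORMAL + b"<(83=" + POC_TITLE + b")>\n"

TITLE_CAP = 64 * 1024  # assumed cap: no real page title needs 64 KiB


def longest_run(data):
    """Longest run of a single repeated byte: (length, byte value)."""
    best_len, best_byte = 0, None
    for byte, group in groupby(data):
        n = sum(1 for _ in group)
        if n > best_len:
            best_len, best_byte = n, byte
    return best_len, best_byte


def longest_field(data):
    """Longest whitespace-free token; a huge title shows up here even if varied."""
    return max((len(tok) for tok in re.split(rb"\s+", data)), default=0)


def check_history(data, cap=TITLE_CAP):
    """Measurements plus a verdict; 'suspicious' means delete and let Firefox recreate."""
    run_len, run_byte = longest_run(data)
    field_len = longest_field(data)
    return {
        "size": len(data),
        "longest_run": run_len,
        "run_byte": run_byte,
        "longest_field": field_len,
        "suspicious": run_len > cap or field_len > cap,
    }


if __name__ == "__main__":
    # Usage: python check_history.py /path/to/history.dat  (defaults to the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else BLOATED
    print(check_history(data))
```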
  20. Non-Story by Midnight+Thunder · · Score: 4, Informative

    C|Net has added the following correction at the end of the story:

    "Correction: This story incorrectly stated the affiliation of Mike Schroepfer, Mozilla's results in verifying the Firefox 1.5 flaw, and the nature of the problem. Schroepfer is vice president of engineering with Mozilla Corp., and Mozilla has not been able to verify its browser can crash and lead to a denial-of-service condition. The problem itself was not a security vulnerability but actually a flaw in the browser."

    So Firefox crashes, but no security vulnerability.

    --
    Jumpstart the tartan drive.
  21. Re:Firefox history code is horrible by WWWWolf · · Score: 3, Interesting

    Once you have the idea on how sucky Mozilla's history stuff is in practice, take a look at how the stuff is actually stored in history.dat. People have been rendered insane by just a single look at that stuff. Want to make sense of this format for some obscure reason? Read this and weep. This stuff is just about the most insane thing I've ever seen.

    I sure hope Mozilla folks get the unified storage plans together for Firefox 2.0, and use something like sqlite to store most of the user data. MorkDB format used by Mozilla is... just not elegant.