Slashdot Mirror


Another Denial of Service Bug Found in Firefox 2

An anonymous reader writes "A second security flaw that could cause the new Firefox 2 browser to crash has been publicly disclosed. The vulnerability lies in the way the open-source browser handles JavaScript code. Viewing a rigged Web page will cause the browser to exit, a representative for Mozilla, the publisher of the software, said Wednesday. Contrary to claims on security mailing lists, the bug cannot be exploited to run arbitrary code on a PC running Firefox 2, the representative said. This flaw in the JavaScript Range object is different than the denial-of-service vulnerability in Firefox 2 that was confirmed by Mozilla last week. That bug is related to a more serious security hole, which was fixed in earlier versions of Firefox, the organization has said. The two 'crashers' are the only publicly released vulnerabilities that have been confirmed by Mozilla in the week since Firefox 2 was launched. The issues are only minor, the organization has said."

7 of 206 comments

  1. Old times by managementboy · · Score: 4, Insightful

    It used to be that if an application crashed it was called just that: it crashed. Today it's a DOS attack! Imagine how many DOS my old Windows 3.11 had... come to think of it, it only had one DOS.

    We present "DOS reloaded"!

    1. Re:Old times by cperciva · · Score: 4, Insightful

      It used to be that if an application crashed it was called just that: it crashed. Today it's a DOS attack!

      Not necessarily. Application-crashing bugs are Denial of Service bugs if they can be triggered remotely.

      There's a fundamental difference between "I can make my copy of Firefox crash" and "I can make your copy of Firefox crash".

    2. Re:Old times by jesser · · Score: 3, Insightful

      More to the point, there's a fundamental difference between "I can make your copy of Firefox crash when you visit my site" and "I can make your copy of Apache crash".

      Crash bugs in client software such as web browsers are "crashes", not "DoS vulnerabilities".

      --
      The shareholder is always right.
  2. Re:LOL IE Users! by Mikachu · · Score: 3, Insightful

    Except let's see how long it takes for the Firefox team to patch up these flaws as opposed to IE.

  3. Re:So funny by snero3 · · Score: 2, Insightful

    Personally I think the comments you are referring to come from a number of different factors

    1. Microsoft is often not the one to admit the security flaw, whereas the Mozilla/Firefox community is.
    2. Often Microsoft will deny the flaw pointed out in point number 1.
    3. There have been numerous occurrences where an IE bug has allowed a whole PC to be taken over from a bug that either MS denies exists or is very slow to patch. Holes like that in Firefox generally get patched well before it is public knowledge.
    4. For the longest time IE was the ONLY browser that would work properly on a Windows environment and MS thought that was a "fair and just" way to do business.
    5. Firefox is OSS, so you can go in there and fix/find the bug yourself, whereas with IE you have to rely on MS fixing it for you.

    As for your issues with it crashing, I think that is a bit personal/related to your system? Come on! You swapped to a completely different browser after little over a week of use? I personally run Firefox 2 on OS X, Windows XP/2000 and Linux (FC4, RHEL4u3) and have had no problems on any platform, but maybe that is just me.

    --
    It said "windows 98 or better" so I installed Linux
  4. Re:2.0 Good reasons to switch to Opera by Ash-Fox · · Score: 2, Insightful

    I'm an Opera user

    Good for you

    and I keep wondering why do ppl adamantly use a software which keeps crashing

    Firefox v2 has only crashed once on me, when I tried to get it to crash on that bug. It's never crashed otherwise.

    yet they find a reason to either bash it (IE) or support it (FF fanboys) saying there is such and such workarounds.

    Well, the fact they suggest workarounds is a good thing in my opinion. It's good that there are workarounds.

    Why don't ppl switch to the browser with fewest bugs/security holes.

    Links doesn't provide what I need.

    Don't give me the crap by saying IE has lot of users so the attackers target IE.

    Alright, Netcraft showed that Apache was the dominant webserver, yet the webserver that gets exploited the most is IIS -- This could be the case with other Microsoft software if they were put into that situation.

    While it may be true, a common security analyser like Secunia.com has identified fewest bugs in Opera compared to FF and IE.

    They've identified even fewer in Links.

    and yet the slashdot crowd is so much in love with FF.

    I can't speak for Slashdot, however I use Firefox (not always official Mozilla builds) primarily because it runs on all the architectures I use. That includes PPC and ARM. It runs on most of the operating systems I use (unfortunately not on AmigaOS though). Also other browsers lack really important functions I need.

    and look at the comments above from FF fanboys, they just keep writing suggestions and saying how it is not a flaw.

    I see people saying it isn't an exploit. But rather something that causes a crash. An exploit meaning, "A hardware or software vulnerability that can be 'exploited' by a hacker to gain access to a system or service."

    If the posting had IE instead of FF, we would've seen hundreds of posts scolding IE and Bill.

    Could you show me a Slashdot article about a bug that causes IE to crash, no exploits. Just for comparison please.

    Talk about hypocrisy.

    Using your own logic, why aren't you using Links anyway? It's "the browser with fewest bugs/security holes".

    --
    Change is certain; progress is not obligatory.
  5. Re:LOL IE Users! by Richard Steiner · · Score: 2, Insightful

    Make no mistake, a lot of people on here aren't so much pro-OSS as they are anti-MS.

    Of course. Remember that many of the PC hobbyists on this site predate the general acceptance of the FOSS movement, and that many of us remember Microsoft from their DOS and Win 3.1 days as well as their more recent attempts at world domination.

    After 20 years of dealing with that company, one tends to develop well-entrenched opinions about the quality of their software and the ethics (or lack thereof) behind Microsoft's business practices.

    --
    Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
    The Theorem Theorem: If If, Then Then.