Another Denial of Service Bug Found in Firefox 2
An anonymous reader writes "A second security flaw that could cause the new Firefox 2 browser to crash
has been publicly disclosed.
The vulnerability lies in the way the open-source browser handles
JavaScript code. Viewing a rigged Web page will cause the browser to exit,
a representative for Mozilla, the publisher of the software, said
Wednesday. Contrary to claims on security mailing lists, the bug cannot be
exploited to run arbitrary code on a PC running Firefox 2, the
representative said.
This flaw in the JavaScript Range object is different than the
denial-of-service vulnerability in Firefox 2 that was confirmed by Mozilla
last week. That bug is related to a more serious security hole, which was
fixed in earlier versions of Firefox, the organization has said.
The two 'crashers' are the only publicly released vulnerabilities that
have been confirmed by Mozilla in the week since Firefox 2 was launched.
The issues are only minor, the organization has said."
It used to be that if an application crashed it was called just that: it crashed. Today it's a DOS attack! Imagine how many DOS my old Windows 3.11 had... come to think of it, it only had one DOS.
We present "DOS reloaded"!
Is anyone else thinking that running Firefox 2 with NoScript installed means this vulnerability is no big deal?
It also has a beginner's privacy bug: (full disclosure: my blog) http://tech-dissect.blogspot.com/2006/10/firefox-privacy-bug.html.
In short: Ctrl-Shift-Del doesn't delete everything you expect it to delete; your browsing history can still be recovered.
Except let's see how long it takes for the Firefox team to patch up these flaws as opposed to IE.
Another bug?? I want a refund! It's free? I want double my money back!
Fight Spammers!
You could install NoScript addon... Great utility :)
It doesn't matter how long.
I'm sure Microsoft will still get hammered even if it issues 0-day patches.
Virtual Betting on Facebook for non-geeks.
I remember reading about the memory leak. While others see this as a "failure" of the browser, I see it as increasing the odds that the browser exits and frees up your memory. I mean, how hard is it to re-open a browser?
IANA*
Yahoo! Mail seems to use a less dangerous one of these vulnerabilities - while stable versions earlier than 2.0 would crash, 2.0 only crashes when exiting Yahoo! Mail or when closing all the tabs of Yahoo! Mail. Firebird 0.7 is not affected.
I filed a bug for another DoS over a year ago and they still haven't fixed it:
Crash Firefox
The insta-crash only seems to work on Linux though.
https://bugzilla.mozilla.org/show_bug.cgi?id=298717
Actually, I have no problem bashing FF either. I'm fair about it.
1. Is it a security hole or a just bug?
2. Likelihood of encountering bug
3. Overall effect of the bug
4. Time it takes to actually patch bug (ie no turn-off workarounds)
If it's just a bug that takes a specially coded web site to just crash my browser, I'm not too worried.
Security flaws or common crashes will get me annoyed.
In the end it doesn't really matter. /. posters are a small but vocal fringe group who more likely than not will have no measurable effect on the browser market. The true test is what the public at large thinks, and they seem to think that Microsoft is relatively good at what they do, but the more tech-savvy among the general population have found that Firefox has a better feature set. A couple of bugs on either side aren't going to sway a bunch of people one way or another, because bugs "Just Happen". It's an accepted part of computing, and nobody really cares. IE users will feel smug, Firefox users will download a patch, and next time the roles will be reversed. It just doesn't matter.
Slashdot needs a "-1, Wrong" moderation option.
The Urban Hippie
How Slashdotters start pointing and laughing when there's an IE exploit, it doesn't matter how big or small, and the "workaround" is always looked at as unacceptable.
When it's about Firefox, they immediately relativize it and minimize it. "Oh, just install NoScript", "'tis just a small exploit", "well, why not restart your browser? If it crashes, so what? Why don't you click the icon again? You lazy bastard!"...
I even read some comments, in reply to someone saying that IE 7 feels better than FF 2.0, that the faults in FF are acceptable. It's a complete double standard.
For me, Firefox 2.0 is worthless; bloathed, crashes constantly, and is just not workable anymore. I've been using Firefox from the very start, but Firefox 2.0 made me switch to Opera.
I think we can keep recursing like this until someone returns 1
What a load of utter crap, calling a bug that crashes an application a "Denial of Service'. Morons!
Bart
... it is Firefox with NoScript :)
I wrote this Firefox add-on just after one of these disclosures, because the majority of the browser vulnerabilities were JavaScript related, and the suggested work-around was always "turn off JavaScript".
Disabling JavaScript as a whole seemed quite impractical advice to me in this AJAXified Web 2.0: I thought that maintaining a white-list of trusted sites allowed to run JavaScript and keeping all the unknown web content "static" until I decided otherwise was a still-safe but more convenient approach.
Since then I've been browsing the web with my shields up (NoScript can also block Java, Flash and other plugins), but I allow on the fly with one click, either temporarily or permanently, those sites which I trust and which do need dynamic client-side technologies to work properly. To my surprise, in a year and a half I found few sites belonging to this category, because most places I usually browse are well designed enough to work with plain XHTML/CSS and nothing else (like Slashdot itself).
Notice: Firefox is a very safe browser because its vulnerabilities get patched very quickly, once they're found by developers. I'm a Firefox contributor myself, and I'm very proud of the quality of the Mozilla developers community. NoScript, though, provides some extra protection even against those JavaScript/Java related vulnerabilities which have not been found yet...
There's a browser safer than Firefox, it is Firefox, with NoScript
I'll just add my 0.02 Euros by saying that domain-specific JavaScript settings are available in Konqueror, too (I don't know since which version, but 3.5.2 has them). It also has domain-specific settings for Java, images, and cookies.
Please correct me if I got my facts wrong.
when Firefox 2.0 seems to quite happily lock up on its own with no need for help from the script-kiddies?
And behold, a command prompt and he who sat upon it, his name was shutdown and -h 3:11 followed with him
I already ditched FF2 and went back to the previous version.
What is up with the developer team? Were they just so horny to get a "2.0" out before the end of the year that it was "ok" to release this thing?
You are right, there is a double standard. MS is an easy target as negative comments are expected and encouraged by the moderation system here.
Firefox is no longer the Firefox most of us want. Sorry, it's nearing the point where we will need to clamour for that slim browser that we had when Firefox first came out (well before the naming hassles).
As for the Netscape 4.xx title, remember the days when IE was better than Netscape? Netscape was great until the 4.xx series, you could never tell which version would work.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
79%...78%...77%...76%...
tasks(723) drafts(105) languages(484) examples(29106)
I'm an Opera user and I keep wondering why people adamantly use software which keeps crashing and yet find a reason to either bash it (IE) or support it (FF fanboys), saying there are such and such workarounds. Why don't people switch to the browser with the fewest bugs/security holes? Don't give me the crap about IE having a lot of users so the attackers target IE. While it may be true, a common security analyser like Secunia.com has identified the fewest bugs in Opera compared to FF and IE. .... and yet the Slashdot crowd is so much in love with FF. And look at the comments above from FF fanboys, they just keep writing suggestions and saying how it is not a flaw. If the posting had IE instead of FF, we would've seen hundreds of posts scolding IE and Bill.
Talk about hypocrisy.
I don't want a signature.
The title reads " Another Denial of Service Bug Found in Firefox 2" but the summary says "... the bug cannot be exploited to run arbitrary code on a PC running Firefox 2, the representative said. This flaw in the JavaScript Range object is different from the denial-of-service vulnerability in Firefox 2 that was confirmed by Mozilla last week."
So which do I trust? There's no way in hell I'm gonna actually read the article!
Immediately stop using the Internet if you're using one of those browsers:
IE
Firefox
Safari
Konqueror
A new denial of service attack was discovered floating in cyberspace that can render any browser inoperable, so that it has to be forcefully crashed and reopened. The signature of the exploit was reported to be:
while(true) alert('Hahaha, suckers!');
People are advised to immediately move to Lynx: the only browser known to be immune to this attack.
The two "crashers" are the only publicly released vulnerabilities that have been confirmed by Mozilla in the week since Firefox 2 was launched. The issues are only minor, the organization has said...
They also added that the reason the issues are minor is because Firefox 1.5x and later releases of the popular Mozilla browser feature a special "issue shrinking" technology, patent pending, where no matter what happens, the issue becomes small.
This is in opposition to Microsoft, which appears to ship all their products with "issue expanding" FUD generator technology, now considered by many specialists as obsolete, where never mind what the trouble is, it's blown out of proportion, and brings chaos and despair among geeky web users.
Since when has a crashing browser been a security problem?
Back when mozilla was young, certain sites would make it regularly crash. I just didn't go back to those sites. The browser was still far superior to IE, which drives me nuts if I have to use it.
Was that link supposed to crash my firefox? Nothing happened using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061025 BonEcho/2.0 (mmoy CE K8C-X01)...
Any technology distinguishable from magic, is insufficiently advanced.
If you go search Firefox's bug database for bugs with the "crash" and "testcase" keywords at any time, you'll find dozens of known crash bugs. I imagine it's the same for any other major browser. Meanwhile, very few sites intentionally crash web browsers. It makes more sense for developers to focus on lowering the average time between crashes (by fixing the most common crashes), or on fixing actual security holes, than to focus on squashing the largest number of crash bugs.
Why are CNet and Slashdot so interested in these particular two crash bugs? They aren't crashes that can be exploited to run arbitrary code.
The shareholder is always right.
Of course they will - there shouldn't have been a problem in the first place, rolling out patches is a pain, "what about the ones they've not told us about?", etc.
Make no mistake, a lot of people on here aren't so much pro-OSS as they are anti-MS.
(Disclaimer: I have not and never will use IE as my primary browser)
It's official. Most of you are morons.
Firefox 2.0 on Linux - yup, it crashes. Even worse the session save feature causes it to crash when it starts up next time. I had to hand-edit sessionsaver.js to stop it reopening the URL.
Rich.
libguestfs - tools for accessing and modifying virtual machine disk images
With a tremendous amount of code there is bound to be bugs. The difference between Firefox and IE will be what the Firefox team does about the bugs, and how serious they are. If the Firefox team doesn't handle the bugs well and the bugs are "serious", Firefox might be, *gasp*, put in the same bucket as IE! I'll still use it though..
It crashed my Firefox 1.5 on Linux...
Weird... opening the image directly doesn't crash...
Today I switched back to IE after getting sick of Firefox.
Yes, I am ashamed to admit it. But help me solve the problem anyway.
I read about this somewhere (Slashdot I think), where sites with Flash ads make Firefox hang, where I have to end the process using the Task Manager in Windows. The site in question is Friendster. Turning off Flash isn't really an option, as I use Flash for other sites, and my Adblock Plus doesn't work on Flash ads.
So what do you think?
I have bad karma. What do I care what you think?
Are you kidding? Internet Explorer has so many DoS/crash bugs, I don't think a new one would ever make Slashdot - it's just not news anymore (take a look at the Browser Fun blog for some examples, though it's out of date by now). Konqueror has a few too (take MangleMe to it and you'll see what I mean), and I bet Safari and Opera do as well.
So, what, is it a link like <a href="javascript:window.close()">Click Here for Money!!!</a> that causes this "DOS"?
If I can interrupt your usage of a particular program remotely, it IS a denial of service attack. I am denying you the ability to use a service.
DoS does not always involve botnets, although they are one way to bring a service down.
Registered Linux user #421033
This is not new because there isn't a browser out there with no flaw, no bug. Firefox is as vulnerable as any other software; you just need to keep prying at something until you find the desired problem. Problems are starting to appear in Firefox because it has become largely distributed, and soon enough there will be viruses specially designed for it. The truth about internet browsers is, if you don't want people to find flaws, don't be big. I have never seen a hacker trying to hack a technology or software that is not taking a large market share. Have you seen Mac viruses..... I think not.
FF is. That makes it much more appealing to people technically inclined.
IANAL but write like a drunk one.
It achieves a sort of sacred status in which people engage in flat-out denial that there are issues because they put too much blind faith in the development process behind it. They will tell you that the only real way of proving anything is the scientific method and then turn around and say they have complete faith that this is the year of Linux on the desktop. This is the primary reason why this site is not considered respectable among some IT professionals: it thrives only on fanboys and huge amounts of bias. Zealotry always involves a certain level of chosen ignorance.
Anyone who uses Optionsxpress and their streaming quote java application should be well aware of the bugs with Firefox and Java. Crashes, lock-ups, and randomly moving your cursor to the left one character after typing. These bugs have been listed in bugzilla for quite some time but I haven't seen anybody tackle them.
Dekker Dreyer
Being able to cause something to crash consistently is neither a denial-of-service flaw nor any other kind of security flaw. Even ignoring that, the article incorrectly mentions denial-of-service as that, in terms of security, usually refers to taking over other machines to create huge amounts of network traffic - it's the taking-over of machines that is the security flaw - the use of the machines to cause a denial of service is just an attack. You would think that the staff of a technical publication would know what they are talking about.
I'll take a nice, safe browser crash over an ActiveX control or buffer overflow executing arbitrary code on my local machine any time.
Nobody sane ever said Firefox has no bugs and no security holes.
However, those said holes tend to be fewer than IE, less severe and patched faster.
I've got to say, that was a truly terrible troll.
Everything in moderation, including moderation itself
Feature := Bug as described by the marketing department.[1]
[1] From the glossary of an Apple ][ manual.
A rose by any other name would smell as sweet;
A chrysanthemum by any other name would be easier to spell
FlashBlock?
What's nice about FlashBlock is that it still draws the place where the Flash applet is placed, and then you can click on it if you want to see it. Actually, since I've installed it, I haven't really needed AdBlock too much. (Banner ads don't bother me that much, though.) No annoying audio, unless you want it. No Flash-originating popups. It's actually sort of interesting just to see the "hidden" Flash on some pages that are obviously used for some sort of tracking. There are a few times where the Flash applet is specified to cover part of the page, so that you have to click on it to activate it, then click on it to close/hide it, but that's pretty rare. In fact, the only place I can remember it being a problem is SI.com, which is probably not a site most Slashdotters visit very often.
99% of Firefox users don't even know what noscript is.
You could just turn JavaScript off in the options...
Even still, it's not a big deal. Browser users tend not to complain. They just start it up again and avoid that page.
This is not the signature you're looking for.
Forgive me if this is a stupid question...I don't know much about the Mozilla org, or for that matter, how open source collaboration works in real life.
I had the opposite experience, I'm afraid. I found I was enabling scripts/plugins/etc. for probably about half the sites I visited more than one page on. Worse, many of those were sites I would most want that stuff disabled on -- e.g., MySpace. Eventually, I decided that I was effectively just browsing the same as without NoScript, but with more clicks and page reloads.
I suspect this has a lot to do with personal browsing habits and preferences. If you haven't tried NoScript yet, it's probably worth trying, to see if it will work for you. But it didn't work for me, I'm afraid.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
A non-exploitable bug is not a security flaw, it is a bug.
If there were pages with the intention to crash Firefox other than those proof-of-concept ones, I would worry.
It is not only a rule for Firefox: when the initial Opera 9 had DoS exploits, nobody really abused them.
It is mostly because a good hacker would like to have the biggest odds, so they target IE.
In fact, no matter how vulnerable the alternatives are, they are simply not targeted.
I will just stick to Firefox+NoScript. I consider executing code on my computer a privilege that I would only give to certain webpages; it also saves me from the new kind of annoying popups, those that use pure HTML and no windows. I would say that if Opera had a NoScript plugin I would switch, but that's not true, I simply don't like Opera, mostly for interface reasons (for example the mouse doesn't become an I when you are over text, hoo). And it doesn't even allow plugins.
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
Just crashing browsers is easy enough. Even just with HTML. Remember this story?
(A bit of self promotion.) I took his idea and incorporated it into a genetic programming system that manages to crash most browsers. It also finds HTML source that causes browsers to work for a looooonnnggg time to render a single page (in one case 19 hours for a page). The HTML is not particularly legal, but then there is no guarantee that any web page you load into a browser will follow any particular standard. Source (Java) is available at sourceforge - unpack and look for subdirectory "html". (Warning: As this is an evolving program subject to random hackery to "enhance" things, it is commented sketchily, way underdocumented and far from pretty in most places.)
For me, Firefox 2.0 is worthless; bloathed, crashes constantly, and is just not workable anymore.
What is this "bloathedness" of which you speak?
I've been running FFv2.0 on my home machine for 5 days with my usual full complement of 25+ extensions[*], sessions longer than 24 hours, usually 8-12 tabs open, often using OOo and the GIMP concurrently (under WinXP at 1.6 GHz with 768 MB ram). For the enriched experience and development tools that FF offers, it isn't bloated. It is more stable in this development environment than FFv1.5 was.
[*]Manifest of add-ons:
- 1-Click-Weather
- AdBlock Filterset G Updater
- AdBlock Plus
- Answers
- Calculator
- ChromeEditPlus
- ColorZilla
- CustomizeGoogle
- DomInspector
- eQuake
- Firebug
- FlashBlock
- FoxNotes
- GetMail
- GMail Space
- HTML Validator
- IE View
- Image Zoom
- MeasureIt
- Nuke Anything Enhanced
- Pearl Crescent Page Server Basic
- Performancing
- SpiderZilla
- Sun Cult
- Tabbrowser Preferences
- Talkback
- Web Developer
- Wikipedia Lookup Extension
I will add Blockfall and Colorful Tabs, and possibly Blogger Bar, to this when these become available on v2.0
Of course. Remember that many of the PC hobbyists on this site predate the general acceptance of the FOSS movement, and that many of us remember Microsoft from their DOS and Win 3.1 days as well as their more recent attempts at world domination.
After 20 years of dealing with that company, one tends to develop well-entrenched opinions about the quality of their software and the ethics (or lack thereof) behind Microsoft's business practices.
Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
The Theorem Theorem: If If, Then Then.
Shocking, so I'm denied service to a website which denies service. Hmmm, perhaps I'll try another site.
What's funny is that this case is specifically accounted for by the dialog that pops up when Firefox recognizes a crash and attempts to load a new session. This dialog is impossible to get rid of without an extension while still keeping the session saver functionality (for this reason precisely). So either... you aren't using the native session saving, or you broke something else. OR! you could be overblowing what's going on and saying that "When I tried to reload my session using the session saver functionality it crashed", which would of course be true, and the fix would be to simply not load the session at startup.
~ Anders
Sorry I couldn't think anything else after reading the title of your post.
Now zealots mod me down again.
We are Turing O-Machines. The Oracle is out there.
Amen to that. Microsoft has not only not changed their stripes, but they've gotten worse. Well, some things are better; if you got a defective paper tape of Altair basic, gates wouldn't replace it. These days your retailer will replace a defective CD.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
which would of course be true, and the fix would be to simply not load the session at startup.
And then lose the hundred or so other windows I've got open. Great idea! This is why I had to edit sessionsaver.js if you'd actually bothered to read my posting.
Rich.
libguestfs - tools for accessing and modifying virtual machine disk images
I did read your post, but your post also implied that Firefox defaulted to crashing on startup, as opposed to giving you the option to walk around that problem. If you had mentioned something along the lines of not wanting to lose those tabs, I think that would have made for a much more reasonable post.
It's the "even if" in that statement that gets me. They don't release fast patches. Unless it's to a hole in their DRM scheme, of course; they have to satisfy their REAL customers.
Wow. Nifty. I actually looked at the bug report though, and it looks like the issue is a bit deeper than firefox. It looks like it has to do with GTK. While not exactly an excuse for a bug, it at least explains why they haven't fixed it.
Rob
Here is an easy example, a segmentation violation by not specifying the namespace in xbl.
This is a simple way to make people keep away from your site. OTOH I think I just had an idea for browser-based minesweeper.
Hi Willem,
when the software patents fight was heating up, I hacked the NoSoftwarePatents image into my site. That's probably the image that's flowing into the text. I removed that now. I've also removed the "Valid HTML" link. I don't see any other problems, but if so, I wouldn't mind an email.
Thanks
Bart
Woman are denying me cervix all the time, why should firefox be any different.
Oh wait... denial of service! I need a better screen reader.
The Toyota site did crash my Firefox 2 while trying to build a truck. Very frustrating.
JavaScript is a programming language. It is Turing complete. The halting problem for it, then, is undecidable, making it impossible for any browser to detect all infinite loops / large amounts of memory/CPU consumption.
If theory makes you gag, check out this thread on JavaScript Denial of Service for a list of concrete examples. All of the samples are extremely effective at taking out all browsers (IE, Firefox and Opera alike).
I am more concerned about pages that can crash browsers without the intervention of JavaScript. This includes imagecrash (may crash you!), the mailto crash, and a huge XML file crash. They should be preventable.
Anyway, the reason why DoS's aren't actively pursued by the black-hat community is that it's very difficult to put them to good use. Sure, it will annoy someone, but it's hard to monetize, etc.
Thanks for crashing Firefox for me asshat. I was expecting an explanation of the problem, not the actual exploit. Fortunately Firefox recovered everything and I was able to close the tab before it reloaded.