Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Firefox Vulnerability Revealed

Posted by Soulskill on from the whack-a-fox dept.

Not long after Firefox 3.5.1 was released to address a security issue, a new exploit has been found and a proof of concept has been posted. "The vulnerability is a remote stack-based buffer-overflow, triggered by sending an overly long string of Unicode data to the document.write method. If exploited, the resulting overflow could lead to code execution, or if the exploit attempts fail, a denial-of-service scenario." It's recommended that Firefox users disable Javascript until the issue is patched, though add-ons like NoScript should do the trick as well (unless a site on your whitelist becomes compromised).

Update: 07/20 00:09 GMT by KD : An anonymous reader informs us that the Mozilla security blog is indicating that this vulnerability is not exploitable; denial of service is as bad as it gets.

22 of 250 comments (clear)

  1. Turn off javascript... by popo · · Score: 4, Insightful

    ... and stop using all of your web-apps... sigh...

    --
    ------ The best brain training is now totally free : )
    1. Re:Turn off javascript... by Teckla · · Score: 4, Insightful

      Yeah, and half the websites out there will stop rendering then. Sadly, the vast majority of them don't need javascript to do their job, but such is the epic lame that is the average web programmer.

      Or maybe most web programmers don't want to spend a lot of time and money supporting the 1% of users out there that don't have or disable JavaScript.

      I'm just sayin'.

    2. Re:Turn off javascript... by commodore64_love · · Score: 3, Insightful

      Wouldn't avoiding javascript make webpages smaller & therefore load faster? Perhaps you've got a megawide connection, but when I'm traveling all I have is 50k dialup. Even at home I'm limited to a relatively slow 700k. I'd prefer a web that's mainly text and images without the bloat.

      Back in the 90s web programmers were taught to optimize and compress their pages as small as possible. It appears this lesson is no longer being taught in the schools.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    3. Re:Turn off javascript... by Anonymous Coward · · Score: 1, Insightful

      Or maybe most web programmers don't want to spend a lot of time and money supporting the 1% of users out there that don't have or disable JavaScript.

      Funny reasoning : defending actually complicating a link (for both the writer as well as the viewer of the webpage) by doing it the javascript way by claiming that most all man-and-dog have JS on anyways.

      Thats like defending robbery because allmost everyone has insurance for it ...

    4. Re:Turn off javascript... by causality · · Score: 4, Insightful

      I've disabled it today and some sites are now really much faster than usually.

      I guess I really need to invest into configuring noscript.

      NoScript + Adblock Plus + Adblock Plus Element Hiding Helper + the Easylist and EasyElement subscriptions for ABP = the Web as it was meant to be.

      Advertising business models and entitlement mentalities (regarding ad revenue) be damned. If a Webmaster somewhere does not like that my computer is my property and will load only what I want it to load up, I recognize that their site is their property and I celebrate their right to deny me access to their site so I can find another.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    5. Re:Turn off javascript... by Anonymous Coward · · Score: 1, Insightful

      Alternatively, look at Slashdot itself. Yeah, it has its issues, but I have to say that I love the dynamic content loading. That's so much better (and easier on bandwidth!) than having to load a whole page just to expose a collapsed comment.

      YOU.. HAVE.. TO.. BE.. FUCKING.. KIDDING.. ME! Maybe you enjoy clicking like a monkey while browsing on your beowulf cluster. Other people just want to read all the comments on a mobile device.

      Slashdot is a fucking pig regarding CPU time and usability. The comments are fucking plain text. I can load that via GPRS in acceptable time. BUT NOOOO! The clueless idiots who think that da cool JahvahScreept is all the hype manage to package plain text (PLAIN TEXT FOR FUCK'S SAKE) into an unusable CPU massacre 50 comments at a time.

      Just give me all the comments with a single click instead of moving your fucking retarded threshold slider - which doesn't even work correctly! - and then clicking 100 times on "More", wasting tons of cycles between each update.

      Slashdot's design is so retarded I have no further words for it.

    6. Re:Turn off javascript... by Jah-Wren+Ryel · · Score: 2, Insightful

      New way:

      You left off step 0 - the server sends over a ton of javascript code that would not be transfered in the non-javascript case. Since neither case requires the retransfer of any of the images, it is easy enough for your example to go either way based on just how much extra javascript gets transferred.

      Furthermore, way too many sites have external javascript dependencies, like doubleclick, coremetrics, etc. By ignoring those we are pretty much guaranteed a faster experience.

      Alternatively, look at Slashdot itself. Yeah, it has its issues, but I have to say that I love the dynamic content loading. That's so much better (and easier on bandwidth!) than having to load a whole page just to expose a collapsed comment.

      Well, we are going to have agree to disagree here. For me, that interface is terrible. I fucking hate clicking every couple of seconds just to read what ought to be there in the first place, it totally kills the flow of reading the comments. I don't care how it is implemented, it is a terrible UI design.

      Instead of going all dynamic with a ton of individual database accesses, a smart designer could pre-build entire pages of article comments for the handful of common settings (view at +5, +4, +3, etc) gzip them up and store them in ram every 15-30 seconds and hugely reduce the cpu load on the server, minimize bandwidth consumption and keep the UI human-friendly.

      And if you wondering about my sig it is more about how some things now require javascript to get done on slashdot, there are no non-javascript alternatives. That's the kind of bad design that will chase off the most technical users.

      --
      When information is power, privacy is freedom.
    7. Re:Turn off javascript... by risk+one · · Score: 2, Insightful

      Or maybe most web programmers don't want to spend a lot of time and money supporting the 1% of users out there that don't have or disable JavaScript. I'm just sayin'.

      That's not really the point. Most websites are built on a lot of different client-side technologies. HTML, CSS, JavaScript, Flash, and god knows what else. And you're not implementing for just the few technologies you use, but for all four or five implementations of each technology by different major browsers. So if you use HTML/CSS/JavaScript and support the top five browsers, that that's fifteen implementations that can behave unexpectedly on your code. And that's just the ones you can test during development. In about a year ad a half, each of those browsers will have a new version out with new quirks and new unexpected behaviors.

      The best way to ensure that your code won't embarrass you, is to make sure it degrades gracefully. That if one of those elements fails, the site will still work, and work in a way that you can reasonably predict. That means starting with working HTML. Adding CSS, making sure it works and then adding javascript (or perhaps doing the JS first, if your site relies on it for a lot of things).

      If you start out coding JavaScript, the only way to be sure it keeps working is to test it every situation it might be used, and you can't test on browsers that haven't been released yet. That's why so many businesses are now stuck with IE6. Because the people that made their intranet software didn't feel like supporting some percentage of the market. It's not about support, it's about proper design.

    8. Re:Turn off javascript... by causality · · Score: 2, Insightful

      Whereas entitlement mentality regarding access to other people's content is fair game, right?

      Way to entirely miss the fact that I addressed this point. Really now, reading comprehension is important. You may laugh at me for saying that, but really it seems to be on the decline. I often feel on online forums, including those which are far less trollish than this one, that there are two versions of my posts: the one I actually wrote that says what it says and doesn't say what it doesn't say, and the fictitious one to which someone else is responding. Considering the quality of most public education, you were probably shortchanged in this department unless you enjoy reading on your own and can see it as a skill to be honed like any other. Unfortunately, few people are so actively and deliberately involved in their own advancement. If reading comprehension does not come easily for you, be assured that any reasonable effort necessary to achieve it is worthwhile.

      So, I did address the point. If you think I addressed this point in a faulty manner, feel free to explain where I erred and how my reasoning may be corrected. This is a concept known as constructive criticism, and its effects are twofold. First, it demonstrates that you really do have a superior point of view on which your objection is founded and that you are not just bitching, which is frankly what this looks like. Second, it shows why my view is inferior and needs to be abandoned and replaced by a better one, possibly yours.

      Pretending like I have not addressed this point, as you have done, only reveals a glaring weakness on your part. Such weaknesses are not found in people who have a solid foundation for their position. It's a shame to see such weakness from a person who could choose something better (that's you!).

      Should you decide that you have the decency and the fortitude to engage me on this subject, I'll help you out by revealing a premise behind my reasoning: I would never put content on the WWW, with no passwords or other restrictions, unless I wanted that content to be publically accessible by anyone who wants to download and view all or part of it in any way they please. To think otherwise is a total failure to understand the nature of the Internet. If the nature of the Internet doesn't suit me, including the freedom of users to control which content they download and how it is displayed, then it's my responsibility to find a medium which does suit me and publish my content there. It's quite simple.

      The mentality you just displayed is trivially deconstructed, as I have partially done here. It does concern me that individuals don't seem to put any effort into similarly evaluating their own ideas. You're probably just a troll, and don't think for a moment that this hasn't crossed my mind. I probably just wasted my time with you, and that's alright. I like the chance, however slim, that maybe you aren't and maybe I haven't. My bet is that I'll never see your response to this, but occasionally people do surprise me.

      --
      It is a miracle that curiosity survives formal education. - Einstein
  2. You can't be serious! by jeffliott · · Score: 4, Insightful

    I don't know anything about JavaScript or Firefox internals, but a public sounding central function call like "DOCUMENT.WRITE" having a length related buffer overflow is just unacceptable. This call is used all the time right? How could this be missed?

    1. Re:You can't be serious! by TopSpin · · Score: 2, Insightful

      This is my feeling as well. FYI: document.write is the JavaScript equivalent of write(2). It is used liberally in modern web content; I doubt there are any popular contemporary pages that don't use it.

      This code path should be impervious to any overflow exploit that might conceivably appear. Obviously document.write can and is used to exploit other more subtle flaws in a browser as it is capable of producing arbitrary document content, but that's not what we have here. Here we have long strings breaking document.write itself.

      Unacceptable. Fix it now. Sunday.

      --
      Lurking at the bottom of the gravity well, getting old
  3. Many eyes makes for secure code by nacturation · · Score: 3, Insightful

    Let's just hope that all those eyes are friendly. How many black hats are scouring the source code to generate exploits to sell underground? As quickly as Firefox releases patches, when these bugs aren't reported it's no better than a proprietary browser.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  4. Re:Just patch it and let's move on. by Anonymous Coward · · Score: 4, Insightful

    FTFA: The vulnerability was reported to SecurityFocus (BID 35707) on July 15.

    4 days > 24 hours.

  5. Expect to see much more of this in the future.. by ickleberry · · Score: 2, Insightful

    .. as the horrible language that is JavaScript is extended ever more to try and emulate real desktop applications (and more pervasive advertising).

    Mang, sometimes I wish I could still get by with a browser that doesn't support JS at all, but web devs insist on building websites that absolutely require JS. For example the free SMS service for my mobile phone network (Meteor) absolutely won't work with JS disabled.

    1. Re:Expect to see much more of this in the future.. by Anonymous Coward · · Score: 2, Insightful

      I don't know why you hate web applications so much but I agree that Javascript is a horrible language. The specification is gigantic and the language is overcomplicated.

      Lua makes a much better Javascript than Javascript. Small, lightweight and fast. Besides the syntax differences Lua is otherwise semantically very similar to Javascript except with a much better design... and Lua does it with a minuscule language syntax and VM.

    2. Re:Expect to see much more of this in the future.. by xlotlu · · Score: 3, Insightful

      Whoever modded the parent as troll is a moron. Offtopic maybe, but not troll. Go ahead and mod me down too.

      The parent is right. I've had my paranoid period and tried NoScript; the web was so damn broken, and clicking to allow JS over and over again turned so tiresome that I turned to everything whitelisted by default, and finally uninstalled NoScript after the AdBlock fiasco.

      About how bad of a language JavaScript is or isn't: I personally like it, though I'd prefer Lua, or say, Python; but JS is here to stay and it serves its purpose. Except that purpose isn't replacing HTML, or turning HTTP into something it was never meant to be. Back when I was coding JS, we were doing it to improve the user experience, not replace it altogether. Nowadays "web developers" use [insert random JS framework] for everything, but the problem is so, so many use it in braindead ways. You middle click on a thumbnail expecting to open the image in a new tab, but you just get the same page with a nice # added at the end. And then there's the idiots doing <a href="javascript:">, and the utter idiots with an attitude that do onclick="submit_something_via_post" and figure out they know better how the web is supposed to work... These are usually the same idiots that will do broken browser detection based on the User-Agent string, and usually fail miserably if your browser sends along "Gecko", but not "Firefox". Say, something like "Iceweasel". For a nice example of how far this stupidity goes, try browsing VIA's site.

      You want to use XHR when clicking on a link? Or submitting a form? That's all fine and dandy, but don't break the web. It's becoming more and more like flash, with the sole difference you can view-source.

      If you're building Google Docs or Meebo, all hail JavaScript. But for mostly everything else, lack of graceful degradation with JS disabled is pure idiocy. Not just because there's paranoid people browsing with JS disabled, but because there's blind people using the web, and people with antiquated handhelds, or simply stuck in a console trying to fix nvidia's latest fuck-up. Of course, it would take building the site / web app properly from the bottom up: HTML, server interaction, CSS, JavaScript. But the "developers" these day start with YUI or Dojo: some shiny animation is the end purpose in on itself, not an improvement to conveying information.

      By the way: did you try GMail with JS disabled? It works. It probably works in lynx too, since it works in elinks just fine. That's the way JS is supposed to be used.

      </rant>

  6. Re:Defective by design by Goaway · · Score: 4, Insightful

    http://slashdot.org/tags/defectivebydesign

    Some stories tagged "defectivebydesign" that are not at all related to DRM:

    "Critical Security Hole in Linux Wi-Fi"
    "Apple Issues Patches For 25 Security Holes"
    ""Very Severe Hole" In Vista UAC Design"
    "MS Responds To Vista's Network / Audio Problems"
    "Apple's IPhone 3G Firmware Update Bombs"
    "QuickTime .MOV + Toshiba + Vista = BSOD"
    "Vista Slow To Copy, Delete Files"
    "Vista Runs Out of Memory While Copying Files"
    "Mark Russinovich On Vista Network Slowdown"
    "Microsoft Knew About Xbox 360 Damaging Discs"
    "Vista Not Playing Nice With FPS Games"

    That's as far as I can be bothered to read. Go look at it yourself. That tag is cheerfully applied to many, many stories about Windows or Apple bugs.

  7. Re:Is That What's Crashing Xorg? by Norsefire · · Score: 2, Insightful

    So because Firefox was open when it crashed, Firefox must have caused it? Couldn't be that because most people have their browser open 99% of the time chances are that it will be open when something goes wrong?

  8. Re:Defective by design by causality · · Score: 4, Insightful

    Apparently some people missed the Defective by Design campaign and are completely unaware that it relates to DRM, not to arbitrary bugs.

    The primary difference being that bugs like this Firefox flaw are accidental and unintentional, whereas DRM is quite deliberate hence the "defective by design" nomenclature. That's such a sharp contrast, it's reasonable to assume that someone who fails to notice it is either speaking of what they know nothing about or purposely trolling. In other words, "highly advanced incompetence is indistinguishable from malice."

    There were two ideas mentioned by GP, which were the "defective by design" label and the security reputation of IE. It's useful to know where those perceptions come from whether or not you actually agree with them. I'll make a very simplified (and therefore imperfect) summary of what I perceive as their bases.

    The only reason why I see such a concept as "defective by design" applied to IE is a vague one. IE (and Microsoft in general) has something of a history of implementing ideas that were predictably unsound, the most notorious of which is probably ActiveX. That's mostly because ideas which are computationally sound are often orthogonal to ideas which are most easily marketed. True to the nature of a corporation, whenever these two are in conflict, the marketing concerns will win. This is where that perception of closed-source (that is, commercial) software that the GP mentioned comes from.

    ActiveX is running untrusted code from a hostile network with no sandboxing and with the full privileges of the user running the browser. Before a single line of code is ever written to implement this, you can predict in advance that this is an unsound idea which invites trouble. Microsoft wrote the code and implemented the idea anyway. IMO that was a deliberate business decision because they felt the marketing and promotion of $SHINY_FEATURE would gain them more than they would lose from the PR problems of security issues. Because of how ignorant the general public tends to be about computer security, such decision-making has been largely successful. In other words, the people at Microsoft are not a bunch of idiots who didn't know what they were dealing with. They knew and they made their decision. Still, it's better to call that "faulty design" and "poor priorities" than to hijack a very specific term like "defective by design."

    --
    It is a miracle that curiosity survives formal education. - Einstein
  9. Re:Defective by design by causality · · Score: 4, Insightful

    That's as far as I can be bothered to read. Go look at it yourself. That tag is cheerfully applied to many, many stories about Windows or Apple bugs.

    ... by people who fail to understand the difference between "design flaw" and "implementation flaw."

    A simple heuristic: if you can submit a well-written bug report and at least an attempt is made to fix the issue, it's probably not a design flaw.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  10. Re:Is That What's Crashing Xorg? by Anonymous Coward · · Score: 1, Insightful

    Couldn't be that because most people have their browser open 99% of the time chances are that it will be open when something goes wrong?

    Sure it COULD be coincidental. It COULD be caused by many things. But, it COULD also be Firefox. But wait! The blog post now confirms that it IS Firefox 3.5.x that is causing the Xorg crash.

    But, thanks for your fanboish attempt to distract from the matter at hand. Lord knows we wouldn't want the light shone on the reality of your pet project.

    The Captcha says "SOLVED". How does it know?

  11. Re:automate protection by aidan+folkes · · Score: 2, Insightful

    which would list something like
    javascript: unsafe
    java: safe
    flash: safe

    going outside: unsafe