New Firefox Vulnerability Revealed

Not long after Firefox 3.5.1 was released to address a security issue, a new exploit has been found and a proof of concept has been posted. "The vulnerability is a remote stack-based buffer-overflow, triggered by sending an overly long string of Unicode data to the document.write method. If exploited, the resulting overflow could lead to code execution, or if the exploit attempts fail, a denial-of-service scenario." It's recommended that Firefox users disable Javascript until the issue is patched, though add-ons like NoScript should do the trick as well (unless a site on your whitelist becomes compromised).

Update: 07/20 00:09 GMT by KD : An anonymous reader informs us that the Mozilla security blog is indicating that this vulnerability is not exploitable; denial of service is as bad as it gets.

Turn off javascript...

[popo]

... and stop using all of your web-apps... sigh...

Re:Turn off javascript...

[Teckla]

Yeah, and half the websites out there will stop rendering then. Sadly, the vast majority of them don't need javascript to do their job, but such is the epic lame that is the average web programmer.

Or maybe most web programmers don't want to spend a lot of time and money supporting the 1% of users out there that don't have or disable JavaScript.

I'm just sayin'.

Re:Turn off javascript...

[causality]

I've disabled it today and some sites are now really much faster than usually.

I guess I really need to invest into configuring noscript.

NoScript + Adblock Plus + Adblock Plus Element Hiding Helper + the Easylist and EasyElement subscriptions for ABP = the Web as it was meant to be.

Advertising business models and entitlement mentalities (regarding ad revenue) be damned. If a Webmaster somewhere does not like that my computer is my property and will load only what I want it to load up, I recognize that their site is their property and I celebrate their right to deny me access to their site so I can find another.

You can't be serious!

[jeffliott]

I don't know anything about JavaScript or Firefox internals, but a public sounding central function call like "DOCUMENT.WRITE" having a length related buffer overflow is just unacceptable. This call is used all the time right? How could this be missed?

Re:Just patch it and let's move on.

FTFA: The vulnerability was reported to SecurityFocus (BID 35707) on July 15.

4 days > 24 hours.

Re:Defective by design

[Goaway]

http://slashdot.org/tags/defectivebydesign

Some stories tagged "defectivebydesign" that are not at all related to DRM:

"Critical Security Hole in Linux Wi-Fi"
"Apple Issues Patches For 25 Security Holes"
""Very Severe Hole" In Vista UAC Design"
"MS Responds To Vista's Network / Audio Problems"
"Apple's IPhone 3G Firmware Update Bombs"
"QuickTime .MOV + Toshiba + Vista = BSOD"
"Vista Slow To Copy, Delete Files"
"Vista Runs Out of Memory While Copying Files"
"Mark Russinovich On Vista Network Slowdown"
"Microsoft Knew About Xbox 360 Damaging Discs"
"Vista Not Playing Nice With FPS Games"

That's as far as I can be bothered to read. Go look at it yourself. That tag is cheerfully applied to many, many stories about Windows or Apple bugs.

Re:Defective by design

[causality]

Apparently some people missed the Defective by Design campaign and are completely unaware that it relates to DRM, not to arbitrary bugs.

The primary difference being that bugs like this Firefox flaw are accidental and unintentional, whereas DRM is quite deliberate hence the "defective by design" nomenclature. That's such a sharp contrast, it's reasonable to assume that someone who fails to notice it is either speaking of what they know nothing about or purposely trolling. In other words, "highly advanced incompetence is indistinguishable from malice."

There were two ideas mentioned by GP, which were the "defective by design" label and the security reputation of IE. It's useful to know where those perceptions come from whether or not you actually agree with them. I'll make a very simplified (and therefore imperfect) summary of what I perceive as their bases.

The only reason why I see such a concept as "defective by design" applied to IE is a vague one. IE (and Microsoft in general) has something of a history of implementing ideas that were predictably unsound, the most notorious of which is probably ActiveX. That's mostly because ideas which are computationally sound are often orthogonal to ideas which are most easily marketed. True to the nature of a corporation, whenever these two are in conflict, the marketing concerns will win. This is where that perception of closed-source (that is, commercial) software that the GP mentioned comes from.

ActiveX is running untrusted code from a hostile network with no sandboxing and with the full privileges of the user running the browser. Before a single line of code is ever written to implement this, you can predict in advance that this is an unsound idea which invites trouble. Microsoft wrote the code and implemented the idea anyway. IMO that was a deliberate business decision because they felt the marketing and promotion of $SHINY_FEATURE would gain them more than they would lose from the PR problems of security issues. Because of how ignorant the general public tends to be about computer security, such decision-making has been largely successful. In other words, the people at Microsoft are not a bunch of idiots who didn't know what they were dealing with. They knew and they made their decision. Still, it's better to call that "faulty design" and "poor priorities" than to hijack a very specific term like "defective by design."

Re:Defective by design

[causality]

That's as far as I can be bothered to read. Go look at it yourself. That tag is cheerfully applied to many, many stories about Windows or Apple bugs.

... by people who fail to understand the difference between "design flaw" and "implementation flaw."

A simple heuristic: if you can submit a well-written bug report and at least an attempt is made to fix the issue, it's probably not a design flaw.