| 9:39 pm on Dec 8, 2005 (gmt 0)|
Gut feeling says this'll turn into a code execution exploit.
Response time for this kind of flaw is generally pretty good, but I feel the Fx dev's have quite a lot to learn when it comes to distributing fixes. Let's hope the new update system in 1.5 works as it's supposed to.
| 12:31 am on Dec 9, 2005 (gmt 0)|
And the interesting part will start now: how long before this will be fixed?
| 1:09 am on Dec 9, 2005 (gmt 0)|
I'm having trouble understanding the chatter among the developers at Firefox/Mozilla but it goes something like this.
1) The demonstrated code from packetstorm does NOT crash FF or exploit vulnerability as claimed. It only slows FF down but it would require an incredibly large download to make this happen (assuming it's even possible).
2) There is some question as to whether this 'vulnerability' actually exists. Some can't even reproduce the problem. Others are questioning if this is even a Firefox bug. (This is the part I had the most trouble understanding the back and forth between developers).
3) There is one easy workaround that a user can do to disable the potential problem, if it really exists. There are two working patches for the slowing down bug already submitted as of noon 12/8 (today).
| 1:12 am on Dec 9, 2005 (gmt 0)|
|The demonstrated code from packetstorm does NOT crash FF |
Worked for me ;)
(Well not strictly a crash, but I was unable to view web pages with it, DoS is a better name I spose ;))
| 1:29 am on Dec 9, 2005 (gmt 0)|
More from CNET:
In fact, from packetstorm themselves: "Ullrich, however, said while the potential may exist, it has not been proven either way that malicious code could be executed."
And, from Firefox: "Mozilla Foundation, which released Firefox, said it was not able to confirm the browser would crash or be at risk of a DOS attack, after visiting certain Web sites. And Mozilla has not received any reports from users of such a problem..."
| 3:18 am on Dec 9, 2005 (gmt 0)|
Not a vulnerability at all, just a simple bug which could make
Firefox crash. The announcement seems to be riding on the hype over the FF1.5 release more than anything - there is very little substance to the claims.
| 12:40 pm on Dec 10, 2005 (gmt 0)|
Here's the Mozilla response on the subject:
Assuming, as they say, that there's no crash as originally claimed, then this isn't going to be an issue.