homepage Welcome to WebmasterWorld Guest from 54.197.183.230
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Home / Forums Index / Browsers / Firefox Browser Usage and Support
Forum Library, Charter, Moderators: incrediBILL

Firefox Browser Usage and Support Forum

    
First Vulnerability for Firefox 1.5 (released version) Announced - PoC
kahuna

10+ Year Member



 
Msg#: 49 posted 9:11 pm on Dec 8, 2005 (gmt 0)

Packetstorm Security has released proof of concept code that causes a buffer overflow and denial of service on the Firefox browser. Long and short of it is, history.dat stores various pieces of information on websites you've visited.

 

asquithea

10+ Year Member



 
Msg#: 49 posted 9:39 pm on Dec 8, 2005 (gmt 0)

Gut feeling says this'll turn into a code execution exploit.

*sigh*

Response time for this kind of flaw is generally pretty good, but I feel the Fx dev's have quite a lot to learn when it comes to distributing fixes. Let's hope the new update system in 1.5 works as it's supposed to.

koen

5+ Year Member



 
Msg#: 49 posted 12:31 am on Dec 9, 2005 (gmt 0)

[packetstormsecurity.org...]

And the interesting part will start now: how long before this will be fixed?

drhowarddrfine

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 49 posted 1:09 am on Dec 9, 2005 (gmt 0)

I'm having trouble understanding the chatter among the developers at Firefox/Mozilla but it goes something like this.

1) The demonstrated code from packetstorm does NOT crash FF or exploit vulnerability as claimed. It only slows FF down but it would require an incredibly large download to make this happen (assuming it's even possible).

2) There is some question as to whether this 'vulnerability' actually exists. Some can't even reproduce the problem. Others are questioning if this is even a Firefox bug. (This is the part I had the most trouble understanding the back and forth between developers).

3) There is one easy workaround that a user can do to disable the potential problem, if it really exists. There are two working patches for the slowing down bug already submitted as of noon 12/8 (today).

pixel_juice

10+ Year Member



 
Msg#: 49 posted 1:12 am on Dec 9, 2005 (gmt 0)

The demonstrated code from packetstorm does NOT crash FF

Worked for me ;)

(Well not strictly a crash, but I was unable to view web pages with it, DoS is a better name I spose ;))

drhowarddrfine

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 49 posted 1:29 am on Dec 9, 2005 (gmt 0)

More from CNET:

In fact, from packetstorm themselves: "Ullrich, however, said while the potential may exist, it has not been proven either way that malicious code could be executed."

And, from Firefox: "Mozilla Foundation, which released Firefox, said it was not able to confirm the browser would crash or be at risk of a DOS attack, after visiting certain Web sites. And Mozilla has not received any reports from users of such a problem..."

encyclo

WebmasterWorld Senior Member encyclo us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 49 posted 3:18 am on Dec 9, 2005 (gmt 0)

Not a vulnerability at all, just a simple bug which could make
Firefox crash. The announcement seems to be riding on the hype over the FF1.5 release more than anything - there is very little substance to the claims.

asquithea

10+ Year Member



 
Msg#: 49 posted 12:40 pm on Dec 10, 2005 (gmt 0)

Here's the Mozilla response on the subject:

[mozilla.org...]

Assuming, as they say, that there's no crash as originally claimed, then this isn't going to be an issue.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Browsers / Firefox Browser Usage and Support
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved