| 2:04 pm on Nov 22, 2005 (gmt 0)|
That advisory hasn't been updated, but the same DOS can be replicated with Firefox 1.0.7 on Debian Linux, so it's bigger than MS or IE.
| 2:08 pm on Nov 22, 2005 (gmt 0)|
Firefox 1.5beta is reported to crash. So FF users should be safe if they update.
edit: and on Linux not just any code or program can be run for normal users
| 2:33 pm on Nov 22, 2005 (gmt 0)|
Folks can try the Proof of Concept here:
Windows XP, Firefox 1.0.7 - 100% CPU usage from first link.
| 2:52 pm on Nov 22, 2005 (gmt 0)|
Just tried FF 1.04 (XP) and FF simply locked up.
| 2:55 pm on Nov 22, 2005 (gmt 0)|
Same for my 1.5 beta. Had to terminate it.
| 3:51 pm on Nov 22, 2005 (gmt 0)|
I've only got IE6 at work so I won't try it ;)
| 4:35 pm on Nov 22, 2005 (gmt 0)|
When I tested it, Calc.exe did not open; therefore, in the absence of information to the contrary, I think Firefox is safe.
Without looking at the code, I imagine it is some sort of array-bound hack that is likely to be browser-specific and fairly easy to fix (unless your name is Microsoft).
| 4:38 pm on Nov 22, 2005 (gmt 0)|
Calc.exe doesn't open for me on Win XP SP2 with IE either; it just closes the browser with the "Send this error to MS?" popup - so there must be specific configuration variables that are prerequisites here.
| 8:27 pm on Nov 22, 2005 (gmt 0)|
| 8:49 pm on Nov 22, 2005 (gmt 0)|
From what I can see, SP2 doesn't correct the problem. MS has said they'll address the issue as part of their critical update process.
People who want to turn off IE active scripting as a preventative measure might find this useful: How to stop 'Active Scripting' [blogs.zdnet.com]. This will break some sites, although if you need to access the scripting they can be added to the Trusted list.
| 10:00 pm on Nov 22, 2005 (gmt 0)|
On my XP Pro with SP2:
* IE 6 : launches calc.exe, crashes IE
* FF 1.0.7: huge prompt, CPU runs at 100%
* Opera 8.5: no problems ;)
| 1:39 am on Nov 23, 2005 (gmt 0)|
I tried the exploit page with Konqueror 3.4.1 and nothing untoward happened at all - no lock up or even slowdown. I guess that means Konqueror is safe. :)
| 1:44 am on Nov 23, 2005 (gmt 0)|
Didn't have any problems with Opera
| 4:28 pm on Nov 23, 2005 (gmt 0)|
Firefox 1.07 100%
CPU usage goes up to 100%. Firefox becomes unusable (has to be restarted).
| 6:29 pm on Nov 23, 2005 (gmt 0)|
Same IE as mrMister, but I do have calc.exe open. (Win XP)
FF goes up to 50% CPU for me and becomes unusable.