And the interesting part will start now: how long before this will be fixed?
1) The demonstrated code from packetstorm does NOT crash FF or exploit the vulnerability as claimed. It only slows FF down, and it would require an incredibly large download to make even that happen (assuming it's possible at all).
2) There is some question as to whether this 'vulnerability' actually exists. Some can't even reproduce the problem. Others are questioning whether this is even a Firefox bug. (This is the part where I had the most trouble following the back and forth between the developers.)
3) There is one easy workaround that a user can apply to disable the potential problem, if it really exists. There are already two working patches for the slowdown bug submitted as of noon 12/8 (today).
In fact, from packetstorm themselves: "Ullrich, however, said while the potential may exist, it has not been proven either way that malicious code could be executed."
And, from Firefox: "Mozilla Foundation, which released Firefox, said it was not able to confirm the browser would crash or be at risk of a DOS attack, after visiting certain Web sites. And Mozilla has not received any reports from users of such a problem..."
[mozilla.org...]
Assuming, as they say, that there's no crash as originally claimed, then this isn't going to be an issue.