Welcome to WebmasterWorld Guest from 54.198.222.129

Forum Moderators: incrediBILL

Message Too Old, No Replies

First Vulnerability for Firefox 1.5 (released version) Announced - PoC

     
9:11 pm on Dec 8, 2005 (gmt 0)

10+ Year Member



Packetstorm Security has released proof of concept code that causes a buffer overflow and denial of service on the Firefox browser. Long and short of it is, history.dat stores various pieces of information on websites you've visited.
9:39 pm on Dec 8, 2005 (gmt 0)

10+ Year Member



Gut feeling says this'll turn into a code execution exploit.

*sigh*

Response time for this kind of flaw is generally pretty good, but I feel the Fx dev's have quite a lot to learn when it comes to distributing fixes. Let's hope the new update system in 1.5 works as it's supposed to.

12:31 am on Dec 9, 2005 (gmt 0)

10+ Year Member



[packetstormsecurity.org...]

And the interesting part will start now: how long before this will be fixed?

1:09 am on Dec 9, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm having trouble understanding the chatter among the developers at Firefox/Mozilla but it goes something like this.

1) The demonstrated code from packetstorm does NOT crash FF or exploit vulnerability as claimed. It only slows FF down but it would require an incredibly large download to make this happen (assuming it's even possible).

2) There is some question as to whether this 'vulnerability' actually exists. Some can't even reproduce the problem. Others are questioning if this is even a Firefox bug. (This is the part I had the most trouble understanding the back and forth between developers).

3) There is one easy workaround that a user can do to disable the potential problem, if it really exists. There are two working patches for the slowing down bug already submitted as of noon 12/8 (today).

1:12 am on Dec 9, 2005 (gmt 0)

10+ Year Member



The demonstrated code from packetstorm does NOT crash FF

Worked for me ;)

(Well not strictly a crash, but I was unable to view web pages with it, DoS is a better name I spose ;))

1:29 am on Dec 9, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



More from CNET:

In fact, from packetstorm themselves: "Ullrich, however, said while the potential may exist, it has not been proven either way that malicious code could be executed."

And, from Firefox: "Mozilla Foundation, which released Firefox, said it was not able to confirm the browser would crash or be at risk of a DOS attack, after visiting certain Web sites. And Mozilla has not received any reports from users of such a problem..."

3:18 am on Dec 9, 2005 (gmt 0)

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Not a vulnerability at all, just a simple bug which could make
Firefox crash. The announcement seems to be riding on the hype over the FF1.5 release more than anything - there is very little substance to the claims.
12:40 pm on Dec 10, 2005 (gmt 0)

10+ Year Member



Here's the Mozilla response on the subject:

[mozilla.org...]

Assuming, as they say, that there's no crash as originally claimed, then this isn't going to be an issue.

 

Featured Threads

Hot Threads This Week

Hot Threads This Month