Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Another Denial of Service Bug Found in Firefox 2

Posted by samzenpus on Thu Nov 02, 2006 02:05 AM
from the be-more-secure dept.
Security Mozilla The Internet IT
An anonymous reader writes "A second security flaw that could cause the new Firefox 2 browser to crash has been publicly disclosed. The vulnerability lies in the way the open-source browser handles JavaScript code. Viewing a rigged Web page will cause the browser to exit, a representative for Mozilla, the publisher of the software, said Wednesday. Contrary to claims on security mailing lists, the bug cannot be exploited to run arbitrary code on a PC running Firefox 2, the representative said. This flaw in the JavaScript Range object is different than the denial-of-service vulnerability in Firefox 2 that was confirmed by Mozilla last week. That bug is related to a more serious security hole, which was fixed in earlier versions of Firefox, the organization has said. The two 'crashers' are the only publicly released vulnerabilities that have been confirmed by Mozilla in the week since Firefox 2 was launched. The issues are only minor, the organization has said."
+ -
story

Related Stories

[+] IT: Firefox Zero-Day Code Execution Hoax? 215 comments
Akon writes, "eWeek is running a follow-up story on the claim by two hackers that Firefox's implementation of JavaScript is critically flawed and could result in code-execution attacks. Turns out this is a possible hoax that was overblown for laughs." Mozilla's engineers say the risk is limited to a denial-of-service issue. From the article: "'As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has... I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code,' Spiegelmock said." Spiegelmock also stated that the claim that there were 30 other undisclosed exploits was made solely by his co-presenter, Andrew Wbeelsoi.
[+] Nine Reasons To Skip Firefox 2.0 606 comments
grandgator writes, "Hyped by a good deal of fanfare, outfitted with some new features, and now available for download, Firefox 2.0 has already passed 2 million downloads in less than 24 hours. However, a growing number of users are reporting bugs, widening memory leaks, unexpected instability, poor compatibility, and an overall experience that is inferior to that offered by prior versions of the browser. Expanding on these ideas, this list compiles nine reasons why it might be a good idea to stick with 1.5 until the debut of 3.0, skipping the "poorly badged" 2.0 release completely." OK, maybe it's 10 reasons. An anonymous reader writes, "SecurityFocus reports an unpatched highly critical vulnerability in Firefox 2.0. This defect has been known since June 2006 but no patch has yet been made available. The developers claimed to have fixed the problem in 1.5.0.5 according to Secunia, but the problem still exists in 2.0 according to SecurityFocus (and I have witnessed the crash personally). If security is the main reason users should switch to Firefox, how do we explain known vulnerabilities remaining unpatched across major releases?"
Update: 10/30 12:57 GMT by KD : Jesse Ruderman wrote in with this correction. "The article claims that Firefox 2 shipped with a known security hole This is incorrect; the hole is fixed in both Firefox 1.5.0.7 and Firefox 2. The source of the confusion is that the original version of this report demonstrated two crash bugs, one of which was a security hole and the other of which was just a too-much-recursion crash. The security hole has been fixed but we're still trying to figure out the best way to fix the too-much-recursion crash. The report has been updated to clear up the confusion."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Another Denial of Service Bug Found in Firefox 2 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Old times (Score:5, Insightful)

    by managementboy (223451) on Thursday November 02 2006, @02:10AM (#16685441) Homepage
    It used to be that if one an application crashed and it was called just that: it crashed. Today its a DOS attack! Imagine how many DOS my old Windows 3.11 had... come to think of it, it only had one DOS.

    We present "DOS reloaded"!
    • If you read the article, Microsoft is calling one of their's a design decision. I love those undocumented features...

    • Re:Old times (Score:5, Insightful)

      by cperciva (102828) on Thursday November 02 2006, @02:52AM (#16685651) Homepage
      It used to be that if one an application crashed and it was called just that: it crashed. Today its a DOS attack!

      Not necessarily. Application-crashing bugs are Denial of Service bugs if they can be triggered remotely.

      There's a fundamental difference between "I can make my copy of FireFox crash" and "I can make your copy of FireFox crash".
      • It is, but it seems that the term is broadly. In many cases, the term DOS was often used as a term to describe an attack which would render an entire system inoperable. That is to say, when I heard it used in this context, I expected that it would crash the browser, and lock or disable the OS. As it is, it's still an annoying bug, but having to simply restart the browser hardly seems as serious as a full-out machine crash.

      • Re:Old times (Score:4, Insightful)

        by jesser (77961) on Thursday November 02 2006, @04:49AM (#16686109) Homepage Journal
        More to the point, there's a fundamental difference between "I can make your copy of Firefox crash when you visit my site" and "I can make your copy of Apache crash".

        Crash bugs in client software such as web browsers are "crashes", not "DoS vulnerabilities".

  • Install (Score:2, Informative)

    by ms1234 (211056)
    You could install NoScript addon... Great utility :)
  • I remember reading about the memory leak. While others see this as a "failure" of the browser, I see it as increasing the odds that the browser exits and frees up your memory. I mean, how hard is it to re-open a browser?
    • ``I remember reading about the memory leak. While others see this as a "failure" of the browser, I see it as increasing the odds that the browser exits and frees up your memory.''

      You mean like garbage collection? I seem to recall that one McCarthy, in the late 1950s, came up with an algorithm that does that _without_ requiring the program to be restarted. Perhaps the FF2 team could look into that.
  • How slashdotters start pointing and laughing when there's a IE exploit, doesn't matter how big or small, and always the "workaround" is looked at as unacceptable.

    When it's about Firefox, they immediatly relativate it and minimalize it. "Oh, just install noscript", "tis just a small exploit", "well, why not restart your browser? If it crashes, so what? Why don't you click the icon again? You lazy bastard!"...

    I even read some comments, in reply that there's said IE 7 feels better then FF 2.0, that the fa
    • ``For me, Firefox 2.0 is worthless; bloathed, crashes constantly, and is just not workable anymore. I've been using Firefox from the very start, but Firefox 2.0 make me switch to Opera.''

      And for those of you wishing to stick with open source software, there's Konqueror. Compared to Firefox, it runs faster, uses way less memory, and several of the new features in Firefox 2 (like an integrated spell checker) have been available for ages. I can't comment on the stability, as neither Firefox (1; I haven't ran 2
    • I already ditched FF2 and went back to the previous version.

      What is up with the developer team? Were they just so horny to get a "2.0" out before the end of the year that it was "ok" to release this thing?

      You are right, there is a double standard. MS is an easy target as negative comments are expected and encouraged by the moderation system here.

      Firefox is no longer Firefox most of us want. Sorry, its nearing the point where we will need to clamour for that slim browser that we had when Firefox first cam

    • Re: (Score:3, Insightful)

      by snero3 (610114)

      Personally I think the comments you are referring to come from a number of different factors

      1. Microsoft is often not the one to admit the security flaw. Where as Mozilla/firefox community is.
      2. Often Microsoft will denie the flaw pointed out in point number 1
      3. There have been numerous occurrences where an IE bug has allowed a whole PC to be taken over from bug that either MS denies exists or is very slow to patch. Holes like that in firefox generally get patched well before it is public knowledge.
      4. for
    • What are these "slashdotters" that think and act as one?

      Perhaps you should use :

      Whenever I read a discussion, there is usually some group of posters that play down an issue, some who play it up and those that use it as a platform for discussion of wider issues. Often those who shout the loudest have the least to say.

    • Re: (Score:3, Interesting)

      by molnarcs (675885)
      Agreed. I don't have a problem with the interface, but I can't imagine how shoddy the coding must be seeing the resources it needs to run. For older machines (I have to maintain a few in a comp lab) FF simply doesn't work, while Opera has no problems on the same machines (this are limited functionality FreeBSD boxes with fluxbox and a simplified menu). You won't notice how heavy Firefox is on relatively modern hardware, but as you go down to a PII (and to 64Mb RAM) - you'll find that Opera works fine, while
    • It achieves a sort of sacred status in which people engage in flat-out denial that there are issues because they put too much blind faith in the development process behind it. They will tell you that the only real way of proving anything is the scientific method and then turn around and say they have complete faith that this is the year of Linux on the desktop. This is the primary reason why this site is not considered respectable among some IT professionals: it thrives only on fanboys and huge amounts of b
      • I find it strange that there are so many people who all have different experiences with FF. For me it just works, regardless of which version it is, and regarless of the OS I run it on (Windows, Linux, or OS X).

        Nice sig, BTW

  • There's a browser safer than Firefox... (Score:4, Interesting)

    by Giorgio Maone (913745) on Thursday November 02 2006, @04:52AM (#16686135) Homepage

    ... it is Firefox with NoScript [noscript.net] :)

    I wrote this Firefox add-on just after one of these disclosures, because the majority of the browser vulnerabilities was JavaScript related, and the suggested work-around was always "turn off JavaScript".

    Disabling JavaScript as a whole seemed quite an impractical advice to me in this AJAXified Web 2.0: I thought that maintaining a white-list of trusted sites allowed to run JavaScript and keeping all the unknown web content "static" until I decided otherwise was a still safe but more convenient approach.

    Since then I've been browsing the web with my shields up (NoScript can block also Java, Flash and other plugins [noscript.net]), but I allow on the fly with one click, either temporarily or permanently, those sites which I trust and which do need dynamic client side technologies to work properly. To my surprise in 1 year and half I found few sites belonging to this category, because most places I usually browse are well designed enough to work with plain XHTML/CSS and nothing else (like Slashdot itself).

    Notice: Firefox is a very safe browser because its vulnerabilities gets patched very quickly, once they're found by developers. I'm a Firefox contributor myself, and I'm very proud of the quality of the Mozilla developers community. NoScript [noscript.net], though, provides some extra protection even against those JavaScript/Java related vulnerabilities which have not been found yet...

    • I'll just add my 0.02 Euros by saying that domain-specific JavaScript settings are available in Konqueror, too (I don't know since which version, but 3.5.2 has them). It also has domain-specific settings for Java, images, and cookies.
    • Thanks man! I just started using it recently. You have to get used to it, but I really like it! Especially that if you allow a site to run javascript, no external javascript from, say, advertizers get run :) Very cool add-on!
  • The title reads " Another Denial of Service Bug Found in Firefox 2" but the summary says "... the bug cannot be exploited to run arbitrary code on a PC running Firefox 2, the representative said. This flaw in the JavaScript Range object is different from the denial-of-service vulnerability in Firefox 2 that was confirmed by Mozilla last week."

    So which do I trust? There's no way in hell I'm gonna actually read the article!
    • There's no contradiction between the sentences you pasted. It's entirely possible that there are two (or more) "denial of service" bugs (bugs that can't be exploited to run arbitrary code, but do make your browser crash/exit) in Firefox 2.
      • Yeah but the summary refers to two bugs, a bug announced last week which is a DOS bug and a bug announced this week which isn't. The title says that there are more than one DOS bugs in Firefox. I presumed that the bug announced this week was also a DOS bug but it isn't. Tis a but confusing. It looks like Slashdot's reporting on the week-old bug.

  • Third d.o.s. attack affects ALL BROWSERS! (Score:4, Funny)

    by suv4x4 (956391) on Thursday November 02 2006, @06:17AM (#16686543)
    Immediately stop using Internet if you're using one of those browsers:

    IE
    Firefox
    Safari
    Konqueror .. ..

    A new denial of service attack was discovered floating in the cyberspace, that can render any browser inoperable, and it has to be forcefully crashed and reopened. The signature of the exploit was reported to be:

    while(true) alert('Hahaha, suckers!');

    People are advised to immediately move to Lynx: the only browser known to be immune to this attack.

  • Issue shrinking (TM) technology (Score:3, Funny)

    by suv4x4 (956391) on Thursday November 02 2006, @06:23AM (#16686571)
    The two "crashers" are the only publicly released vulnerabilities that have been confirmed by Mozilla in the week since Firefox 2 was launched. The issues are only minor, the organization has said...

    They also added, that the reason the issues are minor, is because Firefox 1.5x and later releases of the popular Mozilla browser feature a special "issue shrinking" technology, patent pending, where no matter what happens, the issue becomes small.

    This is opposition to Microsoft, which appears to ship all their products with "issue expanding" FUD generator technology, now considered by many specialists as obsolete, where never mind what's the trouble, it's blown out of proportions, and brings chaos and despair among geeky web users.
  • If you go search Firefox's bug database for bugs with the "crash" and "testcase" keywords at any time, you'll find dozens of known crash bugs. I imagine it's the same for any other major browser. Meanwhile, very few sites intentionally crash web browsers. It makes more sense for developers to focus on lowering the average time between crashes (by fixing the most common crashes), or on fixing actual security holes, than to focus on squashing the largest number of crash bugs.

    Why are CNet and Slashdot so in
  • With a tremendous amount of code there is bound to be bugs. The difference between Firefox and IE will be what the Firefox team does about the bugs, and how serious they are. If the Firefox team doesn't handle the bugs well and the bugs are "serious", Firefox might be, *gasp*, put in the same bucket as IE! I'll still use it though..
  • So, what, is it a link like <a href="javascript:window.close()">Click Here for Money!!!</a> that causes this "DOS"?

    • Re:LOL IE Users! (Score:4, Insightful)

      by Mikachu (972457) <mikazuchi@@@gmail...com> on Thursday November 02 2006, @02:32AM (#16685571) Homepage
      Except let's see how long it takes for the Firefox team to patch up these flaws as opposed to IE.
      • It doesn't matter how long.

        I'm sure Microsoft will still get hammered even if it issues 0-day patches.
        • Of course they will - there shouldn't have been a problem in the first place, rolling out patches is a pain, "what about the ones they've not told us about?", etc.

          Make no mistake, a lot of people on here aren't so much pro-OSS as they are anti-MS.

          (Disclaimer: I have not and never will use IE as my primary browser)

          • Make no mistake, a lot of people on here aren't so much pro-OSS as they are anti-MS.

            Of course. Remember that many of the PC hobbyists on this site predate the general acceptance of the FOSS movement, and that many of us remember Microsoft from their DOS and Win 3.1 days as well as their more recent attempts at world domination.

            After 20 years of dealing with that company, one tends to develop well-entrenched opinions about the quality of their software and the ethics (or lack thereof) behind Microsoft

      • Re: (Score:3, Interesting)

        by paul248 (536459)
        I filed a bug for another DoS over a year ago and they still haven't fixed it:

        Crash Firefox [purdue.edu]

        The insta-crash only seems to work on Linux though.
        • Was that link supposed to crash my firefox? Nothing happened using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061025 BonEcho/2.0 (mmoy CE K8C-X01)...

        • Firefox 2.0 on Linux - yup, it crashes. Even worse the session save feature causes it to crash when it starts up next time. I had to hand-edit sessionsaver.js to stop it reopening the URL.

          Rich.

        • Actually, I have no problem bashing FF either. I'm fair about it.

          1. Is it a security hole or a just bug?
          2. Likelihood of encountering bug
          3. Overall effect of the bug
          4. Time it takes to actually patch bug (ie no turn-off workarounds)

          If it's just a bug that takes a specially coded web site to just crash my browser, I'm not too worried.

          Security flaws or common crashes will get me annoyed.
        • In the end it doesn't really matter. /. posters are a small but vocal fringe group who more likely than not will have no measurable effect on the browser market. The true test is what the public at large thinks, and they seem to think that Microsoft is relatively good at what they do, but the more tech-savy among the general population has found that Firefox has a better feature set. A couple bugs on either side aren't going to sway a bunch of people one way or another, because bugs "Just Happen". It's an a
        • Are you kidding? Internet Explorer has so many DoS/crash bugs, I don't think a new one would ever make Slashdot - it's just not news anymore (take a look at the Browser Fun blog for some examples, though it's out of date by now). Konqueror has a few too (take MangleMe to it and you'll see what I mean), and I bet Safari and Opera do as well. [blogspot.com]
    • Since when has a crashing browser been a security problem?
      Back when mozilla was young, certain sites would make it regularly crash. I just didn't go back to those sites. The browser was still far superior to IE, which drives me nuts if I have to use it.

      • Interesting you say that, the Gentoo Linux Firefox ebuild (package) maintainers recently added a "restrict-javascript" USE flag (install option) which installs the NoScript extension system wide (for all users).
    • Bart,

      Your website acts a bit strange on FF 2.0. Pictures on the text. Take a look at it, it doesn't come over very professionally this way.

      Moderators, please mod me down OT.
    • If I can interrupt your usage of a particular program remotely, it IS a denial of service attack. I am denying you the ability to use a service.

      DoS does not always involve botnets, although they are one way to bring a service down.

    • Re: (Score:3, Insightful)

      by Ash-Fox (726320)

      I'm a Opera user

      Good for you

      and i keep wondering why do ppl adamently use a software which keeps crashing

      Firefox v2 has only crashed once on me, when I tried to get it to crash on that bug. It's never crashed otherwise.

      yet they find a reason to either bash it (IE) or support it (FF fanboys) saying there is such and such workarounds.

      Well, the fact they suggest workarounds is a good thing in my opinion. It's good that there are workarounds.

      Why don't ppl switch to the browser with fewest bugs/security holes.

    • FF is. That makes it much more apealing to people technically inclined.
      • Interestingly, your blog crashes Konqueror on my machine. Repeatedly.
        Does not crash Konqueror 3.5.5 using KDE 3.5.5 here.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.