
Mozilla Firefox 1.0.7 DoS Exploit 438

Posted by Hemos
from the to-be-confirmed-or-not-confirmed dept.
An anonymous reader writes "Whitedust Security are reporting on a new exploit for Firefox which apparently affects all versions of the browser from 1.0.7 down. From the article: "If this exploit has made it out into, or indeed been retrieved from the wild is unknown at this time. However it is clear that this exploit will indeed need patching as soon as possible.""

  • A 1.0.7 exploit that only affects everything below 1.0.7!
    • Re:Brilliant header! (Score:5, Informative)

      by Hey Pope Felcher . . (921019) on Monday October 17, 2005 @09:30AM (#13808615)
      . . . RTFA,

      milw0rm.com have released proof of concept code for a denial of service exploit which apparently affects all versions of the Mozilla Foundation's popular Firefox browser from version 1.0.7 downward.

      Remember, on Slashdot always read the article, it is generally only a coincidence if the summary has any bearing on the actual linked text.
      • Re:Brilliant header! (Score:2, Informative)

        by LnxAddct (679316)
        Regardless, this exploit doesn't affect 1.5, it's in beta but technically the exploit is already fixed... just needs to be back ported:)
        Regards,
        Steve
        • Re:Brilliant header! (Score:3, Informative)

          by NickFitz (5849)

          <pedantry>
          Well, strictly speaking, unless 1.5 has been explicitly modified with the intention of fixing this exploit, it's just that it doesn't work on 1.5. It's entirely possible that a change in 1.5 has prevented the exploit from working but, as it wasn't done as a fix, a further change in 1.5.n (or 1.n where n > 5) will allow the exploit to work again. In other words, there may be no fix to back port.
          </pedantry>

    • Re:Brilliant header! (Score:2, Informative)

      by ShadowFlyP (540489)
      TFA actually says that it affects 1.0.7 and everything downward. Running 1.0.7 here myself and the test exploit worked: locked Firefox right up.
  • totally off guard (Score:5, Informative)

    by Tufriast (824996) * on Monday October 17, 2005 @09:29AM (#13808600)
    I checked out the Mozilla site -- not a peep about it. I made a post there. I figure this one totally right hooked them. It's a pretty massive crash. Just makes the whole browser lock up. At least I know they'll fix it fast though...I think in 24 hours we'll see a turn around. Anyone try this with version 1.5?
    • Re:totally off guard (Score:5, Informative)

      by tbspit (460062) on Monday October 17, 2005 @09:30AM (#13808614) Homepage
      Version 1.5 is not affected.
    • Not too big a deal (Score:5, Insightful)

      by Dr. Evil (3501) on Monday October 17, 2005 @09:31AM (#13808624)

      There isn't much incentive for malicious people to crash people's browsers.

      The wording from the security company has me thinking they're just trying to make a name for themselves.

      • by Lucractius (649116)
        Malicious no... Devious yes...

        Suppose you have vested interests in Firefox not succeeding as a Web Browser and you hacked/setup some major site to lockup firefox and dramatically decrease the userbase over the course of a few hours...

    • The exploit doesn't crash v. 1.5. It just brings you to a screen that says "Mozilla" on the test page.
    • Re:totally off guard (Score:5, Informative)

      by mrgavins (49262) <[moc.prahsnivag] [ta] [todhsals]> on Monday October 17, 2005 @11:53AM (#13809591) Homepage
      Maybe because it's already fixed? Maybe because it's hardly a security issue? This is bugzilla bug 210658 [mozilla.org], it was filed in 2003, and fixed for 1.5 15 months later.
  • by Big Nothing (229456) <big.nothing@bigger.com> on Monday October 17, 2005 @09:29AM (#13808603)
    Mozilla Thunderbird 1.0.6 is also vulnerable.

  • by jkind (922585) on Monday October 17, 2005 @09:30AM (#13808609) Homepage
    Why are there so many nice hackers in the world? Willing to spend their time finding exploits, post them, and even a "safe" example. Do they take pride in helping the surfing community? Why don't they just hijack the world's browsers and make us choose between "Yes" and "Okay" on their PayPal deposit sites?
    Where are the evil hackers, or have they all converted, scared about stiff http://news.bbc.co.uk/1/hi/technology/4249780.stm [bbc.co.uk] penalties?
    • by FirienFirien (857374) on Monday October 17, 2005 @09:56AM (#13808808) Homepage
      Why are there so many nice hackers in the world? Because some people believe in things like morals and society? Because not everyone is corrupt? Apart from anything else there's always the chance that if someone is a 'nice' hacker then they can act as a model for others, and will get a little return on their investment of time by coming across a warning next time instead of a Yes/Okay dialog against them.

      People who don't want their friends/family affected, people who actually care about the world they live in. I'm surprised that you seem to believe that everyone would be malicious if they could.
    • by Iriel (810009) on Monday October 17, 2005 @10:03AM (#13808859) Homepage
      Honestly, the evil hackers got smarter. Not all of them mind you (most of the famed worming script-kiddies still get caught). But all those malevolent 'hackers' know that cracking the world's browsers is too easy to trace or not worth the effort to keep under the radar. You know all those "Prescriptlon RXc dirugs 4for l0w coest!" emails? That just came specially delivered to you courtesy of the former uber-hacker of unknowable enormity. They're even worse than telemarketers that scam the elderly, and they're hoping you're the next $50 bill in their offshore account.
    • Why are there so many nice hackers in the world? Willing to spend their time finding exploits, post them, and even a "safe" example. Do they take pride in helping the surfing community?

      Maybe some, but I suspect it has more to do with ego, pride, and vanity; the same reason virus authors do it. Hackers, good and bad, love showing and/or proving to the world how smart they are.

      I suspect a fair number of "white hats" also do it to try and get noticed, like high school athletes. Posting to a security mail

  • Very vague (Score:2, Funny)

    by fa_pa (868784)
    OMG there is an exploit for firefox but we don't know anything about it but it might be dangerous. i need to switch back to IE maybe...
    • by Agret (752467)
      Dangerous? It's a DoS exploit. It causes your browser to lock up. Nothing to see here, move along.
      • Is that what it does? When I went to the demo page, all I saw was a bolded <b>Mozilla</b>. I looked at the source and it appears to have something to do with <sourcetext> but it didn't do anything to my browser. I was disappointed; now I have no excuse to goof off while I'm supposed to be working :^(
    • yeah, WTF? (Score:5, Insightful)

      by subtropolis (748348) on Monday October 17, 2005 @09:50AM (#13808779)
      There's this exploit, see. Click here to try it. Go on, it's ok...

      I think the poll at the top of the page should ask, "Do you trust WhiteDust security?"

      Oh, wait - that's what the 'Test the exploit' link is for.

    • Re:Very vague (Score:3, Interesting)

      by goldspider (445116)
      Are you suggesting that vulnerabilities in Firefox and other popular OSS software aren't newsworthy? Or are you saying that such news should be actively suppressed for the sake of the 'movement'?
  • Nomenclature... (Score:5, Insightful)

    by gowen (141411) <gwowen@gmail.com> on Monday October 17, 2005 @09:31AM (#13808618) Homepage Journal
    How long has a webpage that makes a browser crash been called a "Denial Of Service Exploit".

    A browser that can be crashed is a very bad thing, but suggesting this is some sort of "Denial Of Service" attack, is just semantics. It doesn't crash the box, and it doesn't flood/break the network. Every other service on your machine runs as normal. That's not a Denial Of Service by the usual definition of the term.
    • Re:Nomenclature... (Score:2, Informative)

      by arkanes (521690)
      A Denial of Service attack denies you access to a service. It doesn't have to crash your box, or take it off the network. Anything that will hang or crash or flood a service (applications are services) is a DOS. They've been called that since before kiddies found out about pingflooding.
      • by khasim (1285) <brandioch.conner@gmail.com> on Monday October 17, 2005 @10:21AM (#13808974)
        Since you have to go to a specific web page, with a specific browser ... and the only thing that will happen is that your browser will crash ... is "attack" the correct term for this kind of behaviour?

        If you crash your car into a tree, did that tree "attack" you?

        If you crash your car when driving over ice, did that ice "attack" you?

        If you drive your car off a bridge and into a lake, did that lake "attack" you?

        Since you cannot use your car immediately after a crash, are trees considered a DoS exploit?
        • If you crash your car into a tree, did that tree "attack" you?

          If you crash your car when driving over ice, did that ice "attack" you?

          If you drive your car off a bridge and into a lake, did that lake "attack" you?


          Yes, yes and yes. At least that's what I'm telling my insurance company.
    • How long has a webpage that makes a browser crash been called a "Denial Of Service Exploit".

      Oddly enough, about the same length of time as has passed since Microsoft realised their stranglehold on web browsers was slipping.

      One day Redmond reformed the IE development team to try and stem the tide. The next, stories like this one started cropping up with penny-ante firefox exploits being made into front page news. Just as though crushing your browser was comparable in scale to rooting your network...

    • Re:Nomenclature... (Score:4, Informative)

      by m50d (797211) on Monday October 17, 2005 @09:58AM (#13808822) Homepage Journal
      A browser that can be crashed is a very bad thing, but suggesting this is some sort of "Denial Of Service" attack, is just semantics. It doesn't crash the box, and it doesn't flood/break the network. Every other service on your machine runs as normal. That's not a Denial Of Service by the usual definition of the term.

      Yes it is. If you did exactly the same thing to, say, apache or proftpd or mysql - don't crash the box, don't break the network, every other service runs normal - it would be a DoS. Calling this attack a DoS provides some very important information - it doesn't allow execution of arbitrary code, just locks up the browser. The only thing that's possibly unusual here is applying the term to a client rather than a server program, but a DoS is absolutely the correct term.

      • Re:Nomenclature... (Score:5, Insightful)

        by gowen (141411) <gwowen@gmail.com> on Monday October 17, 2005 @10:13AM (#13808917) Homepage Journal
        If you did exactly the same thing to, say, apache or proftpd or mysql
        They're all servers.

        Servers <=> Service <=> Denial Of Service.

        See how that works?
      • Apache, proftpd, and mysql are SERVERS and sending packets that kills server processes is properly called a DOS. Firefox is a CLIENT, sending data in response to a client request that causes the client to lock up is not a DOS.
    • You've already said it's semantics, anything that "denies" me access to my "services" is :. a Denial of Service. Thankfully I've got the IE7 Beta, and I don't think too many MSDN subscribers are rushing out to exploit it.
    • Re:Nomenclature... (Score:5, Insightful)

      by MightyYar (622222) on Monday October 17, 2005 @10:19AM (#13808949)
      Wow... what a big ball of... nothing. All they did was find some html that crashes Firefox. Big deal! Have you seen Bugzilla lately? Should I just start randomly submitting bugs from Bugzilla, start calling them DOS exploits, and make the front page of Slashdot?
    • This is a targeted DoS as it denies Firefox the ability to function. We're just conditioned to a DoS being a major outage type of event where all communication to or from a system on a network is blocked, while this specifically affects a single application's ability to communicate (so far).
  • Worm Code (Score:4, Funny)

    by Agret (752467) <alias...zero2097@@@gmail...com> on Monday October 17, 2005 @09:31AM (#13808623) Homepage Journal
    What follows is the source code made available on the site.

    Mozilla

    # milw0rm.com [2005-10-16]

    I have 1.0.7 and it caused me to crash :(
  • So... (Score:5, Insightful)

    by LiquidCoooled (634315) on Monday October 17, 2005 @09:31AM (#13808625) Homepage Journal
    This can freeze your browser.

    Where's the vulnerability? When does the spyware attack? Do I need to reinstall Windows?
    Should I buy a virus checker?

    Anyone stupid enough to host this "exploit" on their site are just dumb,
    "oooooh it makes your firefox freeze" BFD - stay away from dodgy parts of the net

    (goatse is a bigger "exploit" and generally leads to complete machine shutdown/restart as you attempt to hide it from your colleagues)
    • Anyone stupid enough to host this "exploit" on their site are just dumb,

      Not on their own site of course. But just imagine some Windows luser's wet dream comes true, and he finds a hole in some high profile Apache site. Just hax0r it, and put that sploit on every page of it, and then bam!

    • This can freeze your browser.

      It's as bad as Google Maps with far too many location tags and polygons.
    • Seriously, if you made a .Net web app, you can make it use so much resources that it will freeze your PC (your PC will use so much of the pagefile). IE will happily run this app without asking you, even after SP2. Anyone with Visual Studio and .Net can do this as well. Make an ASP.NET Web Application and have it create an array of a ton of strings. IE will take up all your resources.

      But this really isn't an exploit since it didn't really allow me to take any information or control of the PC. At worst

  • Tested the exploit (Score:4, Informative)

    by jurt1235 (834677) on Monday October 17, 2005 @09:33AM (#13808641) Homepage
    And after I clicked on it, nothing happened, the browser just said: mozilla

    Apparently firefox 1.0.7 on linux is not affected. So not all versions of firefox are affected.
    Advisory: Install linux, then restart your browser and have fun.
  • Exploit (Score:5, Informative)

    by Anonymous Coward on Monday October 17, 2005 @09:35AM (#13808659)
    The exploit is:

    <html><body><strong>Mozilla<sourcetext></body></ht ml>

    and it also makes Mozilla suite 1.7.12 hang.

    The sourcetext tag is used when a parser error occurs; the Mozilla DOMParser will accept any string and always returns a valid XML DOM object, but in the case that the string was malformed, it returns something like this:

    <parsererror xmlns="http://www.w3.org/1999/xhtml">XML Parsing Error: mismatched tag. Expected: </strong>. Location: file:///1253.html Line Number 3, Column 37:<sourcetext> (text here) </sourcetext></parsererror>

    which you may have seen formatted before in a nice red-on-yellow page.
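The behaviour described in the comment above (DOMParser never throws and reports malformed input as a `<parsererror>` document) means code that parses untrusted XML has to check for that report itself. The sketch below is an added example, not part of the original thread or of Mozilla's code; `parseXmlStrict`, `extractParserError` and `XmlParseError` are names made up here, and the parser is passed in so the check can also be exercised outside a browser.

```javascript
// Added example: fail-closed wrapper around DOMParser for untrusted XML.
// All function and class names here are hypothetical.

class XmlParseError extends Error {
  constructor(message, sourceText) {
    super(message);
    this.name = "XmlParseError";
    this.sourceText = sourceText; // offending input echoed back by the parser
  }
}

// Returns null for a clean parse, or { message, sourceText } when the
// returned document is (or contains) a <parsererror> report.
// Note: well-formed input that itself contains an element named
// "parsererror" is rejected too, which is the safe side for untrusted data.
function extractParserError(doc) {
  const root = doc.documentElement;
  let report = null;
  if (root && root.localName === "parsererror") {
    report = root; // the whole document was replaced by the report
  } else {
    const hits = doc.getElementsByTagName("parsererror");
    if (hits.length > 0) report = hits[0]; // report embedded in a partial tree
  }
  if (report === null) return null;

  const src = report.getElementsByTagName("sourcetext")[0];
  const sourceText = src ? src.textContent : "";
  const full = report.textContent || "";
  const message = (sourceText ? full.replace(sourceText, "") : full).trim();
  return { message, sourceText };
}

// Parse text as XML and throw instead of handing back an error document.
// In a browser the default parser is the built-in DOMParser.
function parseXmlStrict(text, parser = new DOMParser()) {
  const doc = parser.parseFromString(text, "application/xml");
  const err = extractParserError(doc);
  if (err !== null) throw new XmlParseError(err.message, err.sourceText);
  return doc;
}
```
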
  • OMG, this is bad! (Score:5, Insightful)

    by ArsenneLupin (766289) on Monday October 17, 2005 @09:35AM (#13808660)
    Almost as bad (and scaringly simple) as the <form><input type crash></form> sploit for Internet Exploder.

    I guess I'll just stick with Konqueror.

  • by OverlordQ (264228) on Monday October 17, 2005 @09:35AM (#13808663) Journal
    Despite the article summary if you click through and read it you'd find that there is code out there.

    Danger Will Robinson test your firefox [thedarkcitadel.com] Danger Will Robinson
  • Mozilla too.. (Score:3, Interesting)

    by Dynamoo (527749) * on Monday October 17, 2005 @09:43AM (#13808724) Homepage
    It also locks up Mozilla 1.7.8, so I guess it will also do the same to Netscape 8 if using the Firefox renderer.

    There's not much to it though:

    <!--
    posidron@tripbit.net

    Vulnerable: Mozilla Firefox <= 1.0.7
    Mozilla Thunderbird <= 1.0.6
    -->

    <html><body><strong>Mozilla<sourcetext></body></ht ml>

    Ah well, not much harm done. Of course, there's nothing to stop Microsoft putting it into MSN deliberately to break the browser, in much the same way they tried to nobble Opera [slashdot.org] some months back.

  • Who cares? (Score:5, Informative)

    by brunes69 (86786) <slashdot AT keirstead DOT org> on Monday October 17, 2005 @09:43AM (#13808726) Homepage

    So clicking on a link can lock up the browser. So what?

    How is this any different from this, which effectively locks up *all* current browsers?

    <script>
    while(true){
    alert('Haha!');
    }
    </script>

    This is hardly important. I don't see any way this can crash my machine or infect me with a trojan.

    PS if you want a fix for the above vote for bug 61098 at bugzilla [mozilla.org].

    • Re:Who cares? (Score:3, Informative)

      by m50d (797211)
      How is this any different from this, which effectively locks up *all* current browsers?

      It doesn't lock up links (which has a lovely "kill script" button on any javascript dialog) and I'm told opera will let you simply close the tab.

  • by putko (753330) on Monday October 17, 2005 @09:49AM (#13808766) Homepage Journal
    Here's the exploit:
    <html><body><strong>Mozilla<sourcetext></body></ht ml>
    Note: that last thing really is "html", but I think slashcode rewrites it.

    Any ideas as to what is going wrong?
  • by courtarro (786894) on Monday October 17, 2005 @09:56AM (#13808807) Homepage
    It's hardly news to be able to DoS a browser. I DoS both FF and IE regularly while working on DHTML scripts, often when I use a debugging "alert" in the wrong place. Try this one and see how much farther you get during your morning browsing:

    <html>
    <body onmousemove="while(1) alert('ooooh');">
    &nbsp;
    </body>
    </html>

    Watch out before you run it! You wouldn't want to lose that Xanga post you've been working on.
  • by CNeb96 (60366) on Monday October 17, 2005 @10:02AM (#13808849)
    This crasher bug has no effect on my post 1.5 beta 2 version of firefox on Linux. Gecko/20051017. A new crasher bug is also not news. There are hundreds of ways to crash mozilla. Let's face it, most browsers aren't at a state to jump every time there is a new bug to crash or "DOS Them" as the article states. Just another security site trying to make themselves look good at a product's expense. How much money does it cause companies like the Mozilla Organization to release a new version of their browser, just to put an end to the bad press of a so called "exploit"?
  • by Douglas Simmons (628988) on Monday October 17, 2005 @10:11AM (#13808905) Homepage
    Unless somehow this is truly "in the wild" sasser style, which I highly doubt, I'm more inclined to piss and moan for a fix for all these firefox process running away and ram leaking like ... the levees. But I guess that's just not as sexy a thing to get everyone all freaked out over. Or maybe I'm the only one opening up over a hundred tabs on my pr0n hunts.

    And let's suppose it is in the wild and to get infected I don't have to go to some Russian site selling stolen credit cards. Can anyone see how that could be possible? You'd have to go to a site knowingly and maliciously designed to exploit this, right?

  • Security Bug (Score:5, Insightful)

    by digitalgimpus (468277) on Monday October 17, 2005 @10:52AM (#13809148) Homepage
    Ok, this isn't really a security bug. It's a crasher. If this is a security bug, so is this one [mozilla.org] (you'll likely need to cp/paste into new window to open) that I discovered a few years ago.

    IMHO "security" bugs are for ones that have an impact on "security". If it doesn't fit that criteria, it's not a security issue.

    A JS permissions exploit would be a security bug. So would the IDN issues, and buffer overflows...

    but a crasher? I think that's pushing the benchmark. It's not really a DoS... it's a crash/hang.

    It would be a security issue if say, it caused 911 to become unavailable, or killed US Radar systems... but not for crashing a web browser.

    I think people have been pushing for a while in hopes of getting new security bugs. And that's all products, not just Moz. There are legitimate security bugs, but I don't think this qualifies. IMHO you need to be able to do something that violates security to be a security issue.
  • by bcmm (768152) on Monday October 17, 2005 @11:07AM (#13809251)
    No remote execution or personal data being revealed, it just hangs the browser. It doesn't even seem to slow down the rest of the system, it just makes Firefox unresponsive. So?

    It's easy to do that to almost any browser. Loading a lot of really big images will crash Firefox when it runs out of memory, and has the side-effect of slowing the rest of the system (or probably crashing it if it's based on windows 9x).

    The "exploit's" entire HTML source reads like this:
    <html><body><strong>Mozilla<sourcetext></body></ht ml>

    It's clearly a silly bug, but I feel that saying "it is clear that this exploit will indeed need patching as soon as possible" is excessive hype. This is not a security issue. This is part of the known problem that Firefox is not very tolerant of buggy code, which is a general serious issue that does need fixing.

    I wonder if this is a Gecko bug? An email version of this for Thunderbird would be very annoying.

  • by feepness (543479) on Monday October 17, 2005 @11:24AM (#13809373) Homepage
    When will they wake up and stop releasing buggy software.

    I will not have any of their software on my computer. I ONLY use Microsoft products.
  • Hmmm.. security? (Score:5, Interesting)

    by pavera (320634) on Monday October 17, 2005 @11:34AM (#13809461) Homepage Journal
    OK, the IE fanboys are really stretching now. If crashing the browser is an "exploit" then that opens a whole new avenue of attack on IE. IE crashes like this (for me) far more often than firefox, and firefox crashes just about every time I visit a site with really involved flash or those really annoying smiley face banner ads (those are firefox killers).

    ctrl+alt+del kill process is a good workaround for this "extremely dangerous" exploit. Again if this is a security vulnerability, then flash is the greatest hacking tool against firefox. Java is probably the greatest hacking tool against IE.

    People are just really desperate for Firefox to have more bugs than IE. Thanks for finding some code that should probably be cleaned up, but crashing the browser is not in any way violating the security of the system on which the browser is running.
       
  • Whitedust and DoS (Score:3, Informative)

    by thetoastman (747937) on Monday October 17, 2005 @02:02PM (#13810558)

    This hardly counts as a DoS [wikipedia.org] attack in its traditional meaning. However it is an annoying bug. I am glad to read that it has been addressed in the latest beta.

    What follows is probably an ad hominem [wikipedia.org] attack. Moderate accordingly.

    I decided to spend a little time on the Whitedust [whitedust.net] site. The site is advertised as "The Leading Independent Security News Portal".

    The site is run by a group of former crackers. Of course one has to wonder about their cracking, security, and business skills when:

    • They advertise their many connections within the underground hacker scene
    • They leave the administrative link to their PHP web site in the footer of every page
    • Their business writing would fail my mom's 7th grade remedial English class

    In short this web site has no redeeming value.
