Mozilla Firefox 1.0.7 DoS Exploit
An anonymous reader writes "Whitedust Security are reporting on a new exploit for Firefox which apparently affects all versions of the browser from 1.0.7 down. From the article: "If this exploit has made it out into, or indeed been retrieved from the wild is unknown at this time. However it is clear that this exploit will indeed need patching as soon as possible.""
Thunderbird also vulnerable (Score:4, Informative)
Re:Brilliant header! (Score:5, Informative)
milw0rm.com have released proof of concept code for a denial of service exploit which apparently affects all versions of the Mozilla Foundation's popular Firefox browser from version 1.0.7 downward.
Remember, on Slashdot always read the article, it is generally only a coincidence if the summary has any bearing on the actual linked text.
Tested the exploit (Score:4, Informative)
Apparently Firefox 1.0.7 on Linux is not affected. So not all versions of Firefox are affected.
Advisory: Install Linux, then restart your browser and have fun.
Exploit (Score:5, Informative)
<html><body><strong>Mozilla<sourcetext></body></html>
and it also makes Mozilla suite 1.7.12 hang.
The sourcetext tag is used when a parser error occurs; the Mozilla DOMParser will accept any string and always returns a valid XML DOM object, but in the case that the string was malformed, it returns something like this:
<parsererror xmlns="http://www.w3.org/1999/xhtml">XML Parsing Error: mismatched tag. Expected: </strong>. Location: file:///1253.html Line Number 3, Column 37:<sourcetext> (text here) </sourcetext></parsererror>
which you may have seen formatted before in a nice red-on-yellow page.
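The DOMParser behaviour described in the comment above (a malformed string still yields a "valid" document, with the error reported as a parsererror element) is the kind of thing that bites code which trusts the return value. The following is an added example, not code from the thread or from Mozilla: a wrapper that detects the parsererror element and throws instead of handing the caller an error document. The helper names parseXmlStrict and findParserError, and the injectable parser parameter used so the helper can be exercised outside a browser, are assumptions for illustration; in a page the default is the real DOMParser.

```javascript
// Added example (not from the original thread): a strict wrapper around the
// browser's DOMParser. parseFromString() never throws on malformed XML; it
// returns a document that carries a <parsererror> element in the XHTML
// namespace instead (Firefox makes it the document element, WebKit/Blink
// nest it under the partially parsed root; the Firefox of this thread's era
// also put the offending text in a <sourcetext> child). Code that treats the
// return value as "valid XML" without this check will walk a DOM built from
// attacker-controlled input as if parsing had succeeded.
const XHTML_NS = "http://www.w3.org/1999/xhtml";

// Return the first <parsererror> element in doc, or null when parsing succeeded.
// getElementsByTagNameNS() searches the whole tree, so both the Firefox
// (root) and WebKit/Blink (nested) placements are found.
function findParserError(doc) {
  const errs = doc.getElementsByTagNameNS(XHTML_NS, "parsererror");
  return errs.length > 0 ? errs[0] : null;
}

// Parse text as XML and throw instead of returning an error document.
// The parser argument exists so the helper can be exercised outside a browser
// (assumption for illustration); in a page it defaults to the real DOMParser.
function parseXmlStrict(text, parser = new DOMParser()) {
  const doc = parser.parseFromString(text, "application/xml");
  const err = findParserError(doc);
  if (err !== null) {
    // Collapse the multi-line "XML Parsing Error: ..." text into one line.
    const detail = (err.textContent || "").replace(/\s+/g, " ").trim();
    throw new SyntaxError("XML parse error: " + detail);
  }
  return doc;
}

// Usage in a browser:
//   const doc = parseXmlStrict("<root><item/></root>");   // returns the document
//   parseXmlStrict("<root><item></root>");                // throws SyntaxError
```

The check is deliberately namespace-qualified: a hostile document can itself contain an element literally named parsererror, but only the parser puts one in the XHTML namespace of an application/xml document, so matching on the namespace keeps the test from being spoofed in the other direction.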
PoC Code *is* in the wild (Score:5, Informative)
Danger Will Robinson, test your Firefox [thedarkcitadel.com]
Re:Brilliant header! (Score:3, Informative)
The patch seems to have been in the full article since conception, but apparently it hadn't passed down the line.
These exploits are dangerous, as many Slashdotters refuse to update their knowledge by reading the full article and not just the summary.
Who cares? (Score:5, Informative)
So clicking on a link can lock up the browser. So what?
How is this any different from this, which effectively locks up *all* current browsers?
<script>
while (true) {
    alert('Haha!');
}
</script>
This is hardly important. I don't see any way this can crash my machine or infect me with a trojan.
PS: if you want a fix for the above, vote for bug 61098 at bugzilla [mozilla.org].
Secunia says "Not Critical" (Score:1, Informative)
Re:Nomenclature... (Score:4, Informative)
Yes it is. If you did exactly the same thing to, say, apache or proftpd or mysql - don't crash the box, don't break the network, every other service runs normal - it would be a DoS. Calling this attack a DoS provides some very important information - it doesn't allow execution of arbitrary code, just locks up the browser. The only thing that's possibly unusual here is applying the term to a client rather than a server program, but a DoS is absolutely the correct term.
Re:Who cares? (Score:3, Informative)
It doesn't lock up Links (which has a lovely "kill script" button on any JavaScript dialog) and I'm told Opera will let you simply close the tab.
Re:But... (Score:3, Informative)
Although I agree that it's pretty trivial to update Firefox, some users don't notice the icon, or don't recognize what it does. If they RTFM or just hovered over it they would, but many don't. Another con is the fact that you have to download the full Firefox installer and run it all over again. That is not very friendly.
Thankfully, the Mozilla folks have recognized this and have improved the update system significantly in the upcoming Firefox 1.5. The update system downloads a patch, not the full installer, and installs it in the background. Then it just notifies the user that the new version will be installed when he restarts the browser. That way even the average Joe can stay updated.
Re:Not too big a deal (Score:3, Informative)
Someone was saying that you could crash by calling a 1,000,000x1,000,000 table. There must be some safeguards in browsers to protect against that kind of thing aside from failed memory allocation from the OS, otherwise it would be simple to bring a system to its knees (not that it's really that hard already).
Re:Brilliant header! (Score:3, Informative)
One of the approaches to finding buffer overflows in closed source software is to pump loads of data into the inputs until the app crashes, then work backwards by constructing a payload to see if one can get it to jump somewhere known.
Re:Exploit (Score:2, Informative)
I found and reported the browser-specific elements "parsererror" and "sourcetext" in September 2004: see mozbug 210658.
bugzilla.mozilla.org/show_bug.cgi?id=210658
You can see the browser-specific elements in a source diff:
bonsai.mozilla.org/cvsview2.cgi?diff_mode=context
Sadly, I don't believe this fix has been backported to Firefox 1.0.x.
- p
--
ps. my previous
http://it.slashdot.org/comments.pl?sid=68828&cid=
Re:Brilliant header! (Score:3, Informative)
<pedantry>
Well, strictly speaking, unless 1.5 has been explicitly modified with the intention of fixing this exploit, it's just that it doesn't work on 1.5. It's entirely possible that a change in 1.5 has prevented the exploit from working but, as it wasn't done as a fix, a further change in 1.5.n (or 1.n where n > 5) will allow the exploit to work again. In other words, there may be no fix to back port.
</pedantry>
Re:Not too big a deal (Score:4, Informative)
If you follow the README [steve.org.uk] URL, you'll notice that the bugs referenced were confirmed against 1.0.4 and older, but are all fixed in 1.0.7.
Try to keep the suppositions about Windows bugs to yourself unless you have even some inkling of understanding of the situation. It makes us all look bad.
RTFA (Score:3, Informative)
This discussion is not any different than it would be if it was about IE. There are always those saying "no big deal" about IE security flaws, and plenty of people screaming blood on this conversation. Maybe the balance is slightly altered because so many of us have been burned by IE though....
Having said that.... This is no big deal. Even TFA says "This is not an advisory, just a comment" indicating that the authors don't think it is a big deal either.
Re:Nomenclature... (Score:5, Informative)
ii) You can kill the browser and go to another web page. Hell, you can just start another instance of the web browser. Which must take all of three nanoseconds.
If you prevent login, or send a SYN flood that prevents http connections, you can't just restart the appropriate service. If you really can't see why causing a client to crash is different from preventing a server from functioning, I suggest you look in some elementary computer science textbooks.
I don't have any more time to explain the basics to fools.
Whitedust and DoS (Score:3, Informative)
This hardly counts as a DoS [wikipedia.org] attack in its traditional meaning. However it is an annoying bug. I am glad to read that it has been addressed in the latest beta.
What follows is probably an ad hominem [wikipedia.org] attack. Moderate accordingly.
I decided to spend a little time on the Whitedust [whitedust.net] site. The site is advertised as "The Leading Independent Security News Portal".
The site is run by a group of former crackers. Of course one has to wonder about their cracking, security, and business skills when:
In short, this web site has no redeeming value.