Mozilla Firefox 1.0.7 DoS Exploit
An anonymous reader writes "Whitedust Security are reporting on a new exploit for Firefox which apparently affects all versions of the browser from 1.0.7 down. From the article: "If this exploit has made it out into, or indeed been retrieved from the wild is unknown at this time. However it is clear that this exploit will indeed need patching as soon as possible.""
Re:Brilliant header! (Score:5, Informative)
milw0rm.com have released proof of concept code for a denial of service exploit which apparently affects all versions of the Mozilla Foundation's popular Firefox browser from version 1.0.7 downward.
Remember, on Slashdot always read the article, it is generally only a coincidence if the summary has any bearing on the actual linked text.
Re:Brilliant header! (Score:2, Informative)
Regards,
Steve
Re:Brilliant header! (Score:3, Informative)
<pedantry>
Well, strictly speaking, unless 1.5 has been explicitly modified with the intention of fixing this exploit, it's just that it doesn't work on 1.5. It's entirely possible that a change in 1.5 has prevented the exploit from working but, as it wasn't done as a fix, a further change in 1.5.n (or 1.n where n > 5) will allow the exploit to work again. In other words, there may be no fix to back port.
</pedantry>
Re:Brilliant header! (Score:3, Informative)
The patch seems to have been in the full article since conception, but apparently it hadn't passed down the line.
These exploits are dangerous as many Slashdotters refuse to update their knowledge by reading the full article and not just the summary.
Re:Brilliant header! (Score:3, Informative)
One of the approaches to finding buffer overflows in closed-source software is to pump loads of data into the inputs until the app crashes, then work backwards by constructing a payload to see if one can get it to jump somewhere known.
Re:totally off guard (Score:5, Funny)
Don't worry about it guys. I sent Microsoft an Error Report so I'm sure they'll get right on the problem as well.
Re:totally off guard (Score:3, Interesting)
Fortunately it didn't. Though I suppose if you set firefox.exe's priority to Realtime first...
Nah. This is one of those exercises I'm leaving to the reader
Not too big a deal (Score:5, Insightful)
There isn't much incentive for malicious people to crash people's browsers.
The wording from the security company has me thinking they're just trying to make a name for themselves.
Re:Not too big a deal (Score:3, Interesting)
Suppose you have vested interests in Firefox not succeeding as a web browser and you hacked/set up some major site to lock up Firefox and dramatically decrease the user base over the course of a few hours...
Re:Not too big a deal (Score:5, Insightful)
Not necessarily.
I reported some DOS bugs against firefox which will kill a browser by essentially saying:
The browser dies. Probably because it attempts to either a) allocate all the system's memory and the kernel kills it, or b) at some point memory allocation fails and the program terminates.
Not all crashes are buffer overflows, or exploitable.
Re:Not too big a deal (Score:3, Informative)
Someone was saying that you could crash by calling a 1,000,000x1,000,000 table. There must be some safeguards in browsers to protect against that kind of thing aside from failed memory allocation from the OS, otherwise it would be simple to bring a system to its knees (not that it's really that hard already).
Re:Not too big a deal (Score:4, Informative)
If you follow the README [steve.org.uk] URL, you'll notice that the bugs referenced were confirmed against 1.0.4 and older, but are all fixed in 1.0.7.
Try to keep the suppositions about Windows bugs to yourself unless you have even some inkling of understanding of the situation. It makes us all look bad.
Re:Not too big a deal (Score:2)
I reported some DOS bugs against firefox . . .
None of those pages crashed my browser (Windows XP, Firefox 1.0.6). Were those for older versions of Firefox?
Re:Not too big a deal (Score:3, Funny)
I didn't know there's a DOS port of Firefox.
RTFA (Score:3, Informative)
This discussion is not any different than it would be if it was about IE. There are always those saying "no big deal" about IE security flaws, and plenty of people screaming blood on this conversation. Maybe the balance is slightly altered because so many of us have been burned by IE though....
Having said that.... This is no big deal. Even TFA says "This is not an advisory, just a comment" indicating that the authors don't think it is
Re:But... (Score:3, Informative)
Although I agree that it's pretty trivial to update Firefox, some users don't notice the icon, or don't recognize what it does. If they RTFM or just hovered over it they would, but many don't. Another con is the fact that you have to download the full Firefox installer and run it all over again. That is not very friendly.
Thankfully, the Mozilla folks have recognized this a
How come there are so many nice hackers? (Score:5, Funny)
Where are the evil hackers, or have they all converted, scared about stiff http://news.bbc.co.uk/1/hi/technology/4249780.stm [bbc.co.uk] penalties?
Re:How come there are so many nice hackers? (Score:5, Insightful)
People who don't want their friends/family affected, people who actually care about the world they live in. I'm surprised that you seem to believe that everyone would be malicious if they could.
Re:How come there are so many nice hackers? (Score:2)
Maybe some, but I suspect it has more to do with ego, pride, and vanity; the same reason virus authors do it. Hackers, good and bad, love showing and/or proving to the world how smart they are.
I suspect a fair number of "white hats" also do it to try and get noticed, like high school athletes. Posting to a security mail
yeah, WTF? (Score:5, Insightful)
I think the poll at the top of the page should ask, "Do you trust WhiteDust security?"
Oh, wait - that's what the 'Test the exploit' link is for.
Re:Very vague (Score:2, Interesting)
A good hosts [wikipedia.org] file can fix that, no matter what browser or OS you're running.
(I'm in the mood to be helpful today instead of giving my usual serving of sarcastic remarks. God knows why.)
Nomenclature... (Score:5, Insightful)
A browser that can be crashed is a very bad thing, but suggesting this is some sort of "Denial Of Service" attack, is just semantics. It doesn't crash the box, and it doesn't flood/break the network. Every other service on your machine runs as normal. That's not a Denial Of Service by the usual definition of the term.
The operative word is "attack". (Score:5, Insightful)
If you crash your car into a tree, did that tree "attack" you?
If you crash your car when driving over ice, did that ice "attack" you?
If you drive your car off a bridge and into a lake, did that lake "attack" you?
Since you cannot use your car immediately after a crash, are trees considered a DoS exploit?
Re:The operative word is "attack". (Score:3, Funny)
If you crash your car when driving over ice, did that ice "attack" you?
If you drive your car off a bridge and into a lake, did that lake "attack" you?
Yes, yes and yes. At least that's what I'm telling my insurance company.
Re:Nomenclature... (Score:2)
"A denial-of-service attack (also, DoS attack) is an attack on a computer system or network that causes a loss of service to users"
Well, this seems to be an attack that causes a loss of the Firefox service to the user using it. Anything else?
Re:Nomenclature... (Score:2, Troll)
Oddly enough, about the same length of time as has passed since Microsoft realised their stranglehold on web browsers was slipping.
One day Redmond reformed the IE development team to try and stem the tide. The next, stories like this one started cropping up with penny-ante Firefox exploits being made into front page news. Just as though crashing your browser was comparable in scale to rooting your network...
Re:Nomenclature... (Score:4, Informative)
Yes it is. If you did exactly the same thing to, say, apache or proftpd or mysql - don't crash the box, don't break the network, every other service runs normally - it would be a DoS. Calling this attack a DoS provides some very important information - it doesn't allow execution of arbitrary code, just locks up the browser. The only thing that's possibly unusual here is applying the term to a client rather than a server program, but a DoS is absolutely the correct term.
Re:Nomenclature... (Score:5, Insightful)
Servers <=> Service <=> Denial Of Service.
See how that works?
Re:Nomenclature... (Score:5, Informative)
ii) You can kill the browser and go to another web page. Hell, you can just start another instance of the web browser. Which must take all of three nanoseconds.
If you prevent login, or send a SYN flood that prevents http connections, you can't just restart the appropriate service. If you really can't see why causing a client to crash is different from preventing a server from functioning, I suggest you look in some elementary computer science textbooks.
I don't have any more time to explain the basics to fools.
Worm Code (Score:4, Funny)
Mozilla
# milw0rm.com [2005-10-16]
I have 1.0.7 and it caused me to crash
So... (Score:5, Insightful)
Where's the vulnerability? When does the spyware attack? Do I need to reinstall Windows?
Should I buy a virus checker?
Anyone stupid enough to host this "exploit" on their site is just dumb,
"oooooh it makes your firefox freeze" BFD - stay away from dodgy parts of the net
(goatse is a bigger "exploit" and generally leads to complete machine shutdown/restart as you attempt to hide it from your colleagues)
Re:So... (Score:2)
Not on their own site of course. But just imagine some Windows luser's wet dream comes true, and he finds a hole in some high profile Apache site. Just hax0r it, and put that sploit on every page of it, and then bam!
Re:So... (Score:2)
It's as bad as Google Maps with far too many location tags and polygons.
Re:So... (Score:2)
But this really isn't an exploit since it didn't really allow me to take any information or control of the PC. At worst
Tested the exploit (Score:4, Informative)
Apparently Firefox 1.0.7 on Linux is not affected. So not all versions of Firefox are affected.
Advisory: Install linux, then restart your browser and have fun.
Re:Tested the exploit (Score:3, Interesting)
hmm
Exploit (Score:5, Informative)
<html><body><strong>Mozilla<sourcetext></body></h
and it also makes Mozilla suite 1.7.12 hang.
The sourcetext tag is used when a parser error occurs; the Mozilla DOMParser will accept any string and always returns a valid XML DOM object, but in the case that the string was malformed, it returns something like this:
<parsererror xmlns="http://www.w3.org/1999/xhtml">XML Parsing Error: mismatched tag. Expected: </strong>. Location: file:///1253.html Line Number 3, Column 37:<sourcetext> (text here) </sourcetext></parsererror>
which you may have seen formatted before in a nice red-on-yellow page.
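As an added, defender-side illustration of the parsererror convention described in the comment above (example code written for this page, not the poster's or Mozilla's): a strict XML parser rejects the quoted markup outright, whereas a consumer of DOMParser output has to look for the parsererror element itself, because that parser hands back a document either way. The sample strings are constructed from the markup quoted in the thread.

```python
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"
PARSERERROR_TAG = "{%s}parsererror" % XHTML_NS
SOURCETEXT_TAG = "{%s}sourcetext" % XHTML_NS

# Constructed sample: the markup quoted in the thread (not well-formed XML;
# <strong> and <sourcetext> are never closed before </body>).
POC_MARKUP = "<html><body><strong>Mozilla<sourcetext></body></h"

# Constructed sample modelled on the parsererror document quoted above:
# the kind of "document" a tolerant parser returns instead of raising.
PARSERERROR_DOC = (
    '<parsererror xmlns="http://www.w3.org/1999/xhtml">'
    "XML Parsing Error: mismatched tag. Expected: &lt;/strong&gt;. "
    "Location: file:///1253.html Line Number 3, Column 37:"
    "<sourcetext>&lt;strong&gt;Mozilla&lt;sourcetext&gt;</sourcetext>"
    "</parsererror>"
)


def strict_parse(markup):
    """Parse with a strict XML parser.

    Returns (root, None) on success or (None, error_text) on failure,
    so the caller never receives a document for malformed input.
    """
    try:
        return ET.fromstring(markup), None
    except ET.ParseError as exc:
        return None, str(exc)


def find_parsererror(doc_xml):
    """Inspect the serialized result of a tolerant (DOMParser-style) parse.

    Returns None if no parsererror element is present, otherwise a dict
    with the error message and the offending source text, namespace-aware
    so a plain <parsererror> in the document's own vocabulary is not
    mistaken for the parser's error report.
    """
    root = ET.fromstring(doc_xml)
    node = root if root.tag == PARSERERROR_TAG else root.find(".//" + PARSERERROR_TAG)
    if node is None:
        return None
    src = node.find(SOURCETEXT_TAG)
    return {
        "message": (node.text or "").strip(),
        "sourcetext": (src.text or "") if src is not None else "",
    }


if __name__ == "__main__":
    print(strict_parse(POC_MARKUP))
    print(find_parsererror(PARSERERROR_DOC))
```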
OMG, this is bad! (Score:5, Insightful)
I guess I'll just stick with Konqueror.
PoC Code *is* in the wild (Score:5, Informative)
Danger Will Robinson test your firefox [thedarkcitadel.com] Danger Will Robinson
Re:PoC Code *is* in the wild (Score:2)
http://www.thedarkcitadel.com/~ovrlrdq/firefox.ht
teach me to use preview to check the bold but not the url.
Mozilla too.. (Score:3, Interesting)
There's not much to it though:
Ah well, not much harm done. Of course, there's nothing to stop Microsoft putting it into MSN deliberately to break the browser, in much the same way they tried to nobble Opera [slashdot.org] some months back.
Oooh, evil idea! (Score:2)
Who cares? (Score:5, Informative)
So clicking on a link can lock up the browser. So what?
How is this any different from this, which effectively locks up *all* current browsers?
<script>
while(true){
alert('Haha!');
}
</script>
This is hardly important. I don't see any way this can crash my machine or infect me with a trojan.
PS if you want a fix for the above vote for bug 61098 at bugzilla [mozilla.org].
Re:Who cares? (Score:3, Informative)
It doesn't lock up links (which has a lovely "kill script" button on any javascript dialog) and I'm told Opera will let you simply close the tab.
Here is the exploit (the text of the html) (Score:5, Interesting)
Any ideas as to what is going wrong?
Re:Here is the exploit (the text of the html) (Score:3, Interesting)
You can also use italic in place of strong (and probably some other things too, but I haven't exhaustively tested them...)
You can also encrypt the whole thing as a JavaScript and have it dynamically decrypted by a JavaScript and printed out to the Web Browser as mentioned here: http://justfriends4n0w.blogspot.com/ [blogspot.com]
A browser DoS? (Score:4, Funny)
<html>
<body onmousemove="while(1) alert('ooooh');">
</body>
</html>
Watch out before you run it! You wouldn't want to lose that Xanga post you've been working on.
how's this possible (Score:5, Insightful)
And let's suppose it is in the wild and to get infected I don't have to go to some Russian site selling stolen credit cards. Can anyone see how that could be possible? You'd have to go to a site knowingly and maliciously designed to exploit this, right?
Security Bug (Score:5, Insightful)
IMHO "security" bugs are for ones that have an impact on "security". If it doesn't fit that criterion, it's not a security issue.
A JS permissions exploit would be a security bug. So would the IDN issues, and buffer overflows...
but a crasher? I think that's pushing the benchmark. It's not really a DoS... it's a crash/hang.
It would be a security issue if say, it caused 911 to become unavailable, or killed US Radar systems... but not for crashing a web browser.
I think people have been pushing for a while in hopes of getting new security bugs. And that's all products, not just Moz. There are legitimate security bugs, but I don't think this qualifies. IMHO you need to be able to do something that violates security to be a security issue.
Um, DOS is not that serious (Score:3, Insightful)
It's easy to do that to almost any browser. Loading a lot of really big images will crash Firefox when it runs out of memory, and has the side-effect of slowing the rest of the system (or probably crashing it if it's based on Windows 9x).
The "exploit's" entire HTML source reads like this:
<html><body><strong>Mozilla<sourcetext></body></h
It's clearly a silly bug, but I feel that saying "it is clear that this exploit will indeed need patching as soon as possible" is excessive hype. This is not a security issue. This is part of the known problem that Firefox is not very tolerant of buggy code, which is a general serious issue that does need fixing.
I wonder if this is a Gecko bug? An email version of this for Thunderbird would be very annoying.
Mo$illa is evil... (Score:5, Funny)
I will not have any of their software on my computer. I ONLY use Microsoft products.
Hmmm.. security? (Score:5, Interesting)
Ctrl+Alt+Del kill process is a good workaround for this "extremely dangerous" exploit. Again if this is a security vulnerability, then Flash is the greatest hacking tool against Firefox. Java is probably the greatest hacking tool against IE.
People are just really desperate for Firefox to have more bugs than IE. Thanks for finding some code that should probably be cleaned up, but crashing the browser is not in any way violating the security of the system on which the browser is running.
Whitedust and DoS (Score:3, Informative)
This hardly counts as a DoS [wikipedia.org] attack in its traditional meaning. However it is an annoying bug. I am glad to read that it has been addressed in the latest beta.
What follows is probably an ad hominem [wikipedia.org] attack. Moderate accordingly.
I decided to spend a little time on the Whitedust [whitedust.net] site. The site is advertised as "The Leading Independent Security News Portal".
The site is run by a group of former crackers. Of course one has to wonder about their cracking, security, and business skills when:
In short this web site has no redeeming value.
Re:Blame the hacker culture (-1, opposes groupthin (Score:3, Insightful)
I think you meant "less than," rather than "greater than".
Re:Topic title is confusing (Score:2)
Nah, parent just made the stupid mistake of assuming the submitter would actually RTFA before writing his summary, or the even stupider mistake of thinking the editor might actually check the facts before posting the story.
Re:How come... (Score:3, Funny)
You got it all wrong. That particular problem has more to do with Athlon processors than with Internet Exploder.
Re:How come... (Score:2, Insightful)
Also, FF is being developed by people who aren't getting paid (well, most aren't) for their service compared to Microsoft, a multi-billion dollar corporation which has had 10 years to try and get the bugs out of their product.
Re:How come... (Score:2, Insightful)
We cannot use this as an excuse in the open-source community; it's very dangerous. When you are trying to convince the general population that FF is superior to IE and can be successful in an enterprise environment, which is generally the goal, you can't consider the two to be on equ
Re:How come... (Score:3, Insightful)
That does not matter in the least. As a user deciding which software to use I don't care how it was developed in the least. What I care about is what I get for my money. FOSS software has no more of an excuse for bugs and exploits than proprietary.
And I say that as one of the mentioned
Re:How come... (Score:2)
Why not offer equal critiques, and understanding, for any product regardless
Because IE has more exploits. At least, that's what they told me the last 100 times Mozilla/Firefox exploits were reported.
Re:How come... (Score:3, Funny)
[about slashdot's 'failure' to treat MS and FOSS screw-ups with equal equanimity] Why not offer equal critiques, and understanding, for any product regardless.
It has taken more than a decade of loathsome business practices, corrupt corporate ethics, and abusively bad coding practices for Microsoft to earn the unique status it holds on Slashdot and other fora where people who've been in the business for a while congregate. Would you deny Microsoft the community recognition it has strived so hard for so lo
Re:Whoop-d-doo (Score:2)
If it wasn't for AdBlock, I'd switch to Opera in an instant.
Fix (Score:3, Insightful)
If you didn't know this I guess the joke is on you. Welcome to Russia.
Re:Run this through the /. filter... (Score:3, Insightful)
2. Story is posted on Slashdot.
3. People rightly comment on it.
Show me the stories of bugs that simply crash IE. Really. I'm curious. Because there are literally hundreds of ways to crash IE with a malformed webpage. These don't make it as Slashdot stories. Pretty much the only vulnerabilities in MS software posted here are ones that allow an attacker to actually DO SOMETHING NASTY.
Contras