Another Denial of Service Bug Found in Firefox 2

Posted by samzenpus on Thu Nov 02, 2006 02:05 AM
from the be-more-secure dept.
An anonymous reader writes "A second security flaw that could cause the new Firefox 2 browser to crash has been publicly disclosed. The vulnerability lies in the way the open-source browser handles JavaScript code. Viewing a rigged Web page will cause the browser to exit, a representative for Mozilla, the publisher of the software, said Wednesday. Contrary to claims on security mailing lists, the bug cannot be exploited to run arbitrary code on a PC running Firefox 2, the representative said. This flaw in the JavaScript Range object is different than the denial-of-service vulnerability in Firefox 2 that was confirmed by Mozilla last week. That bug is related to a more serious security hole, which was fixed in earlier versions of Firefox, the organization has said. The two 'crashers' are the only publicly released vulnerabilities that have been confirmed by Mozilla in the week since Firefox 2 was launched. The issues are only minor, the organization has said."

Related Stories

[+] Firefox Zero-Day Code Execution Hoax? 215 comments
Akon writes, "eWeek is running a follow-up story on the claim by two hackers that Firefox's implementation of JavaScript is critically flawed and could result in code-execution attacks. Turns out this is a possible hoax that was overblown for laughs." Mozilla's engineers say the risk is limited to a denial-of-service issue. From the article: "'As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has... I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code,' Spiegelmock said." Spiegelmock also stated that the claim that there were 30 other undisclosed exploits was made solely by his co-presenter, Andrew Wbeelsoi.
[+] Nine Reasons To Skip Firefox 2.0 606 comments
grandgator writes, "Hyped by a good deal of fanfare, outfitted with some new features, and now available for download, Firefox 2.0 has already passed 2 million downloads in less than 24 hours. However, a growing number of users are reporting bugs, widening memory leaks, unexpected instability, poor compatibility, and an overall experience that is inferior to that offered by prior versions of the browser. Expanding on these ideas, this list compiles nine reasons why it might be a good idea to stick with 1.5 until the debut of 3.0, skipping the "poorly badged" 2.0 release completely." OK, maybe it's 10 reasons. An anonymous reader writes, "SecurityFocus reports an unpatched highly critical vulnerability in Firefox 2.0. This defect has been known since June 2006 but no patch has yet been made available. The developers claimed to have fixed the problem in 1.5.0.5 according to Secunia, but the problem still exists in 2.0 according to SecurityFocus (and I have witnessed the crash personally). If security is the main reason users should switch to Firefox, how do we explain known vulnerabilities remaining unpatched across major releases?"
Update: 10/30 12:57 GMT by KD : Jesse Ruderman wrote in with this correction. "The article claims that Firefox 2 shipped with a known security hole. This is incorrect; the hole is fixed in both Firefox 1.5.0.7 and Firefox 2. The source of the confusion is that the original version of this report demonstrated two crash bugs, one of which was a security hole and the other of which was just a too-much-recursion crash. The security hole has been fixed but we're still trying to figure out the best way to fix the too-much-recursion crash. The report has been updated to clear up the confusion."
  • Old times (Score:5, Insightful)

    by managementboy (223451) on Thursday November 02 2006, @02:10AM (#16685441)
    (http://www.slashdot.org/)
    It used to be that if an application crashed, it was called just that: it crashed. Today it's a DOS attack! Imagine how many DOS my old Windows 3.11 had... come to think of it, it only had one DOS.

    We present "DOS reloaded"!
    • Re:Old times (Score:5, Insightful)

      by cperciva (102828) on Thursday November 02 2006, @02:52AM (#16685651)
      (http://www.daemonology.net/)
      It used to be that if an application crashed, it was called just that: it crashed. Today it's a DOS attack!

      Not necessarily. Application-crashing bugs are Denial of Service bugs if they can be triggered remotely.

      There's a fundamental difference between "I can make my copy of Firefox crash" and "I can make your copy of Firefox crash".
  • firefox 2 (Score:1)

    by tedmg09130913 (635019) on Thursday November 02 2006, @02:11AM (#16685445)
    Is anyone else thinking that running firefox 2 with noscript installed means this vulnerability is no big deal?
  • by cucucu (953756) on Thursday November 02 2006, @02:28AM (#16685533)
    It also has a beginner's privacy bug: (full disclosure: my blog) http://tech-dissect.blogspot.com/2006/10/firefox-privacy-bug.html [blogspot.com].
    In short: Ctrl-Shift-Del doesn't delete everything you expect it to delete, your browse history can still be recovered.
  • I want a refund! (Score:1)

    by www.sorehands.com (142825) on Thursday November 02 2006, @02:38AM (#16685587)
    (http://www.barbieslapp.com/)
    Another bug?? I want a refund! It's free? I want double my money back!
  • Install (Score:2, Informative)

    by ms1234 (211056) on Thursday November 02 2006, @02:42AM (#16685601)
    You could install NoScript addon... Great utility :)
  • And... (Score:2, Funny)

    by Pacifist Brawler (987348) on Thursday November 02 2006, @02:56AM (#16685671)
    I remember reading about the memory leak. While others see this as a "failure" of the browser, I see it as increasing the odds that the browser exits and frees up your memory. I mean, how hard is it to re-open a browser?
  • Yahoo! mail (Score:1)

    by Calinous (985536) on Thursday November 02 2006, @03:01AM (#16685709)
    Yahoo! Mail seems to use a less dangerous one of these vulnerabilities - while stable versions earlier than 2.0 would crash, 2.0 only crashes when exiting Yahoo! Mail or when closing all the tabs of Yahoo! Mail. Firebird 0.7 is not affected.
  • Oo (Score:1, Offtopic)

    by Konster (252488) on Thursday November 02 2006, @03:02AM (#16685715)
    Editors need to RTFA.
  • So funny (Score:2, Informative)

    by ZeroExistenZ (721849) on Thursday November 02 2006, @04:37AM (#16686063)
    How slashdotters start pointing and laughing when there's an IE exploit, doesn't matter how big or small, and always the "workaround" is looked at as unacceptable.

    When it's about Firefox, they immediately relativize it and minimize it. "Oh, just install noscript", "tis just a small exploit", "well, why not restart your browser? If it crashes, so what? Why don't you click the icon again? You lazy bastard!"...

    I even read some comments, in reply that there's said IE 7 feels better than FF 2.0, that the faults in FF are acceptable. It's a complete double standard.

    For me, Firefox 2.0 is worthless; bloated, crashes constantly, and is just not workable anymore. I've been using Firefox from the very start, but Firefox 2.0 made me switch to Opera.
  • by slashbart (316113) on Thursday November 02 2006, @04:45AM (#16686081)
    (http://www.vandeenensupport.com/)
    What a load of utter crap, calling a bug that crashes an application a "Denial of Service". Morons!

    Bart
  • by Giorgio Maone (913745) on Thursday November 02 2006, @04:52AM (#16686135)
    (http://maone.net/)

    ... it is Firefox with NoScript [noscript.net] :)

    I wrote this Firefox add-on just after one of these disclosures, because the majority of the browser vulnerabilities was JavaScript related, and the suggested work-around was always "turn off JavaScript".

    Disabling JavaScript as a whole seemed quite impractical advice to me in this AJAXified Web 2.0: I thought that maintaining a white-list of trusted sites allowed to run JavaScript and keeping all the unknown web content "static" until I decided otherwise was a still safe but more convenient approach.

    Since then I've been browsing the web with my shields up (NoScript can also block Java, Flash and other plugins [noscript.net]), but I allow on the fly with one click, either temporarily or permanently, those sites which I trust and which do need dynamic client side technologies to work properly. To my surprise, in a year and a half I found few sites belonging to this category, because most places I usually browse are well designed enough to work with plain XHTML/CSS and nothing else (like Slashdot itself).

    Notice: Firefox is a very safe browser because its vulnerabilities get patched very quickly, once they're found by developers. I'm a Firefox contributor myself, and I'm very proud of the quality of the Mozilla developers community. NoScript [noscript.net], though, provides some extra protection even against those JavaScript/Java related vulnerabilities which have not been found yet...

  • by TheBogBrushZone (975846) on Thursday November 02 2006, @05:51AM (#16686427)
    when Firefox 2.0 seems to quite happily lock up on its own with no need for help from the script-kiddies?
  • by giriz (966704) on Thursday November 02 2006, @06:06AM (#16686489)
    I'm an Opera user and I keep wondering why ppl adamantly use a software which keeps crashing and yet they find a reason to either bash it (IE) or support it (FF fanboys), saying there are such and such workarounds. Why don't ppl switch to the browser with the fewest bugs/security holes? Don't give me the crap by saying IE has a lot of users so the attackers target IE. While it may be true, a common security analyser like Secunia.com has identified the fewest bugs in Opera compared to FF and IE. .... and yet the slashdot crowd is so much in love with FF. And look at the comments above from FF fanboys, they just keep writing suggestions and saying how it is not a flaw. If the posting had IE instead of FF, we would've seen hundreds of posts scolding IE and Bill.

    Talk about hypocrisy.
  • I'm confused... (Score:2)

    by Milton Waddams (739213) on Thursday November 02 2006, @06:07AM (#16686499)
    The title reads "Another Denial of Service Bug Found in Firefox 2" but the summary says "... the bug cannot be exploited to run arbitrary code on a PC running Firefox 2, the representative said. This flaw in the JavaScript Range object is different from the denial-of-service vulnerability in Firefox 2 that was confirmed by Mozilla last week."

    So which do I trust? There's no way in hell I'm gonna actually read the article!
  • by suv4x4 (956391) on Thursday November 02 2006, @06:17AM (#16686543)
    Immediately stop using Internet if you're using one of those browsers:

    IE
    Firefox
    Safari
    Konqueror .. ..

    A new denial of service attack was discovered floating in the cyberspace, that can render any browser inoperable, and it has to be forcefully crashed and reopened. The signature of the exploit was reported to be:

    while(true) alert('Hahaha, suckers!');

    People are advised to immediately move to Lynx: the only browser known to be immune to this attack.
  • by suv4x4 (956391) on Thursday November 02 2006, @06:23AM (#16686571)
    The two "crashers" are the only publicly released vulnerabilities that have been confirmed by Mozilla in the week since Firefox 2 was launched. The issues are only minor, the organization has said...

    They also added that the reason the issues are minor is because Firefox 1.5x and later releases of the popular Mozilla browser feature a special "issue shrinking" technology, patent pending, where no matter what happens, the issue becomes small.

    This is in opposition to Microsoft, which appears to ship all their products with "issue expanding" FUD generator technology, now considered by many specialists as obsolete, where never mind what the trouble is, it's blown out of proportion, and brings chaos and despair among geeky web users.
  • Why is this news? (Score:2)

    by jesser (77961) on Thursday November 02 2006, @07:02AM (#16686761)
    (http://www.squarefree.com/ | Last Journal: Saturday August 09 2003, @09:27PM)
    If you go search Firefox's bug database for bugs with the "crash" and "testcase" keywords at any time, you'll find dozens of known crash bugs. I imagine it's the same for any other major browser. Meanwhile, very few sites intentionally crash web browsers. It makes more sense for developers to focus on lowering the average time between crashes (by fixing the most common crashes), or on fixing actual security holes, than to focus on squashing the largest number of crash bugs.

    Why are CNet and Slashdot so interested in these particular two crash bugs? They aren't crashes that can be exploited to run arbitrary code.
  • It's no surprise... (Score:2)

    by s31523 (926314) on Thursday November 02 2006, @07:54AM (#16687055)
    With a tremendous amount of code there are bound to be bugs. The difference between Firefox and IE will be what the Firefox team does about the bugs, and how serious they are. If the Firefox team doesn't handle the bugs well and the bugs are "serious", Firefox might be, *gasp*, put in the same bucket as IE! I'll still use it though..
  • Javascript, eh? (Score:2)

    by cloudmaster (10662) on Thursday November 02 2006, @08:15AM (#16687291)
    (http://www.cloudmaster.com/cloudmaster | Last Journal: Sunday May 07 2006, @10:01PM)
    So, what, is it a link like <a href="javascript:window.close()">Click Here for Money!!!</a> that causes this "DOS"?
  • This is not new (Score:1)

    by Chris whatever (980992) on Thursday November 02 2006, @08:31AM (#16687449)
    This is not new because there isn't a browser out there with no flaw, no bug. Firefox is as vulnerable as any other software; you just need to keep prying at something until you find the desired problem. Problems are starting to appear in Firefox because it has become largely distributed, and soon enough there will be viruses specially designed for it. The truth about internet browsers is, if you don't want people to find flaws, don't be big. I have never seen a hacker trying to hack a technology or software that is not taking a large market share. Have you seen Mac viruses... I think not.
  • Optionsxpress (Score:1)

    by dekkerdreyer (1007957) <dekkerdreyer.gmail@com> on Thursday November 02 2006, @08:58AM (#16687695)
    Anyone who uses Optionsxpress and their streaming quote java application should be well aware of the bugs with Firefox and Java. Crashes, lock-ups, and randomly moving your cursor to the left one character after typing. These bugs have been listed in bugzilla for quite some time but I haven't seen anybody tackle them.
  • by ThinkTiM (532164) on Thursday November 02 2006, @08:59AM (#16687719)
    Being able to cause something to crash consistently is neither a denial-of-service flaw nor any other kind of security flaw. Even ignoring that, the article incorrectly mentions denial-of-service as that, in terms of security, usually refers to taking over other machines to create huge amounts of network traffic - it's the taking-over of machines that is the security flaw - the use of the machines to cause a denial of service is just an attack. You would think that the staff of a technical publication would know what they are talking about.
  • Being that any security flaw will make headlines these days, what prevents a "mole" from a competitor (say, for example, a borg developer) from joining an open source project and injecting difficult to detect security flaws? The process seems simple: join the team, create a stupid DOS flaw, wait for the build to go live, AC post to Bugtraq, profit from the carnage.


    Forgive me if this is a stupid question...I don't know much about the Mozilla org, or for that matter, how open source collaboration works in real life.

  • Some points (Score:2)

    by Vexorian (959249) on Thursday November 02 2006, @10:04AM (#16688609)

    A non-exploitable bug is not a security flaw, it is a bug.

    If there were pages with the intention to crash Firefox other than those proof of concept ones, I would worry.

    It is not only a rule for Firefox: When the initial Opera 9 had DoS exploits, nobody really abused them.

    It is mostly because a good hacker would like to have the biggest odds, so they target IE.

    In fact, no matter how vulnerable the alternatives are, they are simply not targeted.

    I will just stick to Firefox+NoScript. I consider executing code on my computer a privilege that I would only give to certain webpages; it also saves me from the new kind of annoying popups, those that use pure HTML and no windows.

    I would say that if Opera had a NoScript plugin I would switch, but that's not true. I simply don't like Opera, mostly for interface reasons (for example the mouse doesn't become an I when you are over text, hoo). And it doesn't even allow plugins.

  • Crashing Browsers (Score:2)

    by jefu (53450) on Thursday November 02 2006, @10:07AM (#16688647)
    (http://foo.ewu.edu/ | Last Journal: Monday June 18, @12:43PM)

    Just crashing browsers is easy enough. Even just with HTML. Remember this story? [slashdot.org]

    (A bit of self promotion.) I took his idea and incorporated it into a genetic programming system that manages to crash most browsers. It also finds HTML source that causes browsers to work for a looooonnnggg time to render a single page (in one case 19 hours for a page). The HTML is not particularly legal, but then there is no guarantee that any web page you load into a browser will follow any particular standard. Source (Java) is available at sourceforge [sourceforge.net] - unpack and look for subdirectory "html". (Warning: As this is an evolving program subject to random hackery to "enhance" things, it is commented sketchily, way underdocumented and far from pretty in most places.)

  • Service Denial (Score:1)

    by liam_p (721208) on Thursday November 02 2006, @11:56AM (#16690297)
    Shocking, so I'm denied service to a website which denies service. Hmmm, perhaps I'll try another site.
  • by obender (546976) on Thursday November 02 2006, @01:56PM (#16692415)
    Making Firefox crash is no big deal. You can find descriptions of how to do this in Bugzilla, there's no secret about it.

    Here [mozilla.org] is an easy example, a segmentation violation by not specifying the namespace in xbl.

    This is a simple way to make people keep away from your site. OTOH I think I just had an idea for browser based minesweeper.

  • Denial of Cervix (Score:1)

    by DanCentury (110562) on Thursday November 02 2006, @04:03PM (#16694555)
    Women are denying me cervix all the time, why should Firefox be any different.

    Oh wait... denial of service! I need a better screen reader.
  • Toyota (Score:1)

    by Inoyun (972724) <yummykind AT yahoo DOT com> on Thursday November 02 2006, @07:10PM (#16697437)
    The Toyota site did crash my Firefox 2 while trying to build a truck. Very frustrating.
  • by Ambush Commander (871525) on Thursday November 02 2006, @07:19PM (#16697557)

    JavaScript is a programming language. It is Turing complete [wikipedia.org]. The halting problem for it, then, is undecidable [wikipedia.org], making it impossible for any browser to detect all infinite loops / large amounts of memory/CPU consumption.

    If theory makes you gag, check out this thread [ckers.org] on JavaScript Denial of Service for a list of concrete examples. All of the samples are extremely effective at taking out all browsers (IE, Firefox and Opera alike).

    I am more concerned about pages that can crash browsers without the intervention of JavaScript. This includes imagecrash (may crash you!) [ckers.org], mailto crash [ckers.org], and a huge XML file crash [coredump.cx]. They should be preventable.

    Anyway, the reason why DoS's aren't actively pursued by the black-hat community is that it's very difficult to put them to good use. Sure, it will annoy someone, but it's hard to monetize, etc.
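
    The practical side of the undecidability point in the comment above, as an added example that is not part of the original thread: a host that cannot decide in advance whether a script halts can still bound it with a time budget. The sketch uses Node.js's built-in `vm` module; `runWithBudget`, the 100 ms budget and the sample scripts are constructed for illustration.

```javascript
// Added example (not from the thread): bounding untrusted script with a
// time budget instead of trying to predict whether it halts.
// Node.js's vm module is not a security boundary; it is used here only
// to show the watchdog behaviour.
const vm = require('node:vm');

const BUDGET_MS = 100; // assumed budget, chosen for this demo

// Run `source` in a fresh context and report how it ended.
function runWithBudget(source, budgetMs = BUDGET_MS) {
  try {
    const value = vm.runInNewContext(source, {}, { timeout: budgetMs });
    return { status: 'completed', value };
  } catch (err) {
    // Node sets this code when the timer fires and the script is terminated.
    if (err && err.code === 'ERR_SCRIPT_EXECUTION_TIMEOUT') {
      return { status: 'budget-exceeded' };
    }
    // Anything else was raised by the script itself, for example the
    // engine's own recursion limit surfacing as a RangeError.
    return { status: 'threw', error: err && err.name ? err.name : String(err) };
  }
}

// Constructed sample scripts.
const SAMPLES = {
  shortLoop: 'let s = 0; for (let i = 0; i < 1000; i++) s += i; s',
  infiniteLoop: 'while (true) {}',
  // Halts eventually, but far beyond the budget. The watchdog cannot tell
  // it apart from infiniteLoop: a time budget trades false positives for
  // a guaranteed upper bound.
  slowButHalting: 'let x = 0; for (let i = 0; i < 1e10; i++) x = (x + i) % 7; x',
  // Unbounded recursion is stopped by the engine's stack limit, not the timer.
  deepRecursion: 'function f(n) { return f(n + 1); } f(0)',
};

// Map each sample name to the way its run ended.
function classifySamples() {
  const out = {};
  for (const [name, source] of Object.entries(SAMPLES)) {
    out[name] = runWithBudget(source).status;
  }
  return out;
}

console.log(classifySamples());
```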

  • Re:LOL IE Users! (Score:4, Insightful)

    by Mikachu (972457) on Thursday November 02 2006, @02:32AM (#16685571)
    (http://www.fiveeightforums.com/)
    Except let's see how long it takes for the Firefox team to patch up these flaws as opposed to IE.
  • Re:See? (Score:1)

    by Short Circuit (52384) * <mikemol@gmail.com> on Thursday November 02 2006, @06:02AM (#16686469)
    (http://shortcircuit.us/ | Last Journal: Sunday October 14, @02:01AM)
    I suggest you rethink the ways of your project and have a look at IE to see what quality looks like. Because 80+% of a net-citizens can't be wrong.

    79%...78%...77%...76%...
  • by Kludge (13653) on Thursday November 02 2006, @06:29AM (#16686611)
    Since when has a crashing browser been a security problem?
    Back when mozilla was young, certain sites would make it regularly crash. I just didn't go back to those sites. The browser was still far superior to IE, which drives me nuts if I have to use it.

  • Re:LOL IE Users! (Score:2)

    by Shaper_pmp (825142) on Thursday November 02 2006, @09:08AM (#16687845)
    I'll take a nice, safe browser crash over an ActiveX control or buffer overflow executing arbitrary code on my local machine any time.

    Nobody sane ever said Firefox has no bugs and no security holes.

    However, those said holes tend to be fewer than IE, less severe and patched faster.

    I've got to say, that was a truly terrible troll.
  • Re:Ah, browsers... (Score:1)

    by Ciggy (692030) on Thursday November 02 2006, @09:08AM (#16687851)
    Feature := Bug as described by the marketing department.[1]

    [1] From the glossary of an Apple ][ manual.