Forgot your password?
typodupeerror
Bug Mozilla The Internet

Unpatched Firefox Flaw May Expose Users 390

Posted by Zonk
from the again dept.
Corrado writes "CNET is reporting on a new Firefox flaw." From the article: "The problem lies in the way Firefox handles Web links that are overly long and contain dashes, security researcher Tom Ferris said in an interview via instant messaging late Thursday. He posted an advisory and a proof of concept to the Full Disclosure security mailing list and to his Security Protocols Web site...The public bug disclosure comes just as Mozilla released the first beta of Firefox 1.5. The final release of the next Firefox update, which includes security enhancements, is due by year's end, according to the Firefox road map."
This discussion has been archived. No new comments can be posted.

Unpatched Firefox Flaw May Expose Users

Comments Filter:
  • Firefox is open source... how can it have a bug in it? Lol, they must have meant Internet Explorer!

    Everybody knows that security flaws are only available in Microsoft products. I read it on Slashdot!!! It has to be true!!!
  • by jdray (645332) on Friday September 09, 2005 @11:20AM (#13519004) Homepage Journal
    Did anyone else have a sudden concern that using Firefox would cause you to be "pants'ed"?
  • by CyricZ (887944) on Friday September 09, 2005 @11:20AM (#13519012)
    If you have gotten your non-techie friends to switch to Firefox, be sure to tell them about this problem and the possible fixes. Indeed, it is very important that Firefox be kept up to date on as many computers as possible, even if it means a short trip to install it for somebody. Nothing will hurt Firefox's reputation more than unpatched installations being exploited.

    • by TargetBoy (322020) on Friday September 09, 2005 @11:28AM (#13519127)
      How about having the update checker stop working?

      I've seen several computers now where the red arrow icon is always displayed and the update wizard never successfully downloads anything.

      Reinstalling doesn't seem to help fix it.
    • by killproc (518431) on Friday September 09, 2005 @11:54AM (#13519389)

      "If you have gotten your non-techie friends to switch to Firefox, be sure to tell them about this problem and the possible fixes. Indeed, it is very important that Firefox be kept up to date on as many computers as possible"

      Not trying to troll here, but...

      Couldn't the same be said for IE or any other browser? If you have non-techie friends that could be vulnerable on any platform, wouldn't letting them know how to check for security updates be the right thing to do?

      Should you let them flounder and possibly become zombies for some nefarious spam network because they don't use your "preferred" browser?

      Personally, I use Mozilla at home because I like it much better, and encourage all my friends to do the same, but I'm not above recommending security updates to those who choose not to use Mozilla/Firefox.
      • Indeed. The main update/fix for Internet Explorer-related problems is Firefox. So that should always be the first solution proposed. That in turn directly leads to my proposal: always keep your non-technical friends' Firefox installations up to date.

        • by RzUpAnmsCwrds (262647) on Friday September 09, 2005 @01:13PM (#13520130)
          Well, after five security updates that patch numerous security holes (22 since 2004), I'm not sure that Firefox is the solution. It's certainly more secure than IE, but is it secure *enough*? No, it isn't.

          I deployed Firefox on the corporate network to improve security. Five updates later, I'm explaining to my manager that Firefox, just like IE, is full of security holes that need to be patched.

          Unlike IE, Firefox can't be updated through Windows Update and it doesn't have a patch release cycle. That makes it harder to plan for and harder to deploy Firefox patches.

          Having "fewer" vulnerabilities than IE isn't good enough - particularly when your patching system sucks. Open source can do better.
      • by Billly Gates (198444) on Friday September 09, 2005 @12:21PM (#13519615) Journal
        Telling them its insecure only encourages them to stick with IE. All the studies are showing this with clueless uers since Microsoft does not like to boast about holes in IE.
  • by guruevi (827432)
    For trolling sake, it is still better then IE.
    • by Doches (761288)
      Sure. Yea. But it makes us open-source religinuts look a bit silly, touting our "secure browser" when CNET (which has a very questionably technical readerbase) and others run stories like this. Argh. I'm just going to hit the first IE-phile who uses this little bug in an argument.
    • by ikkonoishi (674762) on Friday September 09, 2005 @11:54AM (#13519396) Journal
      Yeah because in IE you can't write a greasemonkey script that fixes it.
      var links = document.getElementsByTagName("a");
      for (var i = 0;i<links.length;i++) {
        if (/-{5,}$/.test(links[i].href)) {
            links[i].href = "";
            links[i].onclick = function () {
              alert("This link was trying to cause a buffer overflow. It has been appropriately punished. That bad ol' puddy link.");
            }
        }
      }
      The above was proof of concept and may not work, but I see no reason why it shouldn't
      • by Tezkah (771144)
        Actually, you might be able to, most people don't know of the Greasemonkey-ish add-on to IE called "Trixie" [bhelpuri.net], with many of the same scripts running unmodified between the two plugins.

        A better argument is that "In firefox, the bugs are trivial enough to be fixed with a script until it gets fixed in the main program, a matter of weeks, instead of fixing it in a script in IE, and waiting years for it do get fixed."
  • It should be noted (Score:5, Interesting)

    by GweeDo (127172) on Friday September 09, 2005 @11:22AM (#13519032) Homepage
    That the posted exploit only causes Firefox to crash to stop responded (that is what it did to 1.5b1 on my Linux box). The person that found the exploit claims he has tweaked the code to actually run arbitrary code on the system, but I would like to se e proof of this since as of right now we only have a hanging browser.
    • Doesn't do a damn thing to me, 1.0.6 on linux.
      With a proxy I get squids error page, without I get a google search.

    • In many cases, a bug which causes a crash when triggered with inappropriately long data turns out to be a bug which can be exploited to execute arbitrary code if the data is carefully crafted to do so. Your test merely reconfirms the basics of this bug. In all likelyhood, the guy can run arbitrary code via this bug if he's claiming he's done it.
    • The only way he could prove it would be to release an exploit that gave a shell or similar, and we don't want that happening.
    • by Anonymous Coward on Friday September 09, 2005 @12:00PM (#13519438)
      There is an actual testcase on the bug in bugzilla, and the bug is private because of that (it would be highly irresponsible to provide a working exploit to the world).

      <mao|zZz> mscmurf, dveditz: bug 307259 has been slashdotted - maybe it would be politically good to disclose the bug, at least to counteract this statement at the end of the advisory: "Mozilla was notified, and im guessing they are working on a patch. Who knows though?"
      <mcsmurf_> well, if there is a comment in it which should not be public
      <mcsmurf_> then the bug remains private ;)
      <dveditz> mao|zZz: the potential issue is that his advisory is incorrect, and I'd rather not release the real crashing testcase (though people might discover it soon enough)
      <CTho> mao|zZz: it was nice of them to wait til we shipped to make sure the world hears ;)
      <biesi> it was public before we shipped
      <mcsmurf_> one day?
      <dveditz> CTho: that was probably our fault, I should have pushed the fix in
      <mao|zZz> biesi: but the slashdot sequence is pretty suspect...
      <CTho> dveditz: i heard the patch on teh bug doesnt work
      <dveditz> It was nominated, but after the point where triage was being done -- needed to be more actively pushed
      <mao|zZz> looks like an easy move to eclipse the beta release wow effect, or worse make it a boomerang
      ***Toba wonders if the bug is patched yet
      <Toba> anyone got the bug link?
      <biesi> it's not publically visible
      <dveditz> Toba: it's still a private bug
      <biesi> (https://bugzilla.mozilla.org/show_bug.cgi?id=3072 59)
      <dveditz> see scrollback a few lines
      <Toba> dveditz: eh, I guess it would be nice to know
      <Toba> but oh well
      <biesi> dveditz, it was your comment that said the patch didn't work?
      <dveditz> we have *a* patch, we're not convinced it's the right patch
      <mao|zZz> dveditz: would you cc me?
      <Toba> I guess it's better if the world doesn't know how to exploit yet
      <mcsmurf_> dveditz: do you know why or if SeaMonkey is not vulnerable? it doesn't crash when using the exploit
      <dveditz> mcsmurf_: that's part of why I'm not opening the bug... the released testcase is not the testcase from the bug
      <mcsmurf_> ah-hah
      <dveditz> seamonkey is vulnerable, this is core networking stuff
      <mcsmurf_> :)
      <mcsmurf_> well i assumed so
      <mcsmurf_> but i only have the public testcase
  • I know the Adblock Extension doesn't let you banish [a href="
    Anyone know of any stable extension(s) that would?
  • by confusion (14388) on Friday September 09, 2005 @11:23AM (#13519050) Homepage
    I thought MS had a patent on unpatched browser flaws?!?!?

    Jerry
    http://www.cyvin.org/ [cyvin.org]
    • They do. Everyone else's flaws are automagically patched the instant they're found. Since 12 hours have gone by, you can be sure that not only has this been patched already, but your version of firefox updated itself and you're now safe.

      </sarcasm>Actually, if you're using a nightly, that probably will happen in a few hours. The new patching system is awesome. Binary diffs, so no downloading huge files, it downloads in the background so it doesn't disturb you, and installs when you restart firefox. It

      • by SonicBurst (546373) on Friday September 09, 2005 @11:52AM (#13519375) Homepage
        The new patching system is awesome. Binary diffs, so no downloading huge files, it downloads in the background so it doesn't disturb you, and installs when you restart firefox. It's amazingly convienient.

        Yes, but would you have said the same thing if you had replaced the word firefox with the word windows in that sentence? I say that only because that's what WAU does these days, though I forget for how long it has been doing the binary diffs. I think that came along with the latest BITS update sometime in early summer this year, but can't be sure. Just FYI.
  • IT all comes down to how quickly a patch can be made and distributed. IIRC, the next version of FireFox will have support for incremental updates which will make this kind of thing easier to deal with on updates. I'm curious if it affects the Mozilla suite in any way; I had thought they shared a lot of code.

    Derek
  • Doesn't work on Firefox for Mac OS X, 1.0.6

    Anyone got an experiences on other platforms?
    Anyone know if this can do anything other than crash the browser?
    • I made an HTML file (with editplus 2), and pasted <A HREF=https:---------- > into the body.

      I opened the local html file in firefox, and... nothing happened.

      ?

      Also, I wonder what happened between him and the firefox developers that made him go public so soon after reporting it to them.
  • by jbeaupre (752124)
    more information on the bug at: www.youissostupid.ru/scriptyuiopuioqwhjklfashuiopy uiopuiopuiopuouihjklasd-2789789-hfsjadkhuiof
  • exploits? (Score:5, Interesting)

    by samjam (256347) on Friday September 09, 2005 @11:27AM (#13519101) Homepage Journal
    The bug depended on the host name being all ---

    It will be hard to craft some exploit code using only the - character.

    It may DOS and cause instability; as for those "but, open source should be proof against this" nay-sayers, I'm pretty certain from the advisory [security-protocols.com] that this could only be properly discovered because the source was available.

    hmmmm, maybe if you can trick users to click on bad links a few times it might cause heap corruption and crashing; maybe if you get them to download the right page a few times to pre-load the heap, and then a few ----- might cause the browser to execute from the heap,

    A look at the soucre will show the consequences of this and show what sort of pathway there is to arbitrary code execution. I guess it could be exploitable...

    Sam
    • if you can convince users to click a link why not just send them to goatse?
    • Re:exploits? (Score:3, Interesting)

      by sbrown123 (229895)
      Tom Ferris has a history of reporting so-called exploits. This history includes not only Firefox but also Internet Explorer. In every case he usually makes a feeble attempt at contacting the right sources to inform them of the problem and then, all of a sudden, claims that they are not responding to him and he feels he has to post all security postings public to save our lives (and he contacts CNet too to get the word out).

      Oddly, I have yet to see one of his found exploits actually work. At most, I have
      • by sbrown123 (229895)
        I take that back. I did find one of his recent exploits (actually its a DoS) that Microsoft actually made a patch for:

        http://www.microsoft.com/technet/security/bulletin /MS05-041.mspx [microsoft.com]

        The funny thing is his note: "As I previously reported, there is a remote kernel denial of serivce vulnerability with the Remote Desktop Services protocol which affects every verison of Microsoft Windows. "

        Last time I check, RDP is not on older versions of Windows. Again, blown out of porportion for such a minor bug.
  • buffer overflows (Score:4, Interesting)

    by diegocgteleline.es (653730) on Friday September 09, 2005 @11:27AM (#13519106)
    The security vulnerability is a buffer overflow flaw that "allows for an attacker to remotely execute arbitrary code" on a vulnerable PC,

    Just for curiosity, can be Firefox compiled with the compiler parameter which adds code to detect a wide variety of such bugs? It's what Microsoft did at IE in the XP SP2; does it have "sense" to do the same for firefox?
    • Re:buffer overflows (Score:3, Interesting)

      by CTho9305 (264265)
      Releases are built with Microsoft Visual C++ 6, because there are concerns that the license of newer versions would not allow the builds to be distributed.
  • Unacceptable (Score:3, Insightful)

    by goldspider (445116) <ardrake79NO@SPAMgmail.com> on Friday September 09, 2005 @11:28AM (#13519109) Homepage
    "The final release of the next Firefox update, which includes security enhancements, is due by year's end, according to the Firefox road map."

    We rightly criticize Microsoft for not responding to security concerns in a timely manner. I hope the Mozilla Foundation will be held to the same standard.
    • Re:Unacceptable (Score:3, Informative)

      by CTho9305 (264265)
      If you followed the discussions on IRC, you'd see that people are working on the bug.

        mconnor: we're in security firedrill mode. probably not meeting on beta2 today.

      They're all busy dealing with this issue... everything else is on hold.
  • by WillAffleckUW (858324) on Friday September 09, 2005 @11:28AM (#13519119) Homepage Journal
    would you rather find about about a bug and fix it:

    A. before you release a version (Firefox);

    or

    B. years after you release a version (IE).

    Well? Which is better? If you choose option B, you can deny there's a problem for 1-2 years, start working on a fix in 2-3 years, nay-say press rumors about the bug in 3-4 years, and fix it and release the bug fix in 4-5 years.

    I choose option A.
  • Uhm, your point? (Score:2, Interesting)

    by Alien Venom (634222)
    Well, unlike Microsoft (and IE) which doesn't really care about the bad press its browser gets; I know for a fact that Mozilla and the people that work on Firefox, do.

    Does CNET really think that Mozilla group is going to ignore it? I don't really see the point of the article. It seems like they were more interested in saying, "Oh, hey. Look, we're cool too because we found a flaw in Firefox."

    I'm sure it'll be fixed in a couple day in the nightly builds. The new auto-update mechanism in 1.5 wasn't impleme

    • Does CNET really think that Mozilla group is going to ignore it?

      Maybe the Mozilla group already knows about it for many many months but because the bug is tagged as "Security-Sensitive", nobody else knows about it. Didn't that happen with a few security bugs in Mozilla?
  • by 93 Escort Wagon (326346) on Friday September 09, 2005 @11:32AM (#13519176)
    I can see why some folks will publicize exploits if they feel the software maker isn't responding in a timely manner. But c'mon - he just reported this to the Mozilla folks on Sunday!

  • Buffer overflow (Score:3, Interesting)

    by Spy der Mann (805235) <spydermann DOT slashdot AT gmail DOT com> on Friday September 09, 2005 @11:33AM (#13519191) Homepage Journal
    From TFA:

    "The security vulnerability is a buffer overflow"

    Buffer overflows aren't very easy to catch, but I thank the guy who discovered it. This way we can make Firefox a more secure browser everytime.

    But frankly, I don't know how to feel. Embarrassed because buffer overflows are the result of sloppy buffer programming, or proud because Firefox has much fewer buffer overflows than windows products?
    • Re:Buffer overflow (Score:3, Insightful)

      by SimplexO (537908)
      Say it with me now.

      "Security is a process."

      Being open source programmers doesn't make them perfect programmers. Not working at Microsoft doesn't make them perfect programmers.

      The phrase never never said, "given enough eyes, there are no bugs." It said "given enough eyes, all bugs are shallow." That phrase even admits there will be bugs. Security is a process, not an accumulated number of crash bugs.

      I would hope Firefox has fewer overflows than IE, only because that would mean less headaches for me, and
  • Year's end? (Score:3, Funny)

    by Swamii (594522) on Friday September 09, 2005 @11:36AM (#13519214) Homepage
    This is why open source is better! M$ expects me to wait until year's end for a patch?! What am I supposed to do until then, hide in a cave?

    What's that you say? This isn't an article about Microsoft?

    Oh, nevermind then.
  • workaround (Score:3, Informative)

    by Anonymous Coward on Friday September 09, 2005 @11:37AM (#13519228)
    about:config -> network.enableIDN -> false

    be happy!
  • by HermanAB (661181) on Friday September 09, 2005 @11:37AM (#13519234)
    I made a page with the supposed bad link full of dashes and all that happens, is that FF tries to do a Google lookup on "keyword:---lots of dashes here---"

    This seems to be a dud exploit...
    • Same exact thing happened to me. You figure someone would try this before reporting it. What crap. Although I can't say CNET has ever been a good source for news.
      • Ok, here is the deal. in about:config search for idn. If you have network.enableIDN set to false this wont work. I'm not sure if I disabled that myself or if that's a firefox default. Either way you might want to make sure IDN is turned off if you dont use it.
    • The advisory isn't talking about "0+002D HYPHEN-MINUS". Try the sample exploit [security-protocols.com]. Freezes Firefox and Epiphany cold here.

      $ GET www.security-protocols.com/firefox-death.html | xxd
      0000000: 3c41 2048 5245 463d 6874 7470 733a adad <A HREF=https:..
      0000010: adad adad adad adad adad adad adad adad ................
      0000020: adad adad adad adad adad adad adad adad ................
      0000030: adad adad adad adad adad 203e 0a .......... >.


      Assuming the document is UTF-8 (no way of telling for sure), we can look up 0xa
  • by roman_mir (125474) on Friday September 09, 2005 @11:42AM (#13519283) Homepage Journal
    under winxp I can't get this to crash. Crap! I thought windows should help with things like this! (Clippy: -So, it looks like you are trying to crash your browser. Need help?)
  • I guess this Bogus FUD Bug will be another "Won't Fix" item in the Firefox Todo list, since you can't really fix a bug that isn't there...

    Oh well, what the hell - Yosarian, Catch 22.
  • Similar Bug (Score:3, Funny)

    by MobileMrX (855797) on Friday September 09, 2005 @11:58AM (#13519423)
    I saw a similar bug IRL.

    This guy was driving and navigated to a bunch of yellow dashes in succession.

    This method of action caused his car to crash.

    I've only been able to replicate this bug on roads with > 2 cars.

    Anyone experience this?

    /waiting for roads v1.5

  • by Frankie70 (803801) on Friday September 09, 2005 @12:04PM (#13519474)
    You can download a fix here [microsoft.com]
  • by molo (94384) on Friday September 09, 2005 @12:07PM (#13519501) Journal
    Between 2005-09-03 and 2005-09-06, there were several bugs reported to Mozilla that are now marked hidden. Expect one of them to become visible now that this is announced. (note: bugzilla blocks slashdot referer, so cut&paste is needed, watch out for the extra space)

    https://bugzilla.mozilla.org/show_bug.cgi?id=30693 9 [mozilla.org]
    https://bugzilla.mozilla.org/show_bug.cgi?id=30694 0 [mozilla.org]
    https://bugzilla.mozilla.org/show_bug.cgi?id=30703 1 [mozilla.org]
    https://bugzilla.mozilla.org/show_bug.cgi?id=30704 0 [mozilla.org]
    https://bugzilla.mozilla.org/show_bug.cgi?id=30708 4 [mozilla.org]
    https://bugzilla.mozilla.org/show_bug.cgi?id=30708 7 [mozilla.org]

    BTW, why is it necessary that so many bug reports be hidden? They can't all be valid security bugs, can they? Besides, full disclosure and an open development model go hand-in-hand.

    -molo
  • by mccalli (323026) on Friday September 09, 2005 @12:10PM (#13519528) Homepage
    I'm reading a depressingly large number of predicatble off-pat responses - "So? IE is far worse. Microsoft sucks!".

    Honestly, who cares? Why does this have to be compared to a Microsoft response? Why can't this just be viewed as an event in its own right and not constantly looked at as some insult which might be handing Microsoft an edge?

    Objectively, if I use Firefox I have no interest in how Microsoft might have responded to a similar situation. I am purely interested in the Mozilla response (which I'm explicitly not passing judgement on in this post). Can people give it a rest with the constant defensiveness against Microsoft?

    Cheers,
    Ian

  • what a whiny runt. (Score:3, Insightful)

    by kinglink (195330) on Friday September 09, 2005 @12:11PM (#13519536)
    I mean I looked at the official disclosure from him (http://www.security-protocols.com/advisory/sp-x17 -advisory.txt [security-protocols.com])
    and basically he acts like 4 days is all he needs to wait.. and apparently Mozilla isn't doing enough for this?

    Mozilla isn't Microsoft or Cisco in two catagories.
    A. They arn't ultra large coporatitions that can fix stuff in an instant.
    B. They don't ignore problems, especially like this. They're likely working as fast as they can and they are willing to admit fuckups, but they want to have a fix for the fuck up first.

    We don't need everyone running around thinking that EVERY company conducts business the same way that Cisco does... How all of them are part of a conspiracy. Firefox is getting known in the industry to be basically good at avoiding problems other browsers have and fixing major bugs.

    By having a guy run around like this only 4 days (notice the dates in that link) it can only cause a higher likelyhood that someone will use that find maliciously and Firefox will get blamed for it when it's really the disclosure that's the problem.

    The fact is those of us who find these bugs need to give the company time to react, we don't need to act like they don't care. 4 days is hardly enough unless he got back a letter that said screw you, which it doesn't sound like he did. Giving Full Disclosure the first time you hear about a problem, just creates a bigger problem because now more people will learn of the problem.

    And there's a definate difference between waiting a couple monthes like the Cisco incident where the company was being forced into an uncomfortable positions and waiting less then a full week with apparently no provacation.

  • by revelation0 (164235) on Friday September 09, 2005 @12:11PM (#13519538)
    Take 2 seconds to check out his proof of concept:

    http://www.security-protocols.com/firefox-death.ht ml [security-protocols.com]

    WARNING: Clicking the above link will crash firefox. It will do nothing else. The hyphens are not normal minus hyphen (the - symbol on your american keyboard will translate to 0x2d) but a soft hyphen (0xad).
  • by TheNetAvenger (624455) on Friday September 09, 2005 @12:33PM (#13519708)
    Wow, I thought only MS products and Internet Explorer were capable of having bugs or exploits.

    Were the people championing these other browser lying to me, or just ignorant in the fact that all software when given mass distribution will exhibit growing pains and exploits will be found no matter how good the programmers think they are.

    Hm... (Ok, mark this as Flamebait - even though what I say is factually correct.)
  • by Transcendent (204992) on Friday September 09, 2005 @12:59PM (#13519985)

    For those testing on their own, *please realize* that it is not simply a dash (0x2D), but the character 0xAD.

  • by asa (33102) <asa@mozilla.com> on Friday September 09, 2005 @04:38PM (#13521937) Homepage

    The bug report is now open and you can see that he reported it to Mozilla on the afternoon of the 6th. There was quite a bit of activity from top Mozilla developers and then the reporter posted the exploit publicly on the 8th.

    We've determined that disabling IDN is a safe workaround and are working on supplying a small download that will take care of that configuration for the user.

    - A
    • by dbaron (463913) on Friday September 09, 2005 @05:56PM (#13522559) Homepage

      I'd also note that Ferris's bug report (bug 307259) originally claimed that the vulnerability was a format string vulnerability, not a buffer overrun, and that the testcase he showed us was a huge testcase probably generated by a tool for generating mangled HTML (like MangleMe). What he published in his advisory wasn't analysis he gave to us when he reported the bug, but looks like it was copied from:

      • the analysis that I did and posted in comment 2 on the bug (which was accessible to him, since he reported it), excluding the correction I made in comment 9 (when I realized the characters I was looking at were not dashes, but soft hyphens), and
      • the testcase that Jesse Ruderman wrote and attached to the bug.

"It is easier to fight for principles than to live up to them." -- Alfred Adler

Working...