Unpatched Firefox 1.5 Exploit Made Public

ThatGuyGreg writes "C|Net is reporting that an unpatched exploit in Firefox 1.5 has been made public, making it very easy for ne'er-do-well-sites to cause your browser to crash on startup with a single visit. Until a patch is released, it is recommended that you disable your history.dat file."

FC4, 1.5

[(1+-sqrt(5))*(2**-1)]

I can report that the exploit doesn't work on FC4, with the latest 1.5 built from source.

Re:FC4, 1.5

[Anonymous Coward]

The Mozilla people are also reporting that the exploit doesn't seem to work on any version of 1.5:

Mozilla Foundation, which released Firefox, said it was not able to confirm the browser would crash or be at risk of a DOS attack, after visiting certain Web sites.

"We have gotten no independent verification that it crashes (Firefox), but there have been a lot of attempts to try," Schroepfer said.

Apparently they're having a hard time duplicating this particular bug. Has anyone here on /. seen it actually happen?

Re:FC4, 1.5

[FoXDie]

Go to http://www.apple.com/ipod/features.html [apple.com] and tell me if I'm the only one that has Firefox crash from that page without fail, since the upgrade to 1.5

Re:FC4, 1.5

[mebob]

I'm pretty sure that it is the new QuickTime 7 plugin causing that.
As other have posted, it crashes IE as well. And every firefox crash I've had since I've installed 1.5 appears to have been QuickTime related!!!
All happening after installing 7 except for one.

Re:FC4, 1.5

[ParnBR]

Yes, you're probably right. It seems to be a problem with the Windows version of the Quicktime plug-in. I tried it with IE and it crashed, too, but this time I noticed it was trying to load ipodfeatures.mov (or something like that). Mine is 7.0.2. I bet Opera would crash too, but I'm tired of crashing my browsers. =P

Posting from an "Exploited" FF 1.5

[tyler_larson]

False alarm. No security-related concerns, just overenthusiastic reporting.

If you run the script below, it will create a page with a title that's quite huge. Close your browser and open it again. The browser will spin for about 2 minutes what it tries to make sense the contents of your history file. Once it's finished, you'll be back up and running, with no degradation in performance or visible side-effects. You'll be able to even view your browsing history (including the offending page). In fact, I'm posting this response after following the process described above (on WinXP), and I have a history entry entitled "AAAAAAAAAAAAAAAAA..."

A bit of an annoyance, but hardly a security issue.

Here's the official exploit code:

function ex() {
var buffer = "";
for (var i = 0; i < 5000; i++) {
buffer += "A";
}
var buffer2 = buffer;
for (i = 0; i < 500; i++) {
buffer2 += buffer;
}
document.title = buffer2;
}

Re:Posting from an "Exploited" FF 1.5

[tyler_larson]

You'll be able to even view your browsing history (including the offending page).

Addendum:
As you might expect, if you delete the offending entry from your history, everything returns back to normal: you don't actually have to do anything drastic like delete your history.dat file, or even clear your browsing history.

Re:Posting from an "Exploited" FF 1.5

[Viper Daimao]

even better, you firefox has a setting to clear your history automatically.

Tools > Options > Privacy > Settings > Check Cache and Browsing History and Clear when closing firefox

Re:Posting from an "Exploited" FF 1.5

[AeroIllini]

Well, that code may make your browser sit and spin for about 120 seconds before working, but one could conceivably make that time a whole lot longer with some exponential magic:

function ex() {
var buffer = "A";
for (var i = 0; i 5000; i++) {
buffer += buffer;
}
document.title = buffer;
}

And that would truly be a pain in the ass.

But it occurs to me: would it be practical to add an option to Firefox which limits the physical size of your history file, which the user c

Re:Posting from an "Exploited" FF 1.5

[bnenning]

I get identical results running the "exploit" on OS X 10.4.2. Taking a sample of Firefox when it relaunches confirms that it's spending a lot of time in nsGlobalHistory::OpenDB(), and ultimately in memory allocations and frees as it reads the huge entry. It does eventually finish and then behaves normally. This isn't a security hole, and it's only a DOS in the sense that Javascript of "while (1) {}" is.

Re:Posting from an "Exploited" FF 1.5

[PlusFiveTroll]

No, sounds like a Usability issue. Security != Usability.

DDOS Attacks generally dont affect the security of a site, normally data is not compromised. Unfortunalty the site is unreachable at the time.

Re:Posting from an "Exploited" FF 1.5

[sholden]

Very dangerous. It should just dump that raw HTML to the screen, along with the HTTP headers rather than trying to process the text from an outside user who wrote whatever web page you happen to be looking at.

Re:FC4, 1.5

[swtaarrs]

Yeah....the article says it affects XP SP 2

Non-Story

[Midnight Thunder]

C|Net has added the following correction at the end of the story:

"Correction: This story incorrectly stated the affiliation of Mike Schroepfer, Mozilla's results in verifying the Firefox 1.5 flaw, and the nature of the problem. Schroepfer is vice president of engineering with Mozilla Corp., and Mozilla has not been able to verify its browser can crash and lead to a denial-of-service condition. The problem itself was not a security vulnerability but actually a flaw in the browser."

So Firefox crashes, but no security vunerabilty.

Good Thing

[Anonymous Coward]

I'm still using Internet Explorer!

Re:Good Thing

[sloths]

Did it come with a free dinosaur?

Re:Good Thing

[AgentScummy]

Mine came with Windows 3.1

Re:Good Thing

[aussie_a]

No but it does come with free spyware.

i feel so unsaf on teh intarweb!!

[Anonymous Coward]

Rendered using Microsoft's *NEW* CSS/Teenager parsing utility:

THA'TS WHY I SWETCHED TO IEXPOLRE TOOO.!

ITS MUCH BETTAR CSs COPMP1ANDCE I meEN WHy COmply WHEN You cna PWN THERE NUB ASSES??? harharAR

EVEN IT PROTECKS YOU

The fix

[rnelsonee]

If it's already happened to you, just delete your history.dat file in your profile folder, and FireFox will create a new (empty) one on startup.

Re:The fix

[d34thm0nk3y]

Heh, thats funny. There are 3 highly modded posts saying to just delete the history file. Hmmm.... why would Slashdotters be so familiar with a procedure such as that?

slashdot article title too terse

[x0n]

"Unpatched firefox 1.5 exploit made public recently by an unknown source who refused to name himself or other..." *crash*

Obligatory Jamaican Response

[dotslashdot]

Dat file will be history, man.

Re:Obligatory Jamaican Response

[uberjoe]

You mean: "Dat file will be history Mon.

Re:Obligatory Jamaican Response

[Anonymous Coward]

But the exploit was published on Wed.

Digimon?

[tepples]

Is "Historymon" one of the new Digimon or something?

Informative :)

[kentyman]

I love how this is considered Informative.

What? Oh, Jamaicans say "mon" instead of "man". I should write that important information down. Maybe it should be added to http://en.wikipedia.org/wiki/Jamaican_English [wikipedia.org].

Keep that information flowin', mon! Irie!

Shabba!

Re:Obligatory Jamaican Response

[conteXXt]

One word.

"Orange"

Jah forgive me for dis one.

Only crashes?

[ruiner13]

If this only crashes Firefox, how is it an "exploit"? I tend to use "exploit" as something that an attacker can use to their advantage to do something malicious. This is just an annoyance to have to move my poor cursor back to the icon and issue an oh-so-painful double-click.

Re:Only crashes?

[courtarro]

There are plenty of browser denial-of-service bugs, but few of them can actually render your browser useless upon every execution. This one has a lasting effect that's more significant that the old "do while(true) alert;"-style DoS attacks. A single double-click won't fix this one; you have to delete your old history.dat file.

Re:Only crashes?

[ruiner13]

Ok, so a right click, click, then double-click :) Still easier than having to reformat and reinstall windows because my computer has become a zombie. If this were IE, being tied into the OS as it is, a crash of your browser is far more likely to have other effects on other running processes.

Re:Only crashes?

[Anonymous Coward]

If it causes a crash, it's entirely likely that some malicious code could be injected into memory when that happens! If so, you're potentially up shit creek.

Re:Only crashes?

[Da_Weasel]

lets say that some malicious code gets "injected" into memory when Firefox crashes. What are the dangers? If Firefox crashes then its not going to attempt to use that memory for anything...because...ummm....it's not running! If it's not running then it can't be tricked into doing something with this malicious chunk of memory. The only other thing that is going to be looking at that memory space is the OS, and that would likely only be concerned with reclaiming those blocks of memory for use by other pro

Re:Only crashes?

[m50d]

Most usual reason for a crash is when a program tries to access a random(ish) memory location - it has no right to, so it segfaults. But if it's doing that it's often only one more step to making it access a particular memory location - in particular, to jump into the data you've just given it.

Re:Only crashes?

[alienw]

This is only true in some special cases. In general, simply accessing a random memory location will cause the OS to shut the program down due to an access violation. The only time you can exploit this is if you can _make_ the program access a _particular_ memory location.

Re:Only crashes?

[sbrown123]

Doesn't work that way. Overflow is to write into a memory space that is somehow executed upon. You have to have a "jump" from some executing thread in order to get the exploit code to execute. But it doesnt have to be the program it was injected in to to run the code. Thats when it gets scary.

Re:Only crashes?

[alienw]

If an idiot like you actually knew anything, you would realize that this flaw does not let you execute random code. In general, any bug which does not crash the program is very unlikely to be vulnerable to buffer overflows and such. In this case, the only thing that happens is that the browser starts slowly because it has to read a long file.

A crash can often lead to an overflow exploit

[MushMouth]

When an app crashes (firefox does quite often for me) it means that it is doing something that the programmer didn't expect. That could be all sorts of things, from taking all the cpu, to writing to memory that it shouldn't be. Most overflow exploits started as mere crashes.

Re:A crash can often lead to an overflow exploit

[pclminion]

Most overflow exploits started as mere crashes.

While that is true, this could also be a simple null pointer dereference, caused by incomplete error handling in the code somewhere. Those sorts of failures are typically not exploitable.

Just because A implies B, does not necessarily mean that B implies A. All overflows are crashable bugs, but not all crashable bugs are overflowable.

It's easy enough to find out -- load the core file into gdb and look at the instruction that crashed. If it's a null refere

Re:A crash can often lead to an overflow exploit

[killjoe]

You seem to be confusing "could be" with "is". Yes this "could be" all sorts of things but it's not a security hole. It doesn't even crash the browser, it just slows it down for a while.

Re:A crash can often lead to an overflow exploit

[MushMouth]

I guess you guys failed to read the words "CAN OFTEN" in my comment title. Not that it is known that this particular one does, but anytime you have an app crash from an outside influence it is what else that is possible to do with it isn't always known and can lead to much more than just a DOS. While you can delude yourself into thinking that this is nothing. Remember that the IE "critical" bug from last week was just a DOS for six months.

Re:Only crashes?

[Jugalator]

Crashes may be signs of buffer overruns and access violations, which is a bad thing not only from the app's and user's perspective, but also from a security perspective, e.g. if the memory space was prepared earlier with malicious code.

Re:Only crashes?

[Thundersnatch]

The vulnerability is incorrect handling of input. In this case, the only *exploit* published so far is a DoS. But obviously there's something very wrong with the input validation in the code, and remote execution may be possible with a more clever exploit.

Witness the recent IE vulnerability, which MS didn't patch quickly because it was "only a DoS vulnerability". Of course, it turned out it was possible to execute code with the vulnerability, it just took a while for a better (worse?) exploit to be crafted.

Re:Only crashes?

[alienw]

There is nothing wrong with the input code. It works just like intended. The only problem is, it's possible to create a long title and slow down the browser startup (that is, until you clear the history file). Not to mention, who the hell uses the history feature, anyway? It's the first thing I turn off.

Incremental updates

[moonbender]

Sounds like a great opportunity to show off the snazzy automatic incremental update feature Firefox 1.5 has. Pushing a fix quickly to users who've got it enabled would be great.

Re:Incremental updates

[saskboy]

Is the notice pushed, or the actual update?

If you leave Firefox open 24/7 does it ever check for updates automatically?

Stopping the stupidity

[tjwhaynes]

For anyone out there who wants a safer experience out on the web, you owe it to yourself to install the NoScript extension and only allow whitelisted sites to run Javascript. The exploit published this morning (more a DoS and only seems to affect some but not all installations of firefox 1.5 according to SANS [sans.org]) uses a Javascript loop to build up an enormous topic that ends up being written into your history.dat file causing buffer overflow issues. Without Javascript, this sort of exploit is much tougher.

Cheers,
Toby Haynes

Re:Stopping the stupidity

[Psykus]

The NoScript extension [mozilla.org] itself.

Re:Stopping the stupidity

[CosmeticLobotamy]

The guy who drew the logo for that forgot the wingalings and the beefy arm.

Stop the stupidity

[NineNine]

Another tip for you: if you remove the gas pedal from your car, you won't have any crashes! Really!

DOWNLOADING MORE SOFTWARE to intentionally disable part of a program that is supposed to work is 150% unacceptable.

Jesus, how bad does software have to get before people finally start to not use it? Luckily, I didn't pay anything for my Firefox installations, so I can't really bitch. But I CAN look at other, less buggy alternatives (like IE) that also offer useful features that Firefox doesn't, like Activ

Re:Stop the stupidity

[hardaker]

DOWNLOADING MORE SOFTWARE to intentionally disable part of a program that is supposed to work is 150% unacceptable.

I've always wondered why more browsers don't have JS enable/disable widgets by default. Konqueror has had this for eons and I love it dearly. My whitelist is small and is a trusted set of hosts. (now, the only problem with Konuqueror's JS implementation is that it fails on more sites than I'd like... Though 3.5 is supposed to be much better with JS.

Re:Stop the stupidity

[javaxman]

I CAN look at other, less buggy alternatives (like IE) that also offer useful features that Firefox doesn't, like Active X.

Is that humor, or flamebait? It can be so difficult to tell...

how bad does software have to get before people finally start to not use it?

Yea, why DO people use JavaScript anyway ? But seriously, people are still using Windows, so... I guess the answer is "really, really bad".
;-)

Humor, people, humor!

Re:Stop the stupidity

[b00m3rang]

Enjoy your stay in spyware hell.

Re:Stop the stupidity

[fredrik70]

you can't seriously argue that activex ever was a good idea for a browser on the internet, even ms acknowledge that, hence their move towards asp.net 2.0, zery-deployment stuff etc.

Re:Stopping the stupidity

[dankelley]

The poster is right. Back when I used linux, I liked this feature.

Today I browse with Safari on OSX, and I have javascript turned off by default. This is seldom problematic, since it's easy to turn javascript on for a moment once a week when it provides more than annoying eye candy.

Why focus on JavaScript?

[Kelson]

Sure, the proof of concept uses JavaScript. But the problem itself has nothing to do with scripting. One could easily generate a 2.5MB HTML file with a really long title. 2 million "A"s in a row will probably compress pretty well, so if you serve it with on-the-fly compression, it doesn't have to take much extra time or bandwidth to retrieve.

Bingo: exploited with no scripting involved at all.

Re:Stopping the stupidity

[ZachPruckowski]

NoScript does a whitelist. So if I wanted javascript at ______.google.com, I'd add that to the whitelist, and all would be well. Takes 10 seconds, if that.

Re:Stopping the stupidity

[crazyphilman]

You've got it wrong. It's not a permanent javascript block. It just means that when you go to a site, you do two clicks with your mouse. You can either temporarily turn on javascript for that site, or permanently turn it on (if it's a site you trust).

The really, really nice feature of this tool is that when you go to enable javascript, you can see all of the several domains that are trying to run javascript on your machine, and only enable the one for the site itself. It's a very nifty tool. It even lets yo

DOS

[kihjin]

The 'exploit' seems only capable of a Denial of Service. There's no proof to indicate that malicious code could be executed.

Plus, read this (from the article):

"We have gotten no independent verification that it crashes (Firefox), but there have been a lot of attempts to try," Schroepfer said.

So, this is all very hypothetical then?

ummmm

[Prince Vegeta SSJ4]

thats what thet get for making an extension that runs explorer within firefox https://addons.mozilla.org/extensions/moreinfo.php ?application=firefox&id=1419 [mozilla.org] *ducks*

Not an "exploit"

[joetainment]

This isn't even related to security. Its just a bug.... lots of apps crash when something happens. Doesn't mean its ok, but it doesn't represent a security issue does it? (Unless I'm missing something...)

Re:Not an "exploit"

[tyler_larson]

Yea, it's no big deal. It just causes the browser to crash. Move along.

No, the browser does not crash. It just takes longer to start up because it has 10 megs of history to parse instead of a few K.

It really is no big deal.

Tin Hats Need Not Fear

[courtarro]

Those of us with sturdy tin hats already have our histories disabled. Take that, evil!

Re:Tin Hats Need Not Fear

[TubeSteak]

With your histories disabled, how will you know when history is repeating itself?

Re:Tin Hats Need Not Fear

[Penguin]

I considered that too, but my Firefox deletes my history on random intervals even when not asked to. Might as well disable it alltogether.

Re:Tin Hats Need Not Fear

[raehl]

Those of us with sturdy tin hats already have our histories disabled.

Those of us with wedding rings do that too.

Really

[jupiter_ganymede]

Is it just me or is this a pretty worthless report? I can't really see this as being an exploit anyone would care about unless you happen be work for a certain company in Redmond.

Um... Did you RTFA? It's not an exploit

[Schrade]

Quote from the bottom of the article:

Correction: This story incorrectly stated the affiliation of Mike Schroepfer, Mozilla's results in verifying the Firefox 1.5 flaw, and the nature of the problem. Schroepfer is vice president of engineering with Mozilla Corp., and Mozilla has not been able to verify its browser can crash and lead to a denial-of-service condition. The problem itself was a not security vulnerability but actually a flaw in the browser.

Read the article before you consider posting it with a sensational title!

IE's execution of arbitrary code

[Dreadlord]

Before someone starts saying Firefox is vulnerable to exploits just as IE, this exploits crashes the browser and only that, now compare this to IE's execution of arbitrary code [slashdot.org].

No software is perfect, but still, Firefox is clearly ahead.

Re:IE's execution of arbitrary code

[ClamIAm]

And a while back firefox had a bug (in Windows) that allowed access to a shell. Knowing the number of people that run with admin access, this is just as bad. I'm not saying FF is as bad as IE, just that bugs can be brutal. (and undescriminating)

Re:IE's execution of arbitrary code

[Dreadlord]

The origin of the bug is Windows and its shell: protocol, Mozilla simply handled those links back to the OS ad it does with protocols it doesn't know how to handle, other programs like MS Word were vulnerable to the very same exploit.

It was fixed 24 hours after full disclosure, and only Win32 versions of Mozilla were vulnerable, doesn't this ring a bell?

Anyway, read this link [newsforge.com] for more info.

Re:

[account_deleted]

Comment removed based on user account deletion

Good test for the new Update System

[brandonp]

This will be a good test for the new Update System that was implemented in Firefox 1.5. Too bad it will need to be utilized so soon.

With the speed that the Firefox developers release their fixes and the ease of getting those fixes with the new system, I hope this will develop as proof of how well Firefox can handle these situations.

--
Brandon Petersen
http://www.brandonpetersen.com/ [brandonpetersen.com]

Re:Good test for the new Update System

[Ronald Dumsfeld]

Updates you say? Can I have 1.5 first please?

Yes, the British English version isn't available yet. Is this a clever ploy to get everyone using American English?

Re:Good test for the new Update System

[mlefevre]

No. There was an issue with some links to things in the British version. That issue has now been resolved, and it's just waiting for the build to get through the rest of the release process - should be out in the next day or two.

It's completely retarded...

[ninja_assault_kitten]

The guy who reported it called it a 'buffer overflow' and clearly had no understanding of what it actually meant.

which
most users won't figure out.

this proof of concept will only prevent someone from reopening
their browser after being exploited. DoS if you will. however, code
execution is possible with some modifcations.

Tested with Firefox 1.5 on Windows XP SP2.

ZIPLOCK

-->

heh
function ex() {
            var buffer = "";
              for (var i = 0; i ZIPLOCK says CLICK ME

Re:It's completely retarded...

[Trillan]

Um. A buffer overflow is whenever the code attempts to store a large data element in a small buffer without adequate protection. This is what Firefox does when you attempt to start up and it hits the too-large history entry.

I haven't looked at Mozilla's parser code, so it isn't clear exactly effect the buffer overflow will have. But it is a buffer overflow by definition.

Heh

[aftk2]

cause your browser to crash on startup with a single visit.

I've seen this exploit in the wild: it's called the MySpace Profile Page [myspace.com].

Re:Heh

[Geoffreyerffoeg]

Speaking of MySpace, is there a way (short of filling Firefox with FlashBlock, AdBlock, NoScript, KillTheWabbit, or whatever other anti-active-content extensions they have) to view MySpace profiles/information without loading any of the simultaneous nonsense my friends seem to want loading by default? E.g., if I log in, is there an option to disable this? Or is there a relatively complete RSS feed for profiles?

To clarify

[tool462]

So are you trying to say it's a feature?

Someone needed to create a scoop.

[Godeke]

Correction: This story incorrectly stated the affiliation of Mike Schroepfer, Mozilla's results in verifying the Firefox 1.5 flaw, and the nature of the problem. Schroepfer is vice president of engineering with Mozilla Corp., and Mozilla has not been able to verify its browser can crash and lead to a denial-of-service condition. The problem itself was a not security vulnerability but actually a flaw in the browser.

Wow, that is accurate reporting, which was then amplified in the summary to the point of absurdity.

Re:Someone needed to create a scoop.

[NickFortune]

Well quite.

C|Net, by their own admission, got almost every pertinent detail of the story wrong. The only way they could have have been further off target would be if they assigned the flaw to Internet Explorer. Personally, I'm not going to hold my breath waiting for that mistake to see print.

As a side note: I'm not normally one to slag off Slashdot's editors, but might I ask for a little more investigation before parrotting the lastest MS anti-Firefox propaganda? This is the third story this quarter por

1.0.7 Also vulnerable

[sheepoo]

I ran the proof of concept on my installation of 1.0.7 (WinXP SP2) and it crashed the next time I opened FF. Task Manager showed that FF was eating up the memory like crazy. I deleted the history.dat file (which was 10 MB in size!!!!!!!) and sanity returned instantly :)

Older versions and Mozilla?

[antdude]

Do older versions of Firefox and Mozilla have this problem?

Firefox history code is horrible

[Anonymous Coward]

In other news: Water is wet. Seriously, whoever wrote the history code needs to be shot. Once your history gets to any significant size, all operations on it start getting annoyingly slow. For me, it takes 15 seconds for firefox to open the Go menu for the first time in a session, and once you've done that, even more annoyingly there's a delay of a few seconds on every new page you visit for the rest of that session. The history sidebar is so excruciatingly slow it's practically unusable.

Re:Firefox history code is horrible

[WWWWolf]

Once you have the idea on how sucky Mozilla's history stuff is in practice, take a look at how the stuff is actually stored in history.dat. People have been rendered insane by just a single look at that stuff. Want to make sense of this format for some obscure reason? Read this [livejournal.com] and weep [jwz.org]. This stuff is just about the most insane thing I've ever seen.

I sure hope Mozilla folks get the unified storage plans together for Firefox 2.0, and use something like sqlite to store most of the user data. MorkDB format used by Mozilla is... just not elegant.

so...

[SharpFang]

Preferences > privacy > history > [0] days; ok.
Patched. I use the history feature about twice a year, won't miss it till the right fix is found.
Not quite like disabling all the javascript in MSIE, is it?

thats the exploit?

[SQLz]

The browser crashes when I go to a site? OMG! If its not arbitrary code execution, don't bother me. IE has had a similar exploit since it came out. Basically, it crashes randomly when visiting a website.

Re:thats the exploit?

[Nintendork]

"IE has had a similar exploit since it came out."

You're confusing the terms "exploit" and "vulnerability". All products have vulnerabilities. The ones that the vendor are aware of are called "known vulnerabilities". When code is written that takes advantage of a vulnerability, it's referred to as an exploit. When an exploit is written for a vulnerability that is not known by a vendor, that's called a Zero Day exploit. Some will argue that a Zero Day is when an exploit is written for a vulnerability that

Some exploit.

[bradbeattie]

I recognize that it can cause inconvenience, but come on. Exploits in IE typically result in executing arbitrary code on the user's computer. I guess this is just another argument as to why system diversity is important. If no browser had more than 20% of the market it'd be difficult to target a large portion of internet users.

Re:Some exploit.

[TubeSteak]

If no browser had more than 20% of the market it'd be difficult to target a large portion of internet users.

Ummm.... 20% is still a really big slice of the pie.

And yea, I've never heard a DoS refered to as an exploit.

Must be joking

[Charles Dodgeson]

The effect makes restarting Firefox very very slow (several minutes). I've just tested on OS X and on SuSE 9.3. Once that is done you can clear history through Prefences. If you don't want to wait, you can remove or manually edit history.dat.

The claim of a buffer overflow is nonsense. I suspect that that claim is a joke. The only thing that makes this mild borking work is a very long document title. In setting that up, the author uses a variable called "buffer" and "buffer2". Just because a JS variable gets named "buffer2" and gets set to something very long doesn't make this a buffer overflow. I like to think that the guy must be joking, instead of actually being that stupid.

But in the end, there is a bug to be fixed in Firefox

Re:Must be joking

[Breakfast Pants]

Is this the same thing as this (this link is safe to click but read carefully before clicking the links within)? It is a buffer overflow on IE but on Firefox it just completely freezes up the browser/potentially opens tons of windows.

Conversation with girlfriend/wife

[PoprocksCk]

"No, the history hasn't been cleared because I've been looking at porn! It's the exploit, I tells ya! The exploit!"

doesn't crash FF 1.0.7 on Kubuntu Linux

[jayloden]

I'm running Firefox 1.0.7 on Kubuntu (Breezy Badger) and it doesn't crash here. It definitely hung for a good long while on the next startup while it tried to parse the history file, but it did eventually start up normally.

Could Potentially Be Nasty With User Content

[patio11]

Obviously, any website that lets users specify javascript in, e.g, a forum or blog post is going to be a cross-site-scripting nightmare. However, and while I'm not entirely sure of this, it would seem that an overly long HTML title would cause this bug itself, correct? A lot of the bulletin board software I've seen uses the thread title as the page title. Assuming that somewhere out there there is some similar blog/forum software which doesn't impose a size limit on the title ("Duh, people wouldn't be ab

Re:From the better-than-the-alternative dept

[Spy der Mann]

Heh, the same was said about IE6's window() bug.

Remember: If it segfaults your program, it might as well make it execute code!

Re:Is that a Product plug I see?

[Anonymous Coward]

No, just a badly worded summary of the original storm center diary entry [sans.org] in which the ISC handler attributes the possible FAILURE of this bug to crash firefox to the McAfee software, which, in his mind, has some mystical power to optimise firefox's inefficient string parsing algorithm even when it's deactivated!

This bug is slightly lame, even as DOS -- There are no confirmed reports from half-or-more-brain-having people that it even crashes the browser in the first place. All it does is make the subseque

Re:Is that a Product plug I see?

[spitzak]

Good question. Another one is people saying that it requires Windows SP2 and does not work on other versions of Windows or on Linux. But the description of the bug is that reading in the history.dat file causes a buffer overflow that crashes it on startup. It would seem likely that this bug would exist on all operating systems, or at least be the same on all Windows systems.

Though not a security issue, a "DOS" that permanently crashes Firefox even when you run it again is pretty bad.

Re:lol no

[TubeSteak]

Just tell all your buddies on AIM: lol no its not its an exploit

Fixed that for ya

News.com.com story [com.com]