The flaw in Firefox 3.5 - and the newly-released 3.5.1 - is reported to allow remote code execution because of a bug in the browser's Unicode text handler.
The first major security flaw in the release branch of Firefox 3.5 may have been fixed, but the fun isn't over yet: another serious flaw has been discovered in the browser.
Despite the browser having only recently been updated to version 3.5.1, SecurityFocus is reporting on a stack buffer overflow vulnerability which affects both the original 3.5 release of Firefox and the latest 3.5.1 release.
The vulnerability, which comes about from the software's Unicode text handling system, allows a remote attacker to execute arbitrary code simply by embedding it into a web site: as soon as the visitor hits the affected page, the software crashes – leading to a denial of service attack – and under certain conditions the code will be executed by Windows.
With a simple exploit already available, it's fair to say that if the ne'er-do-wells aren't already using this as an attack vector it won't take them long to wise up.
The vulnerability is the second in the last week to target the latest release branch of the popular open-source browser, and again there is no patch yet available from the Mozilla Foundation. Worse still, there appears to be no easy workaround for the issue this time – although once again something like the NoScript plugin would protect you from attack by untrusted pages, as the exploit relies on JavaScript in order to execute.
Are you starting to question just how much work was done checking the security of this latest Firefox branch or is the Mozilla Foundation just having a bad week? Share your thoughts over in the forums.
"In the last few days, there have been several reports (including one via SANS) of a bug in Firefox related to handling of certain very long Unicode strings. While these strings can result in crashes of some versions of Firefox, the reports by press and various security agencies have incorrectly indicated that this is an exploitable bug."
i.e. there is a bug, but it's not exploitable - apparently it can just crash Firefox.
Also, the article at Bit-tech lacks the link to this thread.
PS: Tyrmot was faster.
Andy
As for andy..
http://en.wikipedia.org/wiki/Full_disclosure
Andy
This is absolutely false. This is not a security vulnerability. It does not allow for any code execution.
"With a simple exploit already available, it's fair to say that if the ne'er-do-wells aren't already using this as an attack vector it won't take them long to wise up."
There is no exploit available. That's just a simple browser crash and there's no evidence that it's exploitable. None. All evidence points to just the opposite, that it's not exploitable.
http://blog.mozilla.com/security/2009/07/19/milw0rm-9158-stack-overflow-crash-not-exploitable-cve-2009-2479/
This article has personal assumptions that falsely imply that this is harmful to users. It's a bug, not a vulnerability. Programs crash when they cannot complete a process. I don't like scaring people over nothing. This is for the most part the wrong community to shove PC fears down our throats. These articles are for a different audience.
People are stupid. They will believe a lie because they want to believe it's true, or because they are afraid it might be true.
-Wizards First Rule By Terry Goodkind
You know what Bit-Tech members would really think was cool??? If you found articles like the one you just wrote and then called it BS, and then counteracted it with words similar to the comments that we have. I'm not being sarcastic, I would seriously love to see that.
That's what this community is all about: learning and knowing what others don't. Because of that, by our nature we will always question what is being said.
Gareth, I'm a big fan, this is just a little criticism, nothing else.
The Google cached copy - which still shows the original version - is available here: http://209.85.229.132/search?q=cache:ZaODIeala_AJ:www.securityfocus.com/bid/35707/discuss+http://www.securityfocus.com/bid/35707/discuss&cd=1&hl=en&ct=clnk&gl=uk&client=firefox-a. For when that gets updated, here's a picture:
http://www.mobypicture.com/user/ghalfacree/view/364722
Without the time to test to see if the exploit did what the SecurityFocus posting claimed, I could only go on the evidence presented: at the time of writing, Mozilla - as far as I'm aware - had not repudiated the claims.
Criticism noted, however - and taken on board.
You'd think they would be more hesitant to put up the words "vulnerability", "execute code", "attack", until they had solid evidence.
To each his own......... browser. :)
I've played around with other browsers but I find FF better suits me because of how far you can customize its security. You can really get underneath the hood and make it your own, plus there are also some good add-ons. I believe no browser is good to use if it is left to default untouched.
To me Firefox gives you back the Linux feel in Windows.
It's a difficult balance. On the one hand, you risk increasing the potential for exploitation by exposing the flaw to the world + dog, but on the other hand you risk malicious parties discovering it and also keeping quiet, whilst silently infecting millions of machines.