Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Mozilla Downplays Firefox 1.5 Exploit



 By: Ryan Naraine
2005-12-08
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
A proof-of-concept exploit for an unpatched Firefox security hole is published, but Mozilla officials disagree on the severity of the threat.

A private security outfit has released a proof-of-concept exploit for a security flaw in Firefox 1.5, warning that the code can be modified to launch code execution attacks.

However, officials at the Mozilla Foundation are downplaying the threat, insisting the bug is more of an "annoyance" than a serious security vulnerability.

The exploit, which was posted on the PacketStormSecurity.org Web site, targets a buffer overflow in Firefox 1.5, the newest browser release from Mozilla.

The exploit has been confirmed on Firefox 1.5 on Windows XP SP2 (Service Pack 2) and is caused by an error in the way the open-source browser handles large history information.

A successful attacker can fill the browsers "history.dat" file with large history information by tricking a user into visiting a malicious Web site with an overly large title.

Resource Library:

Mozilla updates Firefox to fix security gaps. Click here to read more.

According to the alert: "This proof of concept will only prevent someone from reopening their browser after being exploited. However, code execution is possible with some modifications."

Mike Schroepfer, vice president of engineering at the Mozilla Foundation, said initial investigations have been unable to reproduce a code execution attack vector.

"That [code execution] claim is unsubstantiated. Weve had no reports, internally or externally, that this goes beyond denial-of-service issue," Schroepfer said in an interview with Ziff Davis Internet News.

"Weve been able to reproduce a denial-of-service problem. Weve looked at the source code to analyze the risk and found that its not a very severe issue."

"At this point, we have no confirmed evidence that this is anything more than an annoying denial-of-service attack," he added.

Schroepfer said Mozilla engineers have analyzed data from the browsers built-in crash reporting tool and could not find anything beyond the browser consuming a large amount of CPU and memory resources when it starts up after an attack.

Security alerts aggregator Secunia Inc. backed up Schroepfers response in an advisory that rates the flaw as "not critical."

Secunia recommends that Firefox 1.5 users remove the "history.dat" or configure the browser to clear history information when closing the browser. This can be done via the Tools > Options > Privacy > Settings feature on the browser.

The publication of a zero-day exploit for Firefox puts Mozilla in a dicey situation as it attempts to evangelize the browser as a secure alternative to Microsoft Corp.s Internet Explorer.

Mozilla readies another Firefox security makeover. Click here to read more.

According to the latest statistics from Web measurement tools vendor Net Applications, Firefox continues to bite into IEs market dominance, reaching 8.84 percent usage in November 2005, driven mostly by dangerous—and unpatched—IE security holes.

Schroepfer dismissed a suggestion that the latest flaw warning is a black eye for Mozilla.

"Our mission is to continue to make the product the best and most secure browser available. The record over the last year speaks for itself in terms of how rarely there have been unpatched issues in the wild," he said.

"We spend our time improving the browser and addressing [security] issues as they come up. Id like to think that the users are smart and the understand that Firefox is a much more secure product than the alternatives," Schroepfer added.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Mozilla Downplays Firefox 1.5 Exploit
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}v6쌻3ŋrdKnkb[Kݞ$!);[7]hɗNlKX uCP?H9wur5g6%SE]"IC(pR/IzA)v@{iFu;ApTwd>J`OS;S  Ɠ5>X1 |+[S}LF6\3b ^Qk$Ё_Mܦ%CxGu)tC(DHږyD6EGJQTwnWgxGdY (ƻfՉziZgC2]pj:TN`UFfn=KQzr[B&lw"QcO$ӡp̢JK^tf>D>8z v v}JJ73ҧ }KH;R@}ky>5I i1E 94cT$ie8DrH n>, шy`VpA'ס,jO`U[۾xwgyHfnrt9bM ͻ ҇P2zhN4,2^ʲnMwͰ-P6#M-eIr_ӽl˙=X\hӟnz_zJE4E9]vή $Qw;ܖӃuT\tNi\v?? 9NA77 jDTV+Rh& Rc@G${/@B oV7B-%MюR;2,fϷ3+i*H,ǝq%?Zڗu&u}'lL,!Z4 _]FHwAբu|qӹluoz{MZϝvI; i OgfɷV?~'^=v?=LmrG,.iT$IULBxy$Y)r"<_CJ ݖeL_*X_KŗG)LY4C! ,mdʱ(rNf9A}E'ԃ6kiBuV!`JC̺NR$9V/ȟ4R\ 9jbsvf;M? fzCCZ9nVĨ9USAeEI7CD r23yB(PHQ>Ly%Ku}7p@WMcrlNTW꒬2Wb{gH\zfuEzW^?]{68^%glh|X.B2iK1QW5MGZ9HLG_)C>ѯ+ r%(NLf[ԑplòDŽIGz=4 aOW})5ٴ>'4b}t>'჎(>h&ƋCriYnL,rӇtw4Aο 'pGbdx: }C 04LH"AЂMtT;n]`2Zw9ܻ-(; hk = `Dy+wCPb(=զA{Tgg,zC k 6G~[>l03QA\Q? z[ dSJJds4.'H(AH 9[h ]99 Ŋ #!be'"P.o=!đt݁Z.?M4ay?cb -x[b}ILgF2+ɨɬaX91yMf#T`"[OKᙖ&Z1oiAhڛ,Â%Gn]ּ36I`آwB?a! q WQeNAsǾ{,7,kQ2G6Êi֜ᄂ"s2:٢ͩqb;_A:\!4Lh,G7q9yE"* ,q[ryd:*FZzI۶ۿh |(&]\qαqB&k*H(Y3b-t<(:[(Or1r@eOSSɸVTV3Q2C+L)Eۋ)i SX-8E/4-{'ٲJd-Yֽ(Vv/K\?uriO,"ohm_EڠueLGy K-C IHf(XK+ezlxyD62C 7(=u  XTM.r_`}dҶahDej-[`B^eܠQѿ,lVCax5Z'Awm<_D.ng p6X2ĂM ATt ˀQ55QkaAa ĵAb==Vškϧ;°w^^v˦?~F|4^ۄ#V!҇FD+ه0`,E=_Mb^-#zB~*+e iԏ5@&^`Ge d^ `M`R#׶|Ġ:L#ΜD(MCZ&3 O5uH8_̈́OAU &89qӠ8TQƮҐ!ak"A4b> \RXt> J+$X8:T:4ަ6W݂RI?I BL!B3ݧ==1g 2~`BG@dUkR`ZEUգ}Z~W@yϸoGM ݙY$w&J y.AA/UrߦI39旉Q䑫VNf28ʇF18՞uu ٔ\=wr 52_=h=JV:Ɲcݸyr"w>sԳлMslޣ0)6@yz"#haG8fz%~g~V5sr>nz*eR)Yi$ {2 t9t=d}Oԫ7O?pY/UU^SG;:& GTѶU0Hz.q,wQŤX2N*,E%R (NY Xٌj{[S?Bւ%V02ADB +}ƾnRyQ|Z#:j|$>rSOiDj4JRU-+)CoJ9 ^M L%Kf?ͥZ5?c D~sBx@erIMYI {QK CnK-%.@^ذ:zfSnioΛkZx\sXҌh;yX^5IdH$f~`MٸUvJ봚j%I= OM=1h+Q.ˤܓG﹮ BDSwgtsć)uRfCi 5`jZ)}#0LƈkSH+G }O&lU*JtP(]PX9H(P Yz>Gɷwnj‰SXx|{ kPHc$ $"zдr#)=2fV*UXŵ?~hxqNL^\}ۅ^?h5eQjE6vkKV~ZgZq t(+vg}e_:m^tο?Nٿ:N0yYkeaKKx4sj󐔏Z~xtْ:͏m~61|ˁNIM $(XqCOճ}U\~;lѳi?`y Bz+~{!\4?v.ŗlOk~w.R ~JdFyxyȒU8*Dyyp|ly\3amF '%L=X=80<4+H[3 BX׭5' ^t}Xq q6a4'l귝/ؿ+[Z\f·߄B!bFG<؇AP#{ z P)'$ N%>cϻ;$VBL0B_XH!)$ze*KBlb%hղoeW!؉lj9l0 !tQ^CrVTt#AUbݩc3cD1uwR;2x;yZ1 ݞpne9r0jw{t=z;Ojw]!S}NXnLxqZ9} HK{,i;;䝠P.zSgOɍ2 Xw= Zt Ud_Rx~tHK.}<﷯IK 09n~%H@2ot#k7yEO>O4wX]{gNE VwN{},da}?H+FisP/!OK4vdLc!I )VԺUw7`ʜ9%'+wr62Ӣ(oP2tIK JG3`ȾqKwbRc8wA'g껌wUGGpww6{ZeeQJW=qM@jjyJR=35"i @.mvx1t` AAXŀ0!hwg\#9S1<OFeuw#c³D`HI@R缩g6A j(l8ntpU0p1-78\}5߈:6"Y1!IfM1XP|;ߌ9s{C4h Z*2kp1)%ŷ`PBH|o4y˭(L J ‡/Vxe[bw[8| vtj9J;~vːuӗ:19PȻb۷\"̓8$-vB ,i9MIvۘKb>d[~l“e-X( {EQ' t@mUQiteII:Kw05X(Cg ;V &WYs!EP!d৮LG箩!1߂ᲔCG(qn!"b G;ykwQؽS0$߮J vwvR l‚ו(f7zas ~,MPT @,sA=)O䤔,&N JyuYaS# Bb5=exs:q󄣓WE,H=CmFP 6C1Mv2»kc\gr|PbӇ3Hw@ЕS[JRE61 ax'1x'xGg@ ,-=qOSV{k<4rU|w5&ާX % ^B/ܯmҕ=ҩZNQ@ VۢMG xA66T$E7ҋHRE:.!7@Υi|J;NܩK.Lz-R~IwLm8@, ' c@\3mr@:ao@ + n06$ҫ Tԛ&Ubb|.a[GcmlTmI1O;Τ)"|iSsK瀃 l)])t3l*;jތRY>t *UU054<$qD4[(SF kʸǮ#w)i;8Kc7k|zָS,’z;b}`^KgTJV8b>7n ϖCO'޲k<ĆYy)LaTjۮ!2:M N@ / :BnW]V쮧 7iNl[08OT@\M, wt@5SH aAdVY!6$kJszn`܂_eؠ:wi8ke}j6蝑=׺ i9 ]S/Pφ&<$]WF  q7n [o?*<0֓Vgdo=h|X9H:ތ0:ؘO\*W;Nt, {\_S uIx嚆,ޢ M-׏c a3rn1h[ yo8H`a2W)a RY^.^Izo1XPo0^#V0 =FJZW-Ɇ E *`0ad=IՖ Dq)Zbp6]}rEctbrK\6]X ~lz ;*8:b ߉ҬgR--:_) 2y(&$' <5:=V1{ \|2'9b0әm0ۉpd&-3ý<HHY#߯m.9dF.F{s+Tf\d3+nіUm}yV]F bdə莥a%=jg~Rn:,N70A2FԞkx^NU5btbDJGh5hdti2*5<{>Lj"xxb bFa?Ϫ͒;IoP~z*ޟOd~nn*ZM}5 U@~8AnKetH6 C2C:co;I cǽ :ỒWZ}.9@`m̼DGRS}o ;\cd2z\[׀#gbِT"a=X@*>nde27 G P56# p7,9'yo_*4>wg(-$=agR B}NztsNρOI=Rd7Ǻ0wCE–cbH!̆\nX\x:L$!iʂnz˞r0#sC~b C:΀ ZY҂F$ЄGc~׽nrnR-i`IkB\AAcs}kC6"))ĴF#1CLD:5,ǰgL#|M PB kgPR?w;WXj !1gOiX$߀ =%2@@JOC1,( o$H)??­!KHB}s ^X31?Ŕ,0 uAp?45ypW %ѧQX_:@#(pjAKlRt=:rtT*ʞ |{C@u9,2us x\fJԎ!@<P4'<(%ʅhgFg"'&B &Ȉ@`bJM*IdR|:PJ\ggtUtYUu x#w͊{2q򥅞JV J`xzA dez߃;)pHIPʵ?ѝXF 9^&9nIqst/xZѷh+lԭsm}9^}9\;}41F;f6MƋBrY:2 ͋6Sfr?si.$ "cɃwg;飱8/޿;'a?)Qe3̋ qW~4Ac7[vc+t_?gg:^X9q!65B^Z[+!P/T9jz67a\nq4ħyOB#2[E9yNPsN/PKN5_/?i6sʻP)GJ/oZ(?Y_~ 9Gǜ֗u NrʡsS^s/ Y_~sk\"g">"\/ryC@9sxvY^]YX;Yo!P.Y \sٝx|G]xZLܸLpoQ^"#"@>u_#)^V+f>taOCvHy>j~llZ/O>*8z:RMw ߽,RKtCc,>x'w!45EL=#>}38]7nޣ97p]w n :)xT״} J\ߑF0mFGDd1| ̈ɪ"+579 8]V(*D`I9CTx|Feiګ,91C=b{h8[b(wp E Чc /t̺I 5U|y3 "`TS;I~I Y8P&`!؞.F^͆$w -YǤK4l"Klɜ]k'b"'mg?&L͡; O,O~f+g Mě$nSUrߡQWˡB~22VH'Ճo"{53!Mť{6ﰊ|<%(u5 5t0@2nu–1*FB;Ndqf`ȼ!gP,#V}> 8lu^0H' rmX<apb2 BLɹ}f`$->X v;n;{0M̸r=_b''4WB)*3Up& ɰ\T`'}ס)a4pm_ v:쭨F|m+\1S0L7A  >%Ͷ  ̸>IϐR(K9#.fY{6Dπj gyyU (p6d+("Ntx9=|>^[zQؗG@1agG;Q5R^V|WXr%sDJrE)ߠ(b/<% * >#.X&">m<'6}Fu;H'"@"xraOe]XaYѶy SO~n^O(#o珸6x}4^pkUvy*s*>`HA1Y<[z~v{c*1ee|nHJUƧf2{{:з 57d8[|yQ?Fq:h/Asl2q1Z<3@WD0;"6]F xWa!*e;6K)(Xp^'Ali;\r,c<[^Eҵ<oc3)?;<v; fC &+_2uE>v/-ǬJ~Q.u 7tle @ëh D\M)hPTyX^c 0,*0L8u vKѪ v7"!a^o1n%/$&@Ss=V*)ve6r!*l XGڦZMQa[Anb=x辉=e-{B70* <Ǹ9m@>{zw1G[0rczz묞ƫR6ȴ{ ePCik5ZK (Dq] XâȖWITR6!;/D?8-x:K#fY1[Rj8gn~ӧ4pRaL $b[иODNű<<*ID~y)V f@sOg |>":xqeQ Vt*Nz/vV?Pv/is吇T7uG?;%o:ˌRh\*.Ioڝg'u mݸ͓?^w?]4hI:V; AHcVc"^ֳo 6A|>Ðy6xL ,2VѪwVVtƦI21qzrJ]jq[OE(~ )CU:M\"Zi/!k+4>S!Vrlǝlr n!%c]&ŮMvbec-q!