Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Mozilla Downplays New Firefox Bug



 By: Brian Prince
2009-07-20
Article Rating:starstarstarstarstar / 3


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Mozilla is downplaying a reported bug in its Firefox browser. According to Mozilla, initial reports that the vulnerability could be exploited to execute code are false.

Mozilla is pouring cold water on reports of a severe bug affecting its Firefox browser. 

Reports of a new stack overflow vulnerability affecting Firefox surfaced not long after the company released a new version to patch a critical bug in the TraceMonkey JavaScript engine's JIT (just-in-time) compiler. On Sunday, the SANS Internet Storm Center warned the vulnerability could be exploited by hackers to execute code. 

Mozilla, however, contends that is false

Resource Library:

In the last few days, there have been several reports (including one via SANS) of a bug in Firefox related to handling of certain very long Unicode strings, wrote Mike Shaver vice president of engineering at Mozilla. While these strings can result in crashes of some versions of Firefox, the reports by press and various security agencies have incorrectly indicated that this is an exploitable bug. Our analysis indicates that it is not, and we have seen no example of exploitability.

On Windows, Firefox 3.0.x and Firefox 3.5.x are terminated due to an uncaught exception during an attempt to allocate a very large string buffer; this termination is safe and immediate, and does not permit the execution of attacker code, he continued. 

On Mac, in Firefox 3.0.x and 3.5.x a crash occurs inside the ATSUI system library because of what appears to be a failure to check allocation results. Mozilla has reported the issue to Apple, but will look to implement mitigations in Mozilla code in case Apple does not provide a fix, Shaver said.

On Linux, the problem is similar to that on Mac: there is an abort in system libraries (pango, glib, libc), he wrote. Due to the wide variation of Linux libraries and versions deployed, and different compilation options chosen by Linux distributors for Firefox, the details of the crash report may vary between machines.  

Last week, Mozilla released Firefox 3.5.1 to fix the TraceMonkey vulnerability after attack code surfaced. The latest version of the browser is available here.
 





  Reader Comments: Mozilla Downplays New Firefox Bug
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Brian Prince
 


x}kw89v2zڎ#rmy,%$)CR~wr[/=(v;Im @^( ?'I"nZΘ\̦dwꚃ>}K$oB}NUQR C7((bP<HwO7n[cQ0R?`᳙*,Q  tjGt0]2x6k:&o4veki cߨ_[&``1\|T@ۗC < tWӺ#AhFA|QCѺYQy$pm<$Q}# L Cw*Nul9 Q6RV2/Fӽ<t[h  #k|E=x:Q/M+l m׸ڮUX'[vRQ(0B.Ą/t#I%߼q@ؓ&thmu|'b#Q^]õ]&ZΡR͌eCwt=PzOMҳBCLH6}~8IZQO .m4GF^_1'@8:)|y[6'0l_k|uv3< 3~5 CoZe؄j%ozcnć!LjZ L|:j/EӝF3l˸-:4 PS+}(Z}`[BUzEÝ5Εiѻ]H C[wnZIۇ_w{>~lr  + o$&W ZDTQRp& Rc@GǏI^:GH5=(ǭ~oZ%MR?4,fϷ3+i*H,GQD~6/NM㳣N;lL,!V4*V].?#;ˠrqszr|qӹlꎓz>:AGAtišh4ϬP7&h`C:}ҍ;LZ ? 'pGbd.x: }C 04mLH"wM h&rkI7.[A0? ; O`r]ɝ5E0%ݻCi`y1yj =*~3`=w}   l߃5#~[-[Z6x O͙A }C|#s\.(Lw#2)%%E2G4.'H(AH 9[h ]99z|?#!bRN[ T6ݞH:w@T*esMX)gQY,p[/)Pf%5{~6 cbB|#'&Xr`Y \d+|i)lb 6؛ri:|:ioB{4 08Bdp=YIZLcpQY)hAwq=7cBCEs;JͰ"hZ5g{8.Ƈ5#wt<ͩqb;_A:\!4Lh,G7qGYlENUX!t3tT+yӏϞS ۀ}Q1R5i5) w$mrn)RЛv!s9n! xW.Y 2gxRUY(:[(,O,s1r@uOSjS͸T3Q2C+L)Eۋ)i SX-8E/4-{'ٲRd-YV+%fsP쉟 :Rj'~d7Bɶ/^¼xeP4VR$kϥ%2=6PcD6"C 7(=u  XTM._`}dҶF*zESZ25k-l!1ȁ2(M dgbbˡB2 OaNc}6xAz{fL18yRv&n \ ˀ9\G&fF- o+_ Š%1tJ]qY3:/ {ŅaWlIsWk4GuM8@oE"}A`N4S Ȳ`z`ُ׽IA̫U+P  ӸcsMD@ g2,rGmAuN֝G<Zj\X,>9WaR9> 5 T !őOT׃RUah(j^~TwV0\nSњa+;ЂqWm*IH b[(Qg&3QP7&8mw4dHܸ/|P"8 y@*&Oz  [ h [zqSE+n @&)G.q sWyGfYa0Ky:kR^KGVUJj5qv hw͂wQ)4G  j}q:M7Xfe^: ~w^Jd>t0|jVN8aE>yLLJ<>zg BZ_*'ϐMqѡ,uo亢#Ïn OQ g#lhCxR '`Q`*ܴf{B[DHo@YZDqU4d ӀY~W2ñ"9EYۏ6Wb=>` Dq8_Fn9.^٤Ĉ԰ϋhwyUMy0YhRYpg#Y9޺Vߪ}jz6eVA=~jv'oa*Z X GpSV3O>,Ǥ|U4,t0a 3Op(ܙĝkF@;3l} {P4dxP.bWAJ[6A/Kl䘇%b "K,8.zCdDZz+އ\\7@Aŷ-.T%"c^f.g|]~kLQXGTUe@5yģT1#y $6-.wEZЋҶ E5bbbϦ\N,Yfy0wjj_8aqVZUR U!T^>xc_7)~TC~km{~B&T˲T\^CU\+Ԋ3YXII#G.ɢ6A(™)dIH9gl)`R(S=T@]Z +ia/ dw]: PG" cZ,nAyr@ݎo3/4ڎu.j$2~*A?0TlʪVW%iZ]J֟'vپEm(GKeṚ+÷(yXuaEP5 ]Uj;_ s 4a!`\?=bP?n ]^*~ t9CT`|"@`'d8֎oa mԄ2xtLaV*79oA!RDC#I _UIn0DR*LpGssb~j.A+S$/I4\C2:;Aldzg]ItMv@Jۋ=^Ec1Aqsѹnt/;YA^vи6@MC~:'!w'RE8o9P K1NCbw}WszV^NN:km}ڏ.odٞhQ^8wK%y7;$˶u߽o=rH.;.X" GB9>oS|OM1+&03h"⑩!g`&V P8I s:TzF_j,6ψAT p0Z)ΒGa֭ Bb-3Bt LVC (ʡ=`=` ɈN)>vcϻȖBL0B_XH!)$je*K<;iw[(6[;F_E'k; R-g[M7S+dI;GD_q-'=?.[i't>!94tY݇$K 2c.A-6ؾJ9 4SJd"8%;?m[=RvGP2)V9IZ[ŰB ݖ:`<5s2)Mz.?|Li+'iZVӼ6X(4%44ґOCYB*dÅ7' һj]npVPto6_xvImK$gQ= fKEҊPk qbG-g+y--E#]}+ iǢa|x=Na9$cLi9 gEuX.TkۦN+ttOYȍbN~ڑq eީӊFq>P]9Yz$AC~g}\0@;z{w_7|Of0W)l8ninmơ8  J~Vj'Mt:DjE[c{wC9Ȫ̙S.{R؉7'2^q+:&n_%3ތ<4/LZ2gP:9G׍[rf#F0[vƹE u?h2n~J]ݹicVD)]s<ǵ"v9KJIɇymzSDm֗Fݽ]޿vȿLĬxBw{4Sˁ5mq.wF3"# me(r9h! CFܴCK]:RӉXU LY fatrZCc8UGX1~l@s o ;yrfw^J)S0!&n% vvwR>] _cp2V1r7i9s .*c&V8YeJ_'[RS WLKZytutd{/ׄ @%- t[6|p,vYDfD{oǁP?mɉnj5WR1f}t.R`l+<e*O$J]yg Rw@⪒^كXK&4@e?4~s'W^/!/Ӈ GHt@=YӇI,O1zjbO# !B6)AsIReiҽ9jHԣURm Kxeġ1ۢI~#=ljJ'b{O@m/4*ʾwqR[;"z^sIlM&P WSŽVKF>  uWԟXyRQj&tN:KJB6xVtGRi՚,p~"ETlFkDbhEc`K!q3sIaYy5%y)E{,5_˂w0@RUINˡailٶ.]ٳ1`\LZ; rT @LjQB n:haŭh*))0l,Q41ـF+u'mȺAϓȚ167PM R9(-[R5 .KjDop^Wj0%eea & 7AE/)OED/n@> KrYĴԦz@-UQVT U#eUUP&h\ynnPi[)KƆOŕڥ;;gJ̕2>c2&PA@8Hk;lnZsKM tB7s81[l)Qc`J~4TVӇї'x^r,U3t+@%)H%pϕW[i(\^Toz-i|k">_BU]Svc('/r>x٣G3 {E$>cwޮR>{[ yQλBW,7e @Ԋj#rUjpPz;b|tFuOV*jm㺅3Ox ?:2}OEX 6$s}" Ma+^SBU`XbvT”`CZWK+h2#H@v` $$ADd~9T-8߷NImHh/-;@&-}i^uoO)e*)B,fsE}wyjB%d 09lF{.SߊkiS+舽Mۈ7?lh AU.>\݉݉݉݉݉/֜+&U>Q>(Z)mScD*jDw -Tsï`h8ؚgd08)컦zodMA"^N2H>{s74F XұH`j:=>Rs+4 <`rl_RG 9L԰1o1u3syD0Fkke{^NdJ͈g ? Aҋi_,h-Ԕ1}\4gw KwIoOo2h%JHWtx?\;gbMnQ76k\[kV9S7}N|w6Hn8 }ěVNu*!H}0$AԢLDo>Wˢ&3aN ͝oioDsqvnU2cWS-!_g Ykʹ9k + tCo6!;XϤZǃ20H|9Wf ?E3h~wLd6Vfl<^$I-ڦ/hׇ `|F0 c l 3R83X#y=&UV忍#+tхlJY2VC}__)']D6b^%hjV_fX+j%"Q0M_)#5cqXͯXx["L )z5.j7εW 5G|-3/Em/< rS}yߒ`G2a˶뿑$}7mv`'~$LAYlPӬf0n!۟`n2yK9u2{ga0D%_C~OwwkeOAr副]cL" B~55Vq9I.zd7'|o㎈0Uňk(G>?w-F5>ZoS TJY#!kjj`+O4#zȮ@]o~4,d|D?SM}1w;> ,8Et :+=6i[ M]ELa!-(-ȮqaIzŽQ&{ψ$9Q}IMm& 0kQ`h(&lZO'q/%+cۏAE&Lj[9^R,ob{aQɨ1gfSYh9-`cj9Fwj5e_]ιO?P.sZXuV%d{'VH=ܚ&>"rR O=#TZ|pU% & ̵B5-5נw_67V3#6j=!v ѕVy ֵn&-k]қb8jYՉJ&\ mݹ]檏ݸ!5&Q|qX# r cՒn4XWK+ۏMN.y(>s҇5o$=W mHX#NgNJNH WIkm2J%33\mDΝz?qbS~fb +KN,.d3+nVTm}yV9FKx< @ə莥#rzU7XLBLU\3ZMqheu !𞖹kS0 ɘC@# PSKC7<6K$AeЇ5T?0 )U0kКZG*t J ݲYA! !17m߄QT1E# :᫒WZ5*Gw/tX3/b3-Ѩ#ީ>I12K= o 9pb X`Oi$}b 飊we~t:Ìféb\]:vN5j' P=P,`A~vBj@̔0(cusBG4_ Dy+a]M,#?0(.ŌCZS*ѓȤ+t+R0cU+_cPw^7Dk+z+YT(sI+;}^hh t0 c3B's;˱l]]"k"6}8_w%9jwopoW[u{{sپ\YJ.|iKy/m25^ Q9l]28SΘKs!Yx9Kxu< /ELyx&0y|L*a^e9DM@+}qL[񏩣up :Okj|q3_Z9v&65B^Z[+!(8jz67a\nq4ħyOB32[E9yN{(S+S~ ׫ˏ[@.wsʑO'c(?^]~ 9;Vu ͳI9)ureN9B}/Z]~sk^"g">"\/ryC@9%{#sg#q$]a芫-5n+ ǤZu36 0xs/-Cyio2;AQFgG6+.ȭ-'Hl]=g%%x=0?Mu{.2پWߕ\~Sny+tq2<#s"qGX%[n3'rOB[P#|.y |8SNtOYkwV/si˘'ԎlOAprmv3}icax&}>} om;yx#V2d;w6 S췡\<)NAf>ţu.TlP`24UF` Ԋz!J1 =4`֭tKb(p E Чc +w̆N˘z͛ˌ)æʗᄽJ/$` f@2b'`{z58 [Y0`Yh6VI2hؐCs؂9N-#E1N>@L™ZCwJX&5$W"Zf 6@ C!ϖC1<:,ed` NuOEH$pgB͛Klޜ@eD˪U\:~ sf:aKƘS DMKIn_!x@GErby{sdg]"X)43G}@ӟF}q!bny: ҹV/ix\%Ͷ ;1̸>IϐR1ns3v,=GIkg_6 B3q< Ù8c鱽¤$Vr.U =@UZVAoL3SY,> V_dvO~5B+*π 8H2Gd!᳤c9"=>(.X&">m<'6}Fu;H"@@/7A{} r@c8Eߟ2"L)ԦLSw)+],by Y3M` p#Q#*^g ͜5%S+~`[wt)(5x2;v͆Le(\v /-GyJ~Q.t 7tli @J^> D\K)hPK ei$i%k5-E6<]܈XCx?ƽnb@R^H3LN*s=*)ve6r!*l XGڦJ-Qa[Ajb=x_g¶,yX\ F\XۙF ya1 g'{yW=?5jl3G]g4^n,eLװ,,L[˙Z']XD!hXbE"O q~ mNjY1+ RGQf7}OA 'Ɣ ϰ"- sWmxDx^]"P߯JVlw6++Ѐ7HY;PE"1uHaHbV\3|7ZО3q7C'M{ar8Lt4QS|oe1}0-X+0V_kAkDeU|tCG_ÎB3ىZIpR!-#79=CBiF"5cP!X]-nB@: εx C,$ˋ} cyx Uf}#)VS/̀.?q&g\ƕEyXqө8Yo?.)ZwByڽKRI>R}v,:~vڎ.3Jbq')iwޝwϻ X7u㖗߿~<6#EKB^ T>Vurҹ| uM+_0dF-<#DYfCժZ-Nj~ӷۊ#iQf8&rYOrѥ;o7 D^R꧰a9TUd%r R{+4>S!aa؄;66BJ:6L]_X P~)