Mozilla is pouring cold water on reports of a severe bug affecting its Firefox browser.
Reports of a new stack overflow vulnerability affecting Firefox surfaced not long after the company released a new version to patch a critical bug in the TraceMonkey JavaScript engine’s JIT (just-in-time) compiler. On Sunday, the SANS Internet Storm Center warned the vulnerability could be exploited by hackers to execute code.
Mozilla, however, contends that is false.
“In the last few days, there have been several reports (including one via SANS) of a bug in Firefox related to handling of certain very long Unicode strings,” wrote Mike Shaver vice president of engineering at Mozilla. “While these strings can result in crashes of some versions of Firefox, the reports by press and various security agencies have incorrectly indicated that this is an exploitable bug. Our analysis indicates that it is not, and we have seen no example of exploitability.”
“On Windows, Firefox 3.0.x and Firefox 3.5.x are terminated due to an uncaught exception during an attempt to allocate a very large string buffer; this termination is safe and immediate, and does not permit the execution of attacker code,” he continued.
On Mac, in Firefox 3.0.x and 3.5.x a crash occurs inside the ATSUI system library because of what appears to be a failure to check allocation results. Mozilla has reported the issue to Apple, but will look to implement mitigations in Mozilla code in case Apple does not provide a fix, Shaver said.
“On Linux, the problem is similar to that on Mac: there is an abort in system libraries (pango, glib, libc),” he wrote. “Due to the wide variation of Linux libraries and versions deployed, and different compilation options chosen by Linux distributors for Firefox, the details of the crash report may vary between machines.”
Last week, Mozilla released Firefox 3.5.1 to fix the TraceMonkey vulnerability after attack code surfaced. The latest version of the browser is available here.