Mozilla Downplays Firefox 1.5 Exploit

A proof-of-concept exploit for an unpatched Firefox security hole is published, but Mozilla officials disagree on the severity of the threat.

A private security outfit has released a proof-of-concept exploit for a security flaw in Firefox 1.5, warning that the code can be modified to launch code execution attacks.

However, officials at the Mozilla Foundation are downplaying the threat, insisting the bug is more of an "annoyance" than a serious security vulnerability.

The exploit, which was posted on the Web site, targets a buffer overflow in Firefox 1.5, the newest browser release from Mozilla.

The exploit has been confirmed on Firefox 1.5 on Windows XP SP2 (Service Pack 2) and is caused by an error in the way the open-source browser handles large history information.

A successful attacker can fill the browsers "history.dat" file with large history information by tricking a user into visiting a malicious Web site with an overly large title.

/zimages/1/28571.gifMozilla updates Firefox to fix security gaps. Click here to read more.

According to the alert: "This proof of concept will only prevent someone from reopening their browser after being exploited. However, code execution is possible with some modifications."

Mike Schroepfer, vice president of engineering at the Mozilla Foundation, said initial investigations have been unable to reproduce a code execution attack vector.

"That [code execution] claim is unsubstantiated. Weve had no reports, internally or externally, that this goes beyond denial-of-service issue," Schroepfer said in an interview with Ziff Davis Internet News.

"Weve been able to reproduce a denial-of-service problem. Weve looked at the source code to analyze the risk and found that its not a very severe issue."

"At this point, we have no confirmed evidence that this is anything more than an annoying denial-of-service attack," he added.

Schroepfer said Mozilla engineers have analyzed data from the browsers built-in crash reporting tool and could not find anything beyond the browser consuming a large amount of CPU and memory resources when it starts up after an attack.

Security alerts aggregator Secunia Inc. backed up Schroepfers response in an advisory that rates the flaw as "not critical."

Secunia recommends that Firefox 1.5 users remove the "history.dat" or configure the browser to clear history information when closing the browser. This can be done via the Tools > Options > Privacy > Settings feature on the browser.

The publication of a zero-day exploit for Firefox puts Mozilla in a dicey situation as it attempts to evangelize the browser as a secure alternative to Microsoft Corp.s Internet Explorer.

/zimages/1/28571.gifMozilla readies another Firefox security makeover. Click here to read more.

According to the latest statistics from Web measurement tools vendor Net Applications, Firefox continues to bite into IEs market dominance, reaching 8.84 percent usage in November 2005, driven mostly by dangerous—and unpatched—IE security holes.

Schroepfer dismissed a suggestion that the latest flaw warning is a black eye for Mozilla.

"Our mission is to continue to make the product the best and most secure browser available. The record over the last year speaks for itself in terms of how rarely there have been unpatched issues in the wild," he said.

"We spend our time improving the browser and addressing [security] issues as they come up. Id like to think that the users are smart and the understand that Firefox is a much more secure product than the alternatives," Schroepfer added.

/zimages/1/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.