Results 1 to 4 of 4

Thread: Firefox flaw found: remote exploit possible

  1. #1
    Head Honcho Administrator Reverend's Avatar
    Join Date
    Apr 2002
    Location
    England
    Posts
    14,040

    Firefox flaw found: remote exploit possible

    Computers running the Firefox browser could be open to remote attack as a result of a buffer overflow vulnerability reported Friday by security researcher Tom Ferris.

    Vulnerable versions of Firefox include all those up to 1.06, and even version 1.5 Beta 1 (Deer Park Alpha 2), released on Thursday, he wrote in a posting to his Web site, Security Protocols, and to the Full Disclosure security mailing list just after 6 a.m. GMT Friday.

    Ferris said he reported the bug to staff of the Mozilla Foundation, the organization behind the Firefox browsers, on Sept. 4, but had no idea whether they were working on a fix for the problem.

    The problem is caused by a bug in the code Firefox uses to process HTML (Hypertext Markup Language) links in Web pages, Ferris said. Links pointing to a host with a long name composed entirely of dashes can be crafted so that Firefox will execute arbitrary code of an attacker's choosing, he said. He also supplied a piece of code demonstrating the flaw.

    Last month, Ferris reported a critical flaw in fully patched versions of Microsoft's Internet Explorer 6 running on Windows XP Service Pack 2. The flaw was acknowledged by Microsoft, but in that instance, Ferris did not reveal any details of the flaw or how it could be exploited.

    source: InfoWorld

    =========== Please Read The Forum Rules ===========

  2. #2
    Head Honcho Administrator Reverend's Avatar
    Join Date
    Apr 2002
    Location
    England
    Posts
    14,040
    Update:

    On September 9, the Mozilla team released a configuration change which resolves this problem by explicitly disabling IDN in the browser. The fix is either a manual configuration change or a small download which will make this configuration change for the user. Instructions on administering these changes can be found below.

    How to update
    There are two methods for resolving this problem. The first method is to install a small download and the second method is to manually change the browser configuration.

    Installing the Patch
    To install the security patch for Firefox or the Mozilla Suite, follow these instructions:
    1. Firefox and Mozilla Suite users click Install Patch (coming soon, please see manual instructions).
    2. In the Software Installation window, click the "Install Now" button.
    3. Exit and restart your Mozilla or Firefox browser.

    To verify the fix in Firefox 1.0.x, be sure to restart the browser and then follow these steps:
    1. In Firefox Click Help -> About Mozilla Firefox and verify that the user agent string contains "(noIDN)"

    To verify the fix in your Firefox Beta or Mozilla Suite, be sure to restart the browser and then follow these steps:
    1. Type about:config into the address field and hit Enter.
    2. In the Filter toolbar, type network.enableIDN.
    3. Ensure that the the value for this item is set to false.

    Manually Configuring the Browser
    To manually change the browser configuration for Firefox or the Mozilla Suite, follow these instructions:
    1. Type about:config into the address field and hit Enter.
    2. In the Filter toolbar, type network.enableIDN.
    3. Double click on the network.enableIDN item to toggle the value to false.

    To verify the fix in your Firefox or Mozilla application, be sure to restart the browser and then follow these steps.
    1. Type about:config into the address field and hit Enter.
    2. In the Filter toolbar, type network.enableIDN.
    3. Ensure that the the value for this item is set to false.

    View: What Mozilla users should know about the IDN buffer overflow security issue

    =========== Please Read The Forum Rules ===========

  3. #3
    Near Life Experienced TZ Veteran zipp51's Avatar
    Join Date
    Oct 2002
    Location
    Massachusetts
    Posts
    1,101
    Good find Rev,thanks.
    The definition of insanity is doing the same thing over and over again and expecting different results.

  4. #4
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,506
    all fixed and ready to go blind

    ------------------------------------------------------------



Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •