Sponsor for PC Pals Forum

Author Topic: Firefox blighted by unpatched bug  (Read 1323 times)

Offline Clive

  • Administrator
  • *****
  • Posts: 75153
  • Won Quiz of the Year 2015,2016,2017, 2020, 2021
Firefox blighted by unpatched bug
« on: September 09, 2005, 18:22 »
The Register
By John Leyden
Published Friday 9th September 2005 15:43 GMT

Security researchers have discovered an unpatched vulnerability in Firefox that might be used to crash vulnarable systems. Hackers might also use the security bug to trick surfers into running malicious code by simply fooling them into visiting a maliciously constructed website.

This is a class of problem well known to IE users but it will come as a nasty shock to users of the alternative browser, which has been seen as something of a safe haven from hacker attack even though this assumption has come under question over recent months. The vulnerability, discovered by Tom Ferris of Security Protocols, applies to Firefox version 1.0.6. Previous versions may also be affected but this has yet to be confirmed. The security bug stems from an error in handling a URL that contains the 0xAD character in its domain name, giving rise to possible heap-based buffer overflow attacks. Security notification service Secunia describes the vulnerability as "highly critical". It advises users not to browse untrusted websites as a precaution. This isn't exactly the easiest precaution to stick to, though it's the only one on offer just now pending a more comprehensive workaround from the Mozilla Foundation. ®

http://www.theregister.co.uk/2005/09/09/firefox_security_flap/

Offline Clive

  • Administrator
  • *****
  • Posts: 75153
  • Won Quiz of the Year 2015,2016,2017, 2020, 2021
Firefox blighted by unpatched bug
« Reply #1 on: September 12, 2005, 14:35 »
Firefox flaw gets temporary fix
Joris Evers
ZDNet UK
September 12, 2005, 09:40 BST
 
Responding to the disclosure of a serious Web browser flaw, the Mozilla Foundation offered on Friday a temporary fix to protect Firefox and Mozilla users.
  
The downloadable fix protects against attacks that take advantage of a new, unpatched flaw that could let attackers secretly run malicious software on users' PCs. The flaw was disclosed late Thursday by security researcher Tom Ferris, sending Mozilla staff into damage-control mode.

The problem has to do with the way the Firefox and Mozilla browsers handle International Domain Names, or IDNs, said Mike Schroepfer, director of engineering at Mozilla. IDNs are domain names that use local language characters. The fix disables support for such Web addresses, he said.

"This is a temporary work-around just to deal with the immediate issue," Schroepfer said. "We're working on a future release in which we will actually fix the problem and re-enable the IDN feature." Switching off IDN support impacts a subset of Firefox and Mozilla users who actually use such special domain names, he said.

Though there is no known attack that takes advantage of the flaw, Mozilla advises Firefox and Mozilla users to disable IDN. "Luckily we do not have any known use of this exploit, but it is fairly critical if there were to be (an attack), so this is a recommended download," Schroepfer said.

Mozilla expects to fix the vulnerability in beta 2 of Firefox 1.5, the next release of the open-source Web browser. Beta 2 is due Oct. 5 and the final release of 1.5 is expected by year's end, Schroepfer said.

In addition to the downloadable fix, Mozilla on its Web site also offers instructions to manually disable IDN: Type "about:config" in the address bar, hit Enter; type "network.enableIDN" in the filter toolbar, hit Enter; right-click the "network.enableIDN" item and select Toggle to change value to false.

IDNs have caused trouble for Mozilla in the past. A Firefox security update in February fixed a flaw that would allow domain spoofing using the special domain names. A spoofed link would seem to be a legitimate address, but instead of taking the victim to the trusted site, the link would lead to a phony Web site.

Though vulnerabilities in Microsoft's Internet Explorer have been the focus of much of the concern, other browsers also have had their fair share of flaws. Security has been a main selling point for Firefox over IE, which has begun to see its market share dip slightly--for the first time in years.

However, Firefox has had its own security woes. Several serious holes in the browser have been plugged since its official release, and experts have said that safe Web browsers don't exist.
 
LINK

Offline Simon

  • Administrator
  • *****
  • Posts: 77923
  • First to score 7/7 in Quiz of The Week's News 2017
Firefox blighted by unpatched bug
« Reply #2 on: September 12, 2005, 17:47 »
Quote
...experts have said that safe Web browsers don't exist.

I am of the opinion that web browsers are perfectly safe, until people start using them for dubious purposes.  If you go looking for 'dodgy' websites, then you have to expect the consequences.
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Offline Lona

  • Ultimate Member
  • *******
  • Posts: 11979
Firefox blighted by unpatched bug
« Reply #3 on: September 13, 2005, 20:17 »
:lol: Clive being the authority on dodgy sites will have to get the security download.  :heehee:  :bad:
http://dinah.www.idnet.com/chrisisaac.swf


If one took the Scots out of the world, it would fall apart
Dr. Louis B Wright, Washington DC, National Geographic (1964), from Donald MacDonald, Edinburgh :thumb:


Show unread posts since last visit.
Sponsor for PC Pals Forum