Highly Critical Vulnerability Reported by Secunia

[TechMason]

<a href="http://secunia.com/advisories/16764/">SA16764 - Firefox URL Domain Name Buffer Overflow</a> was just reported today by Secunia and is rated highly critical.

(For) Now Fx is rated as vulrnerable as IE.

Description:
Tom Ferris has discovered a vulnerability in Firefox, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially to compromise a user's system.

The vulnerability is caused due to an error in the handling of an URL that contains the 0xAD character in its domain name. This can be exploited to cause a heap-based buffer overflow.

Successful exploitation crashes Firefox and may potentially allow code execution but requires that the user is tricked into visiting a malicious web site or open a specially crafted HTML file.

The vulnerability has been confirmed in version 1.0.6, and is reported to affect versions prior to 1.0.6, and version 1.5 Beta 1.

[Unarmed]

Temporary workaround: Disable IDN support (toggle <strong>network.enableIDN</strong> in <a href="http://www.mozillazine.org/misc/about:config/">about:config</a>).

[sysKin]

1.5beta1 looks safe (doesn't crash)

[n0ym]

Did Secunia report this bug to Mozilla first? If not, how nice of them to publish the bug without giving the Firefox developers the chance to fix it (standard practice when they discover bugs in IE, for example).

[TechMason]

Did Secunia report this bug to Mozilla first? If not, how nice of them to publish the bug without giving the Firefox developers the chance to fix it (standard practice when they discover bugs in IE, for example).

If you follow the Originally Reported link, http://security-protocols.com/advisory/ ... visory.txt
you will see in there:

Mozilla was notified, and im guessing they are working on a patch. Who knows though?

[n0ym]

So, in other words, they notified Mozilla, but then didn't wait for a patch to be issued. I've noticed that Secunia frequently witholds information about bugs in IE until Microsoft has a "patch day" and makes fixes available. So, I guess I'm wondering what happened here.

[makaiguy]

Temporary workaround: Disable IDN support (toggle <strong>network.enableIDN</strong> in <a href="http://www.mozillazine.org/misc/about:config/">about:config</a>).

Okay, I've done this. But what is it I've disabled and what am I giving up by doing so?

[Unarmed]

http://en.wikipedia.org/wiki/Internatio ... main_names

[TechMason]

So, in other words, they notified Mozilla, but then didn't wait for a patch to be issued. I've noticed that Secunia frequently witholds information about bugs in IE until Microsoft has a "patch day" and makes fixes available. So, I guess I'm wondering what happened here.

I don't think that there is any favoritism going on with Secunia. This particular vulnerability was posted on http://security-protocols.com on Sept 5th so, it was public knowledge. I think the situations that you speak of with Secunia not posting an advisory until after the patch are different because those vulns were not publicly known.

[TechMason]

Temporary workaround: Disable IDN support (toggle <strong>network.enableIDN</strong> in <a href="http://www.mozillazine.org/misc/about:config/">about:config</a>).

Thanks Unarmed. I have notified Secunia of this workaround. Hopefully they will add it to the Solution section of the advisory.

[old np]

Can't find anything in Bugzilla.

[TechMason]

np,
There probably is one that has the security flag set and is not accessable to mere peons like us
I will open one anyways just to be sure.

[TechMason]

...and there is a bug for it already.

[billyvnilly]

The flaw was first reported to Mozilla developers by Tom Ferris earlier this week, but he opted to publicly disclose the problem following a disagreement.

http://www.betanews.com/article/Securit ... 1126279570

whats that all about?

[old np]

...and there is a bug for it already.

Link?