FireFox 1.5 Buffer overflow exploit
- name already taken
- Posts: 3124
- Joined: February 27th, 2004, 9:54 am
- Location: Utah
-
- Posts: 13808
- Joined: November 7th, 2005, 11:26 am
diilbert wrote:I am unable to find the user.js file.... I tried adding to the prefs.js w/o success... Any direction?
Yes. Don't bother. You will probably never experience this problem, and even if you do, it doesn't do any damage. Just trust in the Web Police. There are many ways to cause denial of service attacks on browsers by coding infinite loops on the Web page, and it's pointless as an individual to try to defend against them.
-
- Posts: 14
- Joined: January 19th, 2005, 2:43 pm
- Location: Cleveland, OH
- Contact:
Will this eventually get fixed?
Tom
Darkscribes, Home of Anime and SciFi Fanfiction and Original works of Fiction.
Darkscribes, Home of Anime and SciFi Fanfiction and Original works of Fiction.
- Nanobot
- Posts: 578
- Joined: April 28th, 2004, 7:25 pm
- Location: California
- Contact:
I blogged about this: Firefox history information DoS vulnerability
Web browser standards support tables
Internet Explorer is dangerous
Web Devout - Promote standards and the health of the Web
Internet Explorer is dangerous
Web Devout - Promote standards and the health of the Web
-
- Posts: 309
- Joined: June 27th, 2005, 5:56 pm
- Contact:
So far what we know is:
- Even with some people claiming this can crash the browser, we have no direct evidence of that and no one has been able to show it can crash the browser. What it does is slow down how fast Firefox will start.
- There is no way to exploit this so it's not a 'security' vulnerability.
- There are several workarounds for this, the easiest one is to set the Sanitize function to clear history when Firefox exits.
The official Mozilla statement is at: http://www.mozilla.org/security/history-title.html
- Even with some people claiming this can crash the browser, we have no direct evidence of that and no one has been able to show it can crash the browser. What it does is slow down how fast Firefox will start.
- There is no way to exploit this so it's not a 'security' vulnerability.
- There are several workarounds for this, the easiest one is to set the Sanitize function to clear history when Firefox exits.
The official Mozilla statement is at: http://www.mozilla.org/security/history-title.html
-
- Posts: 74
- Joined: September 7th, 2005, 9:50 pm
We also know that it's a mork bug, so there shouldn't be any "crash" unless you actually run out of memory. Nor is any buffer being overrun, at least not generally. Several patches are being considered; I suspect that we will end up fixing the bad mork file reading algorithm, as it might cause other issues in the future and it's a better general solution.
Anyway, the thread title is disingenious, considering that it's not an exploit, not a buffer overflow, and doesn't just happen in Firefox 1.5. P'raps someone should change it?
Anyway, the thread title is disingenious, considering that it's not an exploit, not a buffer overflow, and doesn't just happen in Firefox 1.5. P'raps someone should change it?
-
- Posts: 13808
- Joined: November 7th, 2005, 11:26 am
-
- Posts: 3
- Joined: December 9th, 2005, 10:32 am
- Location: Sopef.org
- Contact:
-
- Posts: 778
- Joined: November 9th, 2004, 2:31 pm
- Location: Central Florida
- Contact:
-
- Posts: 3
- Joined: December 9th, 2005, 10:32 am
- Location: Sopef.org
- Contact:
-
- Posts: 778
- Joined: November 9th, 2004, 2:31 pm
- Location: Central Florida
- Contact:
Jonathan Quince wrote:We all know that Mork is a "feature". ;-pPeng wrote:Jweb_Guru wrote:We also know that it's a mork bug ...
It's not a bug, per se, it's just some inefficient code.
Exactly.
No other software has such an innovative database design. (Because they all figured out something better 15 years ago.)
- Nitin
- Moderator
- Posts: 3483
- Joined: February 27th, 2003, 9:38 pm
- Location: San Jose, CA
- Contact:
Its not a buffer overflow
Its not a DoS
Security Advisory:
http://www.mozilla.org/security/history-title.html
A firefox update is unlikely
Its not a DoS
Security Advisory:
http://www.mozilla.org/security/history-title.html
A firefox update is unlikely
If you're not using Firefox, you're not surfing the web, you're suffering it.
Join the MZ folding@home team.
Join the MZ folding@home team.
-
- Moderator
- Posts: 0
- Joined: December 31st, 1969, 5:00 pm
As Nitin shares the official response from the Mozilla foundation better documents this new flaw. It's more of a bug than a serious security risk. It's not in-the-wild and only proof-of-concept code has been developed so far.
Mozilla Foundation Response
http://www.mozilla.org/security/history-title.html
The Internet Storm Center
http://isc.sans.org/diary.php?storyid=920
Secunia information - rates as a non-critical security risk
http://secunia.com/advisories/17934/
P.S. A more serious web based security risk is the unpatched 911302 IE vulnerability where 3 new JS based worms just popped out of the woodwork
Mozilla Foundation Response
http://www.mozilla.org/security/history-title.html
The Internet Storm Center
http://isc.sans.org/diary.php?storyid=920
Secunia information - rates as a non-critical security risk
http://secunia.com/advisories/17934/
P.S. A more serious web based security risk is the unpatched 911302 IE vulnerability where 3 new JS based worms just popped out of the woodwork
- non-linear
- Posts: 167
- Joined: March 29th, 2005, 8:14 pm
Has anyone else had problems with this workaround? I had a problem that I was trying to pinpoint for a couple weeks now, where I couldn't load articles from tv.com (the header loads, but the article beneath wouldn't). After many hours of fixing and trying things, I was able to figure out that this caused the problem. Removing the entry from the user.js file didn't work; the only way I was able to get it to work properly again was to create a new profile and leave it out
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
Thunderbird version 1.5 (20051025)
Thunderbird version 1.5 (20051025)