Highly Critical Vulnerability Reported by Secunia

User Help for Mozilla Firefox
User avatar
Posts: 14455
Joined: November 27th, 2003, 4:50 am
Location: Warwickshire, UK

Highly Critical Vulnerability Reported by Secunia

Post by Vectorspace »

This vulnerability has been fixed with the release of 1.0.7. All users of 1.0.x are advised to upgrade.

Original post:

From: http://forums.mozillazine.org/viewtopic.php?t=315499
TechMason wrote:<a href="http://secunia.com/advisories/16764/">SA16764 - Firefox URL Domain Name Buffer Overflow</a> was just reported today by Secunia and is rated highly critical.

(For) Now Fx is rated as vulrnerable as IE.

Tom Ferris has discovered a vulnerability in Firefox, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially to compromise a user's system.

The vulnerability is caused due to an error in the handling of an URL that contains the 0xAD character in its domain name. This can be exploited to cause a heap-based buffer overflow.

Successful exploitation crashes Firefox and may potentially allow code execution but requires that the user is tricked into visiting a malicious web site or open a specially crafted HTML file.

The vulnerability has been confirmed in version 1.0.6, and is reported to affect versions prior to 1.0.6, and version 1.5 Beta 1.
Secunia report: http://secunia.com/advisories/16764/
Mozilla Security report (including temporary work-around): https://addons.mozilla.org/messages/307259.html

Patches to fix the bug have been completed and the bug is now marked as resolved: https://bugzilla.mozilla.org/show_bug.cgi?id=307259
The problem will be fully fixed in the forthcoming Firefox 1.0.7 and Mozilla Suite 1.7.12 releases.
The second set of candidate builds of Firefox 1.0.7 and Mozilla 1.7.12 are currently being tested.

Temporary Work-Around
In the mean time, you can protect yourself from this bug by disabling Firefox's Internationalized Domain Names function.

An xpi (for all Firefox versions and Seamonkey/Mozilla Suite) has been made to apply this workaround for you: http://ftp.mozilla.org/pub/mozilla.org/ ... 307259.xpi
If for whatever reason the patch does not work you should make the manual change as described below.
Right-click the link to download the file to your desktop, then drag it into an open Firefox window to install it. All users should do this.
Should you ever want to uninstall this temporary fix, go to the folder Firefox is installed to, go into the defauts/pref subfolder, and delete the file 'bug307259.js'. Uninstalling it is not recommended.

You can also do this manually by changing the network.enableIDN peference to false in about:config - this will work in all Firefox verisons.

A similar issue, unique to 1.5 Beta 1 has been reported, although it would appear that this one can only cause Firefox to crash cand has no security implications beyond that. Applying the above workaround will not solve this problem.

There is a discussion thread on this bug here: http://forums.mozillazine.org/viewtopic.php?t=315499
Please do not start new threads on the subject.
"All things being equal, the simplest answer is usually the correct one" - Occam's Razor
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20110624 Thunderbird/5.0