Posted on 12/08/2005 4:06:06 PM PST by zeugma
Exploit code for the latest version of open-source browser Firefox was published Wednesday, potentially putting users at risk of a denial-of-service attack.
The exploit code takes advantage of a bug in the recently released Firefox 1.5, running on Windows XP with Service Pack 2. Firefox, which initially debuted over a year ago, has moved swiftly to capture 8 percent of the browser market.
The latest Firefox flaw exists in the history.dat file, which stores information from Web sites users have visited with the Firefox 1.5 browser, according to a posting on the Internet Storm Center, which monitors online threats.
"If the topic of a page is crafted to be long enough, it will crash the browser each time it is started after going to such a page," according to the Internet Storm Center posting. "Once this happens, Firefox will be unable to be started until you erase the history.dat file manually."
In testing Firefox 1.5 without a system running McAfee security software, the Firefox 1.5 browser would stall and not respond to a user's mouse, said Johannes Ullrich, chief research officer for the Sans Institute, which runs the Internet Storm Center.
"Users have to kill out of the browser and start over again. This stalled browser creates a DOS (denial of service) condition," Ullrich said.
Packet Storm, the security group that initially published the proof-of-concept exploit code, noted that in addition to the potential denial-of-service attack that could follow a buffer overflow, systems may also be subject to a malicious execution of code.
Ullrich, however, said while the potential may exist, it has not been proven either way that malicious code could be executed.
Mozilla Foundation, which released Firefox, said it was not able to confirm the browser would crash or be at risk of a DOS attack, after visiting certain Web sites. And Mozilla has not received any reports from users of such a problem, said Mike Schroepfer, vice president of engineering for Mozilla Corp.
He added that Firefox 1.5 can be sluggish on its next start-up, due to a bug in the history.dat, but it is not a security problem.
"We have gotten no independent verification that it crashes (Firefox), but there have been a lot of attempts to try," Schroepfer said.
The actual likelihood of running into one of these unless you regularly browse through the shady side of the net, but it's always better to be safe than sorry. Note: that this particular defect does not propagate. That is, it is not a virus or worm. Some nasty person can make your browser crash, which can be fairly traumatic I'll admit after your browser has been up for a week or so with 30 tabs - but still.
Does that include porn sites?
Is it turned off, if nothing drops down when you click on the address bar?
"Does that include porn sites?" Why, no, of course not. Go right ahead.:)
The sample exploit doesn't crash Firefox on my system with OS X 10.4.2. It does seem to make Firefox take a long time to quit and launch though.
Do you have any tips on running firefox from a removable drive? I haven't tried it yet but people here at work say they run it from their jump drives.
Count one here. :)
I'm one and I appreciate the posts about Firefox that appear on FR from time to time.
Only in a technically true sense.
That's me, and I really like it.
One here also.
No. I haven't tried that either, but I've seriously considered checking out how well it works. Personally, I prefer Knoppix for that kind of thing. It doesn't work if you want to save bookmarks and cookies though.
No. That's actually two different things, I believe. I could be wrong though. I'll have to check it out. Does anyone else know?
Update: Slashdot posters are reporting similar behavior. The exploit doesn't crash Firefox, but it can make it take a long time to read the history file and thus appear to have hung. It's unlikely that this is an actual security threat, although it could be annoying.
Is that from Germany, or where? Don't you have to burn a new CD every time there's a security patch? Such as if your firefox on your bootable knoppix needed this patch, you'd have to make a whole new cd wouldn't you?
Good to know. I would imagine in that case, that a quick fix if you got bitten by this would be to simply clear your history.
I figure it's better safe than sorry with this type of thing. Better to post, then clarify as more information is forthcoming.
me three
Isn't that a mostly leftist site? Has always seemed like it to me.
This is not possible. Firefox and Linux are bullet proof and only Microsoft makes crappy software.
Move along...
bump for later
Due to the extremely large number of inaccurate and idiotic posts you've presented to this point, and your tendency to encompass the very definition of the word "troll" on this forum, you are no longer relevant. Thanks and have a nice day.
Well when you start throwing terms like "knoppix" around on a political site, better be prepared to explain what it is.
I included a link.
Due to the extremely large number of inaccurate and idiotic posts you've presented to this point, and your tendency to encompass the very definition of the word "troll" on this forum, you are no longer relevant. Thanks and have a nice day
Looks like just another flavor of U.N.ix, what's supposedly so great about it?
I have been using FireFox on my Mac for at least 7 months...
My version says 1.0.7. What is 1.5?
That's a common claim, but doesn't really hold water. I wrote the following some time back...
Why bother writing a virus for 3% of the US computer market?
Oh, I don't know. Perhaps as someone else already said on this thread, it might be done for the bragging rights of having created the first successful virus/worm to attack Macs.
I've seen this charge that the small market share that Mac and Linux have is what keeps them safe. It is repeated often enough and seems reasonable enough until you actually look at the history of some other worms/viruses.
Consider: the spread of the Witty Worm.
Quoth the poster:
Witty infected only about a tenth as many hosts than the next smallest widespread Internet worm. Where SQL Slammer infected between 75,000 and 100,000 computers, the vulnerable population of the Witty worm was only about 12,000 computers. Although researchers have long predicted that a fast-probing worm could infect a small population very quickly, Witty is the first worm to demonstrate this capability. While Witty took 30 minutes longer than SQL Slammer to infect its vulnerable population, both worms spread far faster than human intervention could stop them. In the past, users of software that is not ubiquitously deployed have considered themselves relatively safe from most network-based pathogens. Witty demonstrates that a remotely accessible bug in any minimally popular piece of software can be successfully exploited by an automated attack.
I suspect there are more than 12,000 Linux and/or Mac hosts out there on the internet.
Also, consider that the folks who were hit with this were also among the more security-conscious users:
The vulnerable host population pool for the Witty worm was quite different from that of previous virulent worms. Previous worms have lagged several weeks behind publication of details about the remote-exploit bug, and large portions of the victim populations appeared to not know what software was running on their machines, let alone take steps to make sure that software was up to date with security patches. In contrast, the Witty worm infected a population of hosts that were proactive about security -- they were running firewall software. The Witty worm also started to spread the day after information about the exploit and the software upgrades to fix the bug were available.
Show me a successful worm/virus against Macs and I'll listen. Until then, your talking point is FUD.
1.5 is the latest version. It was released a few days ago. This thread has some useful information in it before it was trolled into oblivion.
You can download a portable version of Firefox and Thunderbird (e-mail) at http://johnhaller.com/jh/mozilla/
I have used both programs from a USB drive and they work well. You *should* be able to copy your existing profile into the portable version (I am not sure if all extensions and themes are compatible). I have an extension for Thunderbird that minimizes it to the system tray that will not work on portable Thunderbird, it needs a particular .dll on {win dir}/system but besides that I have had no problem.
Count me in.
Bragging rights? For destroying someone's computer? Isn't that against the law? Don't people go to jail for that in the U.S.? If they don't, they should.
Due to the extremely large number of inaccurate and idiotic posts you've presented to this point, and your tendency to encompass the very definition of the word "troll" on this forum, you are no longer relevant. Thanks and have a nice day.
Are you completely incapable of taking a hint?
If you're going to literally call me "idiotic" you better come up with some proof. Right now all we know is you're continually proved wrong on basically every point you try to make, and constantly push this foreign freeware like this 'knoppix' on us. Why can't you answer the question, if it's so simple? You'd have to make a whole new bootable cd of knoppix every time there was a firefox patch like this, right? Is that a desirable situation, to you?
Thanks a great bunch!
Ray
Seconded! Great link for windows folks. Thanks.
Dass war sehr komisch. Wann Ich habe nach dem site gegeht, alles war auf Deutsch und koennte nichts gelesen.
To get there directly, try this.
I know. I was just kidding around. Wenn ich auf Deutsch schreiben kann, dann kann ich auch Deutsch lesen. :)
Not necessarily :-)
Ich kann nicht Deutschen lesen oder schreiben, aber es gibt Plätze, die für mich übersetzen.
Piping things from English to German to French, then back to English using Google Translate can be really amusing. Throw in some ebonics, and it can get really interesting.
We the people, in order to form a more perfect union, establish justice, insure domestic tranquility, provide for the common defense, promote the general welfare and secure the blessings of liberty to ourselves and our posterity do ordain and establish this constitution for the United States of America.
English to German
Wir die Leute, zwecks einen vollkommeneren Anschluß zu bilden, stellen Gerechtigkeit her, versichern inländischen Tranquility, stellen für die allgemeine Verteidigung zur Verfügung, fördern die allgemeine Wohlfahrt und befestigen die Blessings der Freiheit an uns selbst und unser Posterity tun ordain und stellen diese Beschaffenheit für die Staaten von Amerika.
German to French
nous le les personne, pour un parfait un raccordement former, fabriquer la justice, assurer national Tranquility, mettre à la disposition pour le général défendre ordonner, encourager le général prospérité et attacher le Blessings le liberté nous-mêmes lui-même et notre Posterity faire ordain et mettre ce constitution à la disposition pour le État Amérique
French to English
us it them nobody, for perfect a connection to form, manufacture justice, to ensure national Tranquility, to place at the disposal for the General to defend to order, encourage the General prosperity and to attach Blessings freedom ourselves itself and our Posterity to make ordain and place this constitution at the disposal for the State America
I must be bored :-) Time for bed. HAND!
>>>
How was your loading speed on a USB device?
<<<
It is slower than running from the HD but still perfectly useable. The portable versions of FF and TB are set to be disk light (cache turned off etc.). However, if you were going to run applications frequently then a non solid-state portable drive might be the way to go.
In any case I just use the two Mozilla apps to get e-mail and web access when traveling. They have worked very well for that. The only problem is that USB drives will not work as a guest on Windows 98, because 98 needs drivers to mount new USB drives (newer versions of Windows will automatically mount attached USB drives).
For those interested here are two more links to truly portable and "portable" (applications that may not be designed as portable but do not require access to the local drive - in some cases that means copying an existing install to the portable drive).
http://www.tinyapps.org/
http://www.kikizas.net/en/usbapps.html
As a PS, the two portable Mozilla apps need to be started from their own directory. To save me navigating down, I just created two batch files that run them from the top level of my portable drive.
e.g.
Portable Drive
--PortableFirefox
----Firefox progs etc.
--PortableThunderbird
----Thunderbird progs etc.
PortableFirefox.bat <<<Click this to start FF
PortableThunderbird.bat <<<Click this to start TB
So instead of navigating to the correct directory I just click on the batch file to start each program.
The batch files are simple.
Open a new text file.
Type one line in:
.\PortableFirefox\PortableFirefox.exe
Save as PortableFirefox.bat
Repeat for Thunderbird using the line
.\PortableThunderbird\PortableThunderbird.exe
and saving as PortableThunderbird.bat
You can call the .bat files whatever you want and \PortableFirefox\ is the directory that you stored the program files in.
Due to the extremely large number of inaccurate and idiotic posts you've presented to this point, you are no longer relevant. Thanks and have a nice day.
It'd be fascinating to know why...
1) Knoppix security patches seem so critical to GE, in light of the fact that Knoppix runs with a read-only OS on a live CD, and THAT runs by default with all writeable drives mounted read-only, and
2) downloading an iso and burning a new CD seems like a prohibitively difficult task for GE (along with cut and paste and simple command line work), especially considering that the iso is available free of charge, CD's are cheap, and CD burning software is so simple even he could use it, and
3) why, if he doesn't like Knoppix, he doesn't just use the Microsoft Windows XP live CD?
The simple answer is--they aren't critical to him--he's using the format of a question to "point out" that patches aren't automatic or "easy" to install. He's playing stupid to try to make a stupid point.
2) downloading an iso and burning a new CD seems like a prohibitively difficult task for GE
He thinks that anything other than clicking on a single icon is much too difficult for anyone to do all the time. His notion of the "average" computer user is someone clicking on a desktop like the stereotype guy on a couch clicking the remote:

3) why, if he doesn't like Knoppix, he doesn't just use the Microsoft Windows XP live CD?
Because that would give users more choice.
Thanks for showing that, so everyone can see all the bs I've recently shot down, including you not even knowing what the actual GPL looks like.
Due to the extremely large number of inaccurate and idiotic posts you've presented to this point, you are no longer relevant. Thanks and have a nice day.