Free Republic

Mozilla Says Firefox 1.5 Bug Not Serious
TechWeb News ^ | December 12, 2005 | Greg Keizer

Posted on 12/12/2005 10:15:30 AM PST by Eagle9

Mozilla Corp. has warned users of its newest browser, Firefox 1.5, that a bug in how the software handles extremely long names can make it seem that the computer has crashed. The flaw, however, does not expose users to attack, contrary to earlier reports by researchers.

Malicious pages with very long titles--the proof of concept for the pseudo denial-of-service (DoS) attack contained 2.5 million characters--make the browser appear to hang, said Mozilla in an online security advisory, although the software is actually busy processing the name. Once encountered, the very slow start can't be corrected until the site name is removed from Firefox's history file.

Last week, researchers of the PacketStorm security group claimed that the bug could result in not just a DoS, but a more serious buffer overflow, which could be used in turn by attackers to compromise the system.

Mozilla, however, said that additional investigations showed that there is no danger of a buffer overflow. "We can find no basis for claims that variants of this denial-of-service attack can cause an exploitable crash," stated the Mozilla advisory. "There does not appear to be any risk to users or their computers beyond the temporary unresponsiveness at startup."

The advisory also includes instructions on clearing the history file of the too-long site name.

Mozilla has not set a release date for a fix.


TOPICS: Technical
KEYWORDS: browser; firefox; mozilla
Mozilla.org

Long-title temporary startup unresponsiveness

Web pages with extremely long titles (the posted proof of concept used 2.5 million characters) can cause Mozilla Firefox and the Mozilla Suite to appear to "hang" on startup when reading the browsing history data. The browser will eventually continue normally although this can take up to several minutes on a slower computer. The unresponsive starts will continue until the item with the long title is removed from the history file or eventually expires.

We have investigated this issue and can find no basis for claims that variants of this denial-of-service attack can cause an exploitable crash, and no evidence for this claim has been offered. There does not appear to be any risk to users or their computers beyond the temporary unresponsiveness at startup.

Should the user encounter this problem, the slow starts can be fixed by deleting the item from history.

Deleting the item from history

  1. Open History from the Go menu
  2. Select the item with the long title
  3. Press the delete button

Clearing all history data


1 posted on 12/12/2005 10:15:31 AM PST by Eagle9

My policy is not to open websites with names longer than one million characters.


2 posted on 12/12/2005 10:23:58 AM PST by D-fendr

To: D-fendr

Is it the name or title, OR IS IT the url address that is of this length?


3 posted on 12/12/2005 10:25:51 AM PST by George from New England

To: D-fendr

Yeah, mine too.


4 posted on 12/12/2005 10:26:58 AM PST by Eagle9

To: George from New England

Does it matter?

What was the last URL you went to with over 2 million characters?

How about the last time you've been on pages with titles over 2 million characters either?


5 posted on 12/12/2005 10:35:25 AM PST by PissAndVinegar (Back in my day, URL's had over 3 million characters, which we had to type in by hand, in binary...)

To: George from New England
Is it the name or title, OR IS IT the url address that is of this length?

I'm not a technical expert but I think it would be the title of the address sent out by a bot, trojan horse from a hacker.

6 posted on 12/12/2005 10:36:59 AM PST by Eagle9

To: Eagle9

It's certainly not like the series of series bugs in that other product from Redmond in a blue state!


7 posted on 12/12/2005 10:38:57 AM PST by Revolting cat! ("In the end, nothing explains anything.")

To: Revolting cat!
It's certainly not like the series of series bugs in that other product from Redmond in a blue state!

Nor is it as hugh.

8 posted on 12/12/2005 10:42:06 AM PST by Eagle9

To: Eagle9

Sounds like it has problems with hugh URLs.


9 posted on 12/12/2005 10:45:03 AM PST by sam_paine (X .................................)

To: Eagle9
I started having problems with Firefox last week on ALL my PCs. If I open another site using tabs the system comes to a near halt.

I've been trying out Opera since and it ain't bad, but I'd still like to use FireFox.

I will try this fix and see what happens.
Be Back later.
10 posted on 12/12/2005 11:29:54 AM PST by BallyBill (U.S. Armed Forces.. In It ..To Win It!!)

To: BallyBill

Well that seemed to work great. Later, I'll try my laptop and see what happens before I clear it. On this one I just cleared it as soon as I opened it up.


11 posted on 12/12/2005 11:36:44 AM PST by BallyBill (U.S. Armed Forces.. In It ..To Win It!!)

To: BallyBill
Well that seemed to work great.

If it works as well on your other computers using Firefox, you'll know that this was the problem. That would be good news and a simple solution to the problem.

12 posted on 12/12/2005 12:33:54 PM PST by Eagle9

To: rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; CyberCowboy777; ...

13 posted on 12/12/2005 3:07:31 PM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: Eagle9
Hi there..
Thanks for the post..
I am NOT a techno person here..so forgive my "less-than-educated" question...
But...has anyone else noticed Firefox slowing WAY DOWN..or not loading recently?
And..IS THIS what this article is talking about?

Sorry if this is a STUPID question..
I try not to be stupid very often!
14 posted on 12/12/2005 3:10:57 PM PST by M0sby (((PROUD WIFE of MSgt Edwards USMC)))

To: Eagle9
Any experts out there have an explanation for this one?

When I use Control-B to bring up the Bookmarks sidebar, it takes maybe 2-3 seconds to appear.

Yet, if I click on the "Bookmarks" Menu title at the top of the Firefox window, it freezes Firefox for about 20 seconds while it works to open the drop-down window.

What's the deal there? I do have a lot of Bookmarks saved over the years; I'm just thinking the two routines load the file differently.

15 posted on 12/12/2005 3:15:09 PM PST by Hank Rearden (Never allow anyone who could only get a government job attempt to tell you how to run your life.)

To: M0sby
It is not stupid..., it is just hard to answer given how little data we have. This article is talking about extremely long "internet addresses" and should not be a problem for you if you don't have some ridiculously long address of a website for a home page (not likely).

Is it only Firefox, or are you having troubles with all your programs? Have you defragged your drive lately? Run any "fixit" type of utilities (i.e., Norton) to fix your links and all? Is your RAM sufficient and do you ever get messages that you need to increase your pagefiles?

All those are things that can slow a Windoze box down.

16 posted on 12/12/2005 3:31:11 PM PST by chronic_loser ((Handle provided free of charge as flame bait for the neurally vacant.))

To: BallyBill; Big Giant Head

Firefox bug ping.

This is exactly why I let my husband be the guinea pig with new releases. LOL!


17 posted on 12/12/2005 3:41:44 PM PST by Marie Antoinette (Welcome to my little Rosemary Anne, born 10/24)

To: Eagle9; Swordmaker
I have a similar experience in Fire Fox 1.0.6 but it still beats IE and I always have Safari to fall back on...
18 posted on 12/12/2005 4:03:34 PM PST by tubebender (You can't make Chicken Salad from Chicken Bleep...)

To: Eagle9

I'm experiencing really random bugs in ff 1.5.
The address bar dropdown won't work, disappears, or locks in the down position, the quicktime plug in won't install, there are random resets to default configurations (this is from 2 extensions fighting over some resource or something).

Overall, it's a great improvement, but some serious UI flaws still exist.


19 posted on 12/12/2005 4:44:19 PM PST by JerseyHighlander

To: BallyBill

I have both Firefox and Opera. I got Firefox 1.5 on the evening of its release and it's really fast. It won't let me do some things, like http://www.homestarrunner.com/sbemail.html . It simply won't run. It's probably user error, or a setting in my firewall maybe. The site runs in Opera, however, but Opera won't let me log into my Hotmail account.

The 1.01 version of Firefox on my laptop still works great, but is a little bit slower.

I'm still messing around with both, trying to make them both work everywhere.


20 posted on 12/12/2005 4:52:04 PM PST by Big Giant Head (I should change my tagline to "Big Giant Pancake on my Head")

To: Hank Rearden; All

I don't have an answer, but the fact you say you have a lot of bookmarks leads me to ask if you do or how you back your stuff up. If you don't have this, get it, since it's free:

http://mozbackup.jasnapaka.com/

It works with FF and the Mozilla suite and T-bird.

One of my biggest gripes is how FF has had a bookmark problem for who knows how long, and they've yet to address it.


21 posted on 12/12/2005 5:24:04 PM PST by JoJo Gunn (Help control the Leftist population. Have them spayed or neutered. )

To: George from New England; M0sby; Hank Rearden; tubebender; JerseyHighlander; Big Giant Head; All
I've been using Firefox since the 0.7 version when it was named Firebird. I have no technical training or background other than what little I've been able to learn from others when they were using terms that I understood. This 1.5 version of Firefox has some major changes, which the developers tried to test and have most of the wrinkles ironed out before releasing it out of beta. The real acid test is to release it to the average Internet user and then resolve the remaining issues that are reported by way of complaints, either with a workaround or a patch. Those of you here who haven't visited the Mozilla Firefox Forum might want to consider doing so and maybe you'll see a topic that fits your particular problem. You can read without registering, or register and ask specific questions. It's no different than posting here at FR. I would help if I could but those who worked on the development of this version of Firefox are who I would post my questions to if I were having problems. Fortunately for me, 1.5 is running fast with no major problems. Below is the link to the Mozilla Firefox Forum.

http://forums.mozillazine.org/viewforum.php?f=38

I'm not saying don't post questions here, just giving those who don't know another place to look for answers if none are found here at FR.

22 posted on 12/12/2005 6:18:08 PM PST by Eagle9

To: Big Giant Head
That web site loads for me in FF 1.5. I have Flash blocked but allowed it to load and it played as it should. The solution to your particular problem is explained at the following linked web page. It depends on what version of Windows you're running.

http://forums.mozillazine.org/viewtopic.php?t=320838

23 posted on 12/12/2005 11:05:23 PM PST by Eagle9

To: M0sby

See #16 by chronic_loser. Need more info to help.


24 posted on 12/12/2005 11:08:38 PM PST by Eagle9

To: chronic_loser
Thank you CL...
We defrag every Wed and Virus "stuff" (norton corporate is updated weekly too.)
I don't know if this is the "fixit" utility that you mentioned?
I don't know about the RAM part..

I will ask my husband.
He is a HUGE computer GEEK..but isn't running Firefox which is why I thought I would ask you guys instead of him! LOL!
(It is possible that I may have offended his computer geek manly-hood though ;-)

Anyway...the other thing I run into is a HUGE lag-time when I open the program (by double clicking on the desktop icon)

AND...if I leave the program "open" and minimized for a long period (like overnight) sometimes it "sort of" hangs...is very slow and I might have to "force quit" to get out and reopen..

Just wondering if other people are having these "issues"...

THANKS for your FAST reply last time!
Sorry mine WASN'T!
25 posted on 12/13/2005 6:37:32 AM PST by M0sby (((PROUD WIFE of MSgt Edwards USMC)))

To: rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; CyberCowboy777; ...
Here's more information on the flaw.

It appears that the flaw is actually concerned with the history.dat file as opposed to the actual long website name.

26 posted on 12/13/2005 9:31:34 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: Eagle9

It worked for a few hours.


27 posted on 12/13/2005 11:01:09 AM PST by BallyBill (U.S. Armed Forces.. In It ..To Win It!!)

To: Eagle9

Hey thanks Eagle9! That worked.


28 posted on 12/13/2005 7:32:16 PM PST by Big Giant Head (I should change my tagline to "Big Giant Pancake on my Head")

To: chronic_loser
The problem is the markup's TITLE attribute (in html, the stuff between the <TITLE></TITLE> tags) not the URL.
29 posted on 12/18/2005 6:42:34 AM PST by dwollmann

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
