Skip to comments.Mozilla Says Firefox 1.5 Bug Not Serious
Posted on 12/12/2005 10:15:30 AM PST by Eagle9
Mozilla Corp. has warned users of its newest browser, Firefox 1.5, that a bug in how the software handles extremely long names can make it seem that the computer has crashed. The flaw, however, does not expose users to attack, contrary to earlier reports by researchers.
Malicious pages with very long titles--the proof of concept for the pseudo denial-of-service (DoS) attack contained 2.5 million characters--make the browser appear to hang, said Mozilla in an online security advisory, although the software is actually busy processing the name. Once encountered, the very slow start can't be corrected until the site name is removed from Firefox's history file.
Last week, researchers of the PacketStorm security group claimed that the bug could result in not just a DoS, but a more serious buffer overflow, which could be used in turn by attackers to compromise the system.
Mozilla, however, said that additional investigations showed that there is no danger of a buffer overflow. "We can find no basis for claims that variants of this denial-of-service attack can cause an exploitable crash," stated the Mozilla advisory. "There does not appear to be any risk to users or their computers beyond the temporary unresponsiveness at startup."
The advisory also includes instructions on clearing the history file of the too-long site name.
Mozilla has not set a release date for a fix.
Web pages with extremely long titles (the posted proof of concept used 2.5 million characters) can cause Mozilla Firefox and the Mozilla Suite to appear to "hang" on startup when reading the browsing history data. The browser will eventually continue normally although this can take up to several minutes on a slower computer. The unresponsive starts will continue until the item with the long title is removed from the history file or eventually expires.
We have investigated this issue and can find no basis for claims that variants of this denial-of-service attack can cause an exploitable crash, and no evidence for this claim has been offered. There does not appear to be any risk to users or their computers beyond the temporary unresponsiveness at startup.
Should the user encounter this problem the slow starts can be fixed by deleting the item from history.
My policy is not to open websites with names longer than one million characters.
Is it the name or title, OR IS IT the url address that is of this length?
Yeah, mine too.
Does it matter?
What was the last URL you went to with over 2 million characters?
How about the last time you've been on pages with titles over 2 million characters either?
I'm not a technical expert but I think it would be the title of the address sent out by a bot, trojan horse from a hacker.
It's certainly not like the series of series bugs in that other product from Redmond in a blue state!
Nor is it as hugh.
Sounds like it has problems with hugh URLs.
Well that seemed to work great. Later, I'll try my laptop and see what happens before I clear it. On this one I just cleared it as soon as I opened it up.
If it works as well on your other computers using Firefox, you'll know that this was the problem. That would be good news and a simple solution to the problem.
When I use Control-B to bring up the Bookmarks sidebar, it takes maybe 2-3 seconds to appear.
Yet, if I click on the "Bookmarks" Menu title at the top of the Firefox window, it freezes Firefox for about 20 seconds while it works to open the drop-down window.
What's the deal there? I do have a lot of Bookmarks saved over the years; I'm just thinking the two routines load the file differently.
Is it only Firefox, or are you having troubles with all your programs? Have you defragged your drive lately? Run any "fixit" type of utilities (ie, Norton) to fix your links and all? Is your ram sufficient and do you ever get messages that you need to increase your pagefiles?
All those are things that can slow a Windoze box down.
Firefox bug ping.
This is exactly why I let my husband be the guinea pig with new releases. LOL!
Im experiencing really random bugs in ff 1.5
The address bar dropdown won't work, disappears, or locks in the down position, the quicktime plug in won't install, there are random resets to default configurations(this is from 2 extensions fighting over some resource or something).
Overall, it's a great improvement, but some serious UI flaws still exist.
I have both Firefox and Opera.I got Firefox 1.5 on the evening of it's release and it's really fast. It won't let me do some things, like http://www.homestarrunner.com/sbemail.html . It simply won't run. It's probably user error, or a setting in my firewall maybe. The site runs in Opera, however, but Opera won't let me log into my Hotmail account.
The 1.01 version of Firefox on my laptop still works great, but is a little bit slower.
I'm still messing around with both, trying to make them both work everywhere.