Posted on 09/09/2005 9:43:47 AM PDT by Bush2000
Unpatched Firefox flaw may expose users
By Joris Evers, CNET News.com
Published on ZDNet News: September 9, 2005, 3:53 AM PT
A new, unpatched flaw that affects all versions of Firefox could let attackers surreptitiously run malicious code on users' PCs, a security researcher has warned.
The problem lies in the way Firefox handles Web links that are overly long and contain dashes, security researcher Tom Ferris said in an interview via instant messaging late Thursday.
He posted an advisory and a proof of concept to the Full Disclosure security mailing list and to his Security Protocols Web site.
The security vulnerability is a buffer overflow flaw that "allows for an attacker to remotely execute arbitrary code" on a vulnerable PC, Ferris said. An attacker could host a Web site containing the malicious code to exploit the flaw, he said. Though his proof of concept only crashes Firefox, Ferris claims he has been able to tweak it to run code.
Buffer overflows are a commonly exploited security problem. They occur when a program allows data to be written beyond the allocated end of a buffer in memory. A computer can be made to execute potentially malicious code by feeding in extra data that is designed to flood the buffer.
Ferris reported the bug to the Mozilla Foundation on Sunday, intending to go through the organization's bug-reporting process, he said. However, in an example of the uneasy alliance between security researchers and software makers, he decided to publicly disclose the flaw after a run-in with Mozilla staff, he said.
Mozilla, which coordinates development of Firefox and distributes the software, could not immediately comment on the flaw disclosure. However, a source close to the organization confirmed that Ferris had filed several bug reports, including this specific one.
Since the debut of Firefox 1.0 in November, usage of the open-source browser has grown. Security has been a main selling point for Firefox over Microsoft's Internet Explorer, which has begun to see its market share dip slightly--for the first time in years.
However, Firefox has had its own security woes. Several serious holes in the browser have been plugged since its official release, and experts have said that safe Web browsers don't exist.
The public bug disclosure comes just as Mozilla released the first beta of Firefox 1.5. The final release of the next Firefox update, which includes security enhancements, is due by year's end, according to the Firefox road map.
Ferris has found bugs in Microsoft software before, including a yet-unpatched flaw in Internet Explorer that Microsoft still has under investigation.
Earlier this month Microsoft credited Ferris with reporting a bug in a Windows feature called Remote Desktop Protocol that could allow an attacker to remotely restart Windows systems.
Get an AMD64 and XP SP2 and buffer overflows will not compromise your machine.
As an expert, I resent that.
IDN has been nothing but a pain, I just wish they would disable it by default!
Thanks for the heads up. I'll update to the patch which should be released tomorrow. :-)
You're an expert? Where and what did you pert, and why did you quit?
I was kidding. I would never call myself an expert because an expert knows everything and I learn something new every day.
1. what is this whole buffer overflow problem? it would seem 99% of all security problems have to do with buffer overflows. is it that hard to program in a way to stop these sorts of problems?
2. not a flame starter but do linux products run into buffer overflow security problems?
Yes, linux products also have these flaws. It has more to do with the tool you are using for development and the skill of the programmer in trapping them.
The good side to this, though, is that with OSS, the patches are released much sooner than their counterparts in proprietary software. This is due to several factors, not the least of which is that the maintainer of the particular vulnerable product doesn't usually have 16 other priorities on his desk. Once he knows about it, it's fairly simple to fix and release a patch.
I would say so. "Linux" is under no pressure to integrate apps into the kernel space, and kernel-space developers can actually design it properly, without all sorts of rigging to get certain apps to work.
The separation of "control" also means that no one person or group can make bad decisions without being called on it. If you ever get the urge, hang out on some of the mailing lists for linux, and you'll see all sorts of discussion going on about the best way to implement a certain feature or idea. Once the pros and cons are weighed out, then the design is implemented.
Probably the greatest innovation OSS has contributed to the world is not the software itself, but the methods by which that software is designed, coded, implemented, and tested. A proprietary company just doesn't have the resources that OSS does for that kind of development.
Everything programmed in C or other non-memory-safe languages can have a buffer overflow. It's up to the coders to properly monitor memory allocation, and nobody's perfect.
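Added example, not part of the article or of any poster's comment: the article's description of a buffer overflow and the question above about preventing one, shown in C as an unchecked copy beside a length-checked one. The 64-byte `HOST_MAX` buffer, the function names and the all-dash test input are constructed for illustration and are not Firefox's code.

```c
#include <stdio.h>
#include <string.h>

#define HOST_MAX 64   /* constructed buffer size for this example */

/* Unsafe pattern: strcpy() writes every byte of src, so any input longer
 * than HOST_MAX - 1 runs past the end of dst into adjacent memory. */
void copy_host_unchecked(char dst[HOST_MAX], const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: find the terminator within the buffer size first,
 * reject anything that does not fit, and only then copy.
 * Returns 0 on success, -1 if the input is NULL or too long. */
int copy_host_checked(char dst[HOST_MAX], const char *src)
{
    const char *end;

    if (src == NULL)
        return -1;
    end = memchr(src, '\0', HOST_MAX);   /* looks at no more than HOST_MAX bytes */
    if (end == NULL)                     /* no NUL found: input cannot fit */
        return -1;
    memcpy(dst, src, (size_t)(end - src) + 1);   /* includes the NUL */
    return 0;
}

/* Builds a constructed input of n dashes and reports whether the
 * checked copy accepts it (1) or rejects it (0). */
int dashes_accepted(size_t n)
{
    char input[512];
    char host[HOST_MAX];

    if (n >= sizeof input)
        return 0;
    memset(input, '-', n);
    input[n] = '\0';
    return copy_host_checked(host, input) == 0;
}

int main(void)
{
    printf("63 dashes accepted: %d\n", dashes_accepted(63));
    printf("64 dashes accepted: %d\n", dashes_accepted(64));
    printf("400 dashes accepted: %d\n", dashes_accepted(400));
    return 0;
}
```

The boundary case is the one that matters: 63 characters plus the terminator fill the buffer exactly, and 64 are refused instead of being silently written one byte past the end.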
i've seen that bleed over into the windows world as well. one of my favorite programs gb-pvr is like mythtv. it's not open source but it is open platform. at first several people developed add on programs to it. as time went on the better programs emerged and overshadowed the inferior programs. at that time the 2nd place programmers often joined the top dog to help improve his application, or just plain gave up.
perhaps linux's greatest contribution will be to change how windows programs are designed and improved. somewhat like how third parties affect our two party political process.
when the day comes when programs can run on all platforms then windows will have to go toe to toe with the linux kernel. i would like to see that day when i can bring my applications from OS to OS and have the different operating systems fight it over for users.
What kind of pain? I've installed about thirty copies, including some upgrades from 98 and ME, without any significant problems. Most of the hangups have been with older machines that had been infected with spyware.
Even these have not presented any real problem.
On some machines I've replaced the Windows firewall with free ZoneAlarm, because it controls outgoing internet access and is easy to use.
i'm with you on this. i have boxes with AMDs. i like them but i don't know why they would be any more secure. is there any reason for that?
SP2=crap, crap and more crap. i must say my surfing pool is pretty small so i don't get into waters filled with sharks. security hasn't been a big problem for me.
fixing an MS computer for others has been pretty easy.
1. run > msconfig > uncheck all startups
2. deselect auto update from microsoft
3. tell them to stop surfing porn and downloading pirated software.
IMO: the reason linux has less security problems.
1. less of a target
2. smarter users (avoid websites and downloads that can hurt them)
3. they don't need pirated software
oh i get it, you're one of those who believes that if everyone switched to linux all the virus writers would give up and start a peaceful life of planting flowers and kissing babies.
how is your kool-aid tasting?
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.