Mozilla Says Firefox 1.5 Bug Not Serious

TechWeb News ^ | December 12, 2005 | Greg Keizer

[Eagle9]

Mozilla Corp. has warned users of its newest browser, Firefox 1.5, that a bug in how the software handles extremely long names can make it seem that the computer has crashed. The flaw, however, does not expose users to attack, contrary to earlier reports by researchers.

Malicious pages with very long titles--the proof of concept for the pseudo denial-of-service (DoS) attack contained 2.5 million characters--make the browser appear to hang, said Mozilla in an online security advisory, although the software is actually busy processing the name. Once encountered, the very slow start can't be corrected until the site name is removed from Firefox's history file.

Last week, researchers of the PacketStorm security group claimed that the bug could result in not just a DoS, but a more serious buffer overflow, which could be used in turn by attackers to compromise the system.

Mozilla, however, said that additional investigations showed that there is no danger of a buffer overflow. "We can find no basis for claims that variants of this denial-of-service attack can cause an exploitable crash," stated the Mozilla advisory. "There does not appear to be any risk to users or their computers beyond the temporary unresponsiveness at startup."

The advisory also includes instructions on clearing the history file of the too-long site name.

Mozilla has not set a release date for a fix.

[JoJo Gunn]

I don't have an answer, but the fact you say you have a lot of bookmarks leads me to ask if you do or how you back your stuff up. If you don't have this, get it, since it's free:

http://mozbackup.jasnapaka.com/

It works with FF and the Mozilla suite and T-bird.

One of my biggest gripes is how FF has had a bookmark problem for who knows how long, and they've yet to address it.

[Eagle9]

I've been using Firefox since the 0.7 version when it was named Firebird. I have no technical training or background other than what little I've been able to learn from others when they were using terms that I understood. This 1.5 version of Firefox has some major changes, which the developers tried to test and have most of the wrinkles ironed out before releasing it out of beta. The real acid test is to release it to the average Internet user and then resolve the remaining issues that are reported by way of complaints, either with a work around or a patch. Those of you here who haven't visited the Mozilla Firefox Forum might want to consider doing so and maybe you'll see a topic that fits your particular problem. You can read without registering, or register and ask specific questions. It's no different than posting here at FR. I would help if I could but those who worked on the developement of this version of Firefox are who I would post my questions to if I were having problems. Fortunately for me, 1.5 is running fast with no major problems. Below is the link to the Mozilla Firefox Forum.

http://forums.mozillazine.org/viewforum.php?f=38

I'm not saying don't post questions here, just giving those who don't know another place to look for answers if none are found here at FR.

[Eagle9]

That web site loads for me in FF 1.5. I have Flash blocked but allowed it to load and it played as it should.The solution to your particular problem is explained at the following linked web page. It depends on what version of Windows you're running.

http://forums.mozillazine.org/viewtopic.php?t=320838

[Eagle9]

See #16 by chronic_loser. Need more info to help.

[M0sby]

Thank you CL...
We defrag every Wed and Virus "stuff" (norton corporate is updated weekly too.)
I don't know if this is the "fixit" utility that you mentioned?
I don't know about the RAM part..

I will ask my husband.
He is a HUGE computer GEEK..but isn't running Firefox which is why I thought I would ask you guys instead of him! LOL!
(It is possible that I may have offended his computer geek manly-hood though ;-)

Anyway...the other thing I run into is a HUGE lag-time when I open the program (by double clicking on the desktop icon)

AND...if I leave the program "open" and minimized for a long period (like overnight) sometimes it "sort of" hangs...is very slow and I might have to "force quit" to get out and reopen..

Just wondering if other people are having these "issues"...

THANKS for your FAST reply last time!
Sorry mine WASN'T!

[ShadowAce]

Here's more information on the flaw.

It appears that the flaw is actually concerned with the history.dat file as opposed to the actual long website name.

[BallyBill]

It worked for a few hours.

[Big Giant Head]

Hey thanks Eagle9! That worked.

[dwollmann]

The problem is the markup's TITLE attribute (in html, the stuff between the <TITLE></TITLE> tags) not the URL.