December 8, 2005 8:54 AM PST

Unpatched Firefox 1.5 exploit made public

A correction was made to this story. Read below for details.

Exploit code for the latest version of open-source browser Firefox was published Wednesday, potentially putting users at risk of a denial-of-service attack.

The exploit code takes advantage of a bug in the recently released Firefox 1.5, running on Windows XP with Service Pack 2. Firefox, which initially debuted over a year ago, has moved swiftly to capture 8 percent of the browser market.

The latest Firefox flaw exists in the history.dat file, which stores information from Web sites users have visited with the Firefox 1.5 browser, according to a posting on the Internet Storm Center, which monitors online threats.

"If the topic of a page is crafted to be long enough, it will crash the browser each time it is started after going to such a page," according to the Internet Storm Center posting. "Once this happens, Firefox will be unable to be started until you erase the history.dat file manually."

In testing Firefox 1.5 on a system not running McAfee security software, the browser would stall and not respond to a user's mouse, said Johannes Ullrich, chief research officer for the SANS Institute, which runs the Internet Storm Center.

"Users have to kill out of the browser and start over again. This stalled browser creates a DOS (denial of service) condition," Ullrich said.

The author of the proof-of-concept exploit code, initially published by nonprofit group Packet Storm, claimed the glitch is a buffer overflow that could lead to a denial-of-service attack and may even be used for a malicious execution of code. Packet Storm itself said a possible denial-of-service condition exists.

Ullrich, however, said while the potential may exist, it has not been proven either way that malicious code could be executed.

The Mozilla Foundation, which released Firefox, said it was not able to confirm that the browser would crash or be at risk of a DOS attack after visiting certain Web sites. And Mozilla has not received any reports from users of such a problem, said Mike Schroepfer, vice president of engineering for Mozilla Corp.

He added that Firefox 1.5 can be sluggish on its next start-up, due to a bug in the history.dat file, but it is not a security problem.

"We have gotten no independent verification that it crashes (Firefox), but there have been a lot of attempts to try," Schroepfer said.

 
Correction: This story incorrectly stated the affiliation of Mike Schroepfer. It also misstated Mozilla's results in verifying the Firefox 1.5 flaw. The problem itself was not a security vulnerability but actually a flaw in the browser, according to Mozilla. In addition, it misstated PacketStorm's assessment of the situation.


26 comments
<cough>
by KTLA_knew December 8, 2005 9:17 AM PST
<cough>
Here's a lozenge.
by libertyaikido December 8, 2005 9:39 AM PST
Here's a lozenge.
My understanding.
by System Tyrant December 8, 2005 9:40 AM PST
Someone correct me if I am wrong here, but I would have to visit a site that performs the exploit in order for this to actually affect me. So if I don't visit sites I'm not familiar with then I shouldn't be affected (assuming the site wasn't hacked).

However, Mozilla needs to get a fix out for it ASAP. A flaw is a flaw no matter how hard or easy it is to exploit.
Correct
by Nathan Lunn December 8, 2005 9:52 AM PST
Not only do you have to visit a site, but the proof of concept requires you to click a link (not that that would necessarily be required on the site you visit).
As with 'most' browser flaws
by jpickett December 8, 2005 9:54 AM PST
You're correct. Most browser bugs in general require you to go to a site that intentionally exploits the hole, whether it be Firefox, IE, Opera, etc...
Now that you've scared us...
by elioncaplan December 8, 2005 9:42 AM PST
How does one disable the history.dat file?
Go to tools then
by Eskiegirl302 December 9, 2005 10:39 AM PST
Options>Privacy>History Set the save history to 0 Days
Bugs 'O Plenty
by Stating December 8, 2005 9:43 AM PST
After using v1.5 for 2 days I had to revert back to v1.0.7. Problems I ran into included broken images on pages (which refresh did not fix), cookies that didn't stick, and jumpy scrolling. My impression is that this is NOT a very good release of the product.
Sounds like bad luck to me
by PlaceHolder December 8, 2005 10:02 AM PST
Hard to know if it was just bad luck, or whether you go to some "out of the way" sites... but I use Firefox 1.5 for browsing on mainstream sites (such as this one, news.com) and have never had those kinds of problems. Not that I haven't had other problems (such as pages appearing to never finish rendering, or the URL text being out of sync with the current tab) but in general I found 1.5 to be much faster and stable than 1.07.
I'm glad you call it a product.
by katamari December 8, 2005 10:53 AM PST
Because I do as well -- although most open-source advocates would argue with you and me on this point. "It's not a product, a product is something you buy or pay for. This is free, as in free beer. You should write a patch and submit it."

*yawn* Same old rhetoric...
Disabling History
by Stating December 8, 2005 9:44 AM PST
Tools/Options/Privacy/History set Days=0
Exploit seems to work on only a very limited number of systems
by hansschmucker December 8, 2005 10:16 AM PST
I don't know who tested this exploit, but it seems like the majority of users is not affected... The majority of posts about this on Heise.de is about the exploit not working, and I couldn't get it to work on Firefox 1.5 / XPSP1 either... seems like a publicity stunt to me.
I thought...
by System Tyrant December 8, 2005 11:29 AM PST
they said it worked on Windows XP SP2.
Publicity stunt?
by Hernys December 8, 2005 6:17 PM PST
It's not. It's a security vulnerability. If it's less serious than others, good. But reporting a security vulnerability is far from a publicity stunt.
False bug reported or a bug that is hard to exploit
by pentium4forever December 8, 2005 2:33 PM PST
I haven't noticed anything like this yet. I downloaded the 1.5 release the day it was released. I don't visit any sites I'm not familiar with. If the Mozilla team can duplicate this problem then that's another story. It seems most people can't even get this exploit to work. At least it's not a security flaw!
Security flaw: yes
by Hernys December 8, 2005 6:11 PM PST
Denial of service is one of the categories of a security threat, so this IS a security flaw. Denial of service vulnerabilities are generally considered less serious than information disclosure and remote code execution, but they are still serious vulnerabilities. And the fact that the publisher hasn't acknowledged it or that you haven't been attacked yet doesn't mean it's not real.
Did not even know.
by CharlesAK December 8, 2005 3:03 PM PST
I did not even know about this flaw and I upgraded the same week it came out. The thing is though I never use my history so I always set it to erase after 1 day and use Firefox's new feature to clean out my history, saved form info, download history, cookies, cache, and authenticated sessions. That's everything except my saved passwords. I also have Zone Alarm that erases all my tracks and another program that erases all history on my comp and gets rid of excess junk on the hd. Anyways if this is a flaw it's not bothering me at all I am happy with my Firefox browser and I think they are doing a great job!
FireFox
by Eskiegirl302 December 9, 2005 10:54 AM PST
As long as there is technology (and this will now be forever) there will be new products, new flaws to go with them, virus writers, testers, analysts, patchers, open source, and whatever else you can think of. This is the computer world. I love it, you love it (or you would not be on one) and the whole world loves it. Information is key to being safe. Knowledge about your systems, and knowing what you are doing with it is what is going to keep you up and running.

Finding out about flaws and vulnerabilities may be somewhat scary, but researching, asking the support teams questions, putting the info you know out here so we all can stay ahead of the game, is the computer world.

If I find news on here say, I will visit many sites to find what I need to understand what to do.

Stay safe all
The contents of this article are incorrect!!!!
by bjbrock December 9, 2005 2:01 PM PST
Follow the link in this article to SANS and find out the truth. The browser does NOT crash and NO DOS attacks can be proven!!!!

This is pitiful journalism!!!
Should change the headline
by driftwolf December 9, 2005 6:37 PM PST
Sure, they posted a correction, but the headline remains, trumpeting a simple bug as a deadly security flaw. If crashing is a symptom of a security breach, then Microsoft, and most other software makers, should be in court on charges or something.

What a load of utter crap, written by someone without a clue. I want to know who is paying CNet to publish **** like this?

News.com keeps this up, they're going to lose any sort of respect they might have had.

Oh, wait, they already have. As you were then.
firefox - What a joy to use.
by grey_eminence December 13, 2005 6:55 AM PST
I love Firefox and the options.