Another Denial of Service Bug Found in Firefox 2

An anonymous reader writes "A second security flaw that could cause the new Firefox 2 browser to crash has been publicly disclosed. The vulnerability lies in the way the open-source browser handles JavaScript code. Viewing a rigged Web page will cause the browser to exit, a representative for Mozilla, the publisher of the software, said Wednesday. Contrary to claims on security mailing lists, the bug cannot be exploited to run arbitrary code on a PC running Firefox 2, the representative said. This flaw in the JavaScript Range object is different than the denial-of-service vulnerability in Firefox 2 that was confirmed by Mozilla last week. That bug is related to a more serious security hole, which was fixed in earlier versions of Firefox, the organization has said. The two 'crashers' are the only publicly released vulnerabilities that have been confirmed by Mozilla in the week since Firefox 2 was launched. The issues are only minor, the organization has said."

Re:LOL IE Users!

[paul248]

I filed a bug for another DoS over a year ago and they still haven't fixed it:

Crash Firefox [purdue.edu]

The insta-crash only seems to work on Linux though.

There's a browser safer than Firefox...

[Giorgio Maone]

... it is Firefox with NoScript [noscript.net] :)

I wrote this Firefox add-on just after one of these disclosures, because the majority of the browser vulnerabilities was JavaScript related, and the suggested work-around was always "turn off JavaScript".

Disabling JavaScript as a whole seemed quite an impractical advice to me in this AJAXified Web 2.0: I thought that maintaining a white-list of trusted sites allowed to run JavaScript and keeping all the unknown web content "static" until I decided otherwise was a still safe but more convenient approach.

Since then I've been browsing the web with my shields up (NoScript can block also Java, Flash and other plugins [noscript.net]), but I allow on the fly with one click, either temporarily or permanently, those sites which I trust and which do need dynamic client side technologies to work properly. To my surprise in 1 year and half I found few sites belonging to this category, because most places I usually browse are well designed enough to work with plain XHTML/CSS and nothing else (like Slashdot itself).

Notice: Firefox is a very safe browser because its vulnerabilities gets patched very quickly, once they're found by developers. I'm a Firefox contributor myself, and I'm very proud of the quality of the Mozilla developers community. NoScript [noscript.net], though, provides some extra protection even against those JavaScript/Java related vulnerabilities which have not been found yet...

Re:So funny

[molnarcs]

Agreed. I don't have a problem with the interface, but I can't imagine how shoddy the coding must be seeing the resources it needs to run. For older machines (I have to maintain a few in a comp lab) FF simply doesn't work, while Opera has no problems on the same machines (this are limited functionality FreeBSD boxes with fluxbox and a simplified menu). You won't notice how heavy Firefox is on relatively modern hardware, but as you go down to a PII (and to 64Mb RAM) - you'll find that Opera works fine, while FF is completely unusable. For kicks, I even installed kdebase, and called konqueror from fluxbox (meaning it had to load all the supporting libraries) - and it started up and ran faster than FF.

I still have to use it though (flash only works well with linux-firefox on FreeBSD, in Konqi I don't have sound with youtube) - and just checked: 109Mb of memory usage, with only one tab open (this one). Basically that's how much memory the entire KDE uses after startup, xorg included. Isn't that ridiculous? I know I can set FF to use smaller memory cache, but that still mean 60-70Mb. There is something fundemantelly wrong with gecko (it must be gecko, because Epiphany and friends suffer from the same flaws), but there is little or no intention to fix that, because all the hype FF gets despite its flaws.