
Another Denial of Service Bug Found in Firefox 2

Posted by samzenpus
from the be-more-secure dept.
An anonymous reader writes "A second security flaw that could cause the new Firefox 2 browser to crash has been publicly disclosed. The vulnerability lies in the way the open-source browser handles JavaScript code. Viewing a rigged Web page will cause the browser to exit, a representative for Mozilla, the publisher of the software, said Wednesday. Contrary to claims on security mailing lists, the bug cannot be exploited to run arbitrary code on a PC running Firefox 2, the representative said. This flaw in the JavaScript Range object is different than the denial-of-service vulnerability in Firefox 2 that was confirmed by Mozilla last week. That bug is related to a more serious security hole, which was fixed in earlier versions of Firefox, the organization has said. The two 'crashers' are the only publicly released vulnerabilities that have been confirmed by Mozilla in the week since Firefox 2 was launched. The issues are only minor, the organization has said."

  • Old times (Score:5, Insightful)

    by managementboy (223451) on Thursday November 02, 2006 @03:10AM (#16685441) Homepage
    It used to be that if an application crashed it was called just that: it crashed. Today it's a DOS attack! Imagine how many DOS my old Windows 3.11 had... come to think of it, it only had one DOS.

    We present "DOS reloaded"!
    • by utlemming (654269)
      If you read the article, Microsoft is calling one of theirs a design decision. I love those undocumented features...
    • by eklitzke (873155)
      Like it or not, the fact remains: if you can cause someone's application to crash, it is a denial of service. Treating it as a security flaw is completely justified.
      • by kfg (145172)
        Treating it as a security flaw is completely justified.

        While it is a flaw in the code, I would call shutting down on the detection of a maliciously rigged web site a security enhancement.

        KFG
    • by kfg (145172)
      It used to be that if an application crashed it was called just that: it crashed. Today it's a DOS attack!

      Wait until next year when it becomes a suspected cyber warfare attack.

      KFG
    • Re:Old times (Score:5, Insightful)

      by cperciva (102828) on Thursday November 02, 2006 @03:52AM (#16685651) Homepage
      It used to be that if an application crashed it was called just that: it crashed. Today it's a DOS attack!

      Not necessarily. Application-crashing bugs are Denial of Service bugs if they can be triggered remotely.

      There's a fundamental difference between "I can make my copy of FireFox crash" and "I can make your copy of FireFox crash".
      • by phorm (591458)
        It is, but it seems that the term is used broadly. In many cases, the term DOS was often used as a term to describe an attack which would render an entire system inoperable. That is to say, when I heard it used in this context, I expected that it would crash the browser, and lock or disable the OS. As it is, it's still an annoying bug, but having to simply restart the browser hardly seems as serious as a full-out machine crash.
      • Re:Old times (Score:4, Insightful)

        by jesser (77961) on Thursday November 02, 2006 @05:49AM (#16686109) Homepage Journal
        More to the point, there's a fundamental difference between "I can make your copy of Firefox crash when you visit my site" and "I can make your copy of Apache crash".

        Crash bugs in client software such as web browsers are "crashes", not "DoS vulnerabilities".
        • by CastrTroy (595695)
          Exactly. If all the browser does is crash every time you go to a specific website, then the user is just going to stop visiting that website. Or, they're stupid and don't understand cause and effect. I wouldn't call it a DOS attack since you can't really make the user visit your website to crash it. It's still a bug, and still needs to be fixed, but I think calling it a DOS is blowing it a little out of proportion. If it somehow broke firefox and made it unable to visit any site, until it was reinstall
      • by a.d.trick (894813)
        Hm, that's weird, because by using JavaScript or CSS in the right places there are about a million and one ways to crash IE. This isn't from using malformed stuff, it's just what I've come upon as a web developer trying to get my site to work with a broken browser. I've only crashed Firefox once, and while I consider that bad for a web browser, it's much better than the days I've spent with IE. The problem with IE was also complicated by the fact that explorer is everywhere, so when it hung, it screwed ever
  • Is anyone else thinking that running firefox 2 with noscript installed means this vulnerability is no big deal?
  • It also has a beginner's privacy bug: (full disclosure: my blog) http://tech-dissect.blogspot.com/2006/10/firefox-privacy-bug.html [blogspot.com].
    In short: Ctrl-Shift-Del doesn't delete everything you expect it to delete, your browse history can still be recovered.
    • 1.5.0.7 on xp clears the javascript console on browser close.

      But it should wipe it on ctrl-shift-del
  • Another bug?? I want a refund! It's free? I want double my money back!
  • Install (Score:2, Informative)

    by ms1234 (211056)
    You could install NoScript addon... Great utility :)
    • by CCFreak2K (930973)
      Parent has a point. These kinds of attacks are mitigated by user-created plug-ins. Once again, the problem is semi-contained before it's even released. There's still people that will be affected by it, but the simple and elegant plug-in system as well as plug-in writers (yes, they're simple and elegant, too) bring great tools to extend the usability of Firefox.

      End marketing rant.
  • And... (Score:2, Funny)

    I remember reading about the memory leak. While others see this as a "failure" of the browser, I see it as increasing the odds that the browser exits and frees up your memory. I mean, how hard is it to re-open a browser?
    • by RAMMS+EIN (578166)
      ``I remember reading about the memory leak. While others see this as a "failure" of the browser, I see it as increasing the odds that the browser exits and frees up your memory.''

      You mean like garbage collection? I seem to recall that one McCarthy, in the late 1950s, came up with an algorithm that does that _without_ requiring the program to be restarted. Perhaps the FF2 team could look into that.
  • Yahoo! mail seems to use a less dangerous of these vulnerabilities - while stable versions earlier than 2.0 would crash, 2.0 only crashes when exiting Yahoo! Mail or when closing all the tabs of Yahoo Mail. Firebird 0.7 is not affected
  • Oo (Score:1, Offtopic)

    by Konster (252488)
    Editors need to RTFA.
  • So funny (Score:2, Informative)

    by ZeroExistenZ (721849)
    How slashdotters start pointing and laughing when there's an IE exploit, doesn't matter how big or small, and always the "workaround" is looked at as unacceptable.

    When it's about Firefox, they immediately relativize it and minimalize it. "Oh, just install noscript", "tis just a small exploit", "well, why not restart your browser? If it crashes, so what? Why don't you click the icon again? You lazy bastard!"...

    I even read some comments, in reply that there's said IE 7 feels better than FF 2.0, that the fa
    • by RAMMS+EIN (578166)
      ``For me, Firefox 2.0 is worthless; bloathed, crashes constantly, and is just not workable anymore. I've been using Firefox from the very start, but Firefox 2.0 make me switch to Opera.''

      And for those of you wishing to stick with open source software, there's Konqueror. Compared to Firefox, it runs faster, uses way less memory, and several of the new features in Firefox 2 (like an integrated spell checker) have been available for ages. I can't comment on the stability, as neither Firefox (1; I haven't ran 2
      • Thanks for the tip, I'm downloading it now.
      • by CastrTroy (595695)
        Can Konqueror run on windows yet?

        Slashdot is denying my service because it only took me 12 seconds to type that sentence above.
    • I already ditched FF2 and went back to the previous version.

      What is up with the developer team? Were they just so horny to get a "2.0" out before the end of the year that it was "ok" to release this thing?

      You are right, there is a double standard. MS is an easy target as negative comments are expected and encouraged by the moderation system here.

      Firefox is no longer Firefox most of us want. Sorry, it's nearing the point where we will need to clamour for that slim browser that we had when Firefox first cam
    • Re: (Score:3, Insightful)

      by snero3 (610114)

      Personally I think the comments you are referring to come from a number of different factors

      1. Microsoft is often not the one to admit the security flaw, whereas the Mozilla/firefox community is.
      2. Often Microsoft will deny the flaw pointed out in point number 1
      3. There have been numerous occurrences where an IE bug has allowed a whole PC to be taken over from a bug that either MS denies exists or is very slow to patch. Holes like that in firefox generally get patched well before it is public knowledge.
      4. for
    • by DrSkwid (118965)
      What are these "slashdotters" that think and act as one?

      Perhaps you should use:

      Whenever I read a discussion, there is usually some group of posters that play down an issue, some who play it up and those that use it as a platform for discussion of wider issues. Often those who shout the loudest have the least to say.

    • Re: (Score:3, Interesting)

      by molnarcs (675885)
      Agreed. I don't have a problem with the interface, but I can't imagine how shoddy the coding must be seeing the resources it needs to run. For older machines (I have to maintain a few in a comp lab) FF simply doesn't work, while Opera has no problems on the same machines (these are limited functionality FreeBSD boxes with fluxbox and a simplified menu). You won't notice how heavy Firefox is on relatively modern hardware, but as you go down to a PII (and to 64Mb RAM) - you'll find that Opera works fine, while
    • It achieves a sort of sacred status in which people engage in flat-out denial that there are issues because they put too much blind faith in the development process behind it. They will tell you that the only real way of proving anything is the scientific method and then turn around and say they have complete faith that this is the year of Linux on the desktop. This is the primary reason why this site is not considered respectable among some IT professionals: it thrives only on fanboys and huge amounts of b
    • by Ant P. (974313)
      When it's about Firefox, the same volume of whining occurs.

      It just comes from a smaller, more concentrated, more obnoxious group.
    • For me, Firefox 2.0 is worthless; bloathed, crashes constantly, and is just not workable anymore.

      What is this "bloathedness" of which you speak?

      I've been running FFv2.0 on my home machine for 5 days with my usual full complement of 25+ extensions[*], sessions longer than 24 hours, usually 8-12 tabs open, often using OOo and the GIMP concurrently (under WinXP at 1.6 GHz with 768 MB ram). For the enriched experience and development tools that FF offers, it isn't bloated. It is more stable in this develop

  • What a load of utter crap, calling a bug that crashes an application a "Denial of Service'. Morons!

    Bart
    • by tsa (15680)
      Bart,

      Your website acts a bit strange on FF 2.0. Pictures on the text. Take a look at it, it doesn't come over very professionally this way.

      Moderators, please mod me down OT.
      • Looks like a bad stylesheet, making too many assumptions about the browsers font-size...
    • If I can interrupt your usage of a particular program remotely, it IS a denial of service attack. I am denying you the ability to use a service.

      DoS does not always involve botnets, although they are one way to bring a service down.
  • by Giorgio Maone (913745) on Thursday November 02, 2006 @05:52AM (#16686135) Homepage

    ... it is Firefox with NoScript [noscript.net] :)

    I wrote this Firefox add-on just after one of these disclosures, because the majority of the browser vulnerabilities was JavaScript related, and the suggested work-around was always "turn off JavaScript".

    Disabling JavaScript as a whole seemed quite an impractical advice to me in this AJAXified Web 2.0: I thought that maintaining a white-list of trusted sites allowed to run JavaScript and keeping all the unknown web content "static" until I decided otherwise was a still safe but more convenient approach.

    Since then I've been browsing the web with my shields up (NoScript can block also Java, Flash and other plugins [noscript.net]), but I allow on the fly with one click, either temporarily or permanently, those sites which I trust and which do need dynamic client side technologies to work properly. To my surprise in 1 year and half I found few sites belonging to this category, because most places I usually browse are well designed enough to work with plain XHTML/CSS and nothing else (like Slashdot itself).

    Notice: Firefox is a very safe browser because its vulnerabilities get patched very quickly, once they're found by developers. I'm a Firefox contributor myself, and I'm very proud of the quality of the Mozilla developers community. NoScript [noscript.net], though, provides some extra protection even against those JavaScript/Java related vulnerabilities which have not been found yet...
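
Added example (not part of the original comment, and not NoScript's own code): a minimal JavaScript model of the default-deny, per-site script allowlist described above, with permanent and temporary grants. The class and method names, the subdomain-matching rule and the `.test` hostnames are assumptions made for illustration.

```javascript
// Simplified model of a default-deny script allowlist (not NoScript's code).
// All names are hypothetical; the URLs are constructed samples.

function hostOf(url) {
  try {
    const u = new URL(url);
    // Only http(s) script sources are eligible; javascript:, data:, etc. are denied.
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.hostname.toLowerCase();
  } catch {
    return null; // unparseable URL: deny
  }
}

class ScriptPolicy {
  constructor(permanentSites = []) {
    this.permanent = new Set(permanentSites.map((s) => s.toLowerCase()));
    this.temporary = new Set(); // grants that last only for this session
  }

  allow(site, { temporary = false } = {}) {
    (temporary ? this.temporary : this.permanent).add(site.toLowerCase());
  }

  endSession() {
    this.temporary.clear();
  }

  // A host matches an entry if it is equal to it or is a subdomain of it.
  // The leading dot matters: "evilnews.example.test" must not match "news.example.test".
  static matches(host, site) {
    return host === site || host.endsWith("." + site);
  }

  isAllowed(scriptUrl) {
    const host = hostOf(scriptUrl);
    if (host === null) return false;
    for (const site of [...this.permanent, ...this.temporary]) {
      if (ScriptPolicy.matches(host, site)) return true;
    }
    return false; // default deny: unknown content stays static
  }

  // The decision is made per script source, not per page, so trusting a
  // site does not extend trust to third-party scripts that the site embeds.
  decide(scriptUrls) {
    return scriptUrls.map((url) => ({ url, run: this.isAllowed(url) }));
  }
}

const policy = new ScriptPolicy(["news.example.test"]);
policy.allow("mail.example.test", { temporary: true });

const pageScripts = [
  "https://news.example.test/js/comments.js",  // allowed site
  "https://static.news.example.test/js/ui.js", // subdomain of allowed site
  "https://ads.tracker.test/banner.js",        // third party, never allowed
  "https://evilnews.example.test/x.js",        // look-alike suffix, denied
  "javascript:alert(1)",                       // non-network scheme, denied
  "https://mail.example.test/app.js",          // temporary grant
];

console.log(policy.decide(pageScripts));
policy.endSession(); // the temporary grant for mail.example.test is dropped
console.log(policy.isAllowed("https://mail.example.test/app.js"));
```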

    • I'll just add my 0.02 Euros by saying that domain-specific JavaScript settings are available in Konqueror, too (I don't know since which version, but 3.5.2 has them). It also has domain-specific settings for Java, images, and cookies.
    • by Daath (225404)
      Thanks man! I just started using it recently. You have to get used to it, but I really like it! Especially that if you allow a site to run javascript, no external javascript from, say, advertisers get run :) Very cool add-on!
    • "...I allow on the fly with one click, either temporarily or permanently, those sites which I trust and which do need dynamic client side technologies to work properly. To my surprise in 1 year and half I found few sites belonging to this category..."

      I had the opposite experience, I'm afraid. I found I was enabling scripts/plugins/etc for probably about half the sites I visited more than one page on. Worse, many of those were sites I would most want that stuff disabled on -- e.g., MySpace. Eventually, I

    • by Vexorian (959249)

      Yep, firefox with noscript is safer than all the other browsers actually, I couldn't find such an option in any of them, maybe konqueror has an option to have a whitelist for javascript.

      For those wondering, dealing with noscript is 'as annoying' as dealing with the popup blocker.

      Javascript will eventually kill your browser (points out that some Opera versions had DoS exploits as well)

      • by makomk (752139)
        As someone has already pointed out, Konqueror has the option to disable JavaScript globally and whitelist certain sites built in. In fact, I think it's had it since at least the first version I used (2.2.2 back in mid-2004, or probably an even earlier version than that now I come to think about it). Mind you, it needed it - it had some really annoying crash bugs relating to JavaScript back then (some of which could be worked around by adding or removing semicolons and/or tabs IIRC).
      • Not surprisingly, Opera has this feature.

        If you want to edit it for the current site, it's Tools, Quick Preferences (F12), Edit site preferences...

        If you want to edit a site you're not visiting, it's in Tools, Preferences (Ctrl-F12), Advanced, Content, Manage site preferences..., Add.

        Java and plugins are on the Content tab, Javascript is on the Scripts tab.
    • Sorry I couldn't think anything else after reading the title of your post.

      Now zealots mod me down again.
  • The title reads "Another Denial of Service Bug Found in Firefox 2" but the summary says "... the bug cannot be exploited to run arbitrary code on a PC running Firefox 2, the representative said. This flaw in the JavaScript Range object is different from the denial-of-service vulnerability in Firefox 2 that was confirmed by Mozilla last week."

    So which do I trust? There's no way in hell I'm gonna actually read the article!
    • by jesser (77961)
      There's no contradiction between the sentences you pasted. It's entirely possible that there are two (or more) "denial of service" bugs (bugs that can't be exploited to run arbitrary code, but do make your browser crash/exit) in Firefox 2.
      • Yeah but the summary refers to two bugs, a bug announced last week which is a DOS bug and a bug announced this week which isn't. The title says that there are more than one DOS bugs in Firefox. I presumed that the bug announced this week was also a DOS bug but it isn't. Tis a bit confusing. It looks like Slashdot's reporting on the week-old bug.
  • by suv4x4 (956391) on Thursday November 02, 2006 @07:17AM (#16686543)
    Immediately stop using Internet if you're using one of those browsers:

    IE
    Firefox
    Safari
    Konqueror .. ..

    A new denial of service attack was discovered floating in the cyberspace, that can render any browser inoperable, and it has to be forcefully crashed and reopened. The signature of the exploit was reported to be:

    while(true) alert('Hahaha, suckers!');

    People are advised to immediately move to Lynx: the only browser known to be immune to this attack.
  • by suv4x4 (956391) on Thursday November 02, 2006 @07:23AM (#16686571)
    The two "crashers" are the only publicly released vulnerabilities that have been confirmed by Mozilla in the week since Firefox 2 was launched. The issues are only minor, the organization has said...

    They also added, that the reason the issues are minor, is because Firefox 1.5x and later releases of the popular Mozilla browser feature a special "issue shrinking" technology, patent pending, where no matter what happens, the issue becomes small.

    This is in opposition to Microsoft, which appears to ship all their products with "issue expanding" FUD generator technology, now considered by many specialists as obsolete, where never mind what's the trouble, it's blown out of proportions, and brings chaos and despair among geeky web users.
  • If you go search Firefox's bug database for bugs with the "crash" and "testcase" keywords at any time, you'll find dozens of known crash bugs. I imagine it's the same for any other major browser. Meanwhile, very few sites intentionally crash web browsers. It makes more sense for developers to focus on lowering the average time between crashes (by fixing the most common crashes), or on fixing actual security holes, than to focus on squashing the largest number of crash bugs.

    Why are CNet and Slashdot so in
  • With a tremendous amount of code there are bound to be bugs. The difference between Firefox and IE will be what the Firefox team does about the bugs, and how serious they are. If the Firefox team doesn't handle the bugs well and the bugs are "serious", Firefox might be, *gasp*, put in the same bucket as IE! I'll still use it though..
  • So, what, is it a link like <a href="javascript:window.close()">Click Here for Money!!!</a> that causes this "DOS"?
  • Being that any security flaw will make headlines these days, what prevents a "mole" from a competitor (say, for example, a borg developer) from joining an open source project and injecting difficult to detect security flaws? The process seems simple: join the team, create a stupid DOS flaw, wait for the build to go live, AC post to Bugtraq, profit from the carnage.

    Forgive me if this is a stupid question...I don't know much about the Mozilla org, or for that matter, how open source collaboration works in

    • "Being that any security flaw will make headlines these days, what prevents a "mole" from a competitor (say, for example, a borg developer) from joining an open source project and injecting difficult to detect security flaws?"

      The "millions of eyes" that OSS advocates like to tout should prevent such a thing from occurring.
    • by BZ (40346)
      In the case of Mozilla, for example, all patches require review by a well-established developer before being committed to the tree. Linux has a similar setup.
  • A non-exploitable bug is not a security flaw, it is a bug.

    If there were pages with the intention to crash firefox other than those proof of concept ones, I would worry

    It is not only a rule for firefox: When the initial Opera 9 had DoS exploits, nobody really abused them

    It is mostly because a good hacker would like to have the biggest odds so they target IE

    In fact, no matter how vulnerable the alternatives are they are simply not targeted

    I will just stick to Firefox+NoScript, I consider executing code

  • Just crashing browsers is easy enough. Even just with HTML. Remember this story? [slashdot.org]

    (A bit of self promotion.) I took his idea and incorporated it into a genetic programming system that manages to crash most browsers. It also finds HTML source that causes browsers to work for a looooonnnggg time to render a single page (in one case 19 hours for a page). The HTML is not particularly legal, but then there is no guarantee that any web page you load into a browser will follow any particular standard.

  • Making Firefox crash is no big deal. You can find descriptions of how to do this in Bugzilla, there's no secret about it.

    Here [mozilla.org] is an easy example, a segmentation violation by not specifying the namespace in xbl.

    This is a simple way to make people keep away from your site. OTOH I think I just had an idea for browser based minesweeper.
