A new, unpatched flaw that affects all versions of Firefox could let attackers surreptitiously run malicious code on users' PCs, a security researcher has warned.
The problem lies in the way Firefox handles Web links that are overly long and contain dashes, security researcher Tom Ferris said in an IM interview late on Thursday.
He posted an advisory and a proof of concept to the Full Disclosure security mailing list and to his Security Protocols Web site.
The security vulnerability is a buffer overflow flaw that "allows for an attacker to remotely execute arbitrary code" on a vulnerable PC, Ferris said. An attacker could host a Web site containing the malicious code to exploit the flaw, he said. Though his proof of concept only crashes Firefox, Ferris claims he has been able to tweak it to run code.
Buffer overflows are one of the most commonly exploited classes of memory-safety bug. They occur when a program writes data beyond the end of the space allocated for a buffer in memory, so that the excess spills into whatever sits next to it. If the adjacent memory holds something the program later trusts, such as a saved return address or a function pointer, carefully crafted input can overwrite it and redirect execution to attacker-supplied code; input that is merely too long, such as a plain run of dashes, typically produces only a crash.
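As an added illustration (this is not Firefox's code and not Ferris's proof of concept), the following C program models the mechanism in miniature: a fixed-size link buffer sits directly before a control value, the way a local buffer sits near a saved return address on the stack. An unbounded copy of a long, dash-filled link overwrites the control value; a bounded copy refuses the link instead. The frame layout, the 64-byte size, the `RET_MAGIC` value and the `https:` plus dashes input are all constructed for the example, and the whole frame is one C object so the program stays within defined behaviour while still overrunning the logical buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a stack frame: a fixed-size link buffer
 * followed by a control value standing in for a saved return address.
 * Everything lives in one struct so the demonstration never writes
 * outside a C object; only the logical buffer is overrun. */
#define LINK_BUF 64
#define RET_MAGIC 0xC0DE0001u

struct frame {
    char link[LINK_BUF];
    uint32_t saved_ret;      /* what an overflow clobbers */
};

/* Vulnerable pattern: copy the whole link with no regard for LINK_BUF.
 * The clamp to sizeof *f only keeps the model in bounds; real code
 * would keep writing into the caller's frame. Returns bytes copied. */
size_t copy_link_unbounded(struct frame *f, const char *url)
{
    size_t n = strlen(url) + 1;              /* include terminator */
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy((unsigned char *)f, url, n);       /* runs past link[] */
    return n;
}

/* Hardened form: reject anything that does not fit, terminator included.
 * Returns 0 on success, -1 if the link is too long. */
int copy_link_bounded(struct frame *f, const char *url)
{
    size_t n = strlen(url);
    if (n >= LINK_BUF)
        return -1;
    memcpy(f->link, url, n + 1);
    return 0;
}

int frame_intact(const struct frame *f)
{
    return f->saved_ret == RET_MAGIC;
}

/* Constructed input in the shape the advisory describes: a scheme
 * followed by a run of dashes (not the published proof of concept). */
void make_dash_link(char *out, size_t outsz, size_t dashes)
{
    const char *prefix = "https:";
    size_t i = 0;
    while (*prefix && i + 1 < outsz)
        out[i++] = *prefix++;
    while (dashes-- > 0 && i + 1 < outsz)
        out[i++] = '-';
    out[i] = '\0';
}

/* 1 if the control value survives an unbounded copy of a link with
 * `dashes` dashes, 0 if it was overwritten. */
int unbounded_survives(size_t dashes)
{
    struct frame f;
    char url[512];
    f.saved_ret = RET_MAGIC;
    make_dash_link(url, sizeof url, dashes);
    copy_link_unbounded(&f, url);
    return frame_intact(&f);
}

static int run_bounded(size_t dashes, struct frame *f)
{
    char url[512];
    f->saved_ret = RET_MAGIC;
    make_dash_link(url, sizeof url, dashes);
    return copy_link_bounded(f, url);
}

/* Bounded copy: the control value must always survive ... */
int bounded_survives(size_t dashes)
{
    struct frame f;
    run_bounded(dashes, &f);
    return frame_intact(&f);
}

/* ... and over-long links are rejected rather than truncated silently. */
int bounded_accepts(size_t dashes)
{
    struct frame f;
    return run_bounded(dashes, &f) == 0;
}

int main(void)
{
    printf("short link, unbounded copy: control value %s\n",
           unbounded_survives(10) ? "intact" : "CLOBBERED");
    printf("200 dashes, unbounded copy: control value %s\n",
           unbounded_survives(200) ? "intact" : "CLOBBERED");
    printf("200 dashes, bounded copy:   control value %s, link %s\n",
           bounded_survives(200) ? "intact" : "CLOBBERED",
           bounded_accepts(200) ? "accepted" : "rejected");
    return 0;
}
```

With 200 dashes the unbounded copy fills `link` and continues into `saved_ret`, which ends up holding four `-` bytes (0x2D2D2D2D) instead of `RET_MAGIC`; in a real process that is the point at which a return would jump to an attacker-chosen address, or, with filler like dashes, simply crash. The bounded copy returns -1 for the same input and leaves the control value untouched, which is the behaviour a length check on URL handling should give.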
Ferris reported the bug to the Mozilla Foundation on 4 September, intending to go through the organisation's bug reporting process, he said. However, in an example of the uneasy alliance between security researchers and software makers, he decided to publicly disclose the flaw after a run-in with Mozilla staff, he said.
Mozilla, which coordinates development of Firefox and distributes the software, could not immediately comment on the flaw disclosure. However, a source close to the organisation confirmed that Ferris had filed several bug reports, including this specific one.
Since the debut of Firefox 1.0 in November, usage of the open source browser has grown. Security has been a main selling point for Firefox over Microsoft's Internet Explorer, which has begun to see its market share dip slightly — for the first time in years.
However, Firefox has had its own security woes. Several serious holes in the browser have been plugged since its official release and experts have said that safe Web browsers don't exist.
The public bug disclosure comes just as Mozilla released the first beta of Firefox 1.5. The final release of the next Firefox update, which includes security enhancements, is due by year's end, according to the Firefox road map.
Ferris has found bugs in Microsoft software before, including a yet-unpatched flaw in Internet Explorer that Microsoft still has under investigation.
Earlier this month Microsoft credited Ferris with reporting a bug in a Windows feature called the Remote Desktop Protocol that could allow an attacker to remotely restart Windows systems.
Talkback
"A buffer-overflow vulnerability in the open source browser has revelealed by a researched apparrently frustrated with Mozilla's security procedures"
Not only are there spelling mistakes, this also makes little sense!
Let me help you. "Open source software has security bugs too". Better now?
I'm confused. His technical explanation states that the buffer must be full of all dashes. If he can tweak in a malicious payload, this description is not true. If the description is true, then this is a crash bug, and not a remote execution exploit (unless a string of dashes is a malicious code snippet).
I love Security Publicity^H^H^H^H^H^H^H^HExploit Seekers.
It appears to me that this article has been run without proof, or at least without checking to see if this actually happens. I am currently running "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6" and cannot reproduce this "flaw". I even tried adding several lines of "dashes" and still could not reproduce this supposed "flaw"; maybe that is why the Mozilla Firefox team is ignoring him. I am using the binary version from the main website, I did not compile the version myself, so maybe that could be a cause for the "flaw", and that could be caused by the user setting incorrect options in .config or the makefile. Just a guess.
I'll repeat one thing from above: "<a href=https:----------------------------- >" did nothing to my 1.0.6 Firefox browser, I even tried adding "Click Me</a>". The only behaviour from this that I encountered was getting a Google page searching for "--------------------------".
I'd really like to see others post and explain any behavior they encountered with their browser.