Thread: Mozilla Downplays Firefox 1.5 Exploit

  1. #1
    Join Date
    Apr 2003
    Posts
    13,270
    Rep Power
    35

    Mozilla Downplays Firefox 1.5 Exploit

    A private security outfit has released a proof-of-concept exploit for a security flaw in Firefox 1.5, warning that the code can be modified to launch code execution attacks.

    However, officials at the Mozilla Foundation are downplaying the threat, insisting the bug is more of an "annoyance" than a serious security vulnerability.
    Read more: http://www.eweek.com/article2/0,1895,1898253,00.asp
    Link to Proof of Concept code found here: http://isc.sans.org/diary.php?storyid=920
    "The best software is the one that fits your needs." - A_A

    Virus free since: date unknown
    Anti-virus free since: August 2008

  2. #2
    Join Date
    Oct 2004
    Posts
    4,814
    Rep Power
    24

    Well, it's good that Firefox seems to be getting constant attention where security is concerned. This will just help to get rid of these bugs faster.

  3. #3
    Join Date
    Apr 2003
    Posts
    13,270
    Rep Power
    35

    Long-title temporary startup unresponsiveness

    Quote Originally Posted by Mozilla.org
    Web pages with extremely long titles (the posted proof of concept used 2.5 million characters) can cause Mozilla Firefox and the Mozilla Suite to appear to "hang" on startup when reading the browsing history data. The browser will eventually continue normally although this can take up to several minutes on a slower computer. The unresponsive starts will continue until the item with the long title is removed from the history file or eventually expires.

    We have investigated this issue and can find no basis for claims that variants of this denial-of-service attack can cause an exploitable crash, and no evidence for this claim has been offered. There does not appear to be any risk to users or their computers beyond the temporary unresponsiveness at startup.

    Should the user encounter this problem the slow starts can be fixed by deleting the item from history.
    Taken from: http://www.mozilla.org/security/history-title.html
    "The best software is the one that fits your needs." - A_A

    Virus free since: date unknown
    Anti-virus free since: August 2008

  4. #4
    Join Date
    Jun 2004
    Posts
    3,547
    Rep Power
    0

    Quote Originally Posted by mitchie
    Which Firefox user gonna test this proof of concept? Arch??
    lol, I'll pass on that one.

  5. #5
    Join Date
    Oct 2004
    Posts
    4,814
    Rep Power
    24

    I'll try it and let you guys know.

  6. #6
    Join Date
    Oct 2004
    Posts
    4,814
    Rep Power
    24

    Well the proof worked.

    Before:



    Firefox trying to start after visiting url:



    I didn't wait until it started to find out how long it would take; waiting a minute is long enough.
    Last edited by leoandru; Dec 12, 2005 at 10:42 AM.

  7. #7
    Join Date
    Oct 2004
    Posts
    4,814
    Rep Power
    24

    I didn't delete the entire history.dat file. If you open it in Notepad you'll see the extremely long URL. Just delete it, using the key combinations to highlight it, else lots of scrolling. Here is how it looked:


  8. #8
    Join Date
    Apr 2005
    Posts
    1,333
    Rep Power
    0

    Hah! It doesn't affect Opera.
    The fox was probably right - they could have been sour grapes.

  9. #9
    Join Date
    Oct 2004
    Posts
    4,814
    Rep Power
    24

    Where did all of Mitchie's posts disappear to?

  10. #10
    Join Date
    Jan 2003
    Posts
    1,137
    Rep Power
    0

    Quote Originally Posted by leoandru
    Where did all of Mitchie's posts disappear to?
    Wondering the same thing...
    Vision without Mission is Daydreaming!
