Critical Bug in Firefox, Mozilla, and Netscape Browser

Advanced Search

September 14, 2005 Critical Bug in Firefox, Mozilla, and Netscape Browser A Web Exclusive from WinInfo Mark Joseph Edwards WinInfo InstantDoc #47731 WinInfo	Email this Article Printer Friendly Reader Comments Digg This Del.icio.us RSS
Subscribe to Windows IT Pro \| See More Security Articles Here \| Reprints \| Or get the Monthly Online Pass—only $5.95 a month!

Last week Tom Ferris reported a buffer overflow vulnerability in Firefox Web browsers. The vulnerability exists due to faulty processing of URLs and could lead to the execution of remote code. Netscape and Mozilla browsers are also affected by the problem because they share the same code base as Firefox. The vulnerability has a wide-ranging effects on the Internet community as a whole since millions of people rely on Firefox, Mozilla, and Netscape as their browsers of choice.

Inexplicably, Ferris posted a simple demonstration of the vulnerablity on his Web site three days after notifying Mozilla Foundation. While the demonstration only crashed the browser and did not show how to launch a remote code execution attack, the Mozilla Foundation had not a had chance to formally respond to the problem by releasing a patch.

Ferris had previously reported a problem in a Microsoft product and gave no details to the public until a patch was available. Ferris gave no explanation for his differing methods of disclosure. The posting of demonstration code for the Firefox problem led to the development of an exploit by another researcher, Berend-Jan Wever, who has not released his working example to the public. Wever said it took him only three and a half hours to figure out how to exploit the problem based on Ferris' original disclosure.

The problem has been reported to affect Firefox 1.0.6, Firefox 1.5 beta, Netscape 8.0.3.3, and Mozilla 1.7.11. Previous versions of these browsers may also be affected. A simple workaround prevents the browsers from being exploited. Mozilla Foundation released a self-installing patch (XPI file) that contains a workaround that disables International Domain Name (IDN) processing. The workaround changes a configuration parameter, network.enableIDN, to false. People who do not want to install the patch can perform the same action contained in the XPI file by entering about:config into the address bar and then searching for the parameter, which should be reset to false. At least one person reported that the same workaround and XPI file can be applied to Netscape browser.

End of Article

Reader Comments

You must be a registered user or online subscriber to comment on this article. Please log on before posting a comment. Are you a new visitor? Register now

Top Viewed ArticlesView all articles

Command Prompt Tricks

One reader shares his tip for setting up the command prompt to reflect a remote path. ...

Google Wave Emulates Trends of Changing World

As collaboration continues to increase, the world and how individuals view information is evolving. What does that mean for IT? ...

WinInfo Short Takes: 4th of July Special Edition

An often irreverent look at some of the week's other news, including a shortened work week thanks to the 4th of July, expensive Windows 7 pricing, Bing's modest monthly gains, IE 8 heading to work, Steve Jobs back at Apple, and so much more ...

Security Whitepapers Sustainable Compliance: How to reconnect compliance, security and business goals

The Impact of Messaging and Web Threats

Why SaaS is the Right Solution for Log Management

Related Events Security Summit

Top 10 Email Security Challenges and Solutions

Introduction to Identity Lifecycle Manager "2"

Check out our list of Free Email Newsletters!

Security eBooks Spam Fighting and Email Security for the 21st Century

Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys

Related Security Resources Introducing Left-Brain.com, the online IT bookstore
Looking for books, CDs, toolkits, eBooks? Prime your mind at Left-Brain.com

Discover Windows IT Pro eLearning Series!
Clear & detailed technical information and helpful how-to's, all in our trademark no-nonsense format

Test Drive IT Solutions and Get Free Music Downloads
Solve your toughest IT problems with these free downloads and receive 5 free music downloads!

ADS BY GOOGLE

Job Openings in IT		SPONSORED LINKS		FEATURED LINKS
		Get Microsoft Microsoft Certified With Train Signal Computer Training Train Signal’s computer training software videos will teach you the skills you need to get certified and gain experience in areas like Windows Server 2008, Exchange Server, SharePoint Server, and more.		Get Mark Minasi’s Windows Server 2008 Audio CDs "Windows expert, consultant and best-selling author Mark Minasi shows you if 2008 is right for you and, if so, how to get the most out of it! Desktop Management is a Never-Ending Job for Administrators Get a complete desktop management solution to centralize the management of thousands of desktops that will help you keep up with increased demand with limited manpower. Integrate Fax Servers into Your Unified Communications Plan In this fundamentals eBook you will learn how you can implement a solution that is easy to support, secure, and integrate. Take Control of Your Email Optimize your email storage – Download this white paper to learn key how-to’s in email storage management. Get Windows IT Pro To Go! The Windows IT Pro Magazine Master CD is a powerful combination of content and convenience. Order now, and save up to 25%--plus you’ll get online access to new articles each and every month! Subscribe today!

Windows IT Pro Home

FAQ for Windows

WinInfo News
Europe Edition

About Us

Contact Us/Customer Service

Media Kit

Affiliates / Licensing

SQL Server Magazine

Office & SharePoint Pro

DevProConnections

IT Job Hound

ITTV
IT Library

Technology Resource Directory

Windows SuperSite

Windows IT Pro is a Division of Penton Media Inc.
© 2009 Penton Media, Inc. Terms of Use | Privacy Statement | Reprints and Licensing