Today i have read the news 🙁 New FireFox and First Vulnerability ….
When Firefox 1.5 was officially released I wondered when the first security vulnerability would be announced. To be fair, it’s taken longer than I thought it would. Packetstorm Security has released proof of concept code that causes a buffer overflow and denial of service on the Firefox browser. Long and short of it is, history.dat stores various pieces of information on websites you’ve visited. If the topic of a page is crafted to be long enough, it will crash the browser each time it is started after going to such a page. This vulnerability has been tested and does work, and no known patches are available at this time. Once this happens, firefox will be unable to be started until you erase the history.dat file manually. Presumably, if the topic was more tightly crafted than in the proof-of-concept code, a more malicious attack could be crafted that would install malware on the machine with the extra fun step of being reinstalled after each restart of firefox (unless you erase history.dat).
UPDATES:
The machine I was testing this on has McAfee Enterprise 8, and Firefox would not crash. Despite my valiant efforts in disabling the protection, I couldn’t get it to crash. While annoyed that I couldn’t (short of uninstalling) get the protection disabled, it probablly is a good thing. I’ll test more when I get in the office tomorrow and have more machines to play with.
POSSIBLE WORKAROUND:
However, the following is a workaround that should work (if it doesn’t let me know). Go to Tools -> Options.
Select the Privacy Icon, and then the History tab. Set the number of days to save pages at 0. This will disable writing anything to history.dat as far as I can tell, and should nullify the exploit. Readers have confirmed that this workaround does prevent the buffer overflow.
Some users have reported being unable to reproduce this error. I will test more to try to establish what makes this work and not. So far it appears Mac users are not affected by this.
HOW TO LOCATE THE PROFILE FOLDER:
If you need to delete your history.dat file (in case you tested this PoC code), it can be difficult to locate where exactly this file is.
You can find instructions for locating the profile folder at the following URL: http://www.mozilla.org/support/firefox/edit#profile.
by John Bambenek, bambenek *at* gmail *dot* com
The people at Mozilla did investigate this issue and could find no basis for claims that variants of this denial-of-service attack can cause an exploitable crash, and no evidence for this claim has been offered. There does not appear to be any risk to users or their computers beyond the temporary unresponsiveness at startup.
Should the user encounter this problem the slow starts can be fixed by deleting the item from history.
from:
http://www.mozilla.org/security/history-title.html