Friday, September 23, 2005

Mozilla Bug 307259

The Firefox 1.0.6 Web browser was hit by a nasty buffer overflow bug in the past week. The Bugzilla bug report can be found here. It was reported on Full Disclosure and Mozilla's Bugzilla on Sep 6 by Tom Ferris of and has since been a hot topic of discussion on the FD mailing lists.

A little knowledge about the bug. The problem lies in the way Firefox/Mozilla handle IDN URIs. IDN is International Domain Nomenclature, a naming system which is used for non-English domain names like Russian, Chinese etc. Basically a URI like http://---------------------------------------- can trigger this bug and cause the buffer overflow. No exploit code is present, so at most your browser will shut down. Note that the "-"s in the URI are soft hyphens encoded in UTF-8 (Unicode). Currently there is no patch/fix available for this bug; the best alternative is to disable IDN in Firefox through the about:config settings interface.

A little note about Tom Ferris. Tom is well known among security circles and highly respected, but of late he has been under a lot of flak for the way the Firefox bug was handled. Usually a bug is reported to the upstream developers and the devs are given some time to whip up a patch/update for the vulnerability. In this case, Ferris filed a bug report, announced it on FD and published POCC (Proof of Concept Code) all at the same time, without giving the Firefox devs enough time to even come out with a security advisory. This is not the right way to go about handling a critical vulnerability like #307259. Compare this to Ferris' way of handling IE bugs. Ferris reported 2 bugs in IE which were not made public and are still not fixed. Moreover, the advisory came a week later and no POCC was published.
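As an added illustration (not code from the original post or from Mozilla), here is a small Python check that flags URLs whose host contains U+00AD soft hyphens, the character behind this bug; `inspect_host`, `hostname_of` and the sample URLs are constructed for this example, and the about:config preference named in the comments is the one Firefox used at the time.

```python
from urllib.parse import urlsplit

# U+00AD SOFT HYPHEN; in UTF-8 it is the two-byte sequence C2 AD.
SOFT_HYPHEN = "\u00ad"
SOFT_HYPHEN_UTF8 = SOFT_HYPHEN.encode("utf-8")  # b"\xc2\xad"

def hostname_of(url) -> str:
    """Extract the host of a URL given as str or raw bytes (UTF-8 decoded)."""
    if isinstance(url, (bytes, bytearray)):
        url = bytes(url).decode("utf-8", errors="replace")
    return urlsplit(url).hostname or ""

def inspect_host(url) -> dict:
    """Summarise how a host uses U+00AD, the character behind bug 307259.

    Soft hyphens are invisible and carry no meaning in a hostname, so a
    legitimate domain has no reason to contain them; any occurrence is
    flagged as suspicious. The workaround the post describes, disabling IDN
    via about:config, corresponds to the preference network.enableIDN = false
    (assumed pref name; not quoted on the page).
    """
    host = hostname_of(url)
    n_soft = host.count(SOFT_HYPHEN)
    visible = host.replace(SOFT_HYPHEN, "")
    return {
        "host": host,
        "soft_hyphens": n_soft,
        "visible_chars": len(visible),
        "non_ascii": not host.isascii(),
        "suspicious": n_soft > 0,
    }

# Constructed samples (not from the original post): a normal URL, the trigger
# shape the post describes built from 40 soft hyphens, and a shorter variant as
# raw UTF-8 bytes as it would appear on the wire or in a proxy log.
SAMPLES = [
    "http://example.com/",
    "http://" + SOFT_HYPHEN * 40 + "/",
    b"http://" + SOFT_HYPHEN_UTF8 * 8 + b"/index.html",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        r = inspect_host(sample)
        print(f"soft_hyphens={r['soft_hyphens']:3d} "
              f"visible={r['visible_chars']:3d} suspicious={r['suspicious']}")
```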



This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License. My Way, my blog. Toufeeq Hussain