Firefox crashes

Tuesday, October 18. 2005

In a recent security comment at Whitedust Security an exploit was posted which will make all versions of Firefox and Thunderbird crash (100% CPU usage). So if you want to mess with FF users include this in your homepage: ;-)

<strong>
  <sourcetext>
    Goodbye FF
  </sourcetext>
</strong>

Try it here. This seems to be an error in the Gecko rendering engine and should be quick to fix, so let's hope there's an update out soon. Not because of the danger that you would surf to sites including the above code, but because surely there will be some jokers sending around spam including this HTML snippet and making Thunderbird crash.

Some browser vulnerability statistics from secunia.com
Internet Explorer (20/86 unpatched)
Mozilla Firefox (3/25 unpatched)
Opera (0/8 unpatched)

Later
Matthias
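
A mail-gateway style check for the spam scenario described in the post, as an added example that is not part of the original post: it flags HTML mail parts that contain a `sourcetext` element. Treating that element name as the indicator is an assumption based on the snippet shown above; `scan_message`, `build_sample` and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

SUSPECT_TAG = "sourcetext"  # assumption: element name taken from the snippet in the post


class TagFinder(HTMLParser):
    """Records the (line, column) of every start tag named SUSPECT_TAG."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag names, so <SourceText> also matches.
        if tag == SUSPECT_TAG:
            self.hits.append(self.getpos())


def scan_message(raw_bytes):
    """Return [(part_index, (line, col)), ...] for suspect tags in text/html parts."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for index, part in enumerate(msg.walk()):
        if part.get_content_type() != "text/html":
            continue  # skip containers, plain text and attachments
        finder = TagFinder()
        finder.feed(part.get_content())  # transfer encoding is decoded here
        finder.close()
        findings.extend((index, pos) for pos in finder.hits)
    return findings


def build_sample(html):
    """Constructed multipart/alternative message with a base64 HTML part."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("plain text alternative")
    msg.add_alternative(html, subtype="html", cte="base64")
    return msg.as_bytes()


if __name__ == "__main__":
    flagged = build_sample("<strong><SourceText>Goodbye FF</SourceText></strong>")
    benign = build_sample("<strong>Hello</strong>")
    print(scan_message(flagged), scan_message(benign))
```

Because the HTML part is base64-encoded in the sample, a plain substring search over the raw message would miss it; decoding each MIME part first is what makes the check usable on real mail.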




Comments


    #1 Jed on 10/20/05 at 04:08 AM

    Exploit? So nowadays when you find a bug that crashes a program, you can call it a "Security Comment" and an "Exploit"?

    You can kill IE with a one liner HTML code (search google for it), yet no one is claiming an exploit.

    Sheesh.

    #1.1 dakira on 10/20/05 at 03:48 PM

    Hi Jed,

    I'm a Firefox user myself and I didn't use those words. I wrote "comment" in italic because those were the words of Whitedust Security (they said: this is a comment and not an advisory).

    The story is: this bug was considered minor back in 2003. Now think spam containing this code crashing thousands of Thunderbirds out there. This is not so minor I think.

    This bug seems to be a big problem. I heard some "internal" rumors that it is very hard to fix because it is impossible to locate without huge code reviews. But that's just rumors.

    #2 John on 10/21/05 at 05:41 AM

    Don't think it will be too big of a problem. Firefox 1.5 Beta 2 isn't affected so I would assume that the beta release of Thunderbird probably isn't affected either. Hopefully Mozilla will release version 1.5 of both of them soon and this security comment will cease being important. Then again, I'm sure thousands of users probably won't update right away, but having the program crash might be a good way to get people updating :-)

    #3 FunnyMan on 02/05/06 at 01:46 PM

    Just to confirm, it's definitely fixed in 1.5.0.1.

    -FM
