Update:
New vulnerability discovered for Firefox 3.5.1 (Image: J. Anderson)
Mozilla says that the reports from SANS and IBM are incorrect. Based on internal testing, the vulnerability is not exploitable.
"In the last few days, there have been several reports (including one via SANS) of a bug in Firefox related to handling of certain very long Unicode strings. While these strings can result in crashes of some versions of Firefox, the reports by press and various security agencies have incorrectly indicated that this is an exploitable bug. Our analysis indicates that it is not, and we have seen no example of exploitability," wrote Mike Shaver on the Mozilla Security Blog.
"As a result of our analysis, we do not believe that this represents an exploitable vulnerability in Firefox. Further, we believe that the IBM report is in error, and that the severity rating in the National Vulnerability Database report is incorrect. We have contacted them and hope to resolve the inaccuracies shortly."
Original Article:
On Thursday or early Friday, depending on how you look at it, Mozilla released Firefox 3.5.1 to address a vulnerability in the Just-in-Time (JIT) compiler. Now there are confirmed reports of a second vulnerability, with exploit code already published, that affects Firefox 3.5.1; other versions could be vulnerable as well.
The vulnerability was reported to SecurityFocus (BID 35707) on July 15. This morning, a report from the SANS Internet Storm Center, followed by an IBM ISS X-Force alert, confirmed that this vulnerability is present in Firefox 3.5.1.
The vulnerability is a remote stack-based buffer overflow, triggered by passing an overly long string of Unicode data to the document.write method. If exploited, the resulting overflow could lead to code execution, or, if exploit attempts fail, to a denial-of-service condition. Proof-of-concept code for the flaw has been posted and can be viewed here.
According to several sources, there is no patch at this time for the vulnerability. In addition, this vulnerability was discovered by the same person who published details on the previously patched flaw.
According to a comment on SANS ISC, eEye has said that in this case NoScript might not help. "Note: Although Javascript access can be restricted with applications such as the NoScript Add-On, it may still be possible for the browser to be exploited if an untrusted website is loaded (with/without the consent of the user, for example, via XSS or compromised-whitelisted website)"
If Mozilla issues a comment or if there is more information to report, we will update this story.