Hi Skylined, Thanks for the heads up.
Yes, certainly this is/was remotely exploitable. The good part is, that the Mozilla Team has released a "workaround"/security patch to fix this issue. They accomplish this by disabling IDN. The "What Firefox and Mozilla users should know about the IDN buffer overflow security issue" can be found at the following URL: https://addons.mozilla.org/messages/307259.html A patch for Mozilla Suite and Firefox users can be found here: http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.0.6/patches/307259 .xpi I can confirm that the fix plugs the hole. Regards Peter Kruse ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Berend-Jan Wever Sent: 10. september 2005 12:53 To: [email protected]; [email protected]; [EMAIL PROTECTED] Subject: [Full-disclosure] Mozilla Firefox "Host:" Buffer Overflow Exploit (Just a little heads up, no details or PoC attached) The security vulnerability in Mozilla FireFox reported by Tom Ferris is exploitable on Windows. I developed a working exploit that seems to be 100% stable, though I've only tested it on one system. The exploit will not be released publicly untill patches are out. On a side note: it took only about 3 hours and 30 minutes to develop the exploit, so I might not be the only one able to write it. Cheers, SkyLined -- Berend-Jan Wever <[EMAIL PROTECTED]> http://www.edup.tudelft.nl/~bjwever <http://www.edup.tudelft.nl/~bjwever> _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
