Mozilla Says Firefox 1.5 Bug Not Serious A bug in handling of extremely long names can make it seem the computer has crashed, but poses no risk "to users or their computers."
By Gregg Keizer, TechWeb News Dec. 12, 2005 URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=174918763 Mozilla Corp. has warned users of its newest browser, Firefox 1.5, that a bug in how the software handles extremely long names can make it seem that the computer has crashed. The flaw, however, does not expose users to attack, contrary to earlier reports by researchers. Malicious pages with very long titles--the proof of concept for the pseudo denial-of-service (DoS) attack contained 2.5 million characters--make the browser appear to hang, said Mozilla in an online security advisory, although the software is actually busy processing the name. Once encountered, the very slow start can't be corrected until the site name is removed from Firefox's history file. Last week, researchers of the PacketStorm security group claimed that the bug could result in not just a DoS, but a more serious buffer overflow, which could be used in turn by attackers to compromise the system. Mozilla, however, said that additional investigations showed that there is no danger of a buffer overflow. "We can find no basis for claims that variants of this denial-of-service attack can cause an exploitable crash," stated the Mozilla advisory. "There does not appear to be any risk to users or their computers beyond the temporary unresponsiveness at startup." The advisory also includes instructions on clearing the history file of the too-long site name. Mozilla has not set a release date for a fix. You are a subscribed member of the infowarrior list. Visit www.infowarrior.org for list information or to unsubscribe. This message may be redistributed freely in its entirety. Any and all copyrights appearing in list messages are maintained by their respective owners.