Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: [Full-disclosure] FireFox Host: Buffer Overflow is not just exploitable on FireFox
From: "milw0rm Inc." <milw0rm () gmail com>
Date: Fri, 16 Sep 2005 11:39:37 -0500

This problem also effects Thunderbird (tested) and im guessing
Netscape's Mail client (untested) which it really can't do much except
cause Thunderbird/Netscape to crash without javascript.

Include the linked source in an email for your testing.

http://www.milw0rm.com/down.php?id=1204

/str0ke

On 9/13/05, Juha-Matti Laurio <juha-matti.laurio () netti fi> wrote:
Hi all,
Research and development has let to a ~90% reliable working exploit for the
IDN Heap Buffer overrun in FireFox on WinXP and Win2k3 as long as DEP is
turned off and JavaScript is enabled. Some tweaking might yield an even
higher success ratio. It has also revealed that not only FireFox is
vulnerable to this vulnerability, but the exact same exploit works on the
latest releases of all these products based on the Mozilla engine:
- Mozilla FireFox 1.0.6 and 1.5beta,
- Mozilla Browser 1.7.11,
- Netscape 8.0.3.3 <http://8.0.3.3>.
Recommendations for this vulnerability:
- FireFox and Mozilla: Install the workaround for (
https://addons.mozilla.org/messages/307259.html).
- Netscape: hope they'll respond to this email and release a workaround.
- Wait for a patch and install it asap.
Recommendations to make it harder to exploit any FireFox vulnerability:
- Turn on DEP (Data Execution Prevention),
- Turn off JavaScript,
- Switch to another browser,
- Do not browse untrusted sites,
- Do not browse the web at all,
- Unplug your machine from the web,
- Wear a tinfoil hat.
Cheers,
SkyLined

BTW: From where is that security [at] netscape.org address?
1)
An official security URL to Netscape is "Netscape Browser Bug Submission
Form" at
http://browser.netscape.com/ns8/support/bugreport.jsp
(www.netscape.org redirects to home.netscape.com/ , of course they have
netscape.org, netscape.net etc.)

For version 7.2 (and 7.x?) it is the following:
http://wp.netscape.com/browsers/7/feedback/problem.html
Two separate addresses due to different developer teams, according to
my knowledge. Is there any new information?

I have informed the vendor Netscape being affected on 9th September 2005.

2)
Disabling IDN support via about:config (or prefs.js file) is possible in
Netscape Browser 8 too. Xpi file for Firefox and Mozilla Suite works in
Netscape 8.0.3.3 too. Test was successful and even UA was changed to
include ....Gecko/20050729 (No IDN) Netscape/8.0.3.3.
However, the manual method is recommended.
I.e. there is a workaround for Netscape. Vendor developer team contacted
during a weekend, no reply yet.

3)
When an updated version of Netscape Browser 8 is available the download
link is http://browser.netscape.com/ns8/download/default.jsp

- Juha-Matti

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]