Last Updated: 2005-12-08 02:24:41 UTC
"...Packetstorm Security has released proof of concept code that causes a buffer overflow and denial of service on the Firefox browser. The long and short of it is, history.dat stores various pieces of information on websites you've visited. If the topic of a page is crafted to be long enough, it will crash the browser each time it is started after going to such a page. This vulnerability has been tested and does work, and no known patches are available at this time. Once this happens, Firefox cannot be started until you erase the history.dat file manually. Presumably, if the topic were more tightly crafted than in the proof-of-concept code, a more malicious attack could be crafted that would install malware on the machine, with the extra fun step of being reinstalled after each restart of Firefox (unless you erase history.dat). As we research this more, details will be added to this post...
POSSIBLE WORKAROUND
However, the following is a workaround that should work...
Go to Tools -> Options.
Select the Privacy icon, and then the History tab. Set the number of days to save pages to 0. This will disable writing anything to history.dat as far as I can tell, and should nullify the exploit.
HOW TO LOCATE THE PROFILE FOLDER
If you need to delete your history.dat file (in case you tested this PoC code), it can be difficult to locate exactly where this file is. You can find instructions for locating the profile folder at the following URL:
- http://www.mozilla.org/support/firefox/edit#profile ..."
Link to this comment: http://www.securityfocus.com/comments/newsbriefs/73/270#270
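The comment above describes the manual recovery step (find the profile folder, delete history.dat) but leaves locating the folder to a linked page. The script below is an added example, not code from the commenter, from Packetstorm, or from Mozilla: it reads the profiles.ini that Firefox keeps in its profile root, resolves each profile directory (honouring the IsRelative flag), and moves history.dat aside with a timestamped name rather than deleting it, so the file that made the browser unstartable survives for inspection. It assumes the classic Unix layout `~/.mozilla/firefox/profiles.ini` and the `[ProfileN]` / `IsRelative=` / `Path=` keys of that file; the Windows and macOS locations differ and are not handled here.

```shell
#!/bin/sh
# Added example: locate Firefox profile directories via profiles.ini and
# quarantine history.dat. Assumes the Unix-style layout
# ~/.mozilla/firefox/profiles.ini (assumption; other platforms differ).

# emit_profile BASE IS_RELATIVE PATH -> prints the resolved profile directory
emit_profile() {
    if [ "$2" = 1 ]; then
        printf '%s/%s\n' "$1" "$3"     # relative Path is rooted at the ini's directory
    else
        printf '%s\n' "$3"             # IsRelative=0 means Path is already absolute
    fi
}

# find_profile_dirs INI_FILE -> one resolved profile directory per line
find_profile_dirs() {
    ini="$1"
    base=$(dirname "$ini")
    rel=1
    path=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')   # tolerate CRLF line endings
        case "$line" in
            \[*\])                                 # new section: flush the previous profile
                [ -n "$path" ] && emit_profile "$base" "$rel" "$path"
                rel=1
                path=""
                ;;
            IsRelative=*) rel="${line#IsRelative=}" ;;
            Path=*)       path="${line#Path=}" ;;
        esac
    done < "$ini"
    [ -n "$path" ] && emit_profile "$base" "$rel" "$path"   # flush the last section
    return 0
}

# quarantine_history PROFILE_DIR -> moves history.dat aside.
# Returns 0 if a file was moved, 1 if the profile had no history.dat.
quarantine_history() {
    f="$1/history.dat"
    [ -f "$f" ] || return 1
    mv "$f" "$f.quarantined.$(date +%Y%m%d%H%M%S)"
}

# Usage: sh quarantine_history.sh ~/.mozilla/firefox/profiles.ini
# (Firefox must be closed first; it rewrites history.dat on exit.)
if [ $# -gt 0 ]; then
    find_profile_dirs "$1" | while IFS= read -r d; do
        if quarantine_history "$d"; then
            echo "quarantined: $d/history.dat"
        else
            echo "no history.dat in $d"
        fi
    done
fi
```

Run it with Firefox closed; quarantining rather than deleting keeps the offending record available if you want to check how long the stored title actually was. Setting the history retention to 0 days, as the comment suggests, stops new records being written but does not remove a record that is already in the file, so the two steps complement each other.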