Security Vulnerability Threatens Firefox
A security researcher has issued an advisory on a new vulnerability in Firefox that could lead to the remote execution of arbitrary code. The flaw was first reported to Mozilla developers by Tom Ferris earlier this week, but he opted to publicly disclose the problem following a disagreement.
The vulnerability relates to Firefox's handling of IDN, or international domain names, and can be exploited by long Web links that contain dashes. The flaw causes a buffer overflow and opens the door for malicious code to be run on a PC.
"The problem seems to be when a hostname which has all dashes causes the NormalizeIDN call in nsStandardURL:: BuildNormalizedSpec to return true, but is sets encHost to an empty string. Meaning, Firefox appends 0 to approxLen and then appends the long string of dashes to the buffer instead," Ferris explained.
Ferris recently discovered a flaw in Internet Explorer 6, which he reported to Microsoft in August. He did not disclose details on that vulnerability, however. Ferris was also credited by Microsoft for discovering a security flaw in the Remote Desktop Protocol.
The disclosure of security vulnerabilities has become a hot topic as of late. Microsoft and other software vendors have pushed for "responsible disclosure," which means notifying a company and giving them ample time to patch the issue before making any public announcement.
Security researchers, however, have long complained about the slow response of companies to fix problems that threaten users and have used public advisories as a way to bring about action.
Mozilla has not said whether the issue was corrected in the latest Beta 1 release of Firefox 1.5. "I'm guessing they are working on a patch," said Ferris. "Who knows though?"