Image Processing Flaw Found in Firefox
Firefox users may be vulnerable to a denial of service attack after researchers looked into reports of a new vulnerability within Firefox 1.5.0.3. The flaw exists in how the browser handles image tags. The SANS Internet Storm Center first wrote off the problem, but continued research has shown that the flaw could be used maliciously.
The exploit was initially believed to only be a joke, as a hyperlinked "image" when opened would launch the media player and play a .wav file. However, researchers now say the same flaw could be used in conjunction with JavaScript to open a mail client and open up multiple windows using the "mailto:" command.
Eventually, the system would become unresponsive, say researchers. While this may seem fairly benign, some security experts sounded the alarm.
"Guys, this is a PoC [proof of concept], do you understand what it can do? Now it opens ~100 mail windows, but what if it does a lot worse, just because the img xsrc= tag can be used to open almost everything?" warned Securityview in a Web log post on Saturday.
Chris Mosby of myITforum.com shared several suggestions on how to avoid exploitation of the flaw. "One possible workaround is to turn off automatic startup of your e-mai application in Firefox," he said. Additionally, a user could disable JavaScript, or block "mailto:" altogether.
Security firms such as Secunia did not list the vulnerability as of press time, but it is likely they would eventually post an advisory, as would other firms. Mozilla has not yet commented on the discovery of the vulnerability.