New Firefox/Mozilla Security Vulnerability

    Date: 12/08/05 (Mozilla)    Keywords: browser, asp, java, security, virus, linux

    News of a new security vulnerability has been posted for Firefox 1.5 (my own testing confirms it also affects Firefox 1.0.7, Mozilla 1.7.12, and Camino 1.0b1) that allows for Denial of Service or potentially arbitrary code execution. It has to do with a buffer overflow in the parsing of history.dat, which stores browser history.

    Basically, if you visit a malicious site using this vulnerability, the next time you try to start Firefox it will run the malicious code, which could be as minor as causing Firefox not to work (such as the Proof of Concept) or as serious as executing arbitrary code (e.g. it could install a virus or other malware). Fortunately, there is a simple workaround: just set Firefox to keep browser history for 0 (zero) days, essentially setting it not to keep history, and then restart Firefox to make the change take effect. Note that disabling JavaScript DOES NOT mitigate this vulnerability; only disabling browser history does, since that prevents the creation of history.dat. Also note that the malicious code would run each time you attempt to start Firefox, until you delete history.dat from your profile folder.

    I don't believe Mozilla has announced anything about this yet, but proof of concept code is available, and I confirmed with my own testing that it works as I described on both Mac OS X and Windows, using both Firefox 1.5 and Firefox 1.0.7, meaning that all versions are probably affected (or at least all recent versions).

    Here are the steps to mitigate this vulnerability until a patch is released (for Firefox 1.5):

    1. Open Firefox Options (Tools->Options on Windows) or Preferences (Edit->Preferences on Linux, Firefox->Preferences on Mac OS X).
    2. Choose "Privacy" from the top button bar, and choose the "History" tab.
    3. Set "Remember visited pages for the last ____ days." to 0 (zero).
    4. On Windows, click OK to close the Options window. On Linux or Mac, simply close the Preferences window.
    5. Restart Firefox to make sure the setting takes effect.

    The same steps apply to Firefox 1.0.x; it's just that the options/preferences window is different. Basically, for step 2 the "Privacy" button is on the left side button bar, and history is the top section on that pane.
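    As an added example (not part of the original post or of Mozilla's code), the helper below checks a profile's history.dat for the kind of oversized entry this bug is about and, if it finds one, moves the file aside so Firefox can start again, which is the manual "delete history.dat" recovery described above done safely. The profile folder locations, the 4096-byte threshold and the cell-value regex are assumptions (a heuristic, not a full Mork parser); SAMPLE is constructed test data.

```python
import os
import re
import shutil
from pathlib import Path

# history.dat is a Mork text file; cell values look like (^80=http://...) and
# (^81=Page title), with ')' inside a value escaped as '\)'. This regex is an
# assumption/heuristic, not a full Mork parser: it grabs each value between
# '=' and the next unescaped ')'.
CELL_VALUE = re.compile(r'=((?:\\.|[^)\\])*)\)')

# Constructed sample: one normal row plus a title of 5000 bytes.
SAMPLE = ('<(80=ns:history:db:row:scope:history:all)(81=http://example.com/)(82=Example Domain)>\n'
          '{1:^80 {(k^81:c)(s=9)} [1(^81^82)(^82=' + 'A' * 5000 + ')]}')

def find_oversized_values(mork_text, threshold=4096):
    """Return (length, first 60 chars) for every cell value longer than threshold."""
    hits = []
    for m in CELL_VALUE.finditer(mork_text):
        value = m.group(1)
        if len(value) > threshold:
            hits.append((len(value), value[:60]))
    return hits

def profile_dirs():
    """Candidate Firefox 1.x profile folders for the current platform (assumed paths)."""
    home = Path.home()
    roots = [
        home / '.mozilla' / 'firefox',                                          # Linux
        home / 'Library' / 'Application Support' / 'Firefox' / 'Profiles',      # Mac OS X
        Path(os.environ.get('APPDATA', '')) / 'Mozilla' / 'Firefox' / 'Profiles',  # Windows
    ]
    return [p for root in roots if root.is_dir() for p in root.iterdir() if p.is_dir()]

def quarantine_history(profile_dir, threshold=4096):
    """Check profile_dir/history.dat; if it holds oversized values, rename it so Firefox can start.
    Returns None if there is no history.dat, [] if it looks clean, else the list of hits."""
    hist = Path(profile_dir) / 'history.dat'
    if not hist.is_file():
        return None
    hits = find_oversized_values(hist.read_text(encoding='latin-1', errors='replace'), threshold)
    if hits:
        shutil.move(str(hist), str(hist) + '.quarantined')  # keep a copy for later inspection
    return hits

if __name__ == '__main__':
    for d in profile_dirs():
        print(d, quarantine_history(d))
```

Run it with Firefox closed; a quarantined file can be deleted once the browser starts normally again.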

    More details for the technically minded...

    X-posted to mozilla

    Update 1: My own testing confirms that other Mozilla-based browsers are affected by this vulnerability as well, including Mozilla Suite and Camino. I've also confirmed that this can be exploited without JavaScript (which I already suspected), and it has the same effect as the original PoC. All users of Gecko-based browsers should disable browser history.

    Also, Secunia has released an advisory on the issue, but they only mention the DoS aspect, not the possibility of code execution that the original researchers claim is possible. While I can't confirm myself whether or not that is true, it is still certainly a nuisance to have Firefox become unusable, so you should all still protect yourselves.

    Update 2: Mozilla has released a statement, claiming that the flaw only causes Firefox and Mozilla to hang for a long time when starting, but that they eventually do start. They also say that they don't think code execution is possible, since the original researchers present no proof of it other than claiming it's possible. Though they don't state it, it doesn't sound like they're planning to release a patch anytime soon...

    Also, testing confirms that this affects Linux, though depending on the distribution it seems to affect it differently. For example, on Gentoo using the twm window manager, accessing the test case caused the window manager to completely lock up, and then after restarting Firefox wouldn't work. On Fedora Core 4, however, after restarting Gnome (which locked up for me similarly to twm) Firefox did seem to keep working normally. Perhaps the fact that the window managers are locking up is a sign that they can't handle extremely long window titles...

    Source: http://community.livejournal.com/mozilla/341566.html
