Firefox Remote Exploit: Highly Critical URL Domain Name Buffer Overflow

  • Thread starter Thread starter dduardo
  • Start date Start date
  • Tags Tags
    Firefox
AI Thread Summary
A highly critical vulnerability related to a buffer overflow in Firefox's handling of URL domain names has been identified, with potential crashes when visiting certain links. Users can check if they are affected by visiting a specific URL, though results may vary based on individual setups. To mitigate the issue, users are advised to disable Internationalized Domain Names (IDN) by accessing the about:config settings and setting network.enableIDN to false. Mozilla is reportedly working on a patch to permanently disable IDN due to its flaws. An official patch is available for those who have not yet disabled IDN, but it is unnecessary for users who have already made the change. The discussion highlights that not all users experience the crash, indicating variability in the vulnerability's impact.
dduardo
Staff Emeritus
Science Advisor
Insights Author
Messages
1,902
Reaction score
3
Firefox URL Domain Name Buffer Overflow

Rating: Highly Critical

http://secunia.com/advisories/16764/

See if your vulnerable by clicking the the following link (Note: Firefox might crash) :

http://www.security-protocols.com/firefox-death.html

Depending on your Firefox setup this may or may not effect you. This did not affect me (Gentoo Linux, FF 1.06 compiled with fstack-protector-all).

Solution:

1) In the url bar go to about:config
2) Click on network.enableIDN to set to false

[edit] Mozilla has been planning to disable IDN for some time now since it is a broken standard. The patch Mozilla will be releasing shortly will disable IDN for good. You can actually go to Mozilla's Bugzilla and download the xpi patch.

https://bugzilla.mozilla.org/attachment.cgi?id=195467
 
Last edited by a moderator:
Physics news on Phys.org
Its kinda weird it tries to download a file from NOAA's website

and the line in that file says

Matt Foster - SHV 1.2e
 
What are you talking about? The patch? The patch comes straight from bugzilla.mozilla.org.
 
dduardo said:
Solution:

1) In the url bar go to about:config
2) Click on network.enableIDN to set to false[/url]
And how do I set it to false?
 
Monique said:
And how do I set it to false?

Does that mean you're using Firefox now?

Just double click it and it should be set to false.
 
Thanks for the heads up Dduardo. I had to change it.
 
hypnagogue said:
Does that mean you're using Firefox now?
*Shhhhhhhht!*


Actually, I found a skin that solved some critical problems I had.

Just double click it and it should be set to false.
Right, next time I should just go to sleep at 3 am.
 
dduardo said:
See if your vulnerable by clicking the the following link (Note: Firefox might crash) :

http://www.security-protocols.com/firefox-death.html

I use Firefox 1.0.6 on winXPsp2 and network.enableIDN to set to true, but the link does not crash Firefox it just gives me an empty page.
 
Last edited by a moderator:

Hot Threads

Recent Insights

Back
Top