Exploit Circulates For Firefox Flaw

An exploit for the just-patched IDN bug in Mozilla's Firefox browser and namesake suite has been published on the Internet.



An exploit for the just-patched IDN bug in Mozilla's Firefox browser and namesake suite has been published on the Internet, a French security vendor said late Thursday.

FrSIRT warned users of Firefox and Mozilla that the exploit code -- which FrSIRT published in its entirety, a not-uncommon practice for the firm -- should be considered a critical risk.

According to the comments posted by the exploit's author, identified as Berend-Jan Wever, a Dutch programmer who has previously cranked out exploit code for Internet Explorer vulnerabilities, the hack creates a heap buffer overflow, and when it works, can give the user complete control of a vulnerable machine running Firefox, Mozilla, or even Netscape.

Like many browser-oriented exploits, an attack using the exploit would require that the victim surf to a malicious site; the usual methods of getting users to evil Web sites is with spam e-mail.

Tuesday, Mozilla patched the Firefox browser against the bug in its support of international domain names (IDN). Thursday, it followed up with a similar fix for the Mozilla suite in its Windows, Linux, and Mac OS X incarnations.

Netscape, however, has not yet patched that browser.

That may not matter, wrote Wever in his code comments. "[The code] is optimized to work with FireFox, who [sic] do have a patch out, but on a rare occasion it will work in Netscape."

Firefox 1.0.7 and Mozilla 1.7.12, which stymie the exploit, can be downloaded from the Mozilla site.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Email This  | 
Print  | 
RSS
More Insights
Copyright © 2021 UBM Electronics, A UBM company, All rights reserved. Privacy Policy | Terms of Service