Saturday, September 10, 2005

Mozilla Firefox Link Buffer Overflow Allows Arbitrary Code Execution

CNET News.com is reporting that details of an unpatched buffer overflow flaw in Mozilla Firefox have been made public. The security vulnerability is caused by a bug in the way long links with dashes are handled and is reported to allow an attacker to execute arbitrary code on a victim's system.

The problem was discovered by security researcher Tom Ferris and published on the Security Protocols website yesterday. The Security Protocols advisory refers to the flaw as the Mozilla Firefox "Host:" Buffer Overflow and states that it is present in Firefox 1.0.6 and Firefox 1.5 Beta 1. The advisory features some extremely simple sample exploit code, which will crash Firefox if it's included in a webpage.

The French Security Incident Response Team (FrSIRT) has published two advisories relating to the security vulnerability. The Mozilla Browsers "Host:" Parameter Remote Buffer Overflow advisory warns that the flaw affects both Mozilla Firefox and the latest version of the Mozilla Application Suite, while the Netscape "Host:" Parameter Remote Buffer Overflow Vulnerability advisory states that Netscape Browser 8.0 is also affected.

According to the News.com article, Ferris reported the flaw to the Mozilla Foundation on Sunday, in line with the Mozilla security bugs policy. However, he decided to make the vulnerability public "after a run-in with Mozilla staff".

Thanks to roseman for the link to the News.com article, Juha-Matti Laurio and Padraig O'hIceadha for the link to the Security Protocols documentation and Juha-Matti Laurio again for the links to the FrSIRT advisories.

Update: The Mozilla Foundation has published a document entitled What Mozilla users should know about the IDN buffer overflow security issue, which explains how users can immunise themselves against the flaw by disabling support for international domain names (the buffer overflow is in the code that normalises IDNs). A patch that disables IDN support will be made available soon as an alternative for users who do not wish to manually edit their browser configuration. This patch will update the version number of Firefox from 1.0.6 to 1.0.6.1 and the Mozilla Application Suite from 1.7.11 to 1.7.11.1.

Ferris's bug report on the issue, bug 307259, has now been made public. The bug was filed on Tuesday afternoon (Pacific Daylight Time) and not Sunday as Ferris originally claimed. According to comments in the report, a more permanent fix for the problem (one that does not involve disabling IDN support) has been developed and will be included in future releases.

In a slight correction to the information above, please note that the security vulnerability is exploited using long links with soft hyphens, not dashes (although soft hyphens and dashes look similar on screen, they are not the same character).
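The two practical points above (the trigger is a long run of soft hyphens in the host part of a link, and the interim workaround is to switch IDN support off) can be turned into simple defender-side checks. The following is an added example written for this page, not code from the article, from Mozilla, or from the Security Protocols advisory. It flags anchors whose host contains more soft hyphens (U+00AD) than a threshold, shows that a soft hyphen is a different character from the visible hyphen-minus (U+002D), and checks whether a prefs.js/user.js snippet disables IDN support. The threshold, the sample HTML and the prefs snippet are constructed for illustration; the preference name `network.enableIDN` is the about:config setting that controlled IDN support in Firefox of that era and is not named in the article.

```python
"""Added example (not part of the MozillaZine article): spot links whose host
carries a long run of soft hyphens, and check the IDN-disable workaround.
Threshold, sample HTML and sample prefs are constructed assumptions."""
import re
import unicodedata
from html.parser import HTMLParser

SOFT_HYPHEN = "\u00ad"       # U+00AD SOFT HYPHEN: invisible unless a line breaks there
HYPHEN_MINUS = "-"           # U+002D HYPHEN-MINUS: the dash you can see
SOFT_HYPHEN_THRESHOLD = 32   # assumption: more than this many in one host is suspicious


class HrefCollector(HTMLParser):
    """Collect href values of <a> tags; HTMLParser unescapes entities such as &shy;."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value is not None:
                    self.hrefs.append(value)


def describe_char(ch):
    """Human-readable code point and Unicode name, e.g. 'U+00AD SOFT HYPHEN'."""
    return f"U+{ord(ch):04X} {unicodedata.name(ch)}"


def host_of(href):
    """Return the authority part of an absolute URL, or '' for relative links."""
    m = re.match(r"^[a-zA-Z][a-zA-Z0-9+.-]*://([^/?#]*)", href)
    return m.group(1) if m else ""


def suspicious_hrefs(html, threshold=SOFT_HYPHEN_THRESHOLD):
    """Return (href, soft_hyphen_count) for every link whose host exceeds the threshold."""
    parser = HrefCollector()
    parser.feed(html)
    flagged = []
    for href in parser.hrefs:
        count = host_of(href).count(SOFT_HYPHEN)
        if count > threshold:
            flagged.append((href, count))
    return flagged


# Workaround check: the last network.enableIDN line in a prefs file wins.
PREF_RE = re.compile(r'^\s*user_pref\("network\.enableIDN",\s*(true|false)\);', re.M)


def idn_disabled(prefs_js):
    """True when the prefs snippet sets network.enableIDN to false."""
    values = PREF_RE.findall(prefs_js)
    return bool(values) and values[-1] == "false"


# Constructed sample page: one normal link, one with visible dashes only,
# one with raw soft hyphens in the host, one with the same via &shy; entities.
SAMPLE_HTML = (
    '<a href="http://www.mozillazine.org/">normal link</a>'
    '<a href="http://ex-am-ple.test/">visible dashes only</a>'
    '<a href="http://' + SOFT_HYPHEN * 40 + 'example.test/">raw soft hyphens</a>'
    '<a href="http://' + "&shy;" * 40 + 'example.test/">entity-encoded soft hyphens</a>'
)

# Constructed prefs snippet implementing the workaround described in the article.
SAMPLE_PREFS = 'user_pref("network.enableIDN", false);\n'

if __name__ == "__main__":
    print("soft hyphen is", describe_char(SOFT_HYPHEN), "; dash is", describe_char(HYPHEN_MINUS))
    for href, count in suspicious_hrefs(SAMPLE_HTML):
        print(f"flagged: {count} soft hyphens in host of {href!r}")
    print("IDN disabled in sample prefs:", idn_disabled(SAMPLE_PREFS))
```

The host-only count matters because the article's advisories name the "Host:" handling as the affected code; counting across the whole URL would also catch harmless soft hyphens in path or query text. Only hosts with more than the threshold are reported, so a single soft hyphen in an otherwise ordinary link is not flagged.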

Another Update: The downloadable patch for disabling IDN support is now available. It does not update the version number as originally planned, instead adding "(noIDN)" to the user-agent string.

Talkback: http://www.mozillazine.org/talkback.html?article=7307