Any truth to this Firefox 1.5 exploit

  • Thread starter: Fuzzy Logic
All I do is make my comp as secure as I know how.

Maybe this can be a point of discussion, lengthy & time-consuming as
it may be.

Relying on a browser or OS to protect you is just as unlikely as bricks that
will lay themselves.

Since no OS or browser is totally secure, it doesn't make sense to choose
them based solely on security. Regardless of which OS and browser you use,
you can not relax and be lazy. You still have to be cautious and use common
sense. Software that can replace common sense has never been made, and never
will. Hackers know this, and mainly prey on those who do not use common
sense.

~~~~~~~~~~~~

-=Computer security is like hygiene. It's strictly up to you.=-
 
Stumbled across this and I'm curious if there is any truth to it:

http://packetstormsecurity.org/0512-exploits/firefox-1.5-buffer-overflow.txt

Some. It's not a security issue, buffer overflow, or remote code
execution threat.

For me, using Win XP home SP2, it leads to a hang of about 90
seconds on the next load, not to a crash. I don't have to clear
the history.dat manually; I can do it through the GUI. Some people
report crashing, but most just get a delay like mine. A few report
no effect.

But it is something of a PiTA. It has caused me to have to search
bugzilla twice, since I had to clear the history after finding it
the first time. ;)

<https://bugzilla.mozilla.org/show_bug.cgi?id=319004>
 
»Q« said:
Some. It's not a security issue, buffer overflow, or remote code
execution threat.

For me, using Win XP home SP2, it leads to a hang of about 90
seconds on the next load, not to a crash. I don't have to clear
the history.dat manually; I can do it through the GUI. Some people
report crashing, but most just get a delay like mine. A few report
no effect.

But it is something of a PiTA. It has caused me to have to search
bugzilla twice, since I had to clear the history after finding it
the first time. ;)

<https://bugzilla.mozilla.org/show_bug.cgi?id=319004>

I use a batch file with a shortcut on the desktop that deletes the
history.dat file along with a bunch of other garbage. I run it after
being online and before I turn off the computer. Guess that's why I
never noticed the problem.

--
Regards from John Corliss
I don't reply to trolls and other such idiots. No adware, cdware,
commercial software, crippleware, demoware, nagware, PROmotionware,
shareware, spyware, time-limited software, trialware, viruses or warez
please.
 
by way of Message-id said:
If it is, you can expect 1.5.1 shortly. And THAT is why I use Firefox.

"Shortly" will not come soon enough : - (
--

Those who will not reason, are bigots, those who
cannot, are fools, and those who dare not,
are slaves.

George Gordon Noel Byron (1788-1824), [Lord Byron]
 
Some. It's not a security issue, buffer overflow, or remote code
execution threat.

You sure? They say it's a buffer overflow, and might be used for remote
code execution, though the proof of concept is only for DoS.

BTW the proof of concept doesn't work for me (with JavaScript on).
Apparently the workaround is to set history to 0 days, i.e.
Tools, Options, Privacy, History tab.

Something I do already.

Some other workarounds here:

http://isc.sans.org/diary.php
 
You sure? They say it's a buffer overflow, and might be used for
remote code execution, though the proof of concept is only for
DoS.

I can't be sure; I'm just going by what's in the bug entry. If the Fx
developers considered remote code execution a possibility, they would
mark the bug so that it wouldn't be displayed to the public. AFAICT,
the PoC author made the claim with only hand-waving to support it, but
the tech press is taking his word for it. Secunia classifies the bug
as "Not critical". <http://secunia.com/advisories/17934/>
 
»Q« said:
I can't be sure; I'm just going by what's in the bug entry. If
the Fx developers considered remote code execution a possibility,
they would mark the bug so that it wouldn't be displayed to the
public. AFAICT, the PoC author made the claim with only
hand-waving to support it, but the tech press is taking his word
for it. Secunia classifies the bug as "Not critical".
<http://secunia.com/advisories/17934/>

Mozilla.org now has a page up about it,
<http://www.mozilla.org/security/history-title.html>.
 
I can't be sure; I'm just going by what's in the bug entry. If the Fx
developers considered remote code execution a possibility, they would
mark the bug so that it wouldn't be displayed to the public. AFAICT,
the PoC author made the claim with only hand-waving to support it, but
the tech press is taking his word for it. Secunia classifies the bug
as "Not critical". <http://secunia.com/advisories/17934/>

Excerpt from a forum today:
- - - - -

ZIPLOCK has discovered a weakness in Mozilla Firefox, which can be
exploited by malicious people to cause a DoS (Denial of Service).

The weakness is caused due to an error in the handling of large
history information. This can be exploited to fill the history file
"history.dat" with large history information by tricking a user into
visiting a malicious web site with an overly large title (e.g. set via
JavaScript).

Successful exploitation causes the browser to consume a large amount
of CPU and memory resources on a vulnerable system when the affected
browser is started up again after an attack. Users may have to remove
the "history.dat" file in order to be able to use the affected
browser.

The weakness has been confirmed in version 1.5. Other versions may
also be affected.

Solution:

Configure Firefox to clear history information when closing the
browser. This affects functionality.

Tools -> Options... --> Privacy --> Settings...
- - - - -

Clear Private Data on closing and optionally Ask Me First
settings are recommended to prevent this weakness. Ask Me
First gives you the option, at each closing, to change the
types of data that are cleared. Also, if you have no preference,
you can set History - Remember Visited Pages to 0 [zero].

BoB
 
Another tool that can help prevent Denial of Service attacks.

Kerio Personal Firewall (KPF)
Kerio Personal Firewall 2.1.5 (last freeware version) OS:
Win98/Me/NT4/2000/XP
http://www.321download.com/LastFreeware/page7.html
http://pricelessware.org/thelist/sec.htm
Kerio Personal Firewall (KPF) is a software agent that builds a barrier
between your personal computer and the Internet. KPF is designed to
protect your PC against attacks from both the Internet, and other
computers in the local network.
KPF controls all data flow in both directions from the Internet to your
computer and vice versa, and it can block all attempted communication
allowing only what you choose to permit. This makes KPF an ideal
solution for notebook computers that freely travel in and out of the
corporate network, facing exposure to various risks as they connect
from different locations.
Kerio Personal Firewall protects against:
  • information theft, modification or destruction
  • Trojan horse applications, spyware
  • unauthorized access from within the local network
  • denial of service attacks to applications or services
Available FREE for home use.
For Windows 98, Me, NT, 2000 and XP.
NOTE: Windows 95 is no longer supported due to the termination of its
support by its producer.
 
Another tool that can help prevent Denial of Service attacks.

Kerio Personal Firewall (KPF)
Kerio Personal Firewall 2.1.5 (last freeware version) OS:
Win98/Me/NT4/2000/XP
http://www.321download.com/LastFreeware/page7.html
http://pricelessware.org/thelist/sec.htm
Kerio Personal Firewall (KPF) is a software agent that builds a barrier
between your personal computer and the Internet. KPF is designed to
protect your PC against attacks from both the Internet, and other
computers in the local network.
KPF controls all data flow in both directions from the Internet to your
computer and vice versa, and it can block all attempted communication
allowing only what you choose to permit. This makes KPF an ideal
solution for notebook computers that freely travel in and out of the
corporate network, facing exposure to various risks as they connect
from different locations.
Kerio Personal Firewall protects against:
  • information theft, modification or destruction
  • Trojan horse applications, spyware
  • unauthorized access from within the local network
  • denial of service attacks to applications or services
Available FREE for home use.
For Windows 98, Me, NT, 2000 and XP.
NOTE: Windows 95 is no longer supported due to the termination of its
support by its producer.
Another simpler and easier and free solution is to use Harden-It:

http://www.sniff-em.com/hardenit.shtml
 
(e-mail address removed) wrote in @o13g2000cwo.googlegroups.com:
"Denial of Service"

You can use SafeXP to prevent attacks.


You probably know this, but I highly doubt SafeXP can stop all DoS, much
less this one. In particular this one, relating to a browser on which the
correctness of the term "Denial of service" is debated by some.
 