Re: [Full-disclosure] FireFox Host: Buffer Overflow is not just exploitable on FireFox

From: milw0rm Inc. (milw0rm_at_gmail.com)
Date: 09/16/05

  • Next message: Aditya Deshmukh: "RE: [Full-disclosure] PGPNet Upgrade path ?" 
    Date: Fri, 16 Sep 2005 11:39:37 -0500
To: Juha-Matti Laurio <juha-matti.laurio@netti.fi>

    This problem also effects Thunderbird (tested) and im guessing
    Netscape's Mail client (untested) which it really can't do much except
    cause Thunderbird/Netscape to crash without javascript.

    Include the linked source in an email for your testing.

    http://www.milw0rm.com/down.php?id=1204

    /str0ke

    On 9/13/05, Juha-Matti Laurio <juha-matti.laurio@netti.fi> wrote:
    > >Hi all,
    > >Research and development has let to a ~90% reliable working exploit for the
    > >IDN Heap Buffer overrun in FireFox on WinXP and Win2k3 as long as DEP is
    > >turned off and JavaScript is enabled. Some tweaking might yield an even
    > >higher success ratio. It has also revealed that not only FireFox is
    > >vulnerable to this vulnerability, but the exact same exploit works on the
    > >latest releases of all these products based on the Mozilla engine:
    > >- Mozilla FireFox 1.0.6 and 1.5beta,
    > >- Mozilla Browser 1.7.11,
    > >- Netscape 8.0.3.3 <http://8.0.3.3>.
    > >Recommendations for this vulnerability:
    > >- FireFox and Mozilla: Install the workaround for (
    > https://addons.mozilla.org/messages/307259.html).
    > >- Netscape: hope they'll respond to this email and release a workaround.
    > >- Wait for a patch and install it asap.
    > >Recommendations to make it harder to exploit any FireFox vulnerability:
    > >- Turn on DEP (Data Execution Prevention),
    > >- Turn off JavaScript,
    > >- Switch to another browser,
    > >- Do not browse untrusted sites,
    > >- Do not browse the web at all,
    > >- Unplug your machine from the web,
    > >- Wear a tinfoil hat.
    > >Cheers,
    > >SkyLined
    >
    > BTW: From where is that security [at] netscape.org address?
    > 1)
    > An official security URL to Netscape is "Netscape Browser Bug Submission
    > Form" at
    > http://browser.netscape.com/ns8/support/bugreport.jsp
    > (www.netscape.org redirects to home.netscape.com/ , of course they have
    > netscape.org, netscape.net etc.)
    >
    > For version 7.2 (and 7.x?) it is the following:
    > http://wp.netscape.com/browsers/7/feedback/problem.html
    > Two separate addresses due to different developer teams, according to
    > my knowledge. Is there any new information?
    >
    > I have informed the vendor Netscape being affected on 9th September 2005.
    >
    > 2)
    > Disabling IDN support via about:config (or prefs.js file) is possible in
    > Netscape Browser 8 too. Xpi file for Firefox and Mozilla Suite works in
    > Netscape 8.0.3.3 too. Test was successful and even UA was changed to
    > include ....Gecko/20050729 (No IDN) Netscape/8.0.3.3.
    > However, the manual method is recommended.
    > I.e. there is a workaround for Netscape. Vendor developer team contacted
    > during a weekend, no reply yet.
    >
    > 3)
    > When an updated version of Netscape Browser 8 is available the download
    > link is http://browser.netscape.com/ns8/download/default.jsp
    >
    > - Juha-Matti
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    > Hosted and sponsored by Secunia - http://secunia.com/
    >
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/

  • Next message: Aditya Deshmukh: "RE: [Full-disclosure] PGPNet Upgrade path ?"