matunga
join:2003-07-26
4 edits | Firefox 3.0.3 remote null pointer DoS vulnerability
»www.milw0rm.com/exploits/6614
Severity: High
Description: Mozilla Firefox is vulnerable to user interface event dispatcher null pointer dereference denial of service attacks. The dispatched event created dynamically leads to a Firefox crash when it is called directly or in a defined loop with a number of generated user interface events. The resultant crash results in:
a fully working exploit is available here (it will crash your firefox): »www.secniche.org/moz303/index.html | |
|
 SUMware Premium join:2002-05-21
4 edits | Re: Firefox 3.0.3 remote null pointer remote DoS vulnerability
said by matunga: (it will crash your firefox):
With NoScript, it won't.
Solution: Reports indicate that the vendor has addressed this issue in Firefox 3.1 pre-release nightly builds. A fixed version of Firefox 3.0.4 will be released in the near future.
|
 |   rcdailey Dragoonfly Premium join:2005-03-29 Rialto, CA | Re: Firefox 3.0.3 remote null pointer remote DoS vulnerability I can confirm that it will not crash Firefox 3.0.3 if NoScript is installed. I did not allow the page in NoScript, because I already knew it was dangerous  | |
|
  Alphanet
join:2001-12-24 U.K.
| Re: Firefox 3.0.3 remote null pointer DoS vulnerability
So, you go to a web site and it crashes your browser; if you go back, it crashes it again. After a few tries you realise that if you don't go back to the site again it will stop your browser crashing.
That is a minor bug, it is not a high severity security issue.
|
 |   WeenieBoy
join:2003-06-25 Pasadena, MD | Re: Firefox 3.0.3 remote null pointer DoS vulnerability
It does not affect the version 2 series. Used 2.0.0.17. I agree with both SUMware and Alphanet.
|
  Elite
join:2002-10-03 Orange, CT
·Optimum Online
| Yeah, considering this is just a DoS, there isn't much to worry about in terms of it being an actual "security threat" to anybody.
Now if you could get it to run shellcode... that's another story. This would actually pose a problem, considering you could exploit the said vulnerability and make FF run whatever payload you'd like. -- QUAD!!!! | |
|
 |
  GILXA1226 Premium,MVM join:2000-12-29 London, OH clubs: | doesn't affect anything before 3.0.3... kind of pointless if you ask me. | |
|
  BeesTea Network Janitor Premium,VIP join:2003-03-08 00000
| Wow, thanks for pointing this vulnerability out!
For a second, I was relieved to see that it wasn't Microsoft Internet Explorer 7 affected. That relief was short lived though. Your post about this Open-Source web browser made me compare the security track records of my version of Microsoft Internet Explorer and this Open-Source solution.
»secunia.com/advisories/product/19089/
»secunia.com/advisories/product/12366/
Wow! I had no idea Microsoft Internet Explorer 7 had over four times the vulnerabilities as this Open-Source solution. With 32% of the reported vulnerabilities un-patched! The worst of which is rated moderately critical!!.
Thanks so much for this great thread. Had this issue not been brought to my attention by your informative post, I might still be planning to continue my use of Internet Explorer. There will be none of that for me though, I'm moving to this Open-Source browser. It looks to be the safest by far!
Those open-source guys really owe you, you might be their best advertiser!
Thanks matunga ! -- Overpower, overcome. | |
|
 |   Cabal Premium join:2007-01-21 Boston, MA
| Re: Firefox 3.0.3 remote null pointer DoS vulnerability said by BeesTea :For a second, I was relieved to see that it wasn't Microsoft Internet Explorer 7 affected. That relief was short lived though. Your post about this Open-Source web browser made me compare the security track records of my version of Microsoft Internet Explorer and this Open-Source solution. » secunia.com/advisories/product/19089/» secunia.com/advisories/product/12366/ Good info, thanks for the heads up. -- Why did Obama sue Citibank under the CRA to force it to make bad loans? | |
|
 |   tomazyk
join:2006-12-04
| Thanks for that info. I knew IE has un-patched vulnerabilities but never thought there were so many. | |
|
 |  |
 |  |   BeesTea Network Janitor Premium,VIP join:2003-03-08 00000
| Re: Firefox 3.0.3 remote null pointer DoS vulnerability Thanks!
Though really, all the thanks go to matunga . Once again they've let us know about these safer, Open-Source, alternatives to vulnerable software.
Thanks again matunga , you've really helped me realize the security of these Open-Source projects like Firefox. If it weren't for your posts here, I'd still be using the Microsoft equivalent! -- Overpower, overcome. | |
|
  33591094
join:2002-11-19 Canada 4 edits | Your exploit did not crash Firefox on my machines.
-- Sig? What Sig? | |
|
  Tux789
@anonymouse.org | Firefox 3.0.3 on linux ubuntu crashed too  | |