
matunga

join:2003-07-26


4 edits
 Firefox 3.0.3 remote null pointer DoS vulnerability

»www.milw0rm.com/exploits/6614

Severity: High

Description:
The Mozilla Firefox is vulnerable to user interface event dispatcher null
pointer dereference denial of service attacks. The dispatched event created
dynamically leads to Firefox crash when it is called directly or in a
defined loop with number of generated user interface events. The resultant crash
results in:

A fully working exploit is available here (it will crash your Firefox):
»www.secniche.org/moz303/index.html

SUMware
Premium
join:2002-05-21


4 edits
Re: Firefox 3.0.3 remote null pointer remote DoS vulnerability

said by matunga:

(it will crash your firefox):
With NoScript, it won't.

Solution:
Reports indicate that the vendor has addressed this issue in Firefox 3.1 pre-release nightly builds. A fixed version of Firefox 3.0.4 will be released in the near future.


Alphanet

join:2001-12-24
U.K.

reply to matunga
Re: Firefox 3.0.3 remote null pointer DoS vulnerability

So, you go to a web site and it crashes your browser, if you go back it crashes it again. After a few tries you realise that if you don't go back to the site again it will stop your browser crashing.

That is a minor bug, it is not a high severity security issue.


WeenieBoy

join:2003-06-25
Pasadena, MD
It does not affect version 2 series. Used 2.0.0.17. I agree with both SUMware and Alphanet.


Elite

join:2002-10-03
Orange, CT
·Optimum Online

reply to matunga
Yeah, considering this is just a DoS, there isn't much to worry about in terms of it being an actual "security threat" to anybody.

Now if you could get it to run shellcode... that's another story. This would actually pose a problem, considering you could exploit the said vulnerability and make FF run whatever payload you'd like.
--
QUAD!!!!


GILXA1226
Premium,MVM
join:2000-12-29
London, OH
clubs:
reply to matunga
Re: Firefox 3.0.3 remote null pointer DoS vulnerability

Doesn't affect anything before 3.0.3... kind of pointless if you ask me.


BeesTea
Network Janitor
Premium,VIP
join:2003-03-08
00000

reply to matunga
Wow, thanks for pointing this vulnerability out!

For a second, I was relieved to see that it wasn't Microsoft Internet Explorer 7 affected. That relief was short lived though. Your post about this Open-Source web browser made me compare the security track records of my version of Microsoft Internet Explorer and this Open-Source solution.

»secunia.com/advisories/product/19089/

»secunia.com/advisories/product/12366/

Wow! I had no idea Microsoft Internet Explorer 7 had over four times the vulnerabilities as this Open-Source solution. With 32% of the reported vulnerabilities un-patched! The worst of which is rated moderately critical!!.

Thanks so much for this great thread. Had this issue not been brought to my attention by your informative post, I might still be planning to continue my use of Internet Explorer. There will be none of that for me though, I'm moving to this Open-Source browser. It looks to be the safest by far!

Those open-source guys really owe you, you might be their best advertiser!

Thanks matunga!
--
Overpower, overcome.


Cabal
Premium
join:2007-01-21
Boston, MA

said by BeesTea:

For a second, I was relieved to see that it wasn't Microsoft Internet Explorer 7 affected. That relief was short lived though. Your post about this Open-Source web browser made me compare the security track records of my version of Microsoft Internet Explorer and this Open-Source solution.

»secunia.com/advisories/product/19089/

»secunia.com/advisories/product/12366/
Good info, thanks for the heads up.
--
Why did Obama sue Citibank under the CRA to force it to make bad loans?


rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA
reply to SUMware
Re: Firefox 3.0.3 remote null pointer remote DoS vulnerability

I can confirm that it will not crash Firefox 3.0.3 if NoScript is installed. I did not allow the page in NoScript, because I already knew it was dangerous.


tomazyk

join:2006-12-04

reply to BeesTea
Re: Firefox 3.0.3 remote null pointer DoS vulnerability

said by BeesTea:

»secunia.com/advisories/product/19089/

»secunia.com/advisories/product/12366/

Wow! I had no idea Microsoft Internet Explorer 7 had over four times the vulnerabilities as this Open-Source solution. With 32% of the reported vulnerabilities un-patched! The worst of which is rated moderately critical!!.

Thanks for that info. I knew IE has un-patched vulnerabilities but never thought there were so many.


WeenieBoy

join:2003-06-25
Pasadena, MD
·Verizon FIOS
·Comcast


1 edit
reply to BeesTea
Wait, you're kidding.... no, you're not. Holy Cow, I too never had any idea IE 7 had FOUR TIMES the vulnerabilities than Firefox. Man, from some of the posts here I would have thought the opposite. Thanks for clearing that up for us BeesTea, I for one thank you. I guess the OP may wish to read your links.



BeesTea
Network Janitor
Premium,VIP
join:2003-03-08
00000

Thanks!

Though really, all the thanks go to matunga. Once again they've let us know about these safer, Open-Source, alternatives to vulnerable software.

Thanks again matunga, you've really helped me realize the security of these Open-Source projects like Firefox. If it weren't for your posts here, I'd still be using the Microsoft equivalent!
--
Overpower, overcome.


33591094

join:2002-11-19
Canada

4 edits
reply to matunga
Your exploit did not crash Firefox on my machines.

--
Sig? What Sig?


Tux789

@anonymouse.org
reply to matunga
Firefox 3.0.3 on Linux Ubuntu crashed too


EUS
Kill cancer
Premium
join:2002-09-10
Montreal, QC
clubs:

1 edit
reply to matunga
Re: Firefox 3.0.3 remote null pointer DoS vulnerability

nm
-
over 10 years online! © 1999-2009 dslreports.com.