informa
/
News

Exploit Circulates For Firefox Flaw

An exploit for the just-patched IDN bug in Mozilla's Firefox browser and namesake suite has been published on the Internet.
An exploit for the just-patched IDN bug in Mozilla's Firefox browser and namesake suite has been published on the Internet, a French security vendor said late Thursday.

FrSIRT warned users of Firefox and Mozilla that the exploit code -- which FrSIRT published in its entirety, a not-uncommon practice for the firm -- should be considered a critical risk.

According to the comments posted by the exploit's author, identified as Berend-Jan Wever, a Dutch programmer who has previously cranked out exploit code for Internet Explorer vulnerabilities, the hack creates a heap buffer overflow, and when it works, can give the user complete control of a vulnerable machine running Firefox, Mozilla, or even Netscape.

Like many browser-oriented exploits, an attack using the exploit would require that the victim surf to a malicious site; the usual methods of getting users to evil Web sites is with spam e-mail.

Tuesday, Mozilla patched the Firefox browser against the bug in its support of international domain names (IDN). Thursday, it followed up with a similar fix for the Mozilla suite in its Windows, Linux, and Mac OS X incarnations.

Netscape, however, has not yet patched that browser.

That may not matter, wrote Wever in his code comments. "[The code] is optimized to work with FireFox, who [sic] do have a patch out, but on a rare occasion it will work in Netscape."

Firefox 1.0.7 and Mozilla 1.7.12, which stymie the exploit, can be downloaded from the Mozilla site.