new critical vulnerability found in Firefox 3.5.1

[jamesVault]

Mozilla Firefox 3.5.1 unicode Remote Buffer Overflow

Mozilla Firefox is prone to a remote stack-based buffer-overflow vulnerability.

Successful exploits may allow an attacker to execute arbitrary code in the context of the user running the affected application.

Live Proof of Concept: http://www.milw0rm.com/exploit.php?id=9158

[smashguy]

When I clicked, it went crashed.

[Miuku.]

That's a negative Houston, does not work on my 3.5.1'er on OS X - perhaps this is a flaw that is only evident on certain platforms (Such as the Win32 / Linux builds)

[jamesVault]

this is a new flaw, still unpatched

[Pc_Madness]

lol, poor Mozilla. Looks like we'll be updating again tomorrow. :p

[zhangm Supervisor]

That's a big wall of text...

[Argi]

I opened in Opera but still triggered Kaspersky, heh. (didn't do anything though, obviously)

[The_Decryptor Veteran]

I think this was reported before 3.5.1 was released, but it doesn't crash here, just uses lots of memory and starts causing the system to page Firefox to disk.

[ultimate99]

Lots of chinese characters, but no crash.

[Wanderermy]

~ 1.5 GB of memory :blink:

[+John. Subscriber¹]

Causes what seems to be a massive memory leak in OS X. Very bad flaw. It's a shame, because it seemed to be such a good release.

[Miuku.]

~ 1.5 GB of memory :blink:

It tries to cause an overflow but fails - either it's patched already in 3.5.1 or stack protection actually works.

Possibly if you had a machine with not much ram and out of disk/swap space, you could cause an exhaust of the clients resources but it should not crash the client even in those circumstances, only provide you with a funky out of memory error.

Edited July 17, 2009 by daPhoenix

[Tiby312]

For me it:

-Freezes Firefox 3.5.1

-Crashes Google Chrome 2.0 Tabs (Not the UI though)

-Freezes IE8

Edited July 17, 2009 by Tiby312

[cork1958]

Oh no's!!

Say it ain't so. Not our beloved Firefox with yet ANOTHER critical vulnerability immediately after release of an update!!

No wonder this is backpage news. It happens so often in Firefox, it's expected, isn't it? :blink:

[primexx]

KIS already detects it so...

[The Patri0t]

Using 3.5.1 and it crashed. This was just an innocent proof that it exists and not actual hack. :ninja:

[Miuku.]

Using 3.5.1 and it crashed. This was just an innocent proof that it exists and not actual hack. :ninja:

What OS and Arch?

[The Patri0t]

What's Arch?

Using XP

[Miuku.]

Sorry, by Arch I mean Architecture, as in 32 bit or 64 :)

[Berserk87]

KIS already detects it so...

kaspersky detected it, and denied it for me, but firefox still ate dirt.

[The Patri0t]

Sorry, by Arch I mean Architecture, as in 32 bit or 64 :)

32; this won't happen on 64 bit? :o

and please tell me that wasn't a real hack, haha. Just a proof that the damn thing exists and can be exploited.

[jasondefaoite]

3.51 on x64 win7 RC ..

Hangs for me ... uses up to 1.5GB of memory... doesn't crash ....

[The_Decryptor Veteran]

32; this won't happen on 64 bit? :o

and please tell me that wasn't a real hack, haha. Just a proof that the damn thing exists and can be exploited.

I'm on 64bit and it doesn't crash (just lots of memory)

Only thing I can think of, is that 64Bit can do hardware DEP (well, so can 32bit in PAE mode, but nobody runs in that mode since it's buggy in the vast majority of cases), and Firefox is set to have DEP enabled (I think only Vista and Win7 will read that info, XP needs an extra function call to enable it, which is going to happen soon)

[iamwhoiam]

I clicked it and it showed 1 line of text. No huge memory usage, no slowdown and no crashing the browser.

[well...]

Caused safari 4.0.2 on osx to become unstable here :(