Information Concerning Reported Firefox Vulnerability

A recent PacketStorm article reproduced by SecuriTeam indicates that a vulnerability has been found in the Browsing History code of Mozilla Firefox. Initial investigation confirms that Firefox 1.5 on Windows is not affected, and it appears that the report may be false.

Peter Laborge of SecurityFocus has also written a “news brief” on this vulnerability. It appears at this time that SecurityFocus is spreading inaccurate information and contributing to overblown media reporting on the issue.

Testing the PoC code on Mozilla Firefox 1.5 with Windows XP Service Pack 2 causes no ill effects. Contrary to the public claims, the browser runs normally. Startup is slowed considerably, but the browser does indeed function after some delay. Deleting the history links clears the slight sluggishness that the supposed “exploit” causes. The problem also clears up naturally once the malicious link expires from the history, which seems to take 9 days in Firefox 1.5 by default.

Other posters have also reported that the browser operates normally, with only a delay in startup, after the attack is carried out. Users who are concerned about a few seconds of delay in Firefox’s startup can turn off the history — something many privacy-conscious users have already done — via the Options window in the “Privacy” section.

To reiterate… there is no evidence that a vulnerability exists in Firefox related to history processing at this time.

[EDIT: Mozilla has investigated this issue, and come to the same conclusion. Though there's some slowdown at startup, it's not a hang (the browser loads) and it's not a crash. The Mozilla advisory is available here.]

  • http://aviv.raffon.net Aviv Raff

    I can confirm this to work using Firefox 1.5 on WinXP SP2.
    There is no crash. The browser just hangs for a while when I start it.
    Also, there is a way to hang the browser for a much longer time by modifying the proof of concept code.

  • http://www.networksecurity.fi/ Juha-Matti Laurio

    OSVDB (which has this SecuriTeam Blog reference listed)
    http://www.osvdb.org/displayvuln.php?osvdb_id=21533
    lists in turn Netscape and K-Meleon browsers affected too. K-Meleon 0.9.12 version update fixes this issue.