Additional DoS vulnerabilities in Firefox 2.0
Discussion is ongoing on the security mailing list Bugtraq about the effects of a newly discovered hole in Firefox 220.127.116.11 and 2.0. The anonymous discoverer of the hole maintains that it could in theory be used to smuggle code into the Mozilla Foundation's browser, but he has provided no proof as yet. As far as is known at this point, the new vulnerability appears to be based on a null pointer dereference, that is, following an uninitialised pointer that leads to nothing (see "Thou shalt not follow the Null pointer"). As a result, the application crashes during the creation of a range object using the function createRange, as publicly demonstrated by the proof-of-concept exploit. Calling up a specially prepared website would be sufficient to provoke the crash.
Other security specialists have released analyses claiming that the hole is in no way suitable for smuggling code. In the opinion of the anonymous discoverer, however, there are precedents for null pointer dereferences capable of compromising a computer, such as the hole in Internet Explorer that was made public this past April.
Dan Veditz, Director of the Mozilla Security Group, has also addressed the topic. While the cited example is true, he writes, the attack on IE can in fact be controlled to prevent the null pointer call, which in turn allows the smuggling of code. That is not the case with the existing flaw in Firefox 18.104.22.168 and 2.0. The error has already been fixed in the code for Firefox 3, Veditz claims. Unfortunately, he does not mention when updates for 1.5.x or 2.0 will be available.
- Security Advisory from US-CERT/NIST