It has been only a few days ago that the Mozilla Firefox team released an update for Firefox 3.5 to Firefox 3.5.1 that would close a recently disclosed critical security vulnerability that allowed attackers to execute arbitrary code on the attacked computer system. Earlier today another Firefox vulnerability was disclosed to the public that affects the latest version of Firefox. The vulnerability can be remotely exploited and uses an stack based buffer overflow that is triggered by an overly long string of Unicode data. It can lead to remote code execution or to crashes, freezes or the allocation of a lot of computer memory.
A proof of concept has already been created that demonstrates the vulnerability. No patch has been made available yet. Firefox users are encouraged to disable JavaScript until a patch is issued to avoid leaving their computer system vulnerable for the attack.
Users working with security add-ons like NoScript might consider their Firefox installation safe without disabling JavaScript. It is however theoretically possible to compromise websites that are in the whitelist of the add-on (if the whitelist is used) which would make the system vulnerable to this kind of attack.
JavaScript can be disabled in the Firefox options in the content tab.
Related posts:
Critical Security Vulnerability In Firefox 3.5Adobe Fixes Critical Shockwave Vulnerability
Firefox 3.5.1 Update Available
Web Browser: Firefox 3.0.8
Google Chrome Address Spoofing Vulnerability
Internet Explorer Vulnerability Fix
Latest Firefox Web Browser Vulnerable to 0-Day Exploit
Firefox 2.0.0.14 critical update
6 Responses to “Another Critical Firefox Vulnerability Emerges”
Trackbacks/Pingbacks
-
[...] that was aimed at resolving a Javascript vulnerability found in Firefox 3.5. Well unfortunately another vulnerability has been found in Firefox 3.5.1. The latest vulnerability appears to be a critical one. This undesirable issue can be exploited [...]
-
[...] Via | Ghacks.net [...]
-
[...] See the rest here: Another Critical Firefox Vulnerability Emerges [...]
This is a browser out of memory crash. There is no evidence that this is exploitable while all evidence points to it not being exploitable. Pretty much all browsers crash from this but that doesn’t mean that it’s a security issue.
This article is incorrect: the bug is not a critical vulnerability, and it cannot result in code execution. On some systems (Firefox 3.0 or 3.5 on Mac, and Firefox 3.0 — not 3.5! — on Windows) it can result in an unexploitable crash. See http://blog.mozilla.com/security/2009/07/19/milw0rm-9158-stack-overflow-crash-not-exploitable-cve-2009-2479/ for more details.
This is not an exploitable crash.
See Mozilla’s announcement:
http://blog.mozilla.com/security/2009/07/19/milw0rm-9158-stack-overflow-crash-not-exploitable-cve-2009-2479/