This Firefox bug may crash the browser and your operating system
A newly discovered bug in the desktop version of the Firefox web browser may crash the browser and under certain circumstances the entire operating system.
Discovered and revealed by security researcher Sabri Haddouche, the bug causes the Firefox web browser to crash when a specifically prepared website is loaded in the web browser.
What happens then depends on the operating system. Firefox displays the browser's Crash Reporter prompt on Linux and Mac OS X which may be used to inform Mozilla about the crash and to restart Firefox.
Firefox users on Windows who load a website that is specifically prepared will notice that the entire operating system freezes. The only option to get out of this is to reset the PC so that it restarts.
Note: I tried the bug on a Linux distribution in a virtual machine and Firefox did not crash when I opened a page that included the exploit code. Firefox displayed a "cannot save download" warning prompt and the tab crashed. The crash had no effect on other tabs open in the browser.
You can check out the code on the researcher's GitHub website. The exploit code generates files with long filenames and initiates a file download every millisecond. The crash is caused by the flood of requests that at the very least freeze the web browser.
A live-version of the exploit is available on the researcher's website Reaper Bugs. Opening the site itself has no negative impact on the browser. You need to select one of the available exploits, e.g. Reap Firefox, and confirm the "danger" prompt that is displayed to run the code.
Note that it may freeze or crash the browser and even the operating system under certain circumstances. Make sure that you have saved all work before you run it or run it in a test environment.
All current versions of Firefox for the desktop are affected including Nightly and Beta versions of the browser.
Mozilla seems to be aware of the issue and is working on a solution right now. Haddouche released exploits for Chrome, Safari, and iOS previously that affect the browsers and operating systems in similar fashion.
Check out Pure CSS crashes iPhones for our coverage of one of the issues.
Closing Words
All recent versions of the Firefox web browser are affected by the issue. It seems unlikely that the issue will be exploited on a larger scale; still, there appears to be little that Firefox users can do right now to protect the browser against the issue. Setting the browser's download behavior to "always ask" does not seem to prevent it.
A browser extension like NoScript prevents scripts from running by default.
This works on Linux too. Almost crashed my system before I had to switch to TTY to kill the process!
It is painful to understand the point that, the more feature web browser add, the more vulnerable they will become…
The latest version of uBlock Origin now has the functionality to block JavaScript on a per site basis.
Example rule –
no-scripting: http://www.ghacks.net true
Basilisk (on Linux, at least) throws an error message and keeps filling up RAM slowly until you close the tab, but doesn’t crash, or freeze whatsoever.
Waterfox, on the other hand, (also on Linux) throws an error message and keeps filling up RAM quickly, while not letting you change the focus, so you can’t close the tab. You have to end the process instead.
@Anonymous
Interesting. I use Waterfox on Linux every day and have never had any of those thing happen. Since both Waterfox and Basilisk are throwing error messages, the implication is that there’s something wrong with your system rather than the browsers.
Firefox doesn’t need this to crash Linux. I’ve regularly had Firefox completely jump to 100% CPU and freeze my openSUSE Linux box, requiring a power button reset. I don’t know whether it is Firefox’s interaction with the video drivers in Linux or whether it is Firefox’s utterly crappy memory management that causes this, but it happens every few weeks and has for some time under various versions of Firefox.
The other main annoyance I have with Firefox is its habit of erasing the file name from the Save Page file picker dialog when you change the directory to which one is trying to save the Web page. This is completely random from Web site to Web site and even from page to page in a given Web site. It forces me to copy the page title and paste it in the file picker file name which is incredibly annoying, especially when I forget to do it as that is when it is guaranteed to erase the file name.
Just another example of the incompetence of Mozilla’s developers who waste too much time on new “features” no one asked for rather than solving the reliability aspects of their software.
Thanks as I wanted to try OpenSuse but I can clearly see that’s your problem comes from your operating system instead of FF…
I will stick with Ubuntu-MATE as I never got a single problem and FireFox is working so well (i have currently 342 tabs open in a single window (addon: tab counter)) and Firefox uses only 426MiB !!
Clearly, you got a problem with SUSE
@RSH
Interesting. Our tickets may be comprised to two different issues, but for me, when I use FF (I will stay with 59.0.2 until FF forces an upgrade) about:preferences#privacy: History / Cookies are kept until I close FF. In addition, I use CC (5.31) to clear cookies that still remain, depending on length of previous session, generally there is 30 maybe 40 cookies still left to clear out.
I CClean after every session.
Intermittently, while online…the usual “everyday” sites…I’ll note bandwidth slows to a crawl, CPU is okay, but FF using about 35% of my 8 Gigs Ram….And I keep a spotless system.
During this particular episode, I close-out FF, launch CCleaner…clearly, CC is talking much longer to clean than usual…. when the cleaning is done, and looking at the summary…CC cleaned over 500 cookies???? I wonder where these came from…it is a memory dump…is it system related, or FF related.
As I indicated, my problem could be different their yours, still I pause and wonder. like I said, 2 maybe 3 times a month…
Wow, and all that work to protect against the 1/1000000 chance of encountering a freeze or a theoretical JS exploit. Great.
Nothing can beat NoScript! i use it as the first line of defense. When surfing in the wild i use a special Firefox profile configured to permanent privet + Noscript + UBlock origin. Pages can be broken at times, but nothing gets in! When you train yourself to surf and operate Noscript at the same time, surfing is fast and relatively secure.
John G. comment on NoScript? OMG! John G.’s English is the worst crapware ever made, as it wastes the user time and patience every click in the mouse, every move on the screen, even for paranoid people, making the single act of browsing the worst dysfunctional behaviour. Unplug your router as fast as you have read his comment, I sure you that you will browse even safer and even more faster, specially faster. Happier, too!
@noemata the worst, most indirect, most unrealistic, most backward-oriented post I’ve read in a long time. No thx for this point of view outside the techie bubble!
To be noted : latest uBlock Origin 1.17.0 provides a new per-site switch which has been added to the popup panel and acts as a master switch for JavaScript for the current site.
NoScript? OMG. NoScript is the worst crapware ever made, as it wastes the user time and patience every click in the mouse, every move on the screen, even for paranoid people, making the single act of browsing the worst dysfunctional behaviour. Unplug your router as fast as you have read this comment, I sure you that you will browse even safer and even more faster, specially faster.
So impatient. No seriously blame Mozilla not Giorgio Maone (the developer of NoScript) for rushing the release of Firefox 57 release.
For the uninitiated, NoScript is definitely not something to implement for a typical user, its target audience is for more advanced people who intentionally want more granular control over their web browsing habits.
Falsely maligning it as ‘worst crapware ever’ is more opinion than factual and not helpful in any way, sadly a pervasive problem in our current culture where anything one doesn’t like or understand is tagged as distasteful.
In reality, almost any web site you might go to these days will be running a lot of JavaScript in the background (emphasis on ‘a lot’), most just being a part of the site’s functionality and presentation but occasionally some being very malicious by doing things like inserting unwanted code into your browser, or adding tracking cookies, etc. NoScript is one tool to rely upon to manage that flood of JavaScript, but it isn’t for everyone. There is a lot of user interaction involved, something some just don’t want to bother with.
If anything, install NoScript just temporarily to get a handle on just how pervasive the JavaScript issue actually is. Again, most scripting isn’t malicious at all, but when there is a problem even if it’s not a security matter, there are frequent privacy-related issues. At least by trying out NoScript this will give one a better overall picture on what happens each time you visit a web site.
@John G. the best, most direct, most realistic, most future-oriented post i’ve read in a long time. thx for this point of view outside the techie bubble. only then it’s techies again who have to find something new and better outside this bubble. but first they have to get out of the outdated bubble. you contributed to this.
Absolutely agree. :-)
@John G.
Your experience with NoScript doesn’t even remotely resemble mine. For me, NoScript works fantastically well and makes using the web actually tolerable.
I got a warning that something could not be saved on the system “temp” folder, but Windows 7 was fine. Here the tab did not crash, but I could not interact with Fx UI anymore besides clicking [x] on that warning window. Maybe because I have multiprocess disabled.