A newly discovered bug in the desktop version of the Firefox web browser may crash the browser and under certain circumstances the entire operating system.
Discovered and revealed by security researcher Sabri Haddouche, the bug causes the Firefox web browser to crash when a specifically prepared website is loaded in the web browser.
What happens then depends on the operating system. Firefox displays the browser's Crash Reporter prompt on Linux and Mac OS X which may be used to inform Mozilla about the crash and to restart Firefox.
Firefox users on Windows who load a website that is specifically prepared will notice that the entire operating system freezes. The only option to get out of this is to reset the PC so that it restarts.
Note: I tried the bug on a Linux distribution in a virtual machine and Firefox did not crash when I opened a page that included the exploit code. Firefox displayed a "cannot save download" warning prompt and the tab crashed. The crash had no effect on other tabs open in the browser.
You can check out the code on the researcher's GitHub website. The exploit code generates files with long filenames and initiates a file download every millisecond. The crash is caused by the flood of requests that at the very least freeze the web browser.
A live-version of the exploit is available on the researcher's website Reaper Bugs. Opening the site itself has no negative impact on the browser. You need to select one of the available exploits, e.g. Reap Firefox, and confirm the "danger" prompt that is displayed to run the code.
Note that it may freeze or crash the browser and even the operating system under certain circumstances. Make sure that you have saved all work before you run it or run it in a test environment.
All current versions of Firefox for the desktop are affected including Nightly and Beta versions of the browser.
Mozilla seems to be aware of the issue and is working on a solution right now. Haddouche released exploits for Chrome, Safari, and iOS previously that affect the browsers and operating systems in similar fashion.
Check out Pure CSS crashes iPhones for our coverage of one of the issues.
All recent versions of the Firefox web browser are affected by the issue. It seems unlikely that the issue will be exploited on a larger scale; still, there appears to be little that Firefox users can do right now to protect the browser against the issue. Setting the browser's download behavior to "always ask" does not seem to prevent it.
A browser extension like NoScript prevents scripts from running by default.Advertisement
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.