Firefox 3.5.1 Crashed By A Simple JavaScript

It may be hard to believe, but shortly after the release of the Firefox 3.5.1 update, a new security flaw that allows remote code execution through JavaScript code was discovered. A proof of concept for the exploit code was also made public and it works, because the Mozilla Firefox browser is still vulnerable to a stack-based buffer overflow. An attacker could trigger the buffer overflow by sending long Unicode strings to the document.write method, which makes possible either remote code execution that compromises the operating system or a DoS (Denial of Service) attack.

Mozilla has responded to the press articles about the stack-based buffer overflow security flaw in Firefox 3.5.1 and previous versions, explaining that this browser security flaw is not exploitable:

“These strings can result in crashes of some versions of Firefox. On Windows, Firefox 3.0.x and Firefox 3.5.x are terminated due to an uncaught exception during an attempt to allocate a very large string buffer; this termination is safe and immediate, and does not permit the execution of attacker code.”

Several security websites have confirmed the new Firefox security flaw, including SANS Internet Storm Center and IBM ISS X-Force. The proof of concept for the JavaScript exploit code shows a simple function that is capable of crashing the Firefox 3.5.1 browser, and with a few tweaks the code could perhaps be optimized for successful remote code execution.

So far, no patch is available for this security issue discovered in Firefox 3.5.1. You should also know that even if JavaScript is disabled, an attacker is still able to execute remote code through the web browser (by XSS, for example) in order to gain total control of your operating system. It is therefore recommended to use only safe websites and antivirus software that is updated daily.
