Author Topic: Another serious hole in Fx 3.5 within a week from the previous one....  (Read 2499 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast √úberevangelist
  • Probably Bot
  • *****
  • Posts: 33932
  • malware fighter
Hi malware fighters,

After a serious hole was being patched with Firefox 3.5.1 and yet another serious hole has been found up within a week's time, that apparently still exists in 3.5.1. The  "Unicode Data Remote Stack buffer overflow" was reported July 15th, see the POC here: http://downloads.securityfocus.com/vulnerabilities/exploits/35707.html
According to the Internet Storm Center Fx 3.5.1. is also vulnerable. The exploit, it is remote stack-based buffer-overflow vulnerability that can make the browser crash or enable remote code execution, so successful exploits may allow an attacker to execute arbitrary code in the context of the user running the affected application. Failed attempts will likely result in denial-of-service conditions,

The NoScript extension for Firefox protects against this, as long as you don't whitelist the malicious code as trusted,

polonus
« Last Edit: July 19, 2009, 12:18:30 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Alan Baxter

  • Guest
Mozilla has determined the problem isn't exploitable.  The authorities have been notified so they can update their advisories to something less alarming.
http://blog.mozilla.com/security/2009/07/19/milw0rm-9158-stack-overflow-crash-not-exploitable-cve-2009-2479/

Offline polonus

  • Avast √úberevangelist
  • Probably Bot
  • *****
  • Posts: 33932
  • malware fighter
Hi Alan Baxter,

Good reporting, right on the ball. We say with a Dutch proverb: "the soup is never eaten as hot as it is being served", and that is true in this case,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!