Saturday, September 10, 2005

Firefox Web Links Bugs

Recently, Tom Ferris discovered a major bug in Firefox's handling of web links that may allow a malicious web site to execute malicious code on Firefox users' computers. In short, it is called the "Host:" buffer overflow (a proof-of-concept was included).

It works like this... Imagine you visit a bad, evil website somewhere on the internet, and the website has a link with an extremely long address in it, like this: "https:-------------------------------------------------------------... ".

When you click on it, the extremely long address overwhelms the NormalizeIDN buffer and spills the rest of the address (which could include malicious code) over into other parts of Firefox.
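As an added illustration (my own code, not Firefox's and not the NormalizeIDN routine), here is a hypothetical hostname intake function showing the defensive pattern a fixed-size buffer like that needs: check the host against DNS length limits and copy with a bound before any normalization runs. The names normalize_host_safe, host_fits and synthetic_host_fits and the buffer sizes are my assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical hostname intake (illustration, not Firefox code). The overflow
 * above is an overlong host spilling past a fixed-size buffer in the IDN
 * normalization path; the defence is a length check before any copy. */
#define HOST_BUF_LEN 256   /* fixed-size destination a normalizer might use */
#define MAX_HOST_LEN 253   /* DNS limit on a full hostname (RFC 1035) */
#define MAX_LABEL_LEN 63   /* DNS limit on a single dot-separated label */
/* Copies host into out (HOST_BUF_LEN bytes) only if it is 1..253 chars with
 * every label 1..63 chars; otherwise returns false and leaves out empty. */
bool normalize_host_safe(const char *host, char *out) {
    size_t total = 0, label = 0;
    out[0] = '\0';
    while (total < HOST_BUF_LEN && host[total] != '\0') total++; /* bounded scan */
    if (total == 0 || total > MAX_HOST_LEN) return false; /* reject before copying */
    for (size_t i = 0; i < total; i++) {
        if (host[i] != '.') { label++; continue; }
        if (label == 0 || label > MAX_LABEL_LEN) return false;
        label = 0;
    }
    if (label == 0 || label > MAX_LABEL_LEN) return false; /* last label */
    memcpy(out, host, total);  /* total <= 253 < HOST_BUF_LEN: cannot spill */
    out[total] = '\0';
    /* Real IDN normalization (ToASCII) would run here on a host known to fit. */
    return true;
}
/* Does host pass the intake check? */
bool host_fits(const char *host) {
    char buf[HOST_BUF_LEN];
    return normalize_host_safe(host, buf);
}
/* Constructed input: n chars of 63-'a' labels joined by dots (the shape of the
 * extremely long link in the post); returns whether the intake accepts it. */
bool synthetic_host_fits(size_t n) {
    char *h = malloc(n + 1);
    if (h == NULL) return false;
    for (size_t i = 0; i < n; i++) h[i] = ((i + 1) % 64 == 0) ? '.' : 'a';
    h[n] = '\0';
    bool ok = host_fits(h);
    free(h);
    return ok;
}
int main(void) {
    printf("www.example.com: %d\n", host_fits("www.example.com")); /* 1 */
    printf("253-char host:   %d\n", synthetic_host_fits(253));     /* 1 */
    printf("1000-char host:  %d\n", synthetic_host_fits(1000));    /* 0 */
    return 0;
}
```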

Remember, this is not the first bug to arise from IDN. Another IDN bug was the IDN spoofing (showing a fake address in the address bar), but that bug was fixed in version 1.0.1.

If you don't want to wait for the patch (or Firefox 1.5 with the patch), there is a very, very simple fix with 2 steps:

1) Go to about:config
2) Double-click "network.enableIDN" to change it from TRUE to FALSE.
3) You are done!

I tested the fix myself using the proof-of-concept. The fix worked.

UPDATE: Mozilla posted a formal set of suggested fixes for this IDN bug (including a downloadable temporary patch).
