Monday, December 12, 2005

Mozilla Firefox's Long Title Bug


Recently there has been news going around about a so-called "exploit" that can crash Mozilla Firefox and cause buffer overflows, which allow hackers to break into Firefox. I'd like to point something out:

This "exploit" is, in my opinion, merely an overrated bug. In most cases, Firefox didn't crash. All it did was enlarge history.dat to the point (40 megabytes or more) where Firefox gets a painfully slow start-up. The slow start-up is caused by Firefox loading a huge file such as history.dat. Deleting history.dat will fix the problem.

It can only be called an exploit if the buffer overflow actually happens, or at least if Firefox crashes (Denial of Service). There were some cases of Firefox crashing, but not often enough or widespread enough to be considered a DoS exploit. Heck, sometimes large PDF files crashed my Firefox, but does that mean the PDF reader has a DoS exploit?

At worst, it is just a weak DoS exploit, as stated by Secunia. At best, a minor nuisance.

But I am not saying we shouldn't worry about this bug. I believe it should be fixed, just like all bugs need to be fixed. The title should be truncated in the first place as part of good practice. In fact, every single thing we put into buffers should be truncated, no matter how long it SHOULD be; just make it as long as it HAS to be. It should be standard practice among all developers... make the darn thing fit in the buffer.

My point is... the media tends to overrate bugs because they have no clue how the bugs work. So when you read about bugs in the media, check out Secunia's or Mozilla's site before you make a decision. Secunia and Mozilla definitely know what they are talking about, not the press.
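
An added example, not part of the original post and not Firefox code: one way to "make the thing fit in the buffer" for an untrusted page title. The helper `store_title` and the 64-byte cap `TITLE_BUF_SIZE` are hypothetical; the copy is bounded, always NUL-terminated, and backs up so a multi-byte UTF-8 character is never cut in half.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed cap for a stored title; the post names no specific limit. */
#define TITLE_BUF_SIZE 64

/* Hypothetical helper: copy an untrusted title into a fixed-size buffer.
 * Stores at most dst_size - 1 bytes plus a NUL and returns the number of
 * title bytes stored. Uses title_len, so the input need not be terminated. */
size_t store_title(char *dst, size_t dst_size,
                   const char *title, size_t title_len)
{
    if (dst == NULL || dst_size == 0)
        return 0;
    if (title == NULL) {
        dst[0] = '\0';
        return 0;
    }

    size_t n = title_len;
    if (n > dst_size - 1) {
        n = dst_size - 1;
        /* title[n] is the first byte dropped. If it is a UTF-8
         * continuation byte (10xxxxxx), the cut falls inside a character,
         * so back up until the cut sits just before a lead byte. */
        while (n > 0 && ((unsigned char)title[n] & 0xC0) == 0x80)
            n--;
    }
    memcpy(dst, title, n);
    dst[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed input: an oversized title, as in the bug discussed. */
    static char long_title[100000];
    memset(long_title, 'A', sizeof long_title);

    char stored[TITLE_BUF_SIZE];
    size_t kept = store_title(stored, sizeof stored,
                              long_title, sizeof long_title);
    printf("input %zu bytes, stored %zu bytes\n", sizeof long_title, kept);
    return 0;
}
```

Applying the cap before the title reaches the history store bounds both the in-memory copy and what gets written to disk.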
