A private security firm has recently issued a warning about a security vulnerability in the open-source browser Firefox 1.5, suggesting that the exploit code could be modified to facilitate remote code execution attacks.
However, officials from Mozilla have dismissed this information, stating that the security flaw is more of an annoyance than a serious vulnerability.
The exploit code in question has been published on the website PacketStormSecurity.org. This code targets a buffer overflow vulnerability in Firefox 1.5, which is the latest version of Mozilla’s browser.
The exploit has been shown to work against this flaw in Firefox 1.5 running on Windows XP SP2. The bug arises when the browser has to process a large amount of browsing history data.
An attacker could "fill up" the browser's "history.dat" file with a substantial amount of information by tricking the user into visiting a malicious website whose page has an excessively long title. If this vulnerability is successfully exploited, users may find it difficult to reopen their browser.
Mike Schroepfer, Mozilla’s Vice President of Engineering, stated that initial investigations have shown that this security flaw is unlikely to be exploited for remote code execution attacks.
“Attacks that execute malicious code remotely are unfounded. We have not received any reports, either from external sources or internally, regarding denial of service attacks. At this point, we can confirm that we have no specific evidence to suggest this is a serious security vulnerability. It is more of an annoyance for users,” Schroepfer explained.
Schroepfer also noted that Mozilla experts have used analytical tools and found that after being exploited in this manner, there were no indications that the browser was using high CPU or system memory resources.
Security firm Secunia agrees with Schroepfer’s assessment.
Secunia advises users to delete the history.dat file or configure the browser to clear all browsing history data each time the browser is closed (Tools > Options > Privacy > Settings).
Additionally, the disclosure of the “zero-day” exploit targeting Firefox has placed Mozilla in a precarious situation as the company is trying to promote its browser as a secure alternative to Microsoft’s Internet Explorer.
According to the latest statistics from web measurement firm Net, Firefox's market share continues to rise, reaching 8.84% in November, due to Internet Explorer's security vulnerabilities being consistently exploited.