Flaw found in Firefox 2.0

Bill Brenner, Senior News Writer
A week after its release, vulnerability researchers are already reporting a flaw in Firefox 2.0 attackers could potentially exploit to cause a denial of service.

The United States Computer Emergency Readiness Team (US-CERT) released an advisory

    Requires Free Membership to View

on the flaw Tuesday, saying Firefox and 2.0 "allows remote attackers to cause a denial of service by creating a range object using createRange, calling selectNode on a DocType node, then calling createContextualFragment on the range, which triggers a null dereference."

The Bethesda, Md.-based SANS Internet Storm Center (ISC) also warned of the flaw on its Web site. Original reports indicated attackers could exploit the flaw to cause a buffer overflow and launch malicious code, the ISC noted. But as of Tuesday, that could not be verified. The potential for a denial of service has been confirmed, however.

"This exploit will occur when a specifically crafted Web page tries to create a range object with 'createRange,'" the ISC said. "So far it will only make the browser crash. If new information is made available, we will post updates."

Mozilla released Firefox 2.0 last week, nearly a year after making the last big upgrade. New features warn users of phishing Web sites, offer suggestions regarding frequently used search terms and corrects spelling mistakes.

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: