Flaw found in Firefox 2.0

Attackers could exploit the security flaw to crash versions 1.5.0.7 and 2.0 of the browser, according to various security advisories.

A week after its release, vulnerability researchers are already reporting a flaw in Firefox 2.0 attackers could potentially exploit to cause a denial of service.

The United States Computer Emergency Readiness Team (US-CERT) released an advisory on the flaw Tuesday, saying Firefox 1.5.0.7 and 2.0 "allows remote attackers to cause a denial of service by creating a range object using createRange, calling selectNode on a DocType node, then calling createContextualFragment on the range, which triggers a null dereference."

The Bethesda, Md.-based SANS Internet Storm Center (ISC) also warned of the flaw on its Web site. Original reports indicated attackers could exploit the flaw to cause a buffer overflow and launch malicious code, the ISC noted. But as of Tuesday, that could not be verified. The potential for a denial of service has been confirmed, however.

"This exploit will occur when a specifically crafted Web page tries to create a range object with 'createRange,'" the ISC said. "So far it will only make the browser crash. If new information is made available, we will post updates."

Mozilla released Firefox 2.0 last week, nearly a year after making the last big upgrade. New features warn users of phishing Web sites, offer suggestions regarding frequently used search terms and corrects spelling mistakes.

Dig deeper on Web Browser Security

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close