Flaw found in Firefox 2.0

By Bill Brenner, Senior News Writer 01 Nov 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

The United States Computer Emergency Readiness Team (US-CERT) released an advisory on the flaw Tuesday, saying Firefox 1.5.0.7 and 2.0 "allows remote attackers to cause a denial of service by creating a range object using createRange, calling selectNode on a DocType node, then calling createContextualFragment on the range, which triggers a null dereference."

The Bethesda, Md.-based SANS Internet Storm Center (ISC) also warned of the flaw on its Web site. Original reports indicated attackers could exploit the flaw to cause a buffer overflow and launch malicious code, the ISC noted. But as of Tuesday, that could not be verified. The potential for a denial of service has been confirmed, however.

"This exploit will occur when a specifically crafted Web page tries to create a range object with 'createRange,'" the ISC said. "So far it will only make the browser crash. If new information is made available, we will post updates."

Mozilla released Firefox 2.0 last week, nearly a year after making the last big upgrade. New features warn users of phishing Web sites, offer suggestions regarding frequently used search terms and corrects spelling mistakes.

Tags: Web Browser Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Web Browser Security Exploit code targets Internet Explorer zero-day display flaw InZero Systems launches hardware-based security gateway Web security firm ranks Firefox, Safari browsers as flaw prone Microsoft fixes security update that breaks Internet Explorer Mozilla update repairs Firefox buffer overflow vulnerabilities Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Do Facebook URL security concerns justify blocking social networks? Phishing attacks to remain a major problem, say security experts Adrian Perrig: Improve SSL/TLS Security Through Education and Technology Web Browser Security Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary browser hijacker  (SearchSecurity.com) cache cramming  (SearchSecurity.com) cache poisoning  (SearchSecurity.com) honey monkey  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) NCSA  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary