Low Risk Denial of Service in Firefox
07.30.08 - 12:30pm
Issue
A null pointer dereference in the content layout component of Firefox allows an attacker to crash the browser when a user navigates to a malicious page.
Impact
If a user browses to a malicious page that takes advantage of this vulnerability, the browser will crash. A feature in Firefox called Session Restore will restore the browser session when Firefox is restarted and will likely save user-typed content in text areas as well. This feature is designed to save users’ work in the event of a crash or browser restart.
Status
This issue is currently under investigation. Mozilla has assigned this bug an initial severity rating of low because of the minimal security risk to users.
Credit
Radware reported this issue to Mozilla.
If the page that you crashed on is in the session, won’t you just crash as soon as you start up again, though?
What’s special about this crash bug that merits a post on the Security Blog? Most such bugs are public and not treated as security holes.
Is there some sort of bug number we can refer to? (Even if the bug is private, so that we would be able to refer back to it once it has been removed from the group)
Mook, the bug is here: https://bugzilla.mozilla.org/show_bug.cgi?id=448564
Jesse, I posted about this issue because Radware issued a press release and I wanted to make sure our users had enough context to understand that this is a low risk issue.
If this is the same security issue as in Firefox 2, then there is a temporary solution, as stated in [Mozilla Firefox 2.0.0.3 Release Notes, March 2007]. See also [Firefox 3 Knowledge Base / Session Restore]:
“The Session Restore functionality provided in Firefox 2 will restore connections to services which use session cookies to maintain login state such as GMail. It is recommended that users with concerns about the privacy implications of this behavior change the value of browser.sessionstore.resume_from_crash to false.”