A Firefox 3.0.8 "high-priority fire drill security update" is on its way, likely to be released by the middle of next week (April the 1st at most, jokes aside). The reason is an emergency patch for a critical vulnerability irresponsibly disclosed by Guido Landi. I feel a bit guilty about it because Mr. Landi is Italian like me -- not that here in Italy we lack reasons for being ashamed...

Beware the PoC: it will crash Firefox on Windows, Linux and Mac OS X even if you've got NoScript installed. However this crash, like the vast majority of crashing bugs, is not exploitable if you've got JavaScript and other active content disabled on the attacker's site, because reliable exploitation requires scripting to "spray the heap", i.e. to fill memory with copies of the malicious payload so that it sits at the predictable addresses where the crash lets execution be redirected.
Therefore you can easily survive until the automatic update kicks in, if you don't mind the possibility of an annoying but not dangerous crash (thanks, session restore!) ;)
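To make the "spray the heap" point concrete, here is an added example (not code from this post, nor from NoScript) modelling in Node.js what a spray is and why it needs a script running on the attacker's page. Every address, block size and the "payload" marker is an illustrative assumption; no real vulnerability or shellcode is involved, and the layout model (blocks placed back to back from a fixed base) is a simplification of what an allocator actually does.

```javascript
// Added example (not code from the post or from NoScript): a small Node.js model of
// what "spraying the heap" means and why it needs a script running on the page.
// Every address, block size and the "payload" marker below is an illustrative
// assumption; no real vulnerability or shellcode is involved.

const BLOCK_SIZE = 0x100000;                       // 1 MiB per sprayed block (assumed)
const SLED_BYTE = 0x90;                            // x86 NOP: executing it just advances
const PAYLOAD = Buffer.from("PAYLOAD-MARKER");     // stand-in for shellcode, 14 bytes

// One spray block: a long sled of no-op bytes with the payload at the very end.
function buildBlock(blockSize = BLOCK_SIZE, payload = PAYLOAD) {
  const block = Buffer.alloc(blockSize, SLED_BYTE);
  payload.copy(block, blockSize - payload.length);
  return block;
}

// The spray itself: allocate many identical blocks and keep them alive, which is
// what a page's JavaScript does with an array of large strings. With script
// execution blocked on the attacker's site, nothing on the page can do this step.
function spray(count, blockSize = BLOCK_SIZE) {
  const blocks = [];
  for (let i = 0; i < count; i++) blocks.push(buildBlock(blockSize));
  return blocks;
}

// Assume the blocks end up laid out back to back from `base`. For an address the
// crash lets the attacker redirect execution to, report which block and offset it
// hits and whether that offset lies in the sled (so execution slides into the payload).
function resolve(address, base, blockCount, blockSize = BLOCK_SIZE, payloadLen = PAYLOAD.length) {
  const end = base + blockCount * blockSize;
  if (address < base || address >= end) return { hit: false };
  const offset = address - base;
  const block = Math.floor(offset / blockSize);
  const inBlock = offset % blockSize;
  const sledLen = blockSize - payloadLen;
  return {
    hit: true,
    block,
    offset: inBlock,
    landsInSled: inBlock < sledLen,
    bytesToPayload: inBlock < sledLen ? sledLen - inBlock : 0,
  };
}

// Walk a block from `offset` the way the CPU would: step over sled bytes, then read
// the payload. Returns the payload text if the landing spot slides into it, or null
// if execution started inside the payload bytes and would run off the end.
function simulateExecution(block, offset, payloadLen = PAYLOAD.length) {
  let pc = offset;
  while (pc < block.length && block[pc] === SLED_BYTE) pc++;
  if (pc + payloadLen > block.length) return null;
  return block.subarray(pc, pc + payloadLen).toString();
}

// Fraction of the sprayed region that is sled: the larger the block relative to the
// payload, the less precisely the attacker needs to know the address.
function sledCoverage(blockSize = BLOCK_SIZE, payloadLen = PAYLOAD.length) {
  return (blockSize - payloadLen) / blockSize;
}

if (typeof require !== "undefined" && require.main === module) {
  const base = 0x0c000000, count = 8;               // assumed layout of the spray
  const blocks = spray(count);
  const target = 0x0c0c0c0c;                        // a classic guessed address
  const where = resolve(target, base, count);
  console.log("with scripting:", where, simulateExecution(blocks[where.block], where.offset));
  console.log("sled coverage:", sledCoverage().toFixed(6));
  // With JavaScript blocked there is no spray: the same address hits nothing useful.
  console.log("without scripting:", resolve(target, base, 0));
}
```

The point of the model is the last line of the demo: without a script to allocate the blocks, the guessed address points at whatever happened to be there, and the crash stays a crash. Blocking the script does nothing to the bug itself, which is why the PoC still crashes the browser with NoScript active.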

On a side note, it's time to update Java as well: yet another bunch of critical vulnerabilities, several of them exploitable in your browser. Business as usual...

Important updates here.

20 Responses to “Lock Down Firefox for the Weekend”

  1. #1 Crashing bug in Firefox prompts early update next week - Mozilla Links says:

    [...] Giorgio Maone explains a mitigation tip: “Like the vast majority of [crashing bugs, it] is not exploitable [...]

  2. #2 Tom T. says:

    Yet another good reason to run NS in 100% lockdown mode -- *everything* blocked, including iFrames -- and allow only as needed, per site, or even per visit. Doing anything else is giving up security for laziness.

  3. #3 Alan Baxter says:

    PoC crashed Firefox 3.0.7 with NoScript on Windows XP even with "Forbid IFRAME" checked and "Apply these restrictions to trusted sites too" checked.

  4. #4 Giorgio says:

    @Alan Baxter:
    you're right, you get the (innocuous) crash anyway. I'm looking into that (seems that non-XHTML XML documents don't trigger the IFrame blocking codepath), and also decided to consider XSLT as scripting by default. Therefore next development build won't crash at all in default configuration.

  5. #5 GµårÐïåñ says:

    Thanks for the heads up. I have been following this for a while now but good to know how you feel about it.

  6. #6 k`sOSe says:

    dear Giorgio,
    I really appreciate your work, but I think you should not feel guilty for this.

    Indeed the Firefox guys got a PoC of the vulnerability 6 months ago, so it's not my fault. Also, I tried to make a very limited PoC and that's why I got tons of mail from people believing that it was an unexploitable null ptr deref.

  7. #7 Giorgio says:

    So are you Guido? Welcome here, anyway.

  8. #8 k`sOSe says:

    yes, it's me. Thank you and keep up the great work.

  9. #9 WebKit says:

    Time to use Safari.

  10. #10 Crashing bug in Firefox prompts early update next week | WinSoftNews - Computers-Technology-Software says:

    [...] Giorgio Maone explains a mitigation tip: “Like the vast majority of [crashing bugs, it] is not exploitable if [...]

  11. #11 Tom T. says:

    Giorgio said: "(seems that non-XHTML XML documents don’t trigger the IFrame blocking codepath)". I "thought" there was a reference to iFrames in the original blog, hence my ref to them in my first post above, which looks strange now. So you *did* edit the blog to remove the ref to disable iframe, and I'm not hallucinating? Whew!

    I clicked the PoC, but it seems you have to d/l a block of code, and then "Windows doesn't know how to open this". Whatever happened to PoC's where the link itself was the malicious site and would crash you or whatever? (asks the dummy).

    P. S. Giorgio, after quick-scanning your link to Silvio Berlusconi, I felt much better that the US is not the only country with sleazeball politicians running the show. Thanks!

  12. #12 Firefox 3.0.8 in a few days and new logos - Firefox, Logos, Version, Security hole, May, Promotion campaigns, Cologne, Thing - Caschys Blog says:

    [...] heard of the critical security hole in Firefox up to version 3.0.7? The vulnerability affects all [...]

  13. #13 Giorgio says:

    @Tom T.:
    sorry for making you feel hallucinated, I edited my post to prevent it from being syndicated with ineffective advice.

    ROTFL (I wish I could moderate comments Slashdot-style, yours is "5 - Funny" :)

  14. #14 PetFoodz.info says:

    Firefox 3.0.8 is on Mozilla's Release Servers..

  15. #15 Giorgio says:

    I know; we decided to bring the release forward in order to help home users, who can autoupdate more easily during the weekend.

  16. #16 hackademix.net » Firefox Light Speed Update and NoScript XSLT Protection says:

    [...] Lock Down Firefox for the Weekend 27 03 2009 [...]

  17. #17 0-Day Exploit for Critical Firefox Vulnerability | PC Tips says:

    [...] at the right places of your memory for execution,” Giorgio Maone, the creator of NoScript, explains. However, disabling JavaScript will not prevent Firefox from [...]

  18. #18 Firefox 3.0.8 released & new logos : Adrian Sauer says:

    [...] Because of a critical vulnerability (Firefox versions 3.0 through 3.0.7), the Mozilla dev team has a new version of the [...]

  19. #19 Blabulius Küngelstein says:

    I wonder if there is a way of spraying without using JavaScript or any plugin… :/

    Something is telling me that there has to be a way, but I have no idea how.

  20. #20 linkfeedr » Blog Archive » Crashing bug in Firefox prompts early update next week - RSS Indexer (beta) says:

    [...] next Firefox update, 3.0.8, next week, about a week ahead of the targeted mid-April. Mozilla’s Giorgio Maone explains a mitigation tip: “Like the vast majority of [crashing bugs, it] is not exploitable [...]
