Newly Reported Firefox 3.5.1 Vulnerability Not Exploitable

Several vulnerability research organizations have reported a remote stack buffer overflow vulnerability in the newly released Firefox 3.5.1 version. Mozilla dismisses claims that this bug can be exploited to compromise computers and says that its impact is only limited to a denial of service condition.

Just a day before Mozilla released version 3.5.1 of its Firefox browser in order to address a highly critical flaw in the JavaScript Just-in-Time (JIT) compiler, security researchers reported a separate stack-based buffer overflow vulnerability.

"By sending an overly long string of unicode data to the document.write method, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash," an alert from IBM's ISS X-Force, which assigns a severity rating of high to the flaw, reads.

Security researchers Andrew Haynes and Simon Berry-Byrne, who discovered and reported this boundary-condition error, have also published proof-of-concept exploit code for it. Meanwhile, experts from SANS ISC warn that the bug affects Firefox 3.5.1, that no patch is currently available and that, "The vulnerability can lead to system compromise or induce a DOS."

Mike Shaver, Mozilla's vice-president of engineering, confirmed the denial of service condition resulting from attempts to exploit it, but dismissed the claims it could be used to execute arbitrary code. "While these strings can result in crashes of some versions of Firefox, the reports by press and various security agencies have incorrectly indicated that this is an exploitable bug," he writes on the Mozilla Security blog.

Shaver notes that the resulting unexpected termination of the application is "safe and immediate," making code execution impossible. "[...] We believe that the IBM report is in error, and that the severity rating in the National Vulnerability Database report is incorrect. We have contacted them and hope to resolve the inaccuracies shortly," he concludes.