Last week Tom Ferris reported a buffer overflow vulnerability in Firefox Web browsers. The vulnerability exists due to faulty processing of URLs and could lead to the execution of remote code. Netscape and Mozilla browsers are also affected by the problem because they share the same code base as Firefox. The vulnerability has a wide-ranging effects on the Internet community as a whole since millions of people rely on Firefox, Mozilla, and Netscape as their browsers of choice.
Inexplicably, Ferris posted a simple demonstration of the vulnerablity on his Web site three days after notifying Mozilla Foundation. While the demonstration only crashed the browser and did not show how to launch a remote code execution attack, the Mozilla Foundation had not a had chance to formally respond to the problem by releasing a patch.
Ferris had previously reported a problem in a Microsoft product and gave no details to the public until a patch was available. Ferris gave no explanation for his differing methods of disclosure. The posting of demonstration code for the Firefox problem led to the development of an exploit by another researcher, Berend-Jan Wever, who has not released his working example to the public. Wever said it took him only three and a half hours to figure out how to exploit the problem based on Ferris' original disclosure.
The problem has been reported to affect Firefox 1.0.6, Firefox 1.5 beta, Netscape 220.127.116.11, and Mozilla 1.7.11. Previous versions of these browsers may also be affected. A simple workaround prevents the browsers from being exploited. Mozilla Foundation released a self-installing patch (XPI file) that contains a workaround that disables International Domain Name (IDN) processing. The workaround changes a configuration parameter, network.enableIDN, to false. People who do not want to install the patch can perform the same action contained in the XPI file by entering about:config into the address bar and then searching for the parameter, which should be reset to false. At least one person reported that the same workaround and XPI file can be applied to Netscape browser.