Diary

 

Published: 2009-07-18,
Last Updated: 2009-07-18 15:04:23 UTC
by Patrick Nolan (Version: 1)

Various analysts and sites have recently confirmed that a vulnerability is present in Firefox 3.5.1 and that exploit PoC code for it has been released. When exploited, the vulnerability can lead to system compromise or cause a denial of service (DoS). No patch is available.

Mozilla Firefox 3.5 Unicode Data Remote Stack Buffer Overflow Vulnerability

CVE-2009-2479


Comments

Will NoScript act as a workaround?
posted by grummy, Sat Jul 18 2009, 16:49
eEye says "Note: Although Javascript access can be restricted with applications such as the NoScript Add-On, it may still be possible for the browser to be exploited if an untrusted website is loaded (with/without the consent of the user, for example, via XSS or compromised-whitelisted website)" and rates this as a Medium Risk; all other sites I checked rate this at their highest risk. HTH
posted by Patrick, Sat Jul 18 2009, 17:20
eEye is ignorant or purposely misleading here: NoScript features the first and best client-side anti-XSS protection, therefore running JavaScript code from an untrusted website "without the consent of the user" is practically impossible...
posted by Giorgio Maone, Sat Jul 18 2009, 19:35
Thanks for the comment on the FF anti-XSS protection, Giorgio. FWIW, I do not interpret their work as ignorant or misleading; they're correct and probably the only analysts that point out to users how you might get exploited even with "applications such as" NoScript. Compromised "Whitelisted" websites deserve mentioning too, for those that rely heavily on "Trusted" options in browsers and apps like NoScript.
posted by Patrick, Sat Jul 18 2009, 20:07