More discussion on the Firefox 1.5.0.3 “image bug”



There’s quite a bit more discussion of a DoS bug in Firefox 1.5.0.3. The link goes to a site where they’ve confirmed the issue, and there is a link there to a POC, so be cautious. It turns out that, using JavaScript, image tags can be given a mailto: link that automatically launches a large number of instances of whatever default mail handler a system has (essentially one for each image tag). Right now this sounds more like a denial of service risk, as I don’t see at this point any evidence that anything WORSE can be done than freezing up the system with too many copies of the mail program open.


There have been rumblings about this since at least May 6th… SANS (Incidents.org) had this to say about a workaround…

One possible workaround is to turn off automatic startup of your e-mail application in Firefox. To do so, enter in the URL bar: about:config. This will show a long list of configuration options. Search for ‘warn-external.mailto’ (e.g. use the ‘Filter’ option). By default, this value should be set to “false”. Click on the line to toggle it to “true” (it will be bold if it is not set to the default). Now, whenever you click on a mailto: link, you will first be asked if you would like to start your e-mail application. In the case of the exploit this will keep your system responsive, even though you may still have to click on all the dialogs. Disabling JavaScript is another option, or disabling mailto: links altogether. But these options are more intrusive.

It doesn’t seem to be a high-risk vulnerability, but rather a low-danger, annoyance-level denial of service risk.
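As an added example (not code from the original post or from SANS), here is a small Python audit that parses a Firefox prefs.js and reports whether the mailto: prompt from the quoted workaround is actually switched on. It assumes the standard user_pref() line format and the full preference name network.protocol-handler.warn-external.mailto, of which the quoted text shows only the suffix used for filtering.

```python
"""Audit a Firefox prefs.js / user.js for the mailto: prompt workaround.
Added example, not code from the original post or from SANS. Assumes the
user_pref("name", value); line format and the full preference name
network.protocol-handler.warn-external.mailto (the quoted text shows only
the 'warn-external.mailto' suffix used for filtering)."""
import re

PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')
MAILTO_WARN = "network.protocol-handler.warn-external.mailto"


def parse_prefs(text):
    """Return {name: value} for every user_pref() line; booleans and ints are
    decoded, quoted strings unquoted, other lines (comments, blanks) skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = raw
    return prefs


def mailto_prompt_enabled(text):
    """True only when the profile explicitly asks before launching the external
    mail handler. Firefox's default for this pref is false, so a missing line
    means the workaround has NOT been applied."""
    return parse_prefs(text).get(MAILTO_WARN, False) is True


# Constructed sample profiles, not captured from a real system.
DEFAULT_PROFILE = """# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("javascript.enabled", true);
"""
HARDENED_PROFILE = DEFAULT_PROFILE + (
    'user_pref("network.protocol-handler.warn-external.mailto", true);\n')

if __name__ == "__main__":
    for label, body in (("default", DEFAULT_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{label}: workaround applied = {mailto_prompt_enabled(body)}")
```

Point it at a real profile by reading its prefs.js into a string; a missing line counts as not applied because the browser default for this preference is false.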
