Mozilla Says Firefox 1.5 Bug Not Serious
Malicious pages with very long titles--the proof of concept for the pseudo denial-of-service (DoS) attack contained 2.5 million characters--make the browser appear to hang, although the software is actually busy processing the long title, Mozilla said in an online security advisory. Once such a page is encountered, the very slow startup can't be corrected until the site name is removed from Firefox's history file.
Last week, researchers with the PacketStorm security group claimed that the bug could result in not just a DoS but a more serious buffer overflow, which attackers could in turn use to compromise the system.
Mozilla, however, said that additional investigations showed that there is no danger of a buffer overflow. "We can find no basis for claims that variants of this denial-of-service attack can cause an exploitable crash," stated the Mozilla advisory. "There does not appear to be any risk to users or their computers beyond the temporary unresponsiveness at startup."
The advisory also includes instructions on clearing the history file of the too-long site name.
Mozilla has not set a release date for a fix.