Linked by Thom Holwerda on Sat 10th Sep 2005 16:14 UTC, submitted by kellym
Privacy, Security, Encryption

Next week's 'Patch Tuesday' was already going to be quiet, with an update only for Windows. On Friday, Microsoft pulled that update, saying more testing is needed. In related news, officials at the Mozilla Foundation on Friday acknowledged that a potentially dangerous code execution hole exists in fully patched versions of its flagship Firefox web browser. Update: Seems like there already is a (temporary) fix available.
Thread beginning with comment 29370
Arbitrary code execution? Really?
by gonzalo on Sat 10th Sep 2005 20:54 UTC

I've seen proofs of concept that make Firefox crash (I've also seen some that claim to do it, but don't). But I haven't been able to find any code execution exploits yet.

Reply Score: 1

It doesn't actually work... the proof of concept, that is. Something tells me this is a big sham.

Reply Parent Score: 0

For more info, see:

https://addons.mozilla.org/messages/307259.html
http://mozillanews.org/bugzilla_warning.php3?id=307259

So it only works for long strings of soft hyphens. The number of hyphens is very arbitrary :p (The actual code that might get executed isn't.)

According to the bug report, it was opened (reported to Mozilla.org) on Sept 6. Surely the bug had existed for a long time, but nobody knew about it.

Oh, and the actual analysis was done by the Mozilla.org folks too.

Reply Parent Score: 0