It has been just a few days since we informed you about the Firefox 3.5.1 update, which was aimed at resolving a JavaScript vulnerability in Firefox 3.5. Unfortunately, another vulnerability has now been reported in Firefox 3.5.1, and it was initially rated critical and remotely exploitable: a stack-based buffer overflow said to be triggered by an overly long string containing Unicode data. It has the potential to allow
A proof of concept demonstrating the issue has already been published. So far no patch has been made available by the Firefox team, so the advice at the time of writing was to disable JavaScript until a fix is released. This removes the reported trigger, at the cost of breaking many sites that depend on JavaScript. To disable JavaScript, go to Tools -> Options -> Content tab and uncheck "Enable JavaScript".
Thanks to Mike Shaver, who has corrected us on this issue. He informs us that the new bug is not capable of code execution; in the worst case it results in an unexploitable crash. According to the Mozilla Security Blog:
On Windows, Firefox 3.0.x and Firefox 3.5.x are terminated due to an uncaught exception during an attempt to allocate a very large string buffer; this termination is safe and immediate, and does not permit the execution of attacker code.
On the Macintosh in Firefox 3.0.x and 3.5.x, a crash occurs inside the ATSUI system library (part of OS X), due to what appears to be a failure to check allocation results. This issue is likely to affect any application using the recommended text-handling libraries on OS X. We have reported this issue to Apple, but in the event that they do not provide a fix we will look to implement mitigations in Mozilla code. We recommend that other developers who use these libraries consider a similar practice, and we have added mitigations in the past for similar bugs in these libraries.
As a result of our analysis, we do not believe that this represents an exploitable vulnerability in Firefox.
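The distinction Mozilla draws above, between a huge allocation that fails and is reported, and an allocation result that is never checked, is the whole question of exploitability here. The following C example is added for this page and is not Mozilla's or Apple's code. It shows the checked path for sizing a UTF-16 buffer from an attacker-controlled repeat count (the usual way a script builds an "overly long" string): the multiplication cannot wrap, the length is rejected against a policy limit before anything is allocated, and a NULL from the allocator is returned as a status rather than written through. The limit MAX_TEXT_UNITS and every function name are illustrative assumptions; Mozilla's real mitigations are not described on the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption for this example: the longest run of UTF-16 code units this
 * layer is willing to hand to a text-shaping library (64 Mi units, 128 MiB). */
#define MAX_TEXT_UNITS ((size_t)1 << 26)

typedef enum {
    TEXT_OK = 0,
    TEXT_ERR_SIZE_OVERFLOW, /* a size computation would wrap size_t        */
    TEXT_ERR_TOO_LONG,      /* over the policy limit; rejected before malloc */
    TEXT_ERR_OOM            /* allocator returned NULL; reported, never used */
} text_status;

/* Total code units needed to repeat a chunk of chunk_units `count` times.
 * A wrapped product would look like a small, acceptable length to every
 * later check, so the multiplication itself is guarded. */
text_status checked_repeat_units(size_t chunk_units, size_t count, size_t *total)
{
    if (chunk_units != 0 && count > SIZE_MAX / chunk_units)
        return TEXT_ERR_SIZE_OVERFLOW;
    *total = chunk_units * count;
    return TEXT_OK;
}

/* Allocate a UTF-16 buffer for n_units code units, or fail cleanly.
 * On any failure *out is NULL and the caller receives a status; the buffer
 * is never written before the allocation result has been checked. */
text_status alloc_text_buffer(size_t n_units, uint16_t **out)
{
    *out = NULL;
    if (n_units == 0)
        return TEXT_OK;             /* nothing to allocate; avoid malloc(0) */
    if (n_units > SIZE_MAX / sizeof(uint16_t))
        return TEXT_ERR_SIZE_OVERFLOW;
    if (n_units > MAX_TEXT_UNITS)
        return TEXT_ERR_TOO_LONG;
    uint16_t *buf = malloc(n_units * sizeof(uint16_t));
    if (buf == NULL)
        return TEXT_ERR_OOM;        /* an unchecked caller would write here */
    *out = buf;
    return TEXT_OK;
}

/* Simulate a caller: size and allocate a buffer for `count` copies of a
 * chunk, fill it, release it, and report only the status reached. */
text_status probe_repeat(size_t chunk_units, size_t count)
{
    size_t total = 0;
    uint16_t *buf = NULL;
    text_status st = checked_repeat_units(chunk_units, count, &total);
    if (st != TEXT_OK)
        return st;
    st = alloc_text_buffer(total, &buf);
    if (st != TEXT_OK)
        return st;
    for (size_t i = 0; i < total; i++)       /* illustrative fill pattern */
        buf[i] = (uint16_t)(0xD800 + (i & 0x3FF));
    free(buf);                               /* free(NULL) is fine for total == 0 */
    return TEXT_OK;
}

int main(void)
{
    /* Constructed inputs: a normal string, one over the policy limit,
     * one whose unit count wraps, one whose byte count would wrap. */
    struct { size_t chunk, count; } cases[] = {
        { 16, 4 },
        { 1, ((size_t)1 << 26) + 1 },
        { SIZE_MAX / 2, 4 },
        { 1, SIZE_MAX / 2 + 1 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("chunk=%zu count=%zu -> status %d\n",
               cases[i].chunk, cases[i].count,
               (int)probe_repeat(cases[i].chunk, cases[i].count));
    return 0;
}
```

The ordering matters: the wrap checks come before the policy check so that an attacker cannot use overflow to slip a gigantic request under MAX_TEXT_UNITS, and the policy check comes before malloc so that the process never even attempts the allocation that, unchecked, produced the crash described above.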
Comments on "Yet another vulnerability issue arises for Firefox 3.5.1 [Updated]"
Mike Shaver
July 20th, 2009 at 3:34 am
This is incorrect, as is the referenced article. The bug in question is not critical, as it cannot result in code execution. In the worst case, it can result in an unexploitable crash. Please see http://blog.mozilla.com/security/2009/07/19/milw0rm-9158-stack-overflow-crash-not-exploitable-cve-2009-2479/ for more details.
Muhammad Ali
July 20th, 2009 at 6:16 am
Thanks for the correction. Really appreciated.