Mozilla Firefox Malformed GIF File Denial of Service Vulnerability

Bugtraq ID: 27243
Class: Failure to Handle Exceptional Conditions
CVE:
Remote: Yes
Local: No
Published: Jan 11 2008 12:00AM
Updated: Jan 12 2008 01:09AM
Credit: Hanno Bock is credited with discovering this vulnerability.
Vulnerable: Mozilla Firefox 2.0 8
Mozilla Firefox 2.0 .9
Mozilla Firefox 2.0 .7
Mozilla Firefox 2.0 .6
Mozilla Firefox 2.0 .5
Mozilla Firefox 2.0 .4
Mozilla Firefox 2.0 .3
Mozilla Firefox 2.0 .10
Mozilla Firefox 2.0 .1
Mozilla Firefox 1.5 beta 2
Mozilla Firefox 1.5 beta 1
Mozilla Firefox 1.5 12
Mozilla Firefox 1.5 .8
Mozilla Firefox 1.5 .6
Mozilla Firefox 1.5
Mozilla Firefox 2.0.0.3
Mozilla Firefox 2.0.0.2
Mozilla Firefox 2.0.0.11
Mozilla Firefox 2.0.0.10
Mozilla Firefox 2.0 RC3
Mozilla Firefox 2.0 RC2
Mozilla Firefox 2.0 beta 1
Mozilla Firefox 2.0
Mozilla Firefox 1.5.0.9
Mozilla Firefox 1.5.0.7
Mozilla Firefox 1.5.0.6
Mozilla Firefox 1.5.0.5
Mozilla Firefox 1.5.0.4
Mozilla Firefox 1.5.0.3
Mozilla Firefox 1.5.0.2
Mozilla Firefox 1.5.0.11
Mozilla Firefox 1.5.0.10
Mozilla Firefox 1.5.0.1
[discussion]
Mozilla Firefox is prone to a remote denial-of-service vulnerability.

Successful exploits can allow attackers to crash the affected browser, resulting in denial-of-service conditions.

[exploit]
Attackers can exploit this issue by enticing an unsuspecting victim to view a malicious GIF file.

The 'zzuf' fuzzing tool demonstrates this issue. The tool can be obtained from the following website:

http://sam.zoy.org/zzuf/

[solution]
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

[references]
How long does it take to fix a crash-bug? (Hanno Bock)
Mozilla Homepage (Mozilla)
re-resting of zzuf results (Hanno Böck)