Last week, a security researcher pointed out how a CSS-based attack could crash iPhones, iPads, and Mac devices. The same researcher has now come up with another interesting finding. He demonstrates how a new Firefox bug crashes a browser allowing for a denial of service. In fact, the same bug can crash Windows PCs as well.
Firefox Bug Crashes Browser Or PC By Inducing DoS
Reportedly, the security researcher Sabri Haddouche demonstrates how a Firefox bug crashes the browser, or, in some cases, the entire PC. The bug resides in the Firefox API that prompts automatic download. Haddouche presents the demonstration with the new Browser Reaper.
After #Mailsploit, releasing #BrowserReaper so you can kill your browser.
More information: https://t.co/9Ls3AKps72— Sabri (@pwnsdx) September 23, 2018
As explained, upon clicking a certain web-link abusing the buggy API, the browser may freeze in an attempt to handle the repeated download attempts of a file having an extensively long name. Since Firefox cannot handle downloading files with long names, such as one having more than 26,000 characters which was used in his demonstration, it eventually crashes following a DoS. According to his comment
“What happens is that the script generates a file (a blob) that contains an extremely long filename and prompts the user to download it every one millisecond. It, therefore, floods the IPC (Inter-Process Communication) channel between Firefox’s child and main process, making the browser at the very least freeze.”
The bug reportedly affects Firefox browsers running on Windows, Mac, and Linux. In fact, in case of Windows, ZDNet demonstrated that the bug can even crash the entire OS. Hence, compelling the users for a hard reboot.
The researcher has shared the POC for Firefox Reaper HTML page on Github. Anyone can have a look at the source code here.
Android And iOS Users Remain Safe
Allegedly, the Firefox bug crashes browser version 62 – the latest Firefox version released by Mozilla, however Android and iOS users allegedly remain safe.
According to PCMag, Firefox is presently working out to fix the vulnerability reported by the researcher.
“We are aware of this issue and are actively working on mitigating it.”
This bug not only affects Firefox but also Google Chrome. Fortunately, users now have a method to check the vulnerability status of their browsers.
RELEASE: https://t.co/rctEEXr4VT now supports browser detection against @pwnsdx’s Safari, Chrome, and Firefox “Reaper” DoS exploits.
Scan your browser and hit the exploits tab to see if you’re vulnerable!
— spuz.me (@SpuzNiq) September 25, 2018
Until a fix is available, the users can protect themselves from this bug by restricting browsers from auto-running Javascript.
Take your time to comment on this article.