Mozilla Idn Buffer Overflow Security Hole

[borfast]

On September 6 a security vulnerability affecting all versions of Mozilla Firefox and the Mozilla Suite was reported to Mozilla by Tom Ferris and on September 8th was publicly disclosed.

 

On September 9, the Mozilla team released a configuration change which, as a temporary measure to work around this problem, disables IDN in the browser. IDN functionality will be restored in a future product update. The fix is either a manual configuration change or a small download which will make this configuration change for the user. Instructions on administering these changes can be found below.

 

Go here for instructions and downloads.

 

PS - When I went to the page and read the instructions, they seemed familiar. I went to the about:config page and the option they mention is already set to false... wasn't this the solution for a previous problem, also related to IDN?

Edited September 10, 2005 by borfast

[TCH-Don]

Thanks Raul

I just upgraded to 1.0.6

yesterday and it was set to true

[borfast]

Yep, I knew this had been brought up before -> http://www.mozillazine.org/talkback.html?article=6038

 

In that thread, they talk about the IDN vulnerability, as well as the solution mentioned in the page I linked to above.

 

But now I wonder, why is this being brought up again if it had already been solved?... :|

[TCH-Thomas]

Thanks for the info Raul.

[TCH-Bruce]

But now I wonder, why is this being brought up again if it had already been solved?... :|

So people that didn't take the threat seriously before will do so now.

[TCH-Don]

It would appear when I upgraded it was turned back on.

[TCH-Rob]

Maybe Mozillasoft didnt remember when making the upgrade and turned it back on by accident.