Firefox/Mozilla/Netscape exploit code

By Jaqui

"Mozilla/Firefox/Netscape Browsers IDN URI Buffer Overflow

Description: Exploit code has been publicly posted for the IDN URI
buffer overflow in Mozilla, Firefox and Netscape browsers"

Exploit Code
http://www.frsirt.com/exploits/20050922.PwnZilla.php

This exploit was reported last week; the code was released this week.

But not to worry:
"
FireFox, Mozilla and Thunderbird Remote Command Injection
Affected:
On UNIX platforms:
Mozilla Firefox 1.0.6 and prior
Mozilla Suite 1.7.11 and prior
Thunderbird 1.0.6 and prior

Description: This vulnerability in Mozilla/FireFox browsers and
Thunderbird email client can be exploited to execute arbitrary commands
on UNIX systems. The problem occurs when a URL containing "backtick" is
passed as an argument to Mozilla, Firefox or Thunderbird. For instance,
issuing a command "firefox http://local\`ls`\" will result in the
execution of the 'ls' command. Systems using Mozilla/Firefox as default
browsers and Thunderbird as default email client are at a higher risk
as visiting a malicious webpage may result in the execution of attacker
specified commands.

Status: Updates have been released to address this issue for Mozilla and Firefox.
"

Mozilla Bugzilla Entry
https://bugzilla.mozilla.org/show_bug.cgi?id=307185
Secunia Advisory (discovered by Peter Zelezny)
http://secunia.com/advisories/16869
SecurityFocus BID
http://www.securityfocus.com/bid/14888

One week, patched, and released.
Exploit code posted after patch released.
And all within the 60-day time limit.

More egg on the faces of proprietary software vendors?
(In my opinion, yes.)


Just figured that this would be of interest to those that followed this:

http://techrepublic.com.com/5208-11193-0.html?forumID=4&threadID=180733&messageID=1842098
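
The failure mode in the quoted command-injection description, shown as an added example (not part of the original post, and not Mozilla's launcher script): a wrapper that lets the shell re-parse a URL argument, beside a hardened form. The function names `browser_bin`, `launch_unsafe`, `launch_safe` and `is_clean_url` are hypothetical, and the sample URL is constructed with a harmless `echo` in place of a real command.

```shell
#!/bin/sh
# Added example with hypothetical names; not code from Mozilla or the post.

# Stand-in for the real browser binary: reports the argument it received.
browser_bin() {
    printf '%s\n' "$1"
}

# Flawed pattern: the URL is spliced into a string the shell parses a second
# time, so backticks inside the URL are treated as command substitution.
launch_unsafe() {
    eval "browser_bin \"$1\""
}

# Hardened pattern: the URL stays one quoted argument and is never re-parsed.
launch_safe() {
    browser_bin "$1"
}

# Defence in depth for callers (mail client, desktop URL handler): reject
# characters that RFC 3986 does not allow unencoded in a URL. Note that
# '$', ';' and '&' are valid URL characters, so a filter like this cannot
# replace correct quoting in the launcher itself.
is_clean_url() {
    case "$1" in
        *'`'*|*'\'*|*'"'*|*'<'*|*'>'*|*'|'*|*'{'*|*'}'*|*'^'*) return 1 ;;
        *[[:space:]]*) return 1 ;;
        http://*|https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample input: single quotes keep the backticks literal here.
sample_url='http://local`echo INJECTED`'

printf 'unsafe wrapper passes: %s\n' "$(launch_unsafe "$sample_url")"
printf 'safe wrapper passes:   %s\n' "$(launch_safe "$sample_url")"
if is_clean_url "$sample_url"; then
    printf 'filter: accepted\n'
else
    printf 'filter: rejected (disallowed character in URL)\n'
fi
```
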
