Unpatched Firefox 1.5 exploit made public

[mandy]

Exploit code for the latest version of open-source browser Firefox was published Wednesday, potentially putting users at risk of a denial-of-service attack.

The exploit code takes advantage of a bug in the recently released Firefox 1.5, running on Windows XP with Service Pack 2...

The latest Firefox flaw exists in the history.dat file...

full article: http://news.com.com/Unpatched+Firefox+1....g=nefd.top

WORKAROUNDS:

However, the following is a workaround that should work (if it doesn't let me know).  Go to Tools -> Options.

Select the Privacy Icon, and then the History tab.  Set the number of days to save pages at 0.  This will disable writing anything to history.dat as far as I can tell, and should nullify the exploit

full article: http://isc.sans.org/diary.php?storyid=920

[jezebel]

Mozilla says its not a risk to users

Long-title temporary startup unresponsiveness

Web pages with extremely long titles (the posted proof of concept used 2.5 million characters) can cause Mozilla Firefox and the Mozilla Suite to appear to "hang" on startup when reading the browsing history data. The browser will eventually continue normally although this can take up to several minutes on a slower computer. The unresponsive starts will continue until the item with the long title is removed from the history file or eventually expires.

We have investigated this issue and can find no basis for claims that variants of this denial-of-service attack can cause an exploitable crash, and no evidence for this claim has been offered. There does not appear to be any risk to users or their computers beyond the temporary unresponsiveness at startup.

Should the user encounter this problem the slow starts can be fixed by deleting the item from history.
Deleting the item from history

  1. Open History from the Go menu
  2. Select the item with the long title
  3. Press the delete button

Clearing all history data

    * In Firefox 1.5
        1. Select "Clear Private Data" from the Tools menu
        2. Check the "Browsing History" box and press the "Clear Private Data Now" button
    * In Firefox 1.0 (also works in 1.5)
        1. Select "Options" from the "Tools" menu
        2. On the "Privacy" tab select "History"
        3. Press the Clear button in the History section

[Nat]

One of the first things I did when I downloaded and installed Firefox 1.5 the other day was I went into Tools > Options > Privacy and I clicked the "Settings...." button for the Clear Private Data Tool and clicked the ones I want to clear and then I selected "Clear Private Data When Closing Firefox". 

This way all that I want deleted in the history, cookies, cache, etc is automatically deleted every time I close Firefox.  I haven't had any problems.