Mozilla is downplaying the severity of a purported threat to its recently updated Firefox web browser.
Soon after the company on Thursday pushed out Firefox 3.5.1 to resolve a major JavaScript vulnerability, reports began surfacing of a new proof-of-concept, zero-day "boundary condition" exploit. According to a SANS Internet Storm Center blog post, the flaw could be exploited to cause a denial-of-service (DoS) attack or a system compromise.
But Mozilla engineers, in a post Sunday on the company's Security Blog, refuted those claims, saying the threat actually is not exploitable. Firefox versions 3 and 3.5 on Windows could be terminated by an "attempt to allocate a very large string buffer" -- but this could not lead to code execution.
"This termination is safe and immediate, and does not permit the execution of attacker code," Mike Shaver, vice president of engineering at Mozilla, wrote.
The issue also can cause an unexpected crash on Firefox 3 and 3.5 for the Mac, affecting the ATSUI (Apple Type Services for Unicode Imaging) system library, which is part of the Mac OS X. But it cannot cause code execution.
"We have reported this issue to Apple, but in the event that they do not provide a fix, we will look to implement mitigations in Mozilla code," Shaver wrote.
As a result of the post, SecurityFocus, which tracks security issues, revised its advisory, but did note that the bug could be exploited for DoS attacks.
Soon after the company on Thursday pushed out Firefox 3.5.1 to resolve a major JavaScript vulnerability, reports began surfacing of a new proof-of-concept, zero-day "boundary condition" exploit. According to a SANS Internet Storm Center blog post, the flaw could be exploited to cause a denial-of-service (DoS) attack or a system compromise.
But Mozilla engineers, in a post Sunday on the company's Security Blog, refuted those claims, saying the threat actually is not exploitable. Firefox versions 3 and 3.5 on Windows could be terminated by an "attempt to allocate a very large string buffer" -- but this could not lead to code execution.
"This termination is safe and immediate, and does not permit the execution of attacker code," Mike Shaver, vice president of engineering at Mozilla, wrote.
The issue also can cause an unexpected crash on Firefox 3 and 3.5 for the Mac, affecting the ATSUI (Apple Type Services for Unicode Imaging) system library, which is part of the Mac OS X. But it cannot cause code execution.
"We have reported this issue to Apple, but in the event that they do not provide a fix, we will look to implement mitigations in Mozilla code," Shaver wrote.
As a result of the post, SecurityFocus, which tracks security issues, revised its advisory, but did note that the bug could be exploited for DoS attacks.