Discussion in 'other security issues & news' started by ronjor, Feb 7, 2006.
Multiple Vulnerabilities in Mozilla Products
So far the exploit has only been tested on Gentoo Linux with the stock mozilla-firefox 126.96.36.199 package. It took almost 1 gig of padded code to overwrite the memory buffers and unleash the exploit code. Chances are this exploit will not work under Windows and perhaps not even under other Linux distributions. But it does prove the concept and other exploits may be released soon.
John Herron, CISSP
More info at NIST.org
I think that's just one exploit which has been written for the vulnerability. Others have probably been written too.
Only one exploit has been made public so far and there have been no announcements of others. That doesn't mean they're not out there. But keep in mind that buffer overflow exploits aren't the easiest thing to code for. Overflowing the data buffer into code space and causing a DoS isn't hard. But flowing exactly the correct program code into exactly the right memory space to give you control over a computer can be very difficult. A whole lot of trial and error goes into it. Simply because the bad guys have successfully exploited the vulnerability on one platform doesn't necessarily make them closer to exploiting it on another platform. Even going from one version of Windows to another can sometimes require a whole new exploit to be written.
But you can bet they're working on it.
John Herron, CISSP
I said what I said because I was looking at some exploit code which said something like "this has been tested on Gentoo with firefox 1.5.0", so I asked some (whitehat) hackers if Ubuntu was vulnerable too and they said yes it was and to use 1.5.1 instead. I didn't know that was the only known exploit. I thought there might be more because I was told about Ubuntu being vulnerable too. Either it's the same exploit or there's more.