FYI...
NEW vuln - FireFox 3.5.1 confirmed, exploit PoC, no patch
- http://isc.sans.org/diary.html?storyid=6829
Last Updated: 2009-07-18 15:04:23 UTC - "Various analysts and sites have recently confirmed a vulnerability is present in FireFox 3.5.1 that has had exploit PoC released. When exploited, the vulnerability can lead to system compromise or induce a DOS. No Patch is available."
Mozilla Firefox 3.5 Unicode Data Remote Stack Buffer Overflow Vulnerability
> http://www.securityfocus.com/bid/35707/
CVE-2009-2479
> http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-2479
Last revised: 07/16/2009
CVSS v2 Base Score: 10.0 (HIGH)
>> http://xforce.iss.net/xforce/xfdb/51729
Reported: July 15, 2009
>> http://www.milw0rm.com/exploits/9158
[2009-07-15]
milw0rm 9158 “stack overflow” crash not exploitable (CVE-2009-2479)
- http://blog.mozilla.com/security/200...cve-2009-2479/
07.19.09 - "In the last few days, there have been several reports (including one via SANS) of a bug in Firefox related to handling of certain very long Unicode strings. While these strings can result in crashes of some versions of Firefox, the reports by press and various security agencies have incorrectly indicated that this is an exploitable bug. Our analysis indicates that it is -not-, and we have seen no example of exploitability... we believe that the IBM report is in error, and that the severity rating in the National Vulnerability Database report is incorrect. We have contacted them and hope to resolve the inaccuracies shortly."