The security researcher Sabri Haddouche from Wire discovered a bug that affects Firefox on Mac, Linux, and Windows that could crash the browser and in some cases the underlying PC.
Haddouche was focusing its analysis on vulnerabilities that affect major browsers (Chrome, Safari (WebKit), and Firefox), he published his findings on the Browser Reaper web site.
(and yes, it includes a crash / freeze for Firefox and its source code as promised) pic.twitter.com/Q6UlBWIXe6
— Sabri (@pwnsdx) September 23, 2018
The expert published on the website the PoC code to crash Firefox on Macs and Linux systems, causing the browser displaying the Crash Reporter message.
The expert published the proof-of-concept code on GitHub.
The issue could have more severe effects on Windows because in some circumstance it caused the freezing of the operating system.
Researchers at ZDNet conducted some tests to verify which systems are affected by the bug.
“During our experiments, the DoS bug worked against the latest Firefox stable release, but also Firefox Developer and Nightly editions.” states ZDNet.
“The bug did not crash Firefox for Android instances, according to ZDNet’s tests. Firefox uses the WebKit engine on iOS, instead of its new Quantum engine, so iPhone and iPad users aren’t affected.”
“What happens is that the script generates a file (a blob) that contains an extremely long filename and prompts the user to download it every one millisecond,” Haddouche explained to ZDNet in an interview.
“It, therefore, floods the IPC (Inter-Process Communication) channel between Firefox’s child and main process, making the browser at the very least freeze,” the researcher added.
The researcher reported the bug to Mozilla on September 23.
Haddouche discovered a few days ago a new CSS/HTML attack method that saturates Apple devices’ resources causing iPhone reboot or freezes Macs.
(Security Affairs – Firefox bug, DoS)