
Browser Reaper POC exploit crashes Mozilla Firefox

A security researcher developed a proof-of-concept attack on Firefox, called Browser Reaper, which can crash or freeze the browser. But he gave Mozilla short notice of the flaw.

A new proof-of-concept attack that uses malicious embedded JavaScript to crash or freeze Mozilla Firefox was published this week.

Security researcher Sabri Haddouche created the proof-of-concept (POC) exploit and published it this week on GitHub. Haddouche previously created and released several denial-of-service POCs that cause Chrome, Firefox and Safari web browsers to crash or freeze.

This series of exploits is called Browser Reaper, and the latest one for Mozilla works on Firefox versions 62.0.2 and earlier. Haddouche has also created exploits that could crash an iPhone using CSS and HTML.

The source code for the Firefox version of Browser Reaper uses JavaScript and generates a file with a long name.

The file attempts to download once every millisecond on a continuous loop, which overwhelms the interprocess communication channel and eventually results in the browser freezing or crashing.

Haddouche tested this version of Browser Reaper on Linux and Mac systems. In both cases, it triggered the Mozilla Crash Reporter notification, which Haddouche included in his tweet.

In order to launch the Browser Reaper attack, the victim would have to visit a webpage that contains the source code.
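The flood described above is one download request per millisecond carrying a very long file name. As an added example (not code from Haddouche's POC or from Firefox), the sketch below shows one defensive pattern: a per-origin token bucket plus a file name length cap applied to page-initiated downloads. The class name, the limits and the simulated input are assumptions made for illustration.

```javascript
// Added example: hypothetical guard for page-initiated downloads.
// Class name and limits are assumptions, not Firefox internals.
const MAX_NAME_LEN = 255;   // assumed cap on the suggested file name
const BURST = 3;            // assumed downloads allowed back-to-back
const COST_MS = 1000;       // assumed: one further download per second

class DownloadGuard {
  constructor() {
    this.credit = new Map(); // origin -> { ms, last }
  }

  // Returns { allow, fileName? } for a request from `origin` at `nowMs`.
  check(origin, fileName, nowMs) {
    let c = this.credit.get(origin);
    if (!c) {
      c = { ms: BURST * COST_MS, last: nowMs };
      this.credit.set(origin, c);
    }
    // Earn 1 ms of credit per elapsed ms (integers, so no float drift).
    c.ms = Math.min(BURST * COST_MS, c.ms + (nowMs - c.last));
    c.last = nowMs;
    if (c.ms < COST_MS) return { allow: false };
    c.ms -= COST_MS;
    // Truncate rather than reject so a legitimate long name still downloads.
    return { allow: true, fileName: fileName.slice(0, MAX_NAME_LEN) };
  }
}

// Constructed input: one request per millisecond, name over 10,000 characters.
function simulateFlood(guard, origin, count) {
  const name = "a".repeat(10000) + ".txt";
  let forwarded = 0, longest = 0;
  for (let t = 0; t < count; t++) {
    const r = guard.check(origin, name, t);
    if (r.allow) {
      forwarded++;
      longest = Math.max(longest, r.fileName.length);
    }
  }
  return { forwarded, blocked: count - forwarded, longest };
}

const guard = new DownloadGuard();
console.log(simulateFlood(guard, "https://flood.example", 5000));
```

Because credit is tracked per origin, the page generating the flood exhausts only its own budget, and a download from another origin is still forwarded.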

Haddouche said he notified Mozilla about the POC "a few hours before" the POC went live on Sunday. According to Haddouche, Mozilla said this issue is a duplicate of another bug reported in February 2018. However, the researcher disagreed that it's a duplicate.

"It is similar, but I wouldn't say the same," he said.

The issue reported by Haddouche is being tracked as bug 1493539 on Bugzilla, and it's listed as a duplicate of the earlier bug 1438214. It's unclear whether Haddouche released the POC code on GitHub before or after he received a response from Mozilla that identified the bug as a duplicate. Responsible vulnerability disclosure practices generally give organizations 90 days to issue a patch or mitigation before a bug is made public.

Haddouche said the attack he created is different from the other bug in two ways. First, "a new blob is created every time" in the earlier bug, but his "code only creates one." And, second, "the long file name I provide causes more damage to the main process; therefore, the download pop-up is never shown, unlike in the 'duplicate.'"

Haddouche also said his Browser Reaper attack works faster than the alleged duplicate.

"I tried the 'duplicate' and, indeed, the browser freezes. However, the memory consumption is going up much slower than the POC I made."

Mozilla lists the status of Haddouche's bug 1493539 as "resolved duplicate," but a fix may still be in the works.

"We are aware of this issue and are actively working on mitigating it," a Mozilla spokesperson said.
