Firefox bug crashes your browser and sometimes your PC

Bug affects Firefox on Mac, Linux, and Windows, but not Android.
Written by Catalin Cimpanu, Contributor

A security researcher who two weeks ago found a bug that could crash all WebKit-based apps on iPhones, iPads, and Macs, has now discovered another browser bug that can crash Firefox browsers, and sometimes the entire operating system underneath it.

The bug is just the latest addition to Browser Reaper, a web portal set up by Sabri Haddouche, a software engineer and security researcher at encrypted instant messaging app Wire.

Haddouche has been researching denial of service (DoS) vulnerabilities as a hobby and has now identified one in every major browser engine: Chrome, Safari (WebKit), and Firefox.

His latest addition, the Firefox bug, will crash Firefox's browser process on Macs and Linux systems, resulting in the browser showing its classic Crash Reporter popup.

On Windows, the bug is a little bit worse, as besides sometimes crashing the browser, the bug has also been observed freezing the entire operating system, requiring users to perform a hard reboot.


[Image: DoS bug crashing Firefox, and later freezing Windows itself. Credit: ZDNet]

During our experiments, the DoS bug worked against the latest Firefox stable release, as well as the Firefox Developer and Nightly editions. The bug did not crash Firefox for Android instances, according to ZDNet's tests. Firefox uses the WebKit engine on iOS, instead of its new Quantum engine, so iPhone and iPad users aren't affected.

"What happens is that the script generates a file (a blob) that contains an extremely long filename and prompts the user to download it every one millisecond," Haddouche told ZDNet in an interview.

"It, therefore, floods the IPC (Inter-Process Communication) channel between Firefox's child and main process, making the browser at the very least freeze," the researcher added.

A proof-of-concept HTML page that triggers the bug has been hosted on GitHub. Accessing this link won't crash your browser; it only reveals the test page's source code.

Haddouche reported the bug to Mozilla's staff earlier today. ZDNet readers can follow the bug report for more details and an upcoming Firefox update.

On Friday, September 21, Mozilla released Firefox 62.0.2, a new Firefox version that includes 13 bug fixes, one of which is an SSL-related security issue rated "moderate" in terms of severity.
