Tricky DoS Attack Crashes Mozilla Firefox

A newly released proof-of-concept attack using malicious JavaScript can crash or freeze Mozilla Firefox when an unsuspecting victim visits a specially crafted webpage on the browser.

Researcher Sabri Haddouche, a security researcher with Wire, on Sunday released the source code for the attack, which he included in a series of browser bugs dubbed Browser Reaper, which he said could crash Firefox versions 62.0.2 and earlier.

Haddouche has also released Browser Reaper source code for Chrome (including Chrome 69, ChromeOS 69 and earlier), as well as Safari (Safari iOS and macOS from 9.0 to 12.0).

Last week, the same researcher revealed a proof-of-concept (PoC) that could cause iOS devices to crash or restart due to a few lines of specially crafted cascading style sheets (CSS) and HTML code. And earlier this month, he revealed an attack that freezes Chrome browsers using one line of JavaScript.  The three browser attacks (Safari, Firefox and Chrome) are now grouped together under the name “Browser Reaper” on Haddouche’s website.

The source code uses JavaScript to crash or freeze the Firefox browser. The proof-of-concept is a denial-of-service (DoS) attack – essentially it will generate a file with a long name, which the system then tries to continuously download once every millisecond – eventually flooding the inter-process communication (IPC) channel and freezing or crashing the browser.

“What happen is that we generate a file (a blob) that contains an extremely long filename and prompt the user to download it every 1ms, therefore it [floods] the IPC channel between the child and main process, making the browser at very least freeze,” Haddouche told Threatpost in a message.

Haddouche tested the attack on Mac and Linux systems, which then triggered the “Mozilla Crash Reporter” notification.

A victim would need to visit a page that contains the attack source code. There is currently no way to mitigate the attack, Haddouche told Threatpost.

Mozilla did not respond to a request for comment from Threatpost regarding the attack. However, Haddouche said he has notified the company about the PoC, and they are working on a file download limitation for the browser so that the IPC channel would not be flooded by long filenames being continuously downloaded.

Once this feature is released, it should resolve the issue, said Haddouche: “However, this new feature has not been seen anywhere so far, even in the most experimental version of Firefox (Nightly),” he said.