Security researcher Sabri Haddouche has found a bug in the Firefox web browser that can crash the browser and also the entire operating system running underneath.
As reported by ZDNet, this Firefox bug can force the browser to crash on all the three popular desktop platforms — Mac, Linux, and Windows.
On a Windows machine, this bug freezes the entire operating system which requires users to perform a hard reboot. Whereas on a Mac or Linux system, it displays the classic Crash Reporter popup on the browser.
(and yes, it includes a crash / freeze for Firefox and its source code as promised) pic.twitter.com/Q6UlBWIXe6
— Sabri (@pwnsdx) September 23, 2018
So far, the tests performed on mobile platforms confirm that Firefox on Android and iOS are not affected by this bug. One of the reasons behind the same is that instead of the new Quantum engine, Firefox uses the WebKit engine on iOS which leaves iPhone and iPad users unaffected.
How does it work?
Haddouche explained that the bug contains a script which generates a file (a blob) with an extremely long filename.
The script prompts the browser to download it every one millisecond which “floods the the IPC (Inter-Process Communication) channel between Firefox’s child and main process,” and eventually freezes the browser.
You can access the proof-of-concept HTML page that triggers the bug on GitHub to check out the test page’s source code.
Meanwhile, Mozilla has been notified of the new exploit and it has been added to the company’s bug tracking platform so that we can expect a fix soon enough.