Risk: High
A vulnerability has been discovered in Firefox, which can be exploited to cause a DoS (Denial of Service) or to compromise a user's system.
The vulnerability is caused by an error in the handling of IDN URLs that contain the 0xAD character in the domain name. This can be exploited to cause a heap-based buffer overflow.
Successful exploitation crashes Firefox and allows code execution, but requires that the user be tricked into visiting a malicious web site or opening a specially crafted HTML file.
NOTE: Exploit code is publicly available.
The vulnerability has been confirmed in version 1.0.6, and is reported to affect versions prior to 1.0.6, and version 1.5 Beta 1.
Technical Details:
The problem seems to be that a hostname consisting entirely of dashes causes the NormalizeIDN call in nsStandardURL::BuildNormalizedSpec to return true while setting encHost to an empty string. As a result, Firefox adds 0 to approxLen (the estimated buffer size) for the host, but then appends the long string of dashes to the buffer instead, writing past the allocation.
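The following is an added illustration of the size-estimation mismatch described above; it is a simplified model written for this page, not Firefox's own code. NormalizeIDN_model, flawedSizing and buildSpecSafe are hypothetical names; the model reproduces only the behaviour the advisory describes (normalization "succeeds" but yields an empty encoded host), and uses std::string so that the flawed path reports the mismatch rather than performing an out-of-bounds write. The hardened builder shows the two checks that close the gap: treat an empty encoded host as a failure, and size the buffer from the string that is actually appended.

```cpp
#include <string>
#include <cstddef>

// Hypothetical stand-in for NormalizeIDN (not the real Mozilla routine).
// Mirrors the advisory's description: for an all-dash label it reports
// success (true) but leaves encHost empty; otherwise it passes the host
// through (a real implementation would Punycode-encode non-ASCII labels).
static bool NormalizeIDN_model(const std::string& host, std::string& encHost) {
    bool allDashes = !host.empty();
    for (char c : host) {
        if (c != '-') { allDashes = false; break; }
    }
    if (allDashes) {
        encHost.clear();   // the problematic case: "success" with nothing encoded
        return true;
    }
    encHost = host;
    return true;
}

struct SpecSizing {
    std::size_t approxLen;  // bytes the flawed estimate would reserve
    std::size_t actualLen;  // bytes that actually get appended
};

// Models the flawed estimate: the host contribution to approxLen is taken
// from encHost (0 bytes when empty), while the original host string is what
// ends up being appended. A mismatch here is exactly the overflow condition.
SpecSizing flawedSizing(const std::string& scheme,
                        const std::string& host,
                        const std::string& path) {
    std::string encHost;
    NormalizeIDN_model(host, encHost);
    const std::string& appended = encHost.empty() ? host : encHost;
    SpecSizing s;
    s.approxLen = scheme.size() + 3 /* "://" */ + encHost.size() + path.size();
    s.actualLen = scheme.size() + 3 + appended.size() + path.size();
    return s;
}

// Hardened builder (constructed example). Two defensive rules:
//   1. an empty encoded host is treated as a normalization failure;
//   2. the reserved size is computed from the string that will be appended.
// Returns false and leaves 'out' empty when the host is rejected.
bool buildSpecSafe(const std::string& scheme,
                   const std::string& host,
                   const std::string& path,
                   std::string& out) {
    out.clear();
    std::string encHost;
    if (!NormalizeIDN_model(host, encHost) || encHost.empty()) {
        return false;   // refuse to build a spec with no usable host
    }
    std::string spec;
    spec.reserve(scheme.size() + 3 + encHost.size() + path.size());
    spec += scheme;
    spec += "://";
    spec += encHost;     // only ever append what the size was computed from
    spec += path;
    out = spec;
    return true;
}
```

Running flawedSizing on a host such as "----------" shows approxLen falling short of actualLen by the host's full length; a fixed-size allocation based on approxLen would then be overrun by the append. buildSpecSafe rejects that input outright and builds an ordinary host correctly.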