User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.46 Safari/525.19 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6 (.NET CLR 3.5.30729) The security vulnerability occurs for any known content type that is identified under Options -> Applications Tab to open using firefox, i.e. either having set as an action to "Use Firefox" or "Use Other" and browse to file firefox.exe . If any such file is opened or clicked upon (e.g. mailto: link, .java file, etc.) the browser proceeds in a never exiting loop to open an infinite amount of blank tabs (tabs not displaying anything), while constantly consuming more memory, until it crashes. A malicious attacker, knowing that any known content type is set to open using firefox, can cause remotely, a Denial of Service on the browser. This is achieved by getting the user to click, or open a file or location of the particular content type. Such an action will trigger in an infinite loop the constant opening of blank tabs. Reproducible: Always Steps to Reproduce: 1. Open Firefox, go to "Tools" -> "Options" and select the "Applications" tab 2. In the "Content Type", select "mailto" and as action, select "Use Other" 3. Browse to the installation directory and select "firefox.exe", click ok 4. Select "OK" in the options panel 5. Browse to any page that has a mailto html link and click on it 6. The Open Tab DoS begins, opening an infinite amount of blank tabs Actual Results: Firefox enters an infinite loop, continuously opening blank tabs or new blank windows, while consuming more memory. Expected Results: A single tab or window should open with the contents of the content type rendered by Firefox. In the case that the user has the option "New pages should be opened:" set to "a new tab" this attack can be stopped by clicking the stop button. If though the setting "New pages should be opened:" is set to "a new window" an infinite number of blank windows starts appearing! This could even result to an operating system Denial of Service, if the user does not select to kill the process in time. Also, closing an individual window does not appear to effect the continuous opening of blank windows. Finally this vulnerability has been replicated (following steps 1-6 above) on Windows XP and Windows 2008 Standard Server, using both Firefox 3.0.5 and Firefox 3.0.6 on both platforms.

How would you trigger this in a normal Firefox setup? Are there any content types that Firefox cannot display internally, and yet Firefox has registered for?

I discovered this bug when attempting to de-register .java content types from opening in visual studio. The second option from the drop down menu of actions was to use firefox. Even though I've replicated it with many other content types, I have not investigated any other registered ones.

I assume the unduping was a mid-air collision. If it was on purpose please explain how this differs from bug 167320