A new attack has been created that can crash or freeze the Mozilla Firefox desktop browser simply by visiting a web page that contains an embedded JavaScript script.

This attack was created by Sabri Haddouche, a security researcher at Wire, who has been releasing denial-of-service attacks that cause popular web browsers to crash or freeze. Some of the attacks created by Haddouche could even be used to crash an iPhone using CSS and HTML.

(and yes, it includes a crash / freeze for Firefox and its source code as promised) pic.twitter.com/Q6UlBWIXe6 — Sabri (@pwnsdx) September 23, 2018

This attacks works by flooding the IPC channel between the main Firefox browser process and a child process. This causes the browser to freeze and ultimately crash.

"What happens is that we generate a file (a blob) that contains an extremely long filename and prompt the user to download it every 1ms, therefore it flood the IPC channel between the child and main process, making the browser at the very least freeze." Haddouche told BleepingComputer in an interview.

When a Firefox desktop users visits a page hosting this attack, their browser will quickly become unresponsive and they may see a "Not Responding" screen in Windows as shown below. For others, the browser may crash entirely.

As the attack continues to flood the IPC channel it could also consume large amounts of memory or pin the CPU usage as shown in Task Manager below. Ultimately, this could consume all of the resources on the computer and cause the OS itself to crash.

This attack has been tested using the latest versions of Firefox Quantum, Firefox Beta, and the Firefox Nightly desktop clients and all of them are currently affected by this attack.

The "Reap Firefox" attack will not, though, affect Firefox on mobile browsers. To perform a DoS attack on Mozilla for iOS, though, you can use the Safari attack as it targets browser using WebKit, which Mozilla on iOS uses.

In order to mitigate this bug, Haddouche has told BleepingComputer that Firefox needs to prevent web sites from download multiple files at once without permission.

"Best practice would be to forbid websites to download multiple files at once (like Chrome do), Firefox closed my bug as resolved as they are working on it:"

A Mozilla bug report has already been opened to limit multiple downloads from a site, but it has not been seen in any recent Firefox builds.

Browser Reaper Project

Haddouche is compiling the browser attacks that he has created under the project name of "Browser Reaper". In order to showcase these attacks, a dedicated site has been created at https://www.reaperbugs.com/index, which lists the various browsers that are affected.

At this time, there are attacks for Chrome (Desktop/ChromeOS), Safari (iOS/macOS), and now Firefox (Desktop).

Browser Reaper Project Site

For each attack, Haddouche has also provided the source code so that users can see how they work. It is important, though, that you should not click on the Reap buttons from a production computer as it could cause not only instability in the browser, but also the operating system as well.