Mozilla has now posted a notice on their Security Blog about this. According to their analysis, although there is a bug, it is not exploitable in the sense that it would enable an attacker to execute code. The attack consists, essentially, of passing a very long Unicode string to the browser. On Windows, the effect apparently is that the browser session is terminated, with an “out of memory” indication. On the Macintosh, the situation is slightly more complicated:
On the Macintosh in Firefox 3.0.x and 3.5.x, a crash occurs inside the ATSUI system library (part of OS X), due to what appears to be a failure to check allocation results. This issue is likely to affect any application using the recommended text-handling libraries on OS X.
So it appears that this flaw can be used to create a Denial-of-Service attack, by crashing the browser, but it does not seem that more serious exploits are possible.
Incidentally, a report from the SANS Institute suggests that other browsers, and in particular Internet Explorer 8, may also be affected:
Also, one of our readers points out that “…the PoC in Internet Explorer 8 throws a script exception stating that there is ‘not enough storage to complete this operation’…”
At this point, this does not seem to be a particularly serious problem. I will, of course, post updated information as I discover it.