Slashdot Mirror


New Mozilla Firefox 1.0.3 Exploit

An anonymous reader writes "News sources are reporting that a 'killer' new Firefox exploit has been revealed today by FrSIRT who warn that this 0day exploit/vulnerability (as yet unpatched) should be rated as critical. Summary of the exploit: If a user clicks anywhere on a specially crafted page, this code will automatically create and execute a malicious batch/exe file. Proof of concept code supplied by FrSIRT."

49 of 596 comments

  1. This was reported to bugzilla some time ago! by Exter-C · · Score: 5, Informative

    This was reported to the mozilla bugzilla a while ago. https://bugzilla.mozilla.org/show_bug.cgi?id=292691

    1. Re:This was reported to bugzilla some time ago! by passthecrackpipe · · Score: 4, Informative

      interesting - even when you go past the "can't view bugs from slashdot" stuff, it seems access to this bug report has been denied. Yay open source!

      --
      People who think they know everything are a great annoyance to those of us who do.
    2. Re:This was reported to bugzilla some time ago! by Anonymous Coward · · Score: 5, Informative

      It's a severe security-related bug, so the bug report is restricted. This is meant to stop script kiddies from scanning bugzilla for unpatched exploitable bugs. Unless you're a disciple of the full disclosure persuasion, that is the correct way. The Mozilla Foundation discloses all bugs when a patch is available to the general public.

      It's "Open Source", not "Sploitz4Free".

  2. Reported and temporarily fixed by alanjstr · · Score: 5, Informative

    Bugzilla bug 293302 has been filed. A temporary fix has been implemented on UMO.

  3. Re:Yup - secure... by Ithika · · Score: 2, Informative
    You're right, I'm gonna have real difficulty pressing those little green and red arrows in the corner of the window when the time comes for the new release. Oh boy, I'm sweating at the thought of the trials that await me! I'll probably need to lie down after that, it being so difficult and complicated and all.

    Woe is us.

  4. Stolen exploit by Anonymous Coward · · Score: 5, Informative

    They were already working on patching this, but it was stolen before they could finish and leaked to bugtraq with LIVE material in the exploit (it's not a proof of concept, folks!) and no explanation or advisory.

    Reminder: Bugzilla blocks /. referers. Copy URL and paste in new to view. (Beware Slashcode's extra spaces.)

    https://bugzilla.mozilla.org/show_bug.cgi?id=292691 < Original security bug (probably still blocked to outsiders to prevent someone stealing it before mitigation)

    https://bugzilla.mozilla.org/show_bug.cgi?id=293302 < Duplicate (reported after leak)

    They are going to release a 1.0.4 shortly, I gather.

    Still more timely than most of Microsoft's advisories... despite their earlier announcement. http://www.eeye.com/html/research/upcoming/index.html

  5. Re:Has he dropped this in bugzilla as well? by Anonymous Coward · · Score: 3, Informative

    Yes, it's in Bugzilla (bug is temporarily restricted because of security concerns). There's also a dupe already. No need to add more.

  6. Leaked known bug by Anonymous Coward · · Score: 5, Informative

    A^C^E, a Firefox security researcher, is claiming on Addict3D.org that this is a 0day duplicate of a leaked, known bug. He says, "I suspect that my server was compromised, and I am currently using my contacts to find the culprit and bring him to justice."

    Also, bugzilla.mozilla.org is claiming they've been slashdotted. Go easy on em.

  7. Possible workaround: by wideangle · · Score: 5, Informative

    Uncheck Tools > Options > Web Features > Allow web sites to install software

    1. Re:Possible workaround: by ScytheBlade1 · · Score: 2, Informative

      True, it SHOULD only apply to XPIs, but it also prevents this 0day from happening, period.

    2. Re:Possible workaround: by jesser · · Score: 2, Informative

      This exploit has two parts: an XSS hole and a hole that lets xpi-installation-whitelisted sites execute arbitrary code. Your workaround only fixes the second part and leaves you open to an XSS hole, which is sufficient for stealing your saved passwords, cookies, secret pages on your intranet, etc. The real workaround is to disable JavaScript.

      --
      The shareholder is always right.
  8. Re:Uh oh! by Anonymous Coward · · Score: 1, Informative
  9. Re:Uh oh! by KronicD · · Score: 2, Informative

    This is what he was referring to.

    --
    "Those who would give up Essential Liberty, to purchase a little Temporary Safety, deserve neither Liberty nor Safety"
  10. This isn't much of an "exploit" by richg74 · · Score: 5, Informative
    The actual advisory page is here. The "Solutions" section says this:

    Disable JavaScript, or disable the "Allow web sites to install software" option [Tools - Options - Web Features].

    Why would anyone run routinely with "Allow web sites to install software" enabled ?

    1. Re:This isn't much of an "exploit" by Anonymous Coward · · Score: 1, Informative

      Doesn't matter. The code is injected by a third-party site which is linking to one of the known good mozilla sites.

    2. Re:This isn't much of an "exploit" by cortana · · Score: 5, Informative

      > Why would anyone run routinely with "Allow web sites to install
      > software" enabled?

      1. It's on by default
      2. We naively assumed that the whitelist of web sites allowed to install software did its damn job.

  11. Re:Are you sure? by Anonymous Coward · · Score: 1, Informative

    The script is supposed to inject code into the chrome by calling a (chrome-)function "install(event, extensionname, iconurl)" with a javascript iconurl which then uses its elevated privileges to create and start the batch file.

    On my main system (WinXP, Firefox 1.0.3, fresh profile), the Javascript console tells me it can't find the install function.

    On my other system (WinXP, Firefox 1.0.3, fresh profile), it throws an access violation error about not being allowed to access window.title. I don't see how these installations differ, but apparently, the test-exploit is quite fragile.

  12. Get some priorities! by teamhasnoi · · Score: 1, Informative

    Today is the day that you should brave the yellow face, go upstairs and thank your mom for letting you turn the basement into a Nethack dungeon. Not posting in the typical smarmy, "I told you so" Slashdot fashion. You never told me so. You just say it now to look 'visionary'.

    Firefox is going to have bugs, it's going to break, it's going to suck sometimes. The difference between it and IE is that the Firefox devs actually *care*.

    So put on a less dirty shirt, douse yourself with some of that Stetson cologne you got for Christmas about ten years ago, pick some dandelions and go tell your mom 'Happy Mother's Day'.

  13. Re:Nasty by cortana · · Score: 5, Informative

    Unfortunately, the exploit could have just as easily created a file starting with #!/bin/sh, and passed 555 as the 'permissions' argument to createUnique.

    Why on earth the browser thinks it's necessary to allow scripts to create executable files is beyond me.

  14. Secunia: Extremely Critical by MarkByers · · Score: 5, Informative

    Secunia have already released an advisory explaining how the exploit works:

    http://secunia.com/advisories/15292/

    This is the first Firefox exploit that has received the rating 'Extremely Critical'.

    --- Extract from Secunia's site ---

    Description:
    Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.

    1) The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.

    2) Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.

    Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").

    A combination of vulnerability 1 and 2 can be exploited to execute arbitrary code.

    NOTE: Exploit code is publicly available.

    The vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.

    Solution:
    Disable JavaScript.

    --
    I'll probably be modded down for this...
  15. Re:Uh oh! by Curtman · · Score: 4, Informative

    Start your stop watches and let's see how long before a patch is forthcoming

    Might as well hit stop now. The bug isn't exploitable any more since update.mozilla.org itself has been fixed.

  16. Re:Are you sure? by SEE · · Score: 4, Informative

    Reading the Secunia explanation:

    Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").

    So, unless you've whitelisted the exploit site (which generally would mean it's a site you trusted enough to install an XPI from), or the Mozilla website has been compromised, the exploit won't work.

  17. Re:Yup - secure... by Mold · · Score: 2, Informative

    It puts a little red icon in the upper right-hand corner when an update is available. You click on it to get the newest version. It does this for me on both Windows and Linux.

    Seems simple enough to me.

  18. Re:Uh oh! by Anonymous Coward · · Score: 1, Informative

    If by 'known' you mean public, then yes, you are right. However, there are no less than THREE unpatched remote exploits for IE which have been discovered. See:

    http://www.eeye.com/html/research/upcoming/index.html

    I do agree that the 'Firefox is more secure' meme was largely unfounded, but don't let MSFT off the hook so easily. Switch to Opera ;-)

  19. Re:Uh oh! by MarkByers · · Score: 5, Informative

    In Firefox, to stop this vulnerability:

    Web Features->Allow web sites to install software

    I'll switch to MS IE as it has no known serious vulns

    Internet Explorer Long Share Name Buffer Overflow Highly Critical

    Yeah... whatever. I don't mind if you would rather use a browser with a known serious security problem, but saying that IE has no known serious issues is misinformed.

    --
    I'll probably be modded down for this...
  20. Re:Yup - secure... by starwed · · Score: 5, Informative

    This is already being worked on and should be in 1.1. ^_^ Check out ben's blog about it.

    A quote: "Darin has figured out how to get binary patching working, and is working on a system for incremental background update download."

  21. Fixes for large sites by shirro · · Score: 5, Informative

    For people running Firefox in a business or school with centrally locked down settings I think a quick fix might be to add

    lockPref("xpinstall.enabled", false);

    xpinstall.enabled seems to be the preference changed by "Allow websites to install software"

    1. Re:Fixes for large sites by Anonymous Coward · · Score: 1, Informative

      If you're running in a centrally locked down setting you might also want to add

      lockPref("extensions.update.enabled", false);

      This won't let your users update themes, XPI extensions, etc. that you've set up.
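      As an added defensive example (not code from this thread or from Mozilla): a small Python checker that reads a prefs.js, user.js or mozilla.cfg and reports whether the two workarounds discussed in this thread, `xpinstall.enabled` and `javascript.enabled` set to `false` (ideally via `lockPref`), are actually in effect. It also flags a quoted `"false"`, which is a string literal rather than a boolean and so does not express the intended setting. The sample config is constructed.

```python
import re

# Matches pref(), user_pref(), lockPref() and defaultPref() lines as found in
# prefs.js / user.js / mozilla.cfg. Function name is matched case-insensitively
# so a mistyped "lockpref" is still parsed (and reported as not locked below).
_PREF_RE = re.compile(
    r'^\s*(user_pref|pref|lockpref|defaultpref)\s*\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;',
    re.IGNORECASE,
)

# Workarounds from the thread; both prefs default to true in Firefox 1.0.x.
WORKAROUND_PREFS = ("xpinstall.enabled", "javascript.enabled")


def parse_prefs(text):
    """Return {name: (value, locked)} for every pref line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        func, name, raw = m.group(1), m.group(2), m.group(3)
        locked = func == "lockPref"          # exact JS name required to lock
        if raw == "true":
            value = True
        elif raw == "false":
            value = False
        elif raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]                # string literal, kept as str
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw                  # unknown token, keep verbatim
        prefs[name] = (value, locked)
    return prefs


def audit(text):
    """Check the thread's workarounds; returns one finding string per pref."""
    prefs = parse_prefs(text)
    findings = []
    for name in WORKAROUND_PREFS:
        entry = prefs.get(name)
        if entry is None:
            findings.append(f"{name}: not set (browser default is enabled)")
            continue
        value, locked = entry
        if isinstance(value, str):
            findings.append(f'{name}: quoted "{value}" is a string, not a boolean; type mismatch')
        elif value is False:
            findings.append(f"{name}: disabled" + (" (locked)" if locked else " (not locked; user can re-enable)"))
        else:
            findings.append(f"{name}: enabled")
    return findings


# Constructed sample mozilla.cfg fragment for demonstration (not from the thread).
SAMPLE_CFG = """\
// constructed sample, not a real deployment file
lockPref("xpinstall.enabled", false);
user_pref("javascript.enabled", true);
lockPref("extensions.update.enabled", "false");
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG):
        print(finding)
```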

  22. Root on Linspire by tepples · · Score: 2, Informative

    unlike in Windows, it also wouldn't have superuser privileges.

    Linspire (or at least older versions thereof) runs as superuser.

  23. Re:Nasty by cortana · · Score: 5, Informative

    Well, in Windows it would only have administrator privileges if the user was dumb enough to run Firefox as an administrator. ;)

  24. Not everybody runs Windows XP by tepples · · Score: 2, Informative

    From a security standpoint, fully updated IE is much better than unupdated Firefox.

    Unfortunately, a legit copy of the full update to IE costs at least $100 for users of Microsoft Windows 2000 operating systems.

  25. Re:Are you sure? by CTho9305 · · Score: 3, Informative

    That is incorrect. The exploit works by loading a page from a trusted site (one of the mozilla.org sites on the whitelist), then taking advantage of another Firefox bug to run some javascript in the security context of the trusted site.

  26. Batch/EXE by kg4gyt · · Score: 2, Informative

    Sounds like a windows only vulnerability. Are the Mac and Linux versions open to the hole as well?

  27. Re:I'm sure everyone whill complain by CTho9305 · · Score: 2, Informative

    The devs were already working on it before some jerk full-disclosured w/working exploit. It had already been marked as a bug that would block both the 1.0.4 and 1.1 releases. All this person did was cause a lot of headaches for Mozilla developers, and put many users at risk.

  28. Trusted Sites Only? by sepluv · · Score: 2, Informative

    The security advisory doesn't explain it too well, but it seems to imply that this only happens with sites that you've added to your list of sites trusted to install software (in which case it isn't really much of a problem).

    --
    Joe Llywelyn Griffith Blakesley
    [This post is in the public domain (copyright-free) unless otherwise stated]
  29. Re:Uh oh! by KnightMB · · Score: 3, Informative

    Anyone actually tried this yet? I did and it did NOT work on Windows XP, Windows 2000, Linux (obvious), Windows 98, Windows 2003 Server or Windows NT 4.0? So what gives? More FUD being spread about Firefox again?

  30. Re:Are you sure? by John_Booty · · Score: 2, Informative

    Doesn't work for me, either. Firefox 1.0.3, Windows XP SP2 here. I'm running Moox's build of Firefox; not sure if that affects anything.

    It looks like the script is spoofing ftp.mozilla.org somehow. I made sure that "Allow Web Sites To Install Software" was enabled in Firefox's preferences, and I even added "ftp.mozilla.org" to the whitelist of allowed sites! Still didn't work.

    Here's what happens when I load the page:

    1. Fx appears to contact ftp.mozilla.org and downloads the harmless XPI referenced in the "exploit" script. This takes several seconds.
    2. An error appears in the JavaScript console: "Error: install is not defined". No .bat file created at C:\ .........

    Either this "exploit" is B.S., or some other settings need to be in place for this to work.

    --

    OtakuBooty.com: Smart, funny, sexy nerds.
  31. Re:Uh oh! by Curtman · · Score: 4, Informative

    Are you telling me you expect a noob to know this? How is my grandmother supposed to know of this?

    Know what? What's wrong with your grandma, Alzheimer's?

    Why doesn't the little red arrow (update icon) display yet?

    Because you don't need to update anything. It was fixed on updates.mozilla.org. The site needs to be in your white list of sites that are allowed to install software to be vulnerable. I'm sure they will have a more permanent fix later at some point, but the current exploit no longer works. Go ahead and try it.

    So, as far as I'm concerned -- it's not.

    But you're a bit of a fool, so I'm not sure your opinion counts.

  32. Re:Are you sure? by CTho9305 · · Score: 5, Informative

    We made some server-side changes on update.mozilla.org to mitigate the attack.

  33. Re:gah by yfan · · Score: 3, Informative

    Um, let's take a minute and remember that according to the secunia advisory, ONLY sites that are allowed to install software can exploit this. And by default, that's only update.mozilla.org and addons.mozilla.org. If you are not adding untrusted sites to the list of sites that can install software to your browser, you are probably not in danger. That is not to say this doesn't need to get fixed, it totally does. But we're probably getting a little more excited/worried than there is cause for.

  34. Perhaps... by MO! · · Score: 2, Informative

    Perhaps you should manually download and install a release past beta. If you've been running the same version for "all these months" then you probably don't have a version current enough to include the update code. I've been getting the update notification icon since the 1.0 release, and perhaps even one of the release candidates. I've had the update icon working on Win2000, WinXP, SuSE Linux, and for a short time on a FreeBSD box.

    --
    I AM, therefore I THINK!
  35. Re:Yup - secure... by SanityInAnarchy · · Score: 2, Informative

    And IE is more secure how?

    Windows update is worse. It'll force you to reboot your whole computer, not just your browser. And you still have to click the little button on most computers.

    --
    Don't thank God, thank a doctor!
  36. Re:Yup - secure... by karstux · · Score: 2, Informative

    Problem is, this little red icon isn't supported by all skins. I use the "SomeOrbitYellow" theme, and have never seen this icon - it's there and clickable, but invisible.

    --
    Don't whistle while you're pissing.
  37. Re:Uh oh! by Curtman · · Score: 2, Informative

    what's wrong with Opera's JavaScript?

    It's not the fault of Opera really, but the DOM doesn't match either Netscape/Moz or Exploder.. I wouldn't consider myself a "web developer" by any means, but I've done my share. Getting pages to work in IE and FF is a chore, and supporting Opera is just a waste of time.

  38. Re:It's not that easy... by EvilJoker · · Score: 3, Informative

    Mozilla provides a number of builds: Windows, MacOS X, and Linux i686, and each in a wide variety of languages.

    These are the ONLY builds they should be worried about patching (and if they could make it language independent, it would be 3 packages). Everyone else gets the source code. Let Portage figure out how to update things.

  39. Re:Yup - secure... by Finuvir · · Score: 4, Informative

    Firefox 1.1 will have support for binary patches, meaning no more full application download to fix a single bug.

    --
    Why is anything anything?
  40. Oh yes it will! by Anonymous Coward · · Score: 2, Informative
    Or all the windows users could just switch to Linux where this "exploit" won't do shit.

    Obviously "aichpvee" didn't RTFA:

    Additionally it has been confirmed that this exploit does not only affect Microsoft Windows users but, if the code is adapted, can also affect both MacOS and *nix operating systems running a vulnerable version of Firefox. The basic problem lies within Firefox's pseudo "Active-X" mechanism designed to dynamically download executable programs.
  41. Re:gah by sploit · · Score: 2, Informative

    There are two independent bugs which are combined in the demo exploit. The cross site scripting part does not require any whitelist privilege whatsoever. If you're using login cookies, you're vulnerable. It is entirely possible to write an exploit which orders stuff from online stores, in your name and from your IP address. Combined with the cross site scripting bug, the whitelist requirement of the remote execution bug is moot, because a site can simply inject code into one of the standard whitelisted sites. The temporary fix on UMO breaks the published exploit, but there is no reason why an exploit couldn't simply inject its own call to InstallTrigger.install into one of these sites. This is a VERY dangerous combination of bugs. There will be exploits. The only way to escape both bugs is to turn off Javascript. Turning off software installation just prevents the remote execution, not the cross site scripting.