Slashdot Mirror
New Mozilla Firefox 1.0.3 Exploit
An anonymous reader writes "News sources are reporting that a 'killer' new Firefox exploit has been revealed today by FrSIRT who warn that this 0day exploit/vulnerability (as yet unpatched) should be rated as critical. Summary of the exploit: If a user clicks anywhere on a specially crafted page, this code will automatically create and execute a malicious batch/exe file. Proof of concept code supplied by FrSIRT."
This was reported to the mozilla bugzilla a while ago. https://bugzilla.mozilla.org/show_bug.cgi?id=29269 1
Bugzilla bug 293302 has been filed. A temporary fix has been implemented on UMO.
They were already working on patching this, but it was stolen before they could finish and leaked to bugtraq with LIVE material in the exploit (it's not a proof of concept, folks!) and no explanation or advisory.
/. referers. Copy URL and paste in new to view. (Beware Slashcode's extra spaces.)
9 1 %lt; Original security bug (probably still blocked to outsiders to prevent someone stealing it before mitigation)
0 2 %lt; Duplicate (reported after leak)
h tml
Reminder: Bugzilla blocks
https://bugzilla.mozilla.org/show_bug.cgi?id=2926
https://bugzilla.mozilla.org/show_bug.cgi?id=2933
They are going to release a 1.0.4 shortly, I gather.
Still more timely than most of Microsoft's advisories... despite their earlier announcement. http://www.eeye.com/html/research/upcoming/index.
Yes, it's in Bugzilla (bug is temporarily restricted because of security concerns). There's also a dupe already. No need to add more.
A^C^E, a Firefox security researcher, is claiming on Addict3D.org that this is a 0day duplicate of a leaked, known bug. He says, "I suspect that my server was compromised, and I am currently using my contacts to find the culprit and bring him to justice."
Also, bugzilla.mozilla.org is claiming they've been slashdotted. Go easy on em.
Uncheck Tools > Options > Web Features > Allow web sites to install software
http://yro.slashdot.org/article.pl?sid=05/01/28/03 1248
Disable JavaScript, or disable the "Allow web sites to install software" option [Tools - Options - Web Features].
Why would anyone run routinely with "Allow web sites to install software" enabled ?
Unfortunately, the exploit could have just as easily created a file starting with #!/bin/sh, and passed 555 as the 'permissions' argument to createUnique.
Why on earth the browser thinks it's necessary to allow scripts to create executeable files is beyond me.
Secunia have already released an advisory explaining how the exploit works:
http://secunia.com/advisories/15292/
This is the first Firefox exploit that has received the rating 'Extremely Critical'.
--- Extract from Secunia's site ---
Description:
Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.
1) The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.
2) Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.
Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").
A combination of vulnerability 1 and 2 can be exploited to execute arbitrary code.
NOTE: Exploit code is publicly available.
The vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.
Solution:
Disable JavaScript.
I'll probably be modded down for this...
Start your stop watches and let's see how long before a patch is forthcoming
Might as well hit stop now. The bug isn't exploitable any more since update.mozilla.org itself has been fixed.
Reading the Secunia explanation:
Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").
So, unless you've whitelisted the exploit site (which generally would mean it's a site you trusted enough to install an XPI from), or the Mozilla website has been compromised, the exploit won't work.
In Firefox, to stop this vulnerability:
Web Features->Allow web sites to install software
I'll switch to MS IE as it has no known serious vulns
Internet Explorer Long Share Name Buffer Overflow Highly Critical
Yeah... whatever. I don't mind if you would rather use a browser with a known serious security problem, but saying that IE has no known serious issues is misinformed.
I'll probably be modded down for this...
This is already being worked on and should be in 1.1. ^_^ Check out ben's blog about it.
A quote: "Darin has figured out how to get binary patching working, and is working on a system for incremental background update download."
For people running Firefox in a business or school with centrally locked down settings I think a quick fix might be to add
lockpref("xpinstall.enabled","false");
xpinstall.enabled seems to be the preference changed by "Allow websites to install software"
Well, in Windows it would only have administrator priviliges if the user was dumb enough to run Firefox as an administrator. ;)
That is incorrect. The exploit works by loading a page from a trusted site (one of the mozilla.org sites on the whitelist), then taking advantage of another Firefox bug to run some javascript in the security context of the trusted site.
My server
Anyone actually tried this yet? I did and it did NOT work on Windows XP, Windows 2000, Linux (obvious), Windows 98, Windows 2003 Server or Windows NT 4.0? So what gives? More FUD being spread about Firefox again?
Are you telling me you expect a noob to know this? How is my grandmother supposed to know of this?
Know what? Whats wrong with your grandma, Alzheimer's?
Why doesn't the little red arrow (update icon) display yet?
Because you don't need to update anything. It was fixed on updates.mozilla.org. The site needs to be in your white list of sites that are allowed to install software to be vulnerable. I'm sure they will have a more permanent fix later at some point, but the current exploit no longer works. Go ahead and try it.
So, as far as I'm concerend -- it's not.
But you're a bit of a fool, so I'm not sure your opinion counts.
We made some server-side changes on update.mozilla.org to mitigate the attack.
My server
Um, let's take a minute and remember that according to the secunia advisory, ONLY sites that are allowed to install software can exploit this. And by default, that's only update.mozilla.org and addons.mozilla.org. If you are not adding untrustd sites to the list of sites that can install software to your browser, you are probably not in danger. That is not to say this doesn't need to get fixed, it totally does. But we're probably getting a little more excited/worried than there is cause for.
Mozilla provides a number of builds- Windows, MacOS X, and Linux i686, and each in a wide variety of languages.
These are the ONLY builds they should be worried about patching (and if they could make it language independent, it would be 3 packages). Everyone else gets the source code. Let Portage figure out how to update things.
Firefox 1.1 will have support for binary patches, meaning no more full application download to fix a single bug.
Why is anything anything?