New Mozilla Firefox 1.0.3 Exploit

An anonymous reader writes "News sources are reporting that a 'killer' new Firefox exploit has been revealed today by FrSIRT who warn that this 0day exploit/vulnerability (as yet unpatched) should be rated as critical. Summary of the exploit: If a user clicks anywhere on a specially crafted page, this code will automatically create and execute a malicious batch/exe file. Proof of concept code supplied by FrSIRT."

This was reported to bugzilla some time ago!

[Exter-C]

This was reported to the mozilla bugzilla a while ago. https://bugzilla.mozilla.org/show_bug.cgi?id=29269 1

Re:This was reported to bugzilla some time ago!

It's a severe security-related bug, so the bug report is restricted. This is meant to stop script kiddies from scanning bugzilla for unpatched exploitable bugs. Unless you're a disciple of the full disclosure persuasion, that is the correct way. The Mozilla Foundation discloses all bugs when a patch is available to the general public.

It's "Open Source", not "Sploitz4Free".

Reported and temporarily fixed

[alanjstr]

Bugzilla bug 293302 has been filed. A temporary fix has been implemented on UMO.

Stolen exploit

They were already working on patching this, but it was stolen before they could finish and leaked to bugtraq with LIVE material in the exploit (it's not a proof of concept, folks!) and no explanation or advisory.

Reminder: Bugzilla blocks /. referers. Copy URL and paste in new to view. (Beware Slashcode's extra spaces.)

https://bugzilla.mozilla.org/show_bug.cgi?id=29269 1 %lt; Original security bug (probably still blocked to outsiders to prevent someone stealing it before mitigation)

https://bugzilla.mozilla.org/show_bug.cgi?id=29330 2 %lt; Duplicate (reported after leak)

They are going to release a 1.0.4 shortly, I gather.

Still more timely than most of Microsoft's advisories... despite their earlier announcement. http://www.eeye.com/html/research/upcoming/index.h tml

Leaked known bug

A^C^E, a Firefox security researcher, is claiming on Addict3D.org that this is a 0day duplicate of a leaked, known bug. He says, "I suspect that my server was compromised, and I am currently using my contacts to find the culprit and bring him to justice."

Also, bugzilla.mozilla.org is claiming they've been slashdotted. Go easy on em.

Possible workaround:

[wideangle]

Uncheck Tools > Options > Web Features > Allow web sites to install software

This isn't much of an "exploit"

[richg74]

The actual advisory page is here. The "Solutions" section says this:

Disable JavaScript, or disable the "Allow web sites to install software" option [Tools - Options - Web Features].

Why would anyone run routinely with "Allow web sites to install software" enabled ?

Re:This isn't much of an "exploit"

[cortana]

> Why would anyone run routinely with "Allow web sites to install
> software" enabled?

1. It's on by default
2. We naievely assumed that the whitelist of web sites allowed to install software did its damn job.

Re:Nasty

[cortana]

Unfortunately, the exploit could have just as easily created a file starting with #!/bin/sh, and passed 555 as the 'permissions' argument to createUnique.

Why on earth the browser thinks it's necessary to allow scripts to create executeable files is beyond me.

Secunia: Extremely Critical

[MarkByers]

Secunia have already released an advisory explaining how the exploit works:

http://secunia.com/advisories/15292/

This is the first Firefox exploit that has received the rating 'Extremely Critical'.

--- Extract from Secunia's site ---

Description:
Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.

1) The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.

2) Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.

Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").

A combination of vulnerability 1 and 2 can be exploited to execute arbitrary code.

NOTE: Exploit code is publicly available.

The vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.

Solution:
Disable JavaScript.

Re:Uh oh!

[MarkByers]

In Firefox, to stop this vulnerability:

Web Features->Allow web sites to install software

I'll switch to MS IE as it has no known serious vulns

Internet Explorer Long Share Name Buffer Overflow Highly Critical

Yeah... whatever. I don't mind if you would rather use a browser with a known serious security problem, but saying that IE has no known serious issues is misinformed.

Re:Yup - secure...

[starwed]

This is already being worked on and should be in 1.1. ^_^ Check out ben's blog about it.

A quote: "Darin has figured out how to get binary patching working, and is working on a system for incremental background update download."

Fixes for large sites

[shirro]

For people running Firefox in a business or school with centrally locked down settings I think a quick fix might be to add

lockpref("xpinstall.enabled","false");

xpinstall.enabled seems to be the preference changed by "Allow websites to install software"

Re:Nasty

[cortana]

Well, in Windows it would only have administrator priviliges if the user was dumb enough to run Firefox as an administrator. ;)

Re:Are you sure?

[CTho9305]

We made some server-side changes on update.mozilla.org to mitigate the attack.