Slashdot Mirror
New Mozilla Firefox 1.0.3 Exploit
An anonymous reader writes "News sources are reporting that a 'killer' new Firefox exploit has been revealed today by FrSIRT who warn that this 0day exploit/vulnerability (as yet unpatched) should be rated as critical. Summary of the exploit: If a user clicks anywhere on a specially crafted page, this code will automatically create and execute a malicious batch/exe file. Proof of concept code supplied by FrSIRT."
Start your stop watches and let's see how long before a patch is forthcoming. To my mind that is the real test Then compare that time to M$' response time.
Eric C Williams E-Builders, LLC
Patching is something where Firefox really needs to catch up on.
One of the advantages of IE is that when an exploit comes around you just send everyone a 300k file instead of 20MB of browser. With Firefox, you have to send them an entire browser every time 1 exploit comes out.
What Firefox needs is some sort of patching element built in to deal with patching the browser instead of forcing a complete downoad. It's not that Firefox cant do this. In fact, since most of the code is spread out across many files it should be a cakewalk to just update the affected file(s) automaticially with little to no user intervention. This would keep the file size download to a very minimum, allow it to update more frequently without waiting for a point release, and be easier to handle for people who dont know or care about security issues.
In Soviet Russia, Trojan exploits YOU!
There's not many comments yet, but most of them have a similar theme: " Oh no, now Microsoft and Internet Explorer users can get payback for all the trash talk we've thrown at them." Then they rationalize it with, "But, MS and IE are way worse because of quantity, severity, and duration until patch."
Now think about it for a minute. Who are you really at war against? Security exploits and the people who would exploit them, or browsers other than the one you use and the people that use them?
This reminds me of the days when Mac zealots would get all freaked out every time PC's got faster. "OMG, this is bad news! Now there are 3GHz PCs for under 500 dollars!"
This really boils down to people rating the quality of Product A compared to the suckiness of Product B. Personally, I've been using Products A, B, and C for a long time. When there is a problem found with Product B, that really doesn't make Product A perform the task I use it for any better.
If you want to call yourself a truly knowledgeable computer user, then you have to acknowledge that Products A, B, and C all have their strengths and weaknesses and therefore have tasks their better suited for as well as tasks in which they're not the best solution.
If you look at it from the proper perspective, every time an exploit is found by good people before bad people have a chance to do harm with it then it is good for everyone.
This particular exploit also demonstrates how foolish it is to posture and sling insults. The whole time FF users slung insults at IE when exploits were found, this exploit was there lurking below the surface waiting to be found.
Let applications that are without exploit cast the first stone. Since that's never going to happen, argue your cause based on its merits.
I have to disagree. This sort of exploit is extremely worrying.
At first, Mozilla fans (me included) all said "the chances of Firefox getting 0wned by exploits is very slim, Mozilla is secure by design -- IE isn't".
By about 0.9 or 0.10 the holes started pouring in -- but it was ok: "This is simply Mozilla Foundation's bug patching contest, they are working FOR us instead of AGAINST us."
After this it wasn't only white-hat mozilla funded security experts that started showing there was holes in the code. We changed our story again and, somewhat rightly, pointed out that "these are very theoretical and it would be very hard to use this to exploit a computer like IE can".
This is a really big problem. This will get exploited like crazy as it seems exceptionally easy to do. Not only that, I expect the only fix from Mozilla will be as usual, a 5MB binary installer with the files changed. This is unacceptable on a 56k modem and people just won't bother upgrading to a secure version.
The basic problem is that the Mozilla developers, in their futile attempt to create a "platform", put in a mechanism comparable to Active-X - a way to dynamically download executable programs. Of course, they tried to make sure this "feature" could not be used for purposes of evil. Like Microsoft, they failed.
Understand, this isn't subtle. The code uses built-in Mozilla JavaScript extensions to create a local file in a very straightforward way. It then calls "nsILocalFile::launch()" (which does exactly what you think it does) to launch it. Those are capabilities that shouldn't be in a browser's JavaScript engine at all.
Having designed in a potential security hole big enough to drive a semitrailer through, they tried to make it "secure" with the usual crap approaches - signatures, lists of trusted sites, and disabling for certain types of URLs. They failed. They forgot to make those checks for "favicon.ico" files (Mozilla's implementation of a Microsoft icon-in-the-toolbar gimmick.)
Plugging that hole is not the answer. The problem is more fundamental. "nsILocalFile::launch()" needs to be removed. Browsers have no business launching arbitrary executable programs. Period.
And on the flip side - where's all the folks who defend Microsoft's practices? Shouldn't they be also standing up here and saying how responsible the Mozilla Foundation is?
Really - why try to paint this as an "open source vs. Microsoft" issue? If anything, this is the usual "full disclosure" vs. "reponsible disclosure" vs. "no disclosure" debate. The underlying development model has little to do with it.