New Mozilla Firefox 1.0.3 Exploit
An anonymous reader writes "News sources are reporting that a 'killer' new Firefox exploit has been revealed today by FrSIRT who warn that this 0day exploit/vulnerability (as yet unpatched) should be rated as critical. Summary of the exploit: If a user clicks anywhere on a specially crafted page, this code will automatically create and execute a malicious batch/exe file. Proof of concept code supplied by FrSIRT."
Maybe it's time to accept Firefox has its fair share of exploits?
And the best part is, the patch management system in Firefox is so damn poor (i.e. non-existent) that getting these patches distributed to end-users is a real damn chore (assuming they are distributed at all).
It looks like a hacker alias, but it really stands for French Security Incident Response Team. Exploit description cached here.
Subj says it all. That HTML page, after loading into Firefox, gives a JavaScript error on some line according to the JS console...
Does it work really?
...with Firefox 1.0.3 on Windows 2000, and it didn't execute anything. Anyone else try it on Windows?
Just curious, I downloaded the page and loaded it up on several systems:
Win XP, Firefox 1.0.3
Win 2k, Firefox 1.0.3
FreeBSD, Firefox 1.0.3
and none of them did anything. The JavaScript looks like it should save a file (c:\booom.bat) and run it, which should echo "malicious commands here" and wait for a keypress.
Is this truly an issue with Firefox and not some other software? If so, any ideas why it doesn't work?
Copy and paste the parent link into a new tab, or Firefox/Mozilla users set "network.http.sendRefererHeader" in about:config to 0 and then click.
Interesting - even when you go past the "cant view bugs from slashdot" stuff,
Speaking of which, is there a way to turn off referrer information in Firefox? It seems to me to be a big privacy problem, and it adds almost no functionality. I really have no incentive to tell other people what sites I'm browsing, so I'd rather not.
Excellent analysis. Wish I could mod you up, but hopefully others will take it upon themselves to do this. There is some light at the end of the tunnel, however; I gather that the installed version of Firefox spans several small-ish files, and that the next Firefox version (i.e. 1.1 onwards) will be geared towards swapping out just the files that cause the problem, alleviating the large downloads (and general inelegance) of performing a full download & re-install every time a patch is required.
I tried the proof-of-concept exploit provided, but it didn't seem to work. I loaded the page and clicked it like a madman... nothing.
My system is GNU/Linux running Firefox 1.
If you are running your web browser as root, and you get rooted, then it is your fault.
Don't run as root unless you have to.
I'll probably be modded down for this...
Hmmm... with all the strong support of Opera users from /. a few weeks ago about the launch of 8.0, there hasn't been a comment on Opera yet.
Well, Opera doesn't seem to have this vulnerability or IE's woes.
Well that's the essential question. If it doesn't I'd rather flee to mozilla suite than IE.
"It's a severe security-related bug, so the bug report is restricted."
And yet, when Microsoft does this, somehow it's "reprehensible".
Isn't the Open-Source model supposed to be, you know, open? The exploit is already in the wild. Blocking access to the bug doesn't do any good.
Anyhow quoting the article:
The design is flawed.
... activex LOL", when FF does in fact have a nearly identical feature as ActiveX. And when there's a mechanism for installing program files from webpages, people will tend to find holes in the sandbox. Hopefully this quiets the "better by design" crowd.
Agreed -- and even worse, the design was copied directly from Microsoft's ActiveX system!
It's a bit frustrating to see Firefox advocates continually prattle about "Security
Whenever I hear the word 'Innovation', I reach for my pistol.
>>It's too bad it has obnoxious ads, its javascript sucks, and it is proprietary though.
Proprietary, heaven forbid!
JavaScript works just fine. When you don't see a site working properly, it's the script that's the problem. Opera 6 was very stringent about adhering to ECMAScript standards. Opera 7 relaxed that a bit, and version 8 even more.
It's very easy to make the ads go away (and they are not at all obnoxious or intrusive to begin with).
Simply register the software.
The devs were already working on it before some jerk did full disclosure with a working exploit.
Well double dumbass on the Mozilla developers for knowing about it and not taking steps to mitigate it even without an exploit in the wild. Calling the person who released it a "jerk" just shows that you have no understanding that a security risk is severe, whether or not anybody knows about its existence. It's said time and time again, but nobody ever listens: security through obscurity is not security. The person who posted it wasn't a jerk - that's just blaming somebody else for the Mozilla developers' failures. Stop pointing the finger, fix the damn problem, and release a patch before Monday morning.
[Disclaimer: I'm a Mozilla lover, not a Mozilla hater, but lovers can still have quarrels. I've used Phoenix/Firebird/Firefox exclusively since a week after Phoenix 0.1 was made public, and I've been a heavy advocate for it from day 1.]
Well double dumbass on the Mozilla developers for knowing about it and not taking steps to mitigate it even without an exploit in the wild.
There was nothing the Mozilla developers COULD do to mitigate it. Only when we (the Mozilla Update devs) realized exactly how the exploit depended on the Mozilla Update website could we do anything - and we spent a few hours last night working on the first level of mitigation. We've been working on a better solution most of today.
Calling the person who released it a "jerk" just shows that you have no understanding that a security risk is severe, whether or not anybody knows about its existence.
Yes, and it becomes a lot more severe once an exploit is posted for all the script kiddies to use. Do you really think we're better off now that any idiot can own a Firefox user's machine, rather than just the white hat who reported the hole (plus at most a few black hats)?
It's said time and time again, but nobody ever listens: security through obscurity is not security.
Obscurity is a valid layer of security, so long as it's not the only one. The fact that somebody felt it was wise to strip us of one layer of protection is what is annoying.
If one of the doors to your house had a broken lock, would you rather have that be a secret until you can get to the hardware store and fix it, or have someone inform the whole neighborhood? Of course you'd PREFER to not have a broken lock at all, but in the real world, things don't always go the way you want.
The person who posted it wasn't a jerk - that's just blaming somebody else for the Mozilla developers' failures. Stop pointing the finger, fix the damn problem, and release a patch before Monday morning.
Nobody blames the person who leaked it for the hole - I blame the person who leaked it for the people who get hacked as a result of the posted exploit.