Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Mozilla Firefox 1.0.3 Exploit

Posted by CmdrTaco on from the happens-to-every-browser dept.

An anonymous reader writes "News sources are reporting that a 'killer' new Firefox exploit has been revealed today by FrSIRT who warn that this 0day exploit/vulnerability (as yet unpatched) should be rated as critical. Summary of the exploit: If a user clicks anywhere on a specially crafted page, this code will automatically create and execute a malicious batch/exe file. Proof of concept code supplied by FrSIRT."

5 of 596 comments (clear)

  1. Yup - secure... by Anonymous Coward · · Score: 5, Interesting

    Maybe it's time to accept Firefox has it's fair share of exploits?

    And the best part, is the patch management system in Firefox is so damn poor (ie. non-existant), getting these patches distributed to end-users is a real damn chore (assuming they are distributed at all).

    1. Re:Yup - secure... by Jugalator · · Score: 4, Interesting

      I'm running Firefox 1.0.2 and it displays:

      1. No update notification
      2. No red blob in a corner.
      3. No dialog box telling something new is available.

      The feature seems unreliable at best.

      --
      Beware: In C++, your friends can see your privates!
  2. Re:I'm sure everyone whill complain by ssj_195 · · Score: 4, Interesting
    And everyone will say ":oh no firefox is a security risk" whaaaa. well this isnt really the case and is overstating things just a bit. When it comes down to it firefox still has many quicker fixes and the bug is probably already fixed by now.
    Perhaps the bug is already fixed in the dev tree, but this is irrelevant if the fix takes 3 months to deploy to users. Hopefully, the fixes to the auto-update system coming up in 1.1 (where a "security fix" does not consist simply of "re-install the whole of Firefox with this new version") will make the whole deployment aspect faster. Although I have to say, Firefox 1.0.3 seemed to follow quite quickly on the heels of 1.0.2, which is encouraging! :)
  3. Are you sure? by naelurec · · Score: 5, Interesting

    Just curious, I downloaded the page and loaded it up on several systems:

    Win XP, Firefox 1.0.3
    Win 2k, Firefox 1.0.3
    FreeBSD, Firefox 1.0.3

    and none of them did anything. The javascript looks like it should save a file (c:\booom.bat) and run it which should echo "malicious commands here" and wait for a keypress.

    Is this truly an issue with Firefox and not some other software? If so, any ideas why it doesn't work?

  4. Re:This isn't much of an "exploit" by NutscrapeSucks · · Score: 3, Interesting

    The design is flawed.

    Agreed -- and even worse, the design was copied directly from Microsoft's ActiveX system!

    It's a bit frustrating to see Firefox advocates continually prattle about "Security ... activex LOL", when FF does in fact have a nearly identical feature as ActiveX. And when there's a mechanism for installing program files from webpages, people will tend to find holes in the sandbox. Hopefully this quiets the "better by design" crowd.

    --
    Whenever I hear the word 'Innovation', I reach for my pistol.