Slashdot Mirror
New Mozilla Firefox 1.0.3 Exploit
An anonymous reader writes "News sources are reporting that a 'killer' new Firefox exploit has been revealed today by FrSIRT who warn that this 0day exploit/vulnerability (as yet unpatched) should be rated as critical. Summary of the exploit: If a user clicks anywhere on a specially crafted page, this code will automatically create and execute a malicious batch/exe file. Proof of concept code supplied by FrSIRT."
Oh, wait.
Because THAT, with some documentation, would be helpfull. Still, as long as it doesn't create *nix r00tkits on the fly on my box, I'm on the safeside :)
Maybe it's time to accept Firefox has it's fair share of exploits?
And the best part, is the patch management system in Firefox is so damn poor (ie. non-existant), getting these patches distributed to end-users is a real damn chore (assuming they are distributed at all).
That's nasty! I'm glad that in Linux files aren't automagically executable when you give them a certain name :)
This was reported to the mozilla bugzilla a while ago. https://bugzilla.mozilla.org/show_bug.cgi?id=29269 1
I'm using Linux too, but from what I hear, a significant amount of Windows users are completely and totally failing to trigger the exploit. Have any Windows users managed to get it to actually work, yet?
Firefox had the advantage of being able to fix bugs reveled by IE expolits. This gave the illusion of it being a bulletproof browser. Now that it has caught up with IE, it has exploits of it's own which just show that it's not much better than IE (coding standard-wise).
As long as programs are written by humans, there'll be flaws. It's a fact of software-development.
Will I have to download another 4.5MB so that I can fix this flaw?
Exploit summery? Well, the weather is improving but I doubt that the exploit caused it.
Bugzilla bug 293302 has been filed. A temporary fix has been implemented on UMO.
You converted 45 % of your family to Firefox?
Join the anonymous, help develop the network: http://www.i2p2.de
didn't work
It looks like a hacker alias, but it really stands for French Security Incident Response Team. Exploit description cached here.
---- Just another spud server.
They were already working on patching this, but it was stolen before they could finish and leaked to bugtraq with LIVE material in the exploit (it's not a proof of concept, folks!) and no explanation or advisory.
/. referers. Copy URL and paste in new to view. (Beware Slashcode's extra spaces.)
9 1 %lt; Original security bug (probably still blocked to outsiders to prevent someone stealing it before mitigation)
0 2 %lt; Duplicate (reported after leak)
h tml
Reminder: Bugzilla blocks
https://bugzilla.mozilla.org/show_bug.cgi?id=2926
https://bugzilla.mozilla.org/show_bug.cgi?id=2933
They are going to release a 1.0.4 shortly, I gather.
Still more timely than most of Microsoft's advisories... despite their earlier announcement. http://www.eeye.com/html/research/upcoming/index.
A^C^E, a Firefox security researcher, is claiming on Addict3D.org that this is a 0day duplicate of a leaked, known bug. He says, "I suspect that my server was compromised, and I am currently using my contacts to find the culprit and bring him to justice."
Also, bugzilla.mozilla.org is claiming they've been slashdotted. Go easy on em.
...but Firefox keeps suggesting I run it with Wine. I don't get it, I'm not thirsty. I'd rather run it with a nice plate of steak and eggs.
My God! It's full of Voids!
...with Firefox 1.0.3 on Windows 2000, and it didn't execute anything. Anyone else try it on Windows?
Uncheck Tools > Options > Web Features > Allow web sites to install software
Just curious, I downloaded the page and loaded it up on several systems:
Win XP, Firefox 1.0.3
Win 2k, Firefox 1.0.3
FreeBSD, Firefox 1.0.3
and none of them did anything. The javascript looks like it should save a file (c:\booom.bat) and run it which should echo "malicious commands here" and wait for a keypress.
Is this truly an issue with Firefox and not some other software? If so, any ideas why it doesn't work?
Disable JavaScript, or disable the "Allow web sites to install software" option [Tools - Options - Web Features].
Why would anyone run routinely with "Allow web sites to install software" enabled ?
FrSIRT Vurnerability Alert!!
FrSIRT will go down 2 minutes after the start of a brutal Slashdotting.
the patch management system in Firefox is so damn poor (ie. non-existant)
Pretty much any modern OS distribution comes with a package manager that handles upgrading for you. Time for you to upgrade your OS perhaps.
I'll probably be modded down for this...
Wanna bet? In my experience it's the Firefox fanboys and zealots who cry that about IE every time it's mentioned on Slashdot. Firefox is the better browser, but kids, we already know that, and bashing IE doesn't make it any better.
I'd also wager that comments like "This will be fixed quickly, IE still sucks." will get modded up to +5 insightful instantly. Again. Off-topic is so relative when it comes to Slashdot, you see.
There's not many comments yet, but most of them have a similar theme: " Oh no, now Microsoft and Internet Explorer users can get payback for all the trash talk we've thrown at them." Then they rationalize it with, "But, MS and IE are way worse because of quantity, severity, and duration until patch."
Now think about it for a minute. Who are you really at war against? Security exploits and the people who would exploit them, or browsers other than the one you use and the people that use them?
This reminds me of the days when Mac zealots would get all freaked out every time PC's got faster. "OMG, this is bad news! Now there are 3GHz PCs for under 500 dollars!"
This really boils down to people rating the quality of Product A compared to the suckiness of Product B. Personally, I've been using Products A, B, and C for a long time. When there is a problem found with Product B, that really doesn't make Product A perform the task I use it for any better.
If you want to call yourself a truly knowledgeable computer user, then you have to acknowledge that Products A, B, and C all have their strengths and weaknesses and therefore have tasks their better suited for as well as tasks in which they're not the best solution.
If you look at it from the proper perspective, every time an exploit is found by good people before bad people have a chance to do harm with it then it is good for everyone.
This particular exploit also demonstrates how foolish it is to posture and sling insults. The whole time FF users slung insults at IE when exploits were found, this exploit was there lurking below the surface waiting to be found.
Let applications that are without exploit cast the first stone. Since that's never going to happen, argue your cause based on its merits.
Hm.
I am no linux expert, but wouldnt it be perfectly possible to make a linux version, that lets say downloads and executes a shell script that kills you user directory?
HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
Now we'll see Microsoft going "OMG DON'T USE FIREFOX YOU CAN'T EVEN CLICK ON SOMETHING SAFELY!".
You mean like the F/OSS evangelists do everytime a flaw is found in Internet Explorer?
However, I do think there is an important lesson in here - a lot of open source advocates have set an unreasonable level of expectations by proclaiming the amazing magic of open source: A fantasy world where every line is thoroughly vetted by thousands of super-experts, and if the source is available that instantly disproves the existence of malicious intent (put a trojan out, mark in GPL and make the source available, and I'd bet a lot of the converted would immediately download and install blindly. There are countless OSS projects where no one but the author ever bothers looking at the code).
I routinely see websites exploit a fully-patched IE -- either due to some unpatched vulnerability or due to the ease of tricking the user with IE. I have yet to see a single website successfully exploit firefox. Of course, that doesn't excuse your sysadmin's incompetence, but I would say even Firefox 1.0 is a hell of a lot less vulnerable than the latest MSIE.
I have to disagree. This sort of exploit is extremely worrying.
At first, Mozilla fans (me included) all said "the chances of Firefox getting 0wned by exploits is very slim, Mozilla is secure by design -- IE isn't".
By about 0.9 or 0.10 the holes started pouring in -- but it was ok: "This is simply Mozilla Foundation's bug patching contest, they are working FOR us instead of AGAINST us."
After this it wasn't only white-hat mozilla funded security experts that started showing there was holes in the code. We changed our story again and, somewhat rightly, pointed out that "these are very theoretical and it would be very hard to use this to exploit a computer like IE can".
This is a really big problem. This will get exploited like crazy as it seems exceptionally easy to do. Not only that, I expect the only fix from Mozilla will be as usual, a 5MB binary installer with the files changed. This is unacceptable on a 56k modem and people just won't bother upgrading to a secure version.
Secunia have already released an advisory explaining how the exploit works:
http://secunia.com/advisories/15292/
This is the first Firefox exploit that has received the rating 'Extremely Critical'.
--- Extract from Secunia's site ---
Description:
Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.
1) The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.
2) Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.
Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").
A combination of vulnerability 1 and 2 can be exploited to execute arbitrary code.
NOTE: Exploit code is publicly available.
The vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.
Solution:
Disable JavaScript.
I'll probably be modded down for this...
Excellent analysis. Wish I could mod you up, but hopefully others will take it upon themselves to do this. There is some light at the end of the tunnel, however; I gather that the installed version of Firefox spans several small-ish files, and that the next Firefox version (i.e. 1.1 onwards) will be geared towards swapping out just the files that cause the problem, alleviating the large downloads (and general inelegance) of performing a full download & re-install every time a patch is required.
If you are running your web browser as root, and you get rooted, then it is your fault.
Don't run as root unless you have to.
I'll probably be modded down for this...
Hmmmm, F/OSS evangelists do that? Most them don't even care about IE bugs anymore, because they lost count.
Look, if I am honest, i don't give a shit about IE, because I simply don't use it, so I'm not going to bash or prise it. But what you claim is outright ridiculous. This is NOT a trojan case, it is first, so you compare apples with oranges, second, it is just bug in JavaScript, concept of installing software from web site was right with whitelist protection, if it doesn't work it is bug, but not in design, but in coding. Third, you just think that many people will install this theoretical GPL-based trojan horse without questions - don't mentioning that very early adaptors of any new GPL based app is usually geeks who doesn't take security lightly - then please show me some record when such thing ever has happened.
I would like to spend mod points to mod you troll, but hey, as it is stylish now to bash open source in Slashdot now (because lot of Microsoft/Windows crowd joined recently years) and you will get certanly some mod points for saying 'i told you so, open source is unsecure and evil'. It doesn't matter that reality check shows different picture.
user@ubuntubox:~$ stfu This server is going down for shutdown NOW!
For people running Firefox in a business or school with centrally locked down settings I think a quick fix might be to add
lockpref("xpinstall.enabled","false");
xpinstall.enabled seems to be the preference changed by "Allow websites to install software"
The basic problem is that the Mozilla developers, in their futile attempt to create a "platform", put in a mechanism comparable to Active-X - a way to dynamically download executable programs. Of course, they tried to make sure this "feature" could not be used for purposes of evil. Like Microsoft, they failed.
Understand, this isn't subtle. The code uses built-in Mozilla JavaScript extensions to create a local file in a very straightforward way. It then calls "nsILocalFile::launch()" (which does exactly what you think it does) to launch it. Those are capabilities that shouldn't be in a browser's JavaScript engine at all.
Having designed in a potential security hole big enough to drive a semitrailer through, they tried to make it "secure" with the usual crap approaches - signatures, lists of trusted sites, and disabling for certain types of URLs. They failed. They forgot to make those checks for "favicon.ico" files (Mozilla's implementation of a Microsoft icon-in-the-toolbar gimmick.)
Plugging that hole is not the answer. The problem is more fundamental. "nsILocalFile::launch()" needs to be removed. Browsers have no business launching arbitrary executable programs. Period.
unlike in Windows, it also wouldn't have superuser privileges.
Linspire (or at least older versions thereof) runs as superuser.
From a security standpoint, fully updated IE is much better than unupdated Firefox.
Unfortunately, a legit copy of the full update to IE costs at least $100 for users of Microsoft Windows 2000 operating systems.
In a nutshell, Firefox has the idea that some sites are privileged (namely the sites on the whitelist for installing software), it lets privileged sites have a dangerous degree of control over the user's computer, and it has at least one way for unprivileged sites to execute code in the context of a privileged site.
What are the important differences between this and Microsoft Internet Explorer? In MSIE some sites are in the Trusted Sites or Local Machine zones and therefore privileged. Such sites have a dangerous degree of control over the user's computer, and there have been many ways for unprivileged sites to execute code in the context of a privileged site.
Is Firefox doing something better than IE in its design, or are we going to see a whole class of bugs like this one in the future?
No one ever claimed F/OSS was perfect or resulted in perfect code
Yes, they have. Almost every discussion about such things here will have a number of replies claiming just that. Of course, those people aren't worth listening to, but they still say it.
It's official. Most of you are morons.
Sounds like a windows only vulnerability. Are the Mac and Linux versions open to the hole as well?
The devs were already working on it before some jerk full-disclosured w/working exploit. It had already been marked as a bug that would block both the 1.0.4 and 1.1 releases. All this person did was cause a lot of headaches for Mozilla developers, and put many users at risk.
My server
Well that's the essential question. If it doesn't I'd rather flee to mozilla suite than IE.
The security advisory doesn't explain it too well, but it it seems to imply that this only happens with sites that you've added to your list of sites trusted to install software (in which case it isn't really much of a problem).
Joe Llywelyn Griffith Blakesley
[This post is in the public domain (copyright-free) unless otherwise stated]
" javascript. The language that has no purpose anymore."
Look into Firefox's chrome directory and say that again.
"Only the small secrets need to be protected. The big ones are kept secret by public incredulity." - Marshall McLuhan
With propietary software it's easier to implement a binary update feature, since you're the only one that gets to compile the source code. However, since Firefox is free software (you know, free as in free speech), everybody can compile it, using perhaps different optimizations (portage comes to mind), so implementing a binary update for Firefox (or any other free software for that matter) is quite difficult.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
would be a script which downloads and installs a rootkit and/or IRC-controlled spam relay.
Seriously, it's not like google uses it for gmail or anything... oh wait.
-truth
I had a steady B+ in my AI class until I failed the Turing test...
The two sites "update.mozilla.org" and "addons.mozilla.org" are trusted by default, and the exploit only requires these default trusted sites.
The web page first tricks Firefox into installing a trusted extension (vulnerability 1). Then it takes advantage of an vulnerability during the install process (vulnerability 2).
Separately these vulnerabilities are not that worrying, but combine them, and you have a problem.
I'll probably be modded down for this...
Not a full patch, but the exploit no longer works. Look at the dates in TFA:
Exploit posted 07/05/2005
They noticed the Mozilla fix on 08.05.2005
IE still has multiple unpatched vulnerabilities, like it always does. Firefox gets a vulnerability and patches it the next day. I hate to call "astroturf", but the grandparent post reeks of green plastic.
So, I dare you: try it. Try posting a trojan in an open source project. See if it ever gets accepted. See how fast it gets patched, especially once it becomes known.
In reality, the difference is like night and day -- Firefox patched in 1 day, IE patched never.
Don't thank God, thank a doctor!
Um, let's take a minute and remember that according to the secunia advisory, ONLY sites that are allowed to install software can exploit this. And by default, that's only update.mozilla.org and addons.mozilla.org. If you are not adding untrustd sites to the list of sites that can install software to your browser, you are probably not in danger. That is not to say this doesn't need to get fixed, it totally does. But we're probably getting a little more excited/worried than there is cause for.
Perhaps you should manually download and install a release past beta. If you've been running the same version for "all these months" then you probably don't have a version current enough to include the update code. I've been getting the update notification icon since the 1.0 release, and perhaps even one of the release candidates. I've had the update icon working on Win2000, WinXP, SuSE Linux, and for a short time on a FreeBSD box.
I AM, therefore I THINK!
I would recommend that you stop letting the idiots drag you down to thier level.
"A man is but the product of his thoughts what he thinks, he becomes." -Mahatma Gandhi
Obviously "aichpvee" didn't RTFA:
The devs were already working on it before some jerk full-disclosured w/working exploit.
Well double dumbass on the Mozilla developers for knowing about it and not taking steps to mitigate it even without an exploit in the wild. Calling the person who released it a "jerk" just shows that you have no understanding that a security risk is severe, whether or not anybody knows about its existence. It's said time and time again, but nobody ever listens: security through obscurity is not security. The person who posted it wasn't a jerk - that's just blaming somebody else for the Mozilla developers' failures. Stop pointing the finger, fix the damn problem, and release a patch before Monday morning.
[Disclaimer: I'm a Mozilla lover, not a Mozilla hater, but lovers can still have quarrels. I've used Phoenix/Firebird/Firefox exclusively since a week after Phoenix 0.1 was made public, and I've been a heavy advocate for it from day 1.]
Well double dumbass on the Mozilla developers for knowing about it and not taking steps to mitigate it even without an exploit in the wild.
There was nothing the Mozilla developers COULD do to mitigate it. Only when we (the Mozilla Update devs) realized exactly how the exploit depended on the Mozilla Update website could we do anything - and we spent a few hours last night working on the first level of mitigation. We've been working on a better solution most of today.
Calling the person who released it a "jerk" just shows that you have no understanding that a security risk is severe, whether or not anybody knows about its existence.
Yes, and it becomes a lot more severe once an exploit is posted for all the script kiddies to use. Do you really think we're better off now that any idiot can own a Firefox user's machine, rather than just the white hat who reported the hole (plus at most a few black hats)?
It's said time and time again, but nobody ever listens: security through obscurity is not security.
Obscurity is a valid layer of security, so long as it's not the only one. The fact that somebody felt it was wise to strip us of one layer of protection is what is annoying.
If one of the doors to your house had a broken lock, would you rather have that be a secret until you can get to the hardware store and fix it, or have someone inform the whole neighborhood? Of course you'd PREFER to not have a broken lock at all, but in the real world, things don't always go the way you want.
The person who posted it wasn't a jerk - that's just blaming somebody else for the Mozilla developers' failures. Stop pointing the finger, fix the damn problem, and release a patch before Monday morning.
Nobody blames the person who leaked it for the hole - I blame the person who leaked it for the people who get hacked as a result of the posted exploit.
My server
There are two independent bugs which are combined in the demo exploit. The cross site scripting part does not require any whitelist privilege whatsoever. If you're using login cookies, you're vulnerable. It is entirely possible to write an exploit which orders stuff from online stores, in your name and from your IP address. Combined with the cross site scripting bug, the whitelist requirement of the remote execution bug is moot, because a site can simply inject code into one of the standard whitelisted sites. The temporary fix on UMO breaks the published exploit, but there is no reason why an exploit couldn't simply inject its own call to InstallTrigger.install into one of these sites. This is a VERY dangerous combination of bugs. There will be exploits. The only way to escape both bugs is to turn off Javascript. Turning off software installation just prevents the remote execution, not the cross site scripting.
Are you serious? Somehow you mixed up my post with the parent post and constructed some form of elaborate world where you were right and witty.
Unfortunatly, you lack the cognitive ability to figure out context and are flaming someone who is more or less on your side of this debate.
"A man is but the product of his thoughts what he thinks, he becomes." -Mahatma Gandhi
MS has always taken a "security through obsucrity" approach. They are firm advocates of keeping things closed. They believe it is best to keep things restricted to their in house and other trusted testers. They take public commentary, but only on the end result, the process and the code is shrouded in mystery.
/. since they like to periodicly run MS bug patch stories. When these run, there are always a ton of people who slam on MS for their security record, and specificly for keeping people in the dark about the bugs until patch day.
So for them, it's quite consistent to want to sit on a bug until they have a patch. After all, the code isn't open so no one else can fix it, and if it's kept quiet it's much more likely no one can exploit it until a patch is released.
Open source is the exact opposite theory, the many eyes theory. You open the entire code base to the entire world, without restriction. So anyone onw, malicious or benevolant can examine just how your stuff works. You actively encourage others to modify your work and to distribute those modifications to the world. It's all about transparancy and access.
So in this case it's rather inconsistent to keep everything hidden from the public. They are saying "there's a problem in the code we gave you, but we aren't going to tell you what it is or where it is." That sounds a lot like the Microsoft/closed source idea to me.
Also it's a particularly valid commentary on
However when an OSS patch story breaks, some of these very same people will crow on about how wonderful open source is and how fast the bug got patched because it's open. Often, however, a little investigation reveals that the bug has been known for some time, but the devs put a lid on it while the made a fix, same as MS does.
Now perhaps that's the proper strategy, you keep quiet about a bug until you have a fix, or until there's a demonstrated venurability in the wild. Maybe that's the best way to minimize damage. However, if that is the case, you can't hate on MS for doing it while praising Mozilla for the same thing.