Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Mozilla Firefox 1.0.3 Exploit

Posted by CmdrTaco on from the happens-to-every-browser dept.

An anonymous reader writes "News sources are reporting that a 'killer' new Firefox exploit has been revealed today by FrSIRT who warn that this 0day exploit/vulnerability (as yet unpatched) should be rated as critical. Summary of the exploit: If a user clicks anywhere on a specially crafted page, this code will automatically create and execute a malicious batch/exe file. Proof of concept code supplied by FrSIRT."

25 of 596 comments (clear)

  1. Yup - secure... by Anonymous Coward · · Score: 5, Interesting

    Maybe it's time to accept Firefox has it's fair share of exploits?

    And the best part, is the patch management system in Firefox is so damn poor (ie. non-existant), getting these patches distributed to end-users is a real damn chore (assuming they are distributed at all).

    1. Re:Yup - secure... by Deathlizard · · Score: 5, Insightful

      Patching is something where Firefox really needs to catch up on.

      One of the advantages of IE is that when an exploit comes around you just send everyone a 300k file instead of 20MB of browser. With Firefox, you have to send them an entire browser every time 1 exploit comes out.

      What Firefox needs is some sort of patching element built in to deal with patching the browser instead of forcing a complete downoad. It's not that Firefox cant do this. In fact, since most of the code is spread out across many files it should be a cakewalk to just update the affected file(s) automaticially with little to no user intervention. This would keep the file size download to a very minimum, allow it to update more frequently without waiting for a point release, and be easier to handle for people who dont know or care about security issues.

      --
      In Soviet Russia, Trojan exploits YOU!
    2. Re:Yup - secure... by starwed · · Score: 5, Informative

      This is already being worked on and should be in 1.1. ^_^ Check out ben's blog about it.

      A quote: "Darin has figured out how to get binary patching working, and is working on a system for incremental background update download."

  2. This was reported to bugzilla some time ago! by Exter-C · · Score: 5, Informative

    This was reported to the mozilla bugzilla a while ago. https://bugzilla.mozilla.org/show_bug.cgi?id=29269 1

    1. Re:This was reported to bugzilla some time ago! by Anonymous Coward · · Score: 5, Informative

      It's a severe security-related bug, so the bug report is restricted. This is meant to stop script kiddies from scanning bugzilla for unpatched exploitable bugs. Unless you're a disciple of the full disclosure persuasion, that is the correct way. The Mozilla Foundation discloses all bugs when a patch is available to the general public.

      It's "Open Source", not "Sploitz4Free".

    2. Re:This was reported to bugzilla some time ago! by _Sprocket_ · · Score: 5, Insightful
      And yet, when Microsoft does this, somehow it's "reprehensible".

      And on the flip side - where's all the folks who defend Microsoft's practices? Shouldn't they be also standing up here and saying how responsible the Mozilla Foundation is?

      Really - why try to paint this as an "open source vs. Microsoft" issue? If anything, this is the usual "full disclosure" vs. "reponsible disclosure" vs. "no disclosure" debate. The underlying development model has little to do with it.
  3. Reported and temporarily fixed by alanjstr · · Score: 5, Informative

    Bugzilla bug 293302 has been filed. A temporary fix has been implemented on UMO.

  4. Re:Pretty serious exploit by Mathiasdm · · Score: 5, Funny

    You converted 45 % of your family to Firefox?

    --
    Join the anonymous, help develop the network: http://www.i2p2.de
  5. Tried it on my Mac... by Anonymous Coward · · Score: 5, Funny

    didn't work

  6. Stolen exploit by Anonymous Coward · · Score: 5, Informative

    They were already working on patching this, but it was stolen before they could finish and leaked to bugtraq with LIVE material in the exploit (it's not a proof of concept, folks!) and no explanation or advisory.

    Reminder: Bugzilla blocks /. referers. Copy URL and paste in new to view. (Beware Slashcode's extra spaces.)

    https://bugzilla.mozilla.org/show_bug.cgi?id=29269 1 %lt; Original security bug (probably still blocked to outsiders to prevent someone stealing it before mitigation)

    https://bugzilla.mozilla.org/show_bug.cgi?id=29330 2 %lt; Duplicate (reported after leak)

    They are going to release a 1.0.4 shortly, I gather.

    Still more timely than most of Microsoft's advisories... despite their earlier announcement. http://www.eeye.com/html/research/upcoming/index.h tml

  7. Leaked known bug by Anonymous Coward · · Score: 5, Informative

    A^C^E, a Firefox security researcher, is claiming on Addict3D.org that this is a 0day duplicate of a leaked, known bug. He says, "I suspect that my server was compromised, and I am currently using my contacts to find the culprit and bring him to justice."

    Also, bugzilla.mozilla.org is claiming they've been slashdotted. Go easy on em.

  8. Re:Uh oh! by ebuilder · · Score: 5, Insightful

    Start your stop watches and let's see how long before a patch is forthcoming. To my mind that is the real test Then compare that time to M$' response time.

    --
    Eric C Williams E-Builders, LLC
  9. Possible workaround: by wideangle · · Score: 5, Informative

    Uncheck Tools > Options > Web Features > Allow web sites to install software

  10. Are you sure? by naelurec · · Score: 5, Interesting

    Just curious, I downloaded the page and loaded it up on several systems:

    Win XP, Firefox 1.0.3
    Win 2k, Firefox 1.0.3
    FreeBSD, Firefox 1.0.3

    and none of them did anything. The javascript looks like it should save a file (c:\booom.bat) and run it which should echo "malicious commands here" and wait for a keypress.

    Is this truly an issue with Firefox and not some other software? If so, any ideas why it doesn't work?

    1. Re:Are you sure? by CTho9305 · · Score: 5, Informative

      We made some server-side changes on update.mozilla.org to mitigate the attack.

      --
      My server
  11. This isn't much of an "exploit" by richg74 · · Score: 5, Informative
    The actual advisory page is here. The "Solutions" section says this:

    Disable JavaScript, or disable the "Allow web sites to install software" option [Tools - Options - Web Features].

    Why would anyone run routinely with "Allow web sites to install software" enabled ?

    1. Re:This isn't much of an "exploit" by cortana · · Score: 5, Informative

      > Why would anyone run routinely with "Allow web sites to install
      > software" enabled?

      1. It's on by default
      2. We naievely assumed that the whitelist of web sites allowed to install software did its damn job.

  12. This shouldn't be a competition. by FrothyBitter · · Score: 5, Insightful

    There's not many comments yet, but most of them have a similar theme: " Oh no, now Microsoft and Internet Explorer users can get payback for all the trash talk we've thrown at them." Then they rationalize it with, "But, MS and IE are way worse because of quantity, severity, and duration until patch."

    Now think about it for a minute. Who are you really at war against? Security exploits and the people who would exploit them, or browsers other than the one you use and the people that use them?

    This reminds me of the days when Mac zealots would get all freaked out every time PC's got faster. "OMG, this is bad news! Now there are 3GHz PCs for under 500 dollars!"

    This really boils down to people rating the quality of Product A compared to the suckiness of Product B. Personally, I've been using Products A, B, and C for a long time. When there is a problem found with Product B, that really doesn't make Product A perform the task I use it for any better.

    If you want to call yourself a truly knowledgeable computer user, then you have to acknowledge that Products A, B, and C all have their strengths and weaknesses and therefore have tasks their better suited for as well as tasks in which they're not the best solution.

    If you look at it from the proper perspective, every time an exploit is found by good people before bad people have a chance to do harm with it then it is good for everyone.

    This particular exploit also demonstrates how foolish it is to posture and sling insults. The whole time FF users slung insults at IE when exploits were found, this exploit was there lurking below the surface waiting to be found.

    Let applications that are without exploit cast the first stone. Since that's never going to happen, argue your cause based on its merits.

  13. Re:gah by Anonymous Coward · · Score: 5, Insightful

    I have to disagree. This sort of exploit is extremely worrying.

    At first, Mozilla fans (me included) all said "the chances of Firefox getting 0wned by exploits is very slim, Mozilla is secure by design -- IE isn't".

    By about 0.9 or 0.10 the holes started pouring in -- but it was ok: "This is simply Mozilla Foundation's bug patching contest, they are working FOR us instead of AGAINST us."

    After this it wasn't only white-hat mozilla funded security experts that started showing there was holes in the code. We changed our story again and, somewhat rightly, pointed out that "these are very theoretical and it would be very hard to use this to exploit a computer like IE can".

    This is a really big problem. This will get exploited like crazy as it seems exceptionally easy to do. Not only that, I expect the only fix from Mozilla will be as usual, a 5MB binary installer with the files changed. This is unacceptable on a 56k modem and people just won't bother upgrading to a secure version.

  14. Re:Nasty by cortana · · Score: 5, Informative

    Unfortunately, the exploit could have just as easily created a file starting with #!/bin/sh, and passed 555 as the 'permissions' argument to createUnique.

    Why on earth the browser thinks it's necessary to allow scripts to create executeable files is beyond me.

  15. Secunia: Extremely Critical by MarkByers · · Score: 5, Informative

    Secunia have already released an advisory explaining how the exploit works:

    http://secunia.com/advisories/15292/

    This is the first Firefox exploit that has received the rating 'Extremely Critical'.

    --- Extract from Secunia's site ---

    Description:
    Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.

    1) The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.

    2) Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.

    Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").

    A combination of vulnerability 1 and 2 can be exploited to execute arbitrary code.

    NOTE: Exploit code is publicly available.

    The vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.

    Solution:
    Disable JavaScript.

    --
    I'll probably be modded down for this...
  16. Re:Uh oh! by MarkByers · · Score: 5, Informative

    In Firefox, to stop this vulnerability:

    Web Features->Allow web sites to install software

    I'll switch to MS IE as it has no known serious vulns

    Internet Explorer Long Share Name Buffer Overflow Highly Critical

    Yeah... whatever. I don't mind if you would rather use a browser with a known serious security problem, but saying that IE has no known serious issues is misinformed.

    --
    I'll probably be modded down for this...
  17. Fixes for large sites by shirro · · Score: 5, Informative

    For people running Firefox in a business or school with centrally locked down settings I think a quick fix might be to add

    lockpref("xpinstall.enabled","false");

    xpinstall.enabled seems to be the preference changed by "Allow websites to install software"

  18. Linux and MacOS vulnerable, too by Animats · · Score: 5, Insightful
    This exploit will work on Linux and MacOS, too, if anybody bothers to write an attack for them.

    The basic problem is that the Mozilla developers, in their futile attempt to create a "platform", put in a mechanism comparable to Active-X - a way to dynamically download executable programs. Of course, they tried to make sure this "feature" could not be used for purposes of evil. Like Microsoft, they failed.

    Understand, this isn't subtle. The code uses built-in Mozilla JavaScript extensions to create a local file in a very straightforward way. It then calls "nsILocalFile::launch()" (which does exactly what you think it does) to launch it. Those are capabilities that shouldn't be in a browser's JavaScript engine at all.

    Having designed in a potential security hole big enough to drive a semitrailer through, they tried to make it "secure" with the usual crap approaches - signatures, lists of trusted sites, and disabling for certain types of URLs. They failed. They forgot to make those checks for "favicon.ico" files (Mozilla's implementation of a Microsoft icon-in-the-toolbar gimmick.)

    Plugging that hole is not the answer. The problem is more fundamental. "nsILocalFile::launch()" needs to be removed. Browsers have no business launching arbitrary executable programs. Period.

  19. Re:Nasty by cortana · · Score: 5, Informative

    Well, in Windows it would only have administrator priviliges if the user was dumb enough to run Firefox as an administrator. ;)