Slashdot Mirror
2 Firefox Security Flaws Lead to Exploit Potential
Marthisdil points out a News.com story which reports that "Two vulnerabilities in the popular Firefox browser have been rated "extremely critical" because exploit code is now available to take advantage of them." Security firm Secunia reported the vulnerabilities (and the "extremely critical" rating is theirs), but the News.com story points out that thus far, "no known cases have yet emerged where an attacker took advantage of the public exploit code." Update: 05/09 20:20 GMT by T : Rebron of the Mozilla Foundation sends a correction; this is really the same flaw reported yesterday. He suggests that you glance at the Mozilla security alert on this hole (as well other alerts at the Mozilla Security Center), and says "The Mozilla Foundation has made changes to our update servers that will protect users from this arbitrary code execution exploit."
I smell scandel, it was bill gates who wrote the code and you know it. IT's like the SetErrors flag in windows (Fp maybe?)
i dont mean to be trolling/flaimbait, but please
:/
mod me accordingly if i am.
do we really need to see it posted here, every time
a firefox sploit is found?
gettin me all excited for nothing
http://it.slashdot.org/article.pl?sid=05/05/08/135 217&tid=154&tid=172
Exploits rise with popularity. Watch out desktop linux.
Seriously this Is getting repetitive. There are always flaws. Just update your browser and hope it doesn't become the next iexplore.
I JUST got through explaining to my parents why Firefox is a safer alternative.
Sigs are for Terrorists.
Come on, timothy. This is hardly the time to be downplaying the severity, even though we all like Firefox. There are undoubtedly people using the posted code, and they wouldn't be likely to tell News.com about it. Everyone should upgrade immediately.
Before everyone freaks out, take a look at the bug notes to get the details.
Exploitation requires the javascript bug AND a whitelisted site. The only default whitelisted site is the update.mozilla.org, and they have made changes to mitigate the problem on their end.
So unless you've whitelisted a lot of extra sites to install themes or extensions, this is not a huge risk. To be sure, disable install "Allow websites to install software" under options | web features, and if really worried, disable javascript.
Mozilla and Firefox have been recommended as alternatives to IE for security reasons. Yet, lately, it seems that there's quite a lot of security problems being uncovered in Firefox. So I'm trying to figure out how to read this.
I suspect that Firefox is somewhat more secure on the simple basis that it is not as tightly integrated with the rest of the operating system as IE is. What makes IE exploits so nasty is that they tend to become email and other exploits too.
My concern is that if Firefox gains some more ground and does become a more active target for exploits, that it may become a poster child Microsoft can use to point out that open source software's "many eyes" theory is hogwash. Maybe it is hogwash.
This sig has been temporarily disconnected or is no longer in service
What Firefox (and the rest of the suite) is a good way to upgrade the software, without installing everything as a new user would... This is something they really should fix...
It's up to MoFo to fix their software as soon as vulnerabilities are reported now. The play time is over, from now on it's going to be Browser Wars II: The Security Menace.
Bored? Browse Slashdot with a +6 modifier for Troll comme
"no known cases have yet emerged where an attacker took advantage of the public exploit code."
I appreciate this clarification. And I'm sure such a clarification will be included in the next IE bug report posted on Slashdot... Right?
PDHoss
======================================
Writers get in shape by pumping irony.
You just missed it the first 3 times.
So combine this with a poisoned DNS attack. update.mozilla.org resolves as your malware server, then you use this exploit.
Sure, it makes it a little harder to execute then, say, something like Nimda that could run free across the internet, but it's still a valid security issue.
Anyone know of a Firefox distribution that can be executed(and consequently updated just once) from a network drive or thumb drive?
:(
I ask because I have alot of extensions on each of my Firefox installations. I have Firefox on my desktop at work, my laptop, my home computer, my wife's computer, etc etc
updating one computer (and then going into safe mode to find the extension that freaked out) is not that bad. But updating 5 or 10 computers can be a pain in the butt. Can I run ONE Firefox from *someplace* on the internet that has all my extesions/addons/updates?
only thing I can think of is using Remote Desktop, but then that's not what I really want to do
I'm a Mozilla user. I don't use Firefox. I'm guessing that Mozilla is affected by this as well, but every time a security flaw is found, only Firefox is mentioned.
Mind you, they don't get laid, either.
.. two unpatched security security holes (code named timothy and CmdrTaco) in Slashdot allowing posting of dupes were disclosed.
From a news report:
Because the foundation controls all sites in the default software installation white list, it has been able to take preventative action by placing more checks in the server-side Mozilla Update code and moving the update site to another domain.
The foundation said users who have not added any additional sites to their software installation white list are no longer at risk.
So one down, the other to be fixed shortly.
Meanwhile I got a notice this morning that tomorrow's Microsoft security patch will fix one major flaw, but leave others unpatched UNTIL NEXT MONTH.
So much for "days of unpatched vulnerability" supposedly favoring Microsoft.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Welcome to Slashdot, you must be new here.
On Saturday, the Mozilla Update team, plus some Mozilla devs, took steps which prevented all published exploits we'd found from working. On Sunday, Mozilla Update was moved to an untrusted URL; as a result, users who have not added other sites to their whitelist should now be safe from the remote code execution attack.
My server
Linux already supports automatic updates. No sense putting it at the application layer. In fact I'd go as far as to say that the application layer is the worst place for updates.
Tools/Options/Web Features/"Allow web sites to install software" - uncheck it. I don't know why this isn't unchecked by default.
It takes just a moment and an action to destroy. It takes some time and thought to create.
Red herring.
Nobody has ever said that EVERY OSS project has "many eyes" ON the project.
What has been said is that to the extent that the source code is included, and is available for perusal by those who KNOW how to do so, this is an extra safeguard since SOME people OTHER than the developers will examine the code - possibly for precisely such reason as security.
And that is exactly what is proved by such incidents. Somebody examined the source code and determined there was a problem.
They didn't have to wait on someone at Microsoft to do so.
If anything in OSS can be complained about, it's the relatively poor amount of testing that seems to get done. Things like the dual-boot bug in Fedora last year should not happen.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Another post mentions that someone is claiming an 0-day exploit in the wild for these issues.
:)
From BT:
Firefox Remote Compromise Technical Details
Before I start, I need to say that this thing has been patched on Mozilla's server. If you take a look at any of the extension install pages on their site, you will see that the install function has a bunch of random letters and numbers after it. Even though this would probably be an easy thing to bypass, I am not going to attempt it because of the uselessness of such a bypass. A patch is already in development and so any more work going into fine-tuning this exploit would be a waist of time.
There are three core vulnerabilities being used in my example. A friend of mine (Michael Krax, http://www.mikx.de/ helped me with the research.
To understand why the example works, one must understand the basics of how Firefox works. Everything you see in firefox is essentially a webpage being rendered by a compiler. This is what the gui is made of, and this is why firefox is so easy to customize. However, it also allows for some security bugs. If one could get one of the chrome pages to request a javascript:[script] url, that individual would be given complete access to the system because chrome urls are given full rights in firefox. My example works by tricking the addon install function into displaying an icon with a javascript url.
However, this would not be enough to compromise the system. By default, the install feature only works when called from a page within update.mozilla.org or addon.mozilla.org. Therefore, another (cross site scripting) vulnerability had to be found to call the install feature from mozilla.org. This vulnerability navigates to a javascript page and displays a link (pointing to a mozilla.org page) within a frame that follows the user's cursor. After the user clicks, the link is navigated to, which fires the onload event. This is a buggy event in Firefox because with it we can now access certain parts of the window object that we shouldnt, such as the history object. After the page loads, we use the history object to navigate backwards to the javascript page. The javascript is executed again, now from update.mozilla.org because when we navigated backwards, we essentially navigated to a javascript:[script] page. Now we call the install addon feature, which displays a dialog with det
ails of the requested addon, including an image with a specified image. This image points to a javascript:[script] url, which gets executed in the context of chrome. Now we have compromised the system
Whew, that was quite a mouthful.
I am still trying to gather all the details as to how my research was leaked, but recent conversations are leading me to believe that it was a misplacement of trust, not a server compromise. However, I do not want to jump to conclusions too quickly, as this will only lead to more problems. That's all I will say about that subject, as I don't want to offend anybody.
Also, I would like to let everyone know that this is not the only vulnerability that Mikx and I have found. We still have a couple of tricks up our sleeves, and you can be sure that we will not make the same mistake twice.
If you want to see the original PoC, here is the url:
http://greyhatsecurity.org/vulntests/ffrc.htm
Paul
Greyhats Security
http://greyhatsecurity.org/
A serious exploit flaw has been found. So severe is the flaw that it spans all hardware and all software. It matters not if your computer is patched or unpatched. This exploit flaw is so serious that any computer that emits power from its power supply is vulnerable. The only security fix to this devastating exploit flaw involves pulling the power plug from the computer.
......Seriously though, there has always been a direct correlation between usability and security. Any time features are added to a piece of software to make it more usable, will make it more vulnerable and open to flaws that can be exploited. Firefox may have started out as a stripped down, no nonsense browser, but with its popularity rising, feature creep sets in and inherent flaws will be discovered and exploited.
The only way to make it 100% secure is to make sure nothing can be done to the system, and that's powered off with no automated way of powering on (i.e. it's unplugged). Once we accept that it MUST be plugged in to be usable, we need to accept the possibility of exploits. Given that, however, we can't accept defeatism, and must strive to fix it.
The typical rhetoric of "There see? product y is just as insecure as product x", and "Well at least the exploit count is 2, not 50!", only serves to distract us from the real goal of getting better and MORE secure software. Like the saying goes, "SHIT HAPPENS". Let's just learn from it and move on.
Security through obscurity is theoretically plausible, but not very practical. What may be firefox's saving grace is that it's open source and is not held as proprietary IP, controlled by a corporation out for profit, thus the evolution of the product is driven by its need to simply be better.
Perhaps microsoft will see these flaws as proof that open source doesn't work and will lower their own standards, making IE7 less secure or shipping earlier with less stability, or maybe they will take this opportunity to make IE7 that much better in the hopes of regaining popularity and claiming vindication. As long as firefox advances and closes those holes, we still have one extra viable choice. This would only result in a fundamentally more secure web surfing experience.
I'm surprised (or maybe I missed something). Why is noone asking the real questions here?
Sure, Firefox had two security flaws. Okay. HOW were those vulnerabilites found? Were they found because Firefox is an open-source program, and has the 'many eyes' advantage? Were the people who found them going through the code, evaluating and auditing it function-by-function is search of flaws?
Or were they testing against it in the traditional way, the way IE vulnerabilities were found? Or maybe a combination of the two?
The article doesn't say, but I believe this is more important to know than the current count on a Firefox/IE vulnerability pissing match. It's the best example (or counter-example) of open-source security in action that we have. If anyone can supply this information, I (and others, perhaps) will be most grateful.
If you are still using the preview release 1.0, then it tells you there are no updates to be installed... guess you're safe there...hmmmm
--"They say time is the fire in which we burn"
Can you imagine what would happen if bugs in proprietary software (I'm thinking of Windows or IE) were considered "extremely critical" as soon as an exploit was solidified in code? I mean, if "extremely critical" corresponds to "it is *possible* to exploit this bug" then what is the term to describe a bug which in fact is wreaking havoc on worldwide information infrastructure (as many Windows bugs)?