Slashdot Mirror

← Back to Stories (view on slashdot.org)

2 Firefox Security Flaws Lead to Exploit Potential

Posted by timothy on from the live-dangerously dept.

Marthisdil points out a News.com story which reports that "Two vulnerabilities in the popular Firefox browser have been rated "extremely critical" because exploit code is now available to take advantage of them." Security firm Secunia reported the vulnerabilities (and the "extremely critical" rating is theirs), but the News.com story points out that thus far, "no known cases have yet emerged where an attacker took advantage of the public exploit code." Update: 05/09 20:20 GMT by T : Rebron of the Mozilla Foundation sends a correction; this is really the same flaw reported yesterday. He suggests that you glance at the Mozilla security alert on this hole (as well other alerts at the Mozilla Security Center), and says "The Mozilla Foundation has made changes to our update servers that will protect users from this arbitrary code execution exploit."

29 of 417 comments (clear)

  1. Dupe... by RichM · · Score: 4, Informative

    http://it.slashdot.org/article.pl?sid=05/05/08/135 217&tid=154&tid=172

  2. And to think... by oskard · · Score: 5, Funny

    I JUST got through explaining to my parents why Firefox is a safer alternative.

    --
    Sigs are for Terrorists.
    1. Re:And to think... by MikeFM · · Score: 4, Informative

      Does Microsoft offer bounties to those who find, and alert them to, security problems? Not as far as I know. This, along with the opensource nature of Firefox will eventually make it mature into a more solid product than IE is likely to be unless Microsoft changes it's attitude. Security is, and always has been, a goal with Firefox. That just isn't true of IE. Also Firefox has the benefit of 20/20 hindsight with it's design as it was designed after many important types of exploits were discovered whereas IE's codebase is much older.

      Overall, I think Firefox is more secure than IE and will just grow to be increasingly more secure with time. That doesn't mean it is flawless. :)

      --
      At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
    2. Re:And to think... by AviLazar · · Score: 4, Insightful

      Think about it - how many products does Microsoft have to maintain, versus the Mozilla Foundation?

      Don't you think this is a bit of a skewed statement? MS has departments, many of them. There is probably an IE department and it's sole purpose is IE. It may not have any conversations with any other departments with the exception of "Will IE still work with the rest of Windows? It does? Great, going back to my cave."

      --

      I mod down so you can mod up. Your welcome.
  3. Don't downplay it by Anonymous Coward · · Score: 4, Insightful

    Come on, timothy. This is hardly the time to be downplaying the severity, even though we all like Firefox. There are undoubtedly people using the posted code, and they wouldn't be likely to tell News.com about it. Everyone should upgrade immediately.

  4. Bug Details by Talian · · Score: 5, Informative

    Before everyone freaks out, take a look at the bug notes to get the details.

    Exploitation requires the javascript bug AND a whitelisted site. The only default whitelisted site is the update.mozilla.org, and they have made changes to mitigate the problem on their end.

    So unless you've whitelisted a lot of extra sites to install themes or extensions, this is not a huge risk. To be sure, disable install "Allow websites to install software" under options | web features, and if really worried, disable javascript.

    1. Re:Bug Details by That's+Unpossible! · · Score: 5, Informative

      eah, I don't really see how this "exploit" is really an exploit at all. If you whitelist a site, that means you can already install an XPI from that site. Extensions can easily to "bad" things of one sort or another (delete bookmarks or hide all the GUI widgets or something). You have to go add a site to the whitelist, it isn't like it can add itself somehow.

      RTFA. The site that runs the exploit does not have to be on the site you whitelisted. Part of the exploit is that it can pretend to be a site you whitelisted. The other part is that it can sneak in some javascript code where it shouldn't be able to (an icon url).

      Contrary to the grandparent post, it is not enough that mozilla has updated their site. That mitigates only part of the problem, and only if you haven't whitelisted other sites.

      Until 1.0.4 comes out, disable javascript.

      --
      Ironically, the word ironically is often used incorrectly.
  5. Re:sorry.. by ViperG · · Score: 5, Insightful

    Well, I would agree, but then why does slashdot post every IE bug that comes up?

    --
    Black Sky
    2D Elite Inspired Game
  6. Mozilla's Security? by sterno · · Score: 5, Insightful

    Mozilla and Firefox have been recommended as alternatives to IE for security reasons. Yet, lately, it seems that there's quite a lot of security problems being uncovered in Firefox. So I'm trying to figure out how to read this.

    I suspect that Firefox is somewhat more secure on the simple basis that it is not as tightly integrated with the rest of the operating system as IE is. What makes IE exploits so nasty is that they tend to become email and other exploits too.

    My concern is that if Firefox gains some more ground and does become a more active target for exploits, that it may become a poster child Microsoft can use to point out that open source software's "many eyes" theory is hogwash. Maybe it is hogwash.

    --
    This sig has been temporarily disconnected or is no longer in service
    1. Re:Mozilla's Security? by Uruk · · Score: 5, Insightful

      A few points to consider when you're evaluating the security of software:

      • Security issue visibility is not the same thing as security. Just because IE has more exploits publicized (or Firefox has more) doesn't actually mean they're more or less secure, it means they're getting more public attention about their security. Important difference. If someone has an objective, quantitative, and verifiable way of measuring a piece of software's security so that we can actually make these comparisons, I'd love to see it
      • The more users use a piece of software, the more it will be targeted. But again, that's not the same thing as saying "the more it will be exploited"
      • Most users ultimately decide based on personal experience, which typically trumps abstract reporting. Have you ever had a problem with Firefox? Have you ever had a problem with IE? I'd suspect most people who switched to Firefox did it because they actually experienced a problem with IE, not because it was more ideologically pure.
      --
      -- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
    2. Re:Mozilla's Security? by Blkdeath · · Score: 4, Insightful
      I don't run Firefox because I find it inferior to IE in rendering pages as they were intended (yes, we live in an IE world, deal with it).

      I used to think the same thing, but I stuck it out and just dealt with the incorrectly rendered pages. Of course there have always been / will always be people who think like you, but the fact is many (most) pages now render correctly in FireFox.

      As alternate browsers are again being recognized as statistically significant companies and even hobbyist webmasters are starting to realize their value. If you see a site that isn't rendering correctly, contact the site owner and inform them. Your message might not turn the tide, but perhaps combined with the 5-6 they received last week yours will be enough to convince them of the advantage of compliance.

      Please, though, don't send a nasty-gram espousing the virtues of open source, criticizing Microsoft (no need to even mention MS/IE) as it destroys all of our credibility.

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

  7. What Firefox needs is... by turbofisk · · Score: 5, Insightful

    What Firefox (and the rest of the suite) is a good way to upgrade the software, without installing everything as a new user would... This is something they really should fix...

  8. It was expected by mpontes · · Score: 5, Insightful
    With the spotlight on Firefox, it's obvious a lot more crackers and hackers are going to start looking at Mozilla Foundation's code. While previously there was little incentive for crackers to exploit vulnerabilities in MoFo's code, you can't say that now, with all the attention Firefox caught.

    It's up to MoFo to fix their software as soon as vulnerabilities are reported now. The play time is over, from now on it's going to be Browser Wars II: The Security Menace.

    --
    Bored? Browse Slashdot with a +6 modifier for Troll comme
  9. Balanced? by PDHoss · · Score: 4, Insightful

    "no known cases have yet emerged where an attacker took advantage of the public exploit code."

    I appreciate this clarification. And I'm sure such a clarification will be included in the next IE bug report posted on Slashdot... Right?

    PDHoss

    --
    ======================================
    Writers get in shape by pumping irony.
    1. Re:Balanced? by utexaspunk · · Score: 4, Funny

      AMEN, BROTHER- this ain't the news desk, buddy, this is the nerd table in the high school cafeteria. Most of the time here is spent trying to make milk come out of eachother's noses...

  10. Re:Bug Details - Poison DNS by Chairboy · · Score: 4, Insightful

    So combine this with a poisoned DNS attack. update.mozilla.org resolves as your malware server, then you use this exploit.

    Sure, it makes it a little harder to execute then, say, something like Nimda that could run free across the internet, but it's still a valid security issue.

  11. Does this affect Mozilla also? by llzackll · · Score: 5, Interesting

    I'm a Mozilla user. I don't use Firefox. I'm guessing that Mozilla is affected by this as well, but every time a security flaw is found, only Firefox is mentioned.

  12. Re:See! See! by Master+of+Transhuman · · Score: 4, Informative

    Correct.

    One report says as follows:

    Because the foundation controls all sites in the default software installation white list, it has been able to take preventative action by placing more checks in the server-side Mozilla Update code and moving the update site to another domain.

    The foundation said users who have not added any additional sites to their software installation white list are no longer at risk.

    So one down, the other to be fixed shortly.

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  13. LINUX USERS DON'T GET VIRUSES by Anonymous Coward · · Score: 4, Funny

    Mind you, they don't get laid, either.

  14. One Vulnerability Already Fixed by Master+of+Transhuman · · Score: 4, Informative

    From a news report:

    Because the foundation controls all sites in the default software installation white list, it has been able to take preventative action by placing more checks in the server-side Mozilla Update code and moving the update site to another domain.

    The foundation said users who have not added any additional sites to their software installation white list are no longer at risk.

    So one down, the other to be fixed shortly.

    Meanwhile I got a notice this morning that tomorrow's Microsoft security patch will fix one major flaw, but leave others unpatched UNTIL NEXT MONTH.

    So much for "days of unpatched vulnerability" supposedly favoring Microsoft.

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  15. ...obligatory by op12 · · Score: 4, Funny

    Welcome to Slashdot, you must be new here.

  16. Should not be exploitable any more by CTho9305 · · Score: 4, Informative

    On Saturday, the Mozilla Update team, plus some Mozilla devs, took steps which prevented all published exploits we'd found from working. On Sunday, Mozilla Update was moved to an untrusted URL; as a result, users who have not added other sites to their whitelist should now be safe from the remote code execution attack.

    --
    My server
  17. Solution by cryptocom · · Score: 5, Informative

    Tools/Options/Web Features/"Allow web sites to install software" - uncheck it. I don't know why this isn't unchecked by default.

    --
    It takes just a moment and an action to destroy. It takes some time and thought to create.
  18. Re:sorry.. by magefile · · Score: 4, Informative

    Yeah - it could even put a little red "update" button on the taskbar whenever ... oh. Right.

  19. Re:sorry.. by RoLi · · Score: 4, Informative
    You got that all wrong.

    Firefox bugs get on the front page when they are exploitable in theory (this exploit here also worked only for a couple of hours because Mozilla's servers have been modified so Firefox is redirected to a non-whitelist site) while IE bugs get on the front page only when they cause serious mass infections.

  20. The bugtraq post... by EvilStein · · Score: 4, Informative

    Another post mentions that someone is claiming an 0-day exploit in the wild for these issues.

    From BT:

    Firefox Remote Compromise Technical Details

    Before I start, I need to say that this thing has been patched on Mozilla's server. If you take a look at any of the extension install pages on their site, you will see that the install function has a bunch of random letters and numbers after it. Even though this would probably be an easy thing to bypass, I am not going to attempt it because of the uselessness of such a bypass. A patch is already in development and so any more work going into fine-tuning this exploit would be a waist of time.

    There are three core vulnerabilities being used in my example. A friend of mine (Michael Krax, http://www.mikx.de/ helped me with the research.

    To understand why the example works, one must understand the basics of how Firefox works. Everything you see in firefox is essentially a webpage being rendered by a compiler. This is what the gui is made of, and this is why firefox is so easy to customize. However, it also allows for some security bugs. If one could get one of the chrome pages to request a javascript:[script] url, that individual would be given complete access to the system because chrome urls are given full rights in firefox. My example works by tricking the addon install function into displaying an icon with a javascript url.

    However, this would not be enough to compromise the system. By default, the install feature only works when called from a page within update.mozilla.org or addon.mozilla.org. Therefore, another (cross site scripting) vulnerability had to be found to call the install feature from mozilla.org. This vulnerability navigates to a javascript page and displays a link (pointing to a mozilla.org page) within a frame that follows the user's cursor. After the user clicks, the link is navigated to, which fires the onload event. This is a buggy event in Firefox because with it we can now access certain parts of the window object that we shouldnt, such as the history object. After the page loads, we use the history object to navigate backwards to the javascript page. The javascript is executed again, now from update.mozilla.org because when we navigated backwards, we essentially navigated to a javascript:[script] page. Now we call the install addon feature, which displays a dialog with det
    ails of the requested addon, including an image with a specified image. This image points to a javascript:[script] url, which gets executed in the context of chrome. Now we have compromised the system :)

    Whew, that was quite a mouthful.

    I am still trying to gather all the details as to how my research was leaked, but recent conversations are leading me to believe that it was a misplacement of trust, not a server compromise. However, I do not want to jump to conclusions too quickly, as this will only lead to more problems. That's all I will say about that subject, as I don't want to offend anybody.

    Also, I would like to let everyone know that this is not the only vulnerability that Mikx and I have found. We still have a couple of tricks up our sleeves, and you can be sure that we will not make the same mistake twice.

    If you want to see the original PoC, here is the url:
    http://greyhatsecurity.org/vulntests/ffrc.htm

    Paul
    Greyhats Security
    http://greyhatsecurity.org/

  21. Re:See! See! by CaymanIslandCarpedie · · Score: 4, Insightful

    Hey, I'm not saying this hole will be expoited by anyone. I'm just saying its not fixed. With your "one down" comment you seemed to imply this issue was fixed. It is not at all!

    Mozilla has done a server-side workaround to mitigate this issue but the Firefox (client-side app) has had nothing done to it. The issue is still 100% there. Again not saying this will effect anyone, but to say the bug has been fixed is just WRONG. The bug is in client-side code and that client-side code will need to be fixed, not just a server-side workaround.

    Again, most likely nothing will come of this, but I just thought viewers who saw your original comment would be misled into thinking the client-side bug was been fixed (which is not the case).

    --
    "reality has a well-known liberal bias" - Steven Colbert
  22. Re:sorry.. by shmlco · · Score: 4, Funny

    Probably because lots of /. posters now need to fix machines of their own running Firefox...

    --
    Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
  23. Uh huh by Myopic · · Score: 4, Insightful

    Can you imagine what would happen if bugs in proprietary software (I'm thinking of Windows or IE) were considered "extremely critical" as soon as an exploit was solidified in code? I mean, if "extremely critical" corresponds to "it is *possible* to exploit this bug" then what is the term to describe a bug which in fact is wreaking havoc on worldwide information infrastructure (as many Windows bugs)?