Hackers claim zero-day flaw in Firefox

An anonymous reader writes "The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon. An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here."

Impossible to patch?

What about NoScript? http://www.noscript.net/whats

Re:Impossible to patch?

[LaughingCoder]

surf there with a locked down browser.

Or better yet, use a wide open browser inside a virtual machine.

Good policies will often save you.

[failure-man]

Noscript is your friend. Been using it for a year or so now.
 
Yes, whitelisting sites is a pain, but Javascript is a remnant of a more innocent time and should probably be phased out anyway.

Re:Good policies will often save you.

[Vo0k]

Sandboxing the whole thing will help against system takeovers, but not against frauds within the browser - cross site scripting etc.

Running a sandboxed version of a scripting language within a browser should be pretty harmless if the language was available only in the sandbox and couldn't touch anything outside. Creating separate sandboxes for each website would prevent cross site scripting too.

The problem is it's impossible with Firefox. It's a very old design decision that is so deep all over the place that nothing short of redesigning and rewriting everything from scratch could help.

Essentially, Firefox is written in javascript.

There are underlying frameworks written in C++ and others, the renderer engine etc etc. But the glue that binds all these functions together is Javascript on steroids. XUL files-databases that define the looks of the UI, XUL renderer, which displays them, and thousands of lines of javascript bound to every single gadget, button, field, box, dialog. This javascript performs all the basic processing and the whole high-level work of the browser program. And it calls system/framework functions to perform the low-level work - which is strictly forbidden for a sandboxed language.

Developers of Mozilla try to prevent access to all this low-level heavyweight stuff from javascript originating from webpages while allowing it from the system files. Sandbox javascript from one source, run javascript from the other source at full privledges all the time. Can you smell how fragile this is? I'm afraid these exploits will keep popping up. There's no natural barrier of "contained sandbox environment + scripting language" vs "low-level system layer", with no trace of bindings to the system layer within the sandbox, no hook, no crack to exploit by interfacing with the outside. There's an artificial wall which limits "javascript from webpages" and allows "extended javascript from interface", where both sides are essentially the same thing.

This is the old firewalling problem - policy of "deny all, allow essential" vs "allow all, block dangerous". Except currently there is no easy way to switch from one to the other.

IRC

have you guys heard about the supposed vuln in firefox disclosed at toorcon today?
<Ryan> "Firefox re-entrant threading"?
<reed> http://www.toorcon.org/2006/conference.html?id=13
<Jesse_> yeah, that one
<reed> Jesse_: Did you go to that particular one?
<Jesse_> yes
<Jesse_> i also went up on stage to "debate" "disclosure" with them
<Jesse_> when i said "debate" "disclosure", i didn't mean the usual "how much time should security researchers give vendors to write and deploy patches before making the holes or exploits public" debate
<Jesse_> these guys were *against* disclosure
<Jesse_> preferring to keep the status quo of lots of vulnerabilities, large botnets (so they can be anonymous), etc. or maybe they were joking, it was hard to tell.
<Jesse_> they claim they can make $10,000 or $20,000 selling a vuln in firefox
<Jesse_> compared to $500 telling us about it
<Jesse_> selling to other blackhats, anonymously, using onion networks, of course
<dveditz> TippingPoint and iDEFENSE will pay up to $10K for IE and probably firefox vulns

. . .

<jX> http://news.com.com/Hackers+claim+zero-day+flaw+in +Firefox/2100-1002_3-6121608.html
<jX> "...what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," How exactly is that for the greater GOOD?
<dveditz> the black hats crusade for our freedom (and credit cards) against the evil fascist empire
<dveditz> they *earn* everything they steal by doing all the good they do keeping "the man" from owning the internet

. . .

<Jesse_> http://news.com.com/Hackers+claim+zero-day+flaw+in +Firefox/2100-1002_3-6121608.html quotes me out of context in a way that makes it look like i'm trying to bribe them with $500 bug bounties :(
<zach> Jesse_: they dragged you up on stage during their talk?
<jX> Jesse_: Yeah, doesn't reallyt make anyone look good, that article..
<Jesse_> "I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets" is pretty close to the BEGINNING of a sentence i said
<Jesse_> the REST of the sentence was " or selling them to other blackhats for ten thousand dollars"
<Jesse_> with the whole sentence, it's clear that i'm hoping they'll change for ethical reasons, and that i'm not trying to bribe them
<jX> Jesse_: Yeah, but quoting you out of context makes for better copy.
<zach> Jesse_: did they actually drag you on stage during their talk as the article suggusts?
<Jesse_> zach: they left a lot of time after their slides, and asked me to come up
<Jesse_> zach: they told me before the talk that they might ask me to come up
<Jesse_> dveditz: yeah, about 20 minutes before

Re:Proof?

[tomhudson]

Yes they did have a live exploit.

No, they didn't have a live exploit. The original article is here http://news.zdnet.com/2100-1009_22-6121608.html, not the site linked to by slashdot.

All they had was a video ... no code to display.

So, maybe they do, maybe they don't ... but you can't tell just from a video.

The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation Saturday night.

Also, what sort of drugs do you have to be on to name your kid "Window"? Brings to mind Frank Zappa naming his kid "Moon Unit".

Re:Selling bugs to the highest bidder

[jesser]

Yeah, right. What they are really saying is, why give away a bug for $500 when we can sell it for much more on the black market?

If CNET hadn't cut off my quote mid-sentence, it would have been clear that that was what (jokingly) saying too. I was not trying to bribe them. I was trying to say that I hoped they would change their minds and report the holes to Mozilla despite the fact that they (claimed they) could make much more money exploiting the holes or selling information about the vulnerabilities on the black market.

Re:Recent fixes

[jesser]

No. Those three bugs were holes I found before ToorCon.

The real storry

[augustz]

To be clear:

Firefox had a build switch that allowed folks to build it without branding (and do whatever they wanted to it) or build it with branding (and follow Mozilla's rules to create a consistent user experience).

Debain dev's took that build switch and broke it, so that everyone wanting to modify or adjust the debian firefox packages would have to go through and hand edit out firefox if they wanted to remove branding. They then packaged this broken thing up, and still called it firefox.

Mozilla said that was bogus, and they were right. Having that build switch makes it easier for folks to make changes to the package without worrying about branding. Redhat and others do exactly this with artwork/branding packages. We are ALL better off if such easy build time switches are available.

I've been around a while, but the debian developers are way out of line here.... You can't create some crazy messed up debian distro and call it debian, you can't create a crazy redhat distro and call it redhat, why is firefox getting all this heat? The amount of fuss they are creating is bogus and dissapointing. I read through the snide commentary and it really is depressing. Even Mozilla Foundation suggests that a non-branded version of firefox would work better for them.

Re:The real storry

[thebluesgnr]

That's not the real story. In fact it's a bogus story that omits a very important detail, which is that Debian had permission from Mozilla (Gervase Markham) to use the Firefox branding the way they were using it. See the bug report for the real story: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=3 54622

No-Script

[Ice+Wewe]

...An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code...

Which is why it's smart to run NoScript. A Firefox extention that blocks the execution of any scripts on a webpage without user concent. So, if you're tired of Javascript taking over your Firefox, get NoScript.

https://addons.mozilla.org/firefox/722/

Re:Back on topic...

[symbolic]

This exploit (or one similar) was mentioned in an episode of Security Now (about 3 weeks ago, I think). A potential solution was install a plugin called noscript, which allows the user to enable javascript on a per-site basis. I've used it since I heard about it, and I believe it can play a major role in preventing the execution of any rogue javascript.