Hackers claim zero-day flaw in Firefox

An anonymous reader writes "The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon. An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here."

All security bugs are zero-day

[Zeinfeld]

The term zero-day attack has become meaningless. In the days before there were mechanisms in place for rapidly distributing updates the majority of attacks used by hackers were age-old.

Today the hackers have to work a bit harder so zero-day attacks are no longer rare. The vast majority of attacks are still from hackers who are reverse engineering the patches and distributing attacks before the patches are implemented.

If someone reports a new attack against open source code it is by definition unknown before it is reported. Therefore all bug reports with security implications are 'zero-day'.

What the idiots who released this exploit mean by 'zero day' was that they didn't allow time for the problem to be fixed before releasing the exploit.

"For the greater good of the Internet" ???

[CharonX]

From the Article
The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding on to the bugs.

Jesse Ruderman, a Mozilla security staffer, attended the presentation and was called up on the stage with the two hackers. He attempted to persuade the presenters to responsibly disclose flaws via Mozilla's bug bounty program instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets.

"I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," Ruderman said.

The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," Wbeelsoi said.

First of all, guys, so you refuse to tell us what the bugs are, so we can't fix them and do this for the "greater good of the internet... setting up communication networks for black hats" WTF? What does having tens of thousands of additional zombie-machines that could DDoS or send SPAM do with the greater good of the internet. I almost hope you try to make money off the bugs (if you even know any more) so you get to know a nice prison cell and "Life without PC"(TM). Honestly, I think those guys are full of it, they probably don't know even one additional vulnerability and just try to show off how "big and powerful" they are.

Re:Proof?

[Stephen+Samuel]

Yes they did have a live exploit. The complaint is that they didn't even try to give Mozilla foundation an opportunity to patch the bug before the released it to the black-hats (along with the white hats) at the conference.

The only difference between a zero-day exploit and a normal exploit is whether the person who finds the exploit allows a fix to be crafted before (s)he releases the bug that allows it.

The main difference between Open Source groups like Mozilla and Microsoft is that (responsible) open source projects will fix potential security bugs whenever they're informed of them and whether or not there is an exploit available, while Microsoft seems to have a habit of holding off on fixing a bug unless the exploit is blatently obvious and/or there is an proof of concept exploit already in existence (and sometimes even in the wild).

Given the way that these guys are touting how Firefox is vulnerable because they were able to find a bug that they refused to warn the firefox team about (like that refusal is Firefox's fault) I wouldn't be at all surprised to find that they managed to get some funding (either direct or indirect) from Microsoftl.

you are deluded

[weierstrass]

>I wouldn't be at all surprised to find that they managed to get some funding (either direct or indirect) from Microsoftl[sic].

complete bullshit and FUD.

you know nothing about these ppl, they are blackhats, they ruin things for no other reason than to piss ppl off and have a laugh at their expense.

Re:you are deluded

[causality]

you know nothing about these ppl, they are blackhats, they ruin things for no other reason than to piss ppl off and have a laugh at their expense.

This is why good security is done in layers. If your sole defense against having your user account, your root account, and possibly even your identity owned by some script kiddie is to depend on the maintainers of $PROGRAM to patch all exploitable flaws in a timely manner, this is what you call putting all of your eggs into one basket. For this, there are things like the Gentoo Hardened Project, which ensure that a mere buffer overflow alone will not grant someone access to your system (of course this is not Gentoo-specific; Gentoo has merely organized such things as PaX and Grsecurity and the toolchain in such a way that it is a relatively simple matter to use the Hardened profile). In my opinion, you're crazy not to take some kind of extra measures like this, if you are going to use a potentially hostile network on a daily basis.

Ideally, the good people who maintain Firefox can stay on top of the arms race to improve the browser's security as fast as flaws can be found. But the odds are against them -- in order to succeed, they have to find every possible security flaw; the blackhats only need to find the one thing that they missed to have a workable exploit. If you don't like being exploited, then this situation is not good. There is no such thing as absolute security, and no programmer is perfect, but precisely because programmers make mistakes, there are non-executable stacks, random memory addresses, user-space SSP protections, chroot() jail restrictions, and many other measures one can take to ensure that security does not have a single point of failure.

Re:Proof?

[LaughingCoder]

Given the way that these guys are touting how Firefox is vulnerable because they were able to find a bug that they refused to warn the firefox team about (like that refusal is Firefox's fault) I wouldn't be at all surprised to find that they managed to get some funding (either direct or indirect) from Microsoftl.

Or perhaps, being black hat types, they are trying to discredit Firefox because it makes their jobs tougher than IE does. Maybe they want to drive people back to IE.

Selling bugs to the highest bidder

[louarnkoz]

The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," Wbeelsoi said.

Yeah, right. What they are really saying is, why give away a bug for $500 when we can sell it for much more on the black market?

In fact, the public advertisement of a "zero day exploit" makes a lot of sense if you want to establish yourself as a seller of other undisclosed exploits. Publishing the exploit is a gambit. You will loose the exploit as soon as it gets fixed, but you get your name in the trade press, on Slashdot, etc. Doing so, you establish credibility as a merchant of malware. You can set up shop, and advertise 30 other previously undisclosed bugs. Now, the botnet herders, spammers and other DDOS extortionists know were to buy a new exploit if they need one.

Re:Slightly offtopic...

[failure-man]

I am a Linux user. Yes, a Firefox exploit will not hose my box. It can certainly hose my ~/ however, possibly stealing data in the process.

Re:One of these guys works for SixApart

[dorkygeek]

[...] Spiegelmock, who in everyday life works at blog company SixApart.

This guy is simply a liability for SixApart, and should get fired immediately. Imagine what could happen if he manages to get the exploit code for this or one of the other 30 exploits they claim to have discovered into one of SixApart's blogging tools.

But what do we know, maybe they have already done so. Judging from their strange "for the greater good" believes, I wouldn't be surprised about it. I sure as hell wont advise anyone to use any of their products until they've reviewed their code to make sure it doesn't sport one of Spiegelmock's toys.

Re:Proof?

[jlarocco]

Yes they did have a live exploit. The complaint is that they didn't even try to give Mozilla foundation an opportunity to patch the bug before the released it to the black-hats (along with the white hats) at the conference.

Welcome to real life. Firefox is getting large enough to be a target. And when a piece of software is a target, people aren't going to just file a bug report when they find an exploitable bug. Look at Windows/IE. Every time you hear about a new exploit on Windows/IE, it's because it's being exploited. It'd be nice if they filed a bug report first, but you definitely can't expect it. They're black hats for a reason, you know.

Given the way that these guys are touting how Firefox is vulnerable because they were able to find a bug that they refused to warn the firefox team about (like that refusal is Firefox's fault) I wouldn't be at all surprised to find that they managed to get some funding (either direct or indirect) from Microsoftl.

That is the most ridiculous thing I've heard all week. Black hat hackers release exploits all the time without warning the software's creator. The fact you think Microsoft is involoved says a lot more about you being a Firefox Fanboy than anything else. Get a clue.

So I wrote to SixApart

Maybe you want to as well? This is absolutely retarded behavior.

From: [me]
Subject: Responsible disclosure and wreckless behavior
Date: 1 October 2006 14.23.23 GMT-04:00
To: mena@sixapart.com, ben@sixapart.com, brad@danga.com
Cc: mischa@sixapart.com

Hello,

I read this article on ZDNet describing how your employee Mischa Spiegelmock found and revealed a zero-day Firefox flaw:

http://news.zdnet.com/2100-1009_22-6121608.html

Mischa and his co-researcher Wbeelsoi refuse to reveal specific details on the flaw--or 30 others they found--to the Mozilla Foundation:

"The two hackers laughed off the comment. 'It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats, Wbeelsoi said."

Considering LiveJournal's recent security flaws causing everyone to change their passwords due to browser-based flaws, do you really want someone working for you who makes the problem worse? To be sure, there is merit to the argument that revealing the flaws would allow Mozilla to continue to use a badly buggy implementation; however, there seems to be more to this.

From FireFox's IRC channel, some dialogue from Jesse Ruderman of the Mozilla foundation, who attended (via Slashdot: http://it.slashdot.org/comments.pl?sid=198519&cid= 16265621 )

" they claim they can make $10,000 or $20,000 selling a vuln in firefox
  compared to $500 telling us about it
  selling to other blackhats, anonymously, using onion networks, of course"

Is one of your employees looking to profit of vulnerabilities in Firefox? With the large number of huge enterprises using TypePad and SixApart software, do you really want to risk him embedding JavaScript code to activate this flaw in your products? If he's saving these flaws to profit from them, what's to say he won't look for the bigger payouts of actively punching holes in your products?

That's unlikely--but more likely is that your customers will hear about this and refuse to do business with you because you have an employee who is actively seeking to make the Internet a more dangerous place.

If I misunderstood anything in these articles, I apologize completely. However, what was described in the article was so outrageous that I had to write.

Best regards,
[me]