Slashdot Mirror


Hackers claim zero-day flaw in Firefox

An anonymous reader writes "The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon. An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here."

72 of 398 comments

  1. Moo by Chacham · · Score: 5, Funny

    In response, Mozilla Corporation has stated that since the hackers did not submit the hack for verification, they may not call it a "FireFox" hack, in compliance with their Trademark policy. Further, if anyone did take over a browser with this hack, they would have to change the icon or face vague threats.

    The hackers plan to release the next version of the hack under the name IceWeasel Hack, while grumbling about backports. Debian developers have been debating whether they should include the hack in Etch or not.

  2. Re:Oink by BeeBeard · · Score: 5, Funny

    (sarcasm) Yes, our only hope is that Debian developers can patch the hole in time! (end sarcasm)

  3. Slightly offtopic... by I(rispee_I(reme · · Score: 3, Interesting

    but why doesn't this story have a "from the ____ department" subheader?

    1. Re:Slightly offtopic... by Foofoobar · · Score: 2, Insightful

      How can we be elitist now? Easy. I run Firefox on Linux. No problem here. Hijack my browser all you want, you're sandboxed. This is still only an issue with Firefox running on Windows. Which again is an issue with the security of Windows.

      This seems to be par for the course for ANY application running on Windows. Hackers are now targeting the applications to get to the OS rather than the OS itself. Just about all Windows applications can be compromised and have been in recent news. This is as much a problem with the applications as it is with the OS. If your application isn't properly sandboxed in the OS, and if it has too high of a privilege level to begin with, then any exploit is potentially dangerous to the OS.

      The OS should be built with good sandboxed privileges to allow for bad application development. And then everyone could act as elite as us Linux users when things like this occur.

      --
      This is my sig. There are many like it but this one is mine.
    2. Re:Slightly offtopic... by failure-man · · Score: 4, Insightful

      I am a Linux user. Yes, a Firefox exploit will not hose my box. It can certainly hose my ~/ however, possibly stealing data in the process.

    3. Re:Slightly offtopic... by TheLink · · Score: 2, Informative

      Run it using another user. Works under Windows too, even with IE.

      Just most Windows/Linux users don't know that, or do that.

      You need to set up permissions so that your downloads can be accessible (and deletable) from your main account, but that's not too difficult under Windows, and fiddling with some ACLs on Linux. In fact I found it harder to do the permissions thing on Linux.

      The other option is to run it in a virtual machine. The other benefit is firefox/mozilla can't use more RAM than the VM limit ;). I've had Mozilla use 1GB of mem before.

      --
    4. Re:Slightly offtopic... by SeaFox · · Score: 2, Funny
      but why doesn't this story have a "from the ____ department" subheader?

      Taco was going to write "From the Firefox dept." but he wasn't interested in paying trademark licensing fees. Plus there wasn't any place to include the logo, and they cannot be separated!
    5. Re:Slightly offtopic... by Emetophobe · · Score: 2, Informative

      A simple fix would be to use the NoScript extension and just allow javascript on the few trusted sites you visit that require javascript. You can also block java, flash and other plugins with NoScript.

    6. Re:Slightly offtopic... by RockClimbingFool · · Score: 2, Interesting
      Why is it so hard to understand that virus makers do not want to hose the OS? They want their virus package to multiply to other computers, run spyware, steal data, phish out information, etc.

      "Man, that virus didn't break my OS, so I am the roxor!!!" But it stole your identity, charged up your credit cards and ruined your credit rating, all in user space.

  4. Impossible to patch? by Anonymous Coward · · Score: 3, Informative

    What about NoScript? http://www.noscript.net/whats

    1. Re:Impossible to patch? by LaughingCoder · · Score: 4, Informative
      surf there with a locked down browser.
      Or better yet, use a wide open browser inside a virtual machine.
      --
      The more you regulate a company, the worse its products become.
    2. Re:Impossible to patch? by betterunixthanunix · · Score: 4, Interesting

      Which is a perfect solution, in my opinion. QEMU took about 10 minutes to set up, and my Win2K disk image worked fine -- and I can get a copy of it in less than a second. Yes, it takes slightly more CPU time, but that is reasonable. The fact of the matter is that no major software can be 100% secure, but virtual machines provide a way out...unless the VM itself is compromised, but that is far easier to address...

      --
      Palm trees and 8
    3. Re:Impossible to patch? by FLEB · · Score: 2, Interesting

      All you'd really need are three VM disk images-- one for the "insecure", one for the "secure", and one "fresh" copy. Use the "insecure" one for regular browsing. Use the "insecure" one for banking, etc., and copy over the file with the "fresh" one after every session.

      --
      Information wants to be free.
      Entertainment wants to be paid.
      You just want to be cheap.
    4. Re:Impossible to patch? by FLEB · · Score: 2, Informative

      Use the "insecure" one for banking, etc.

      Typo-- use the "secure" one for banking, etc.

      --
      Information wants to be free.
      Entertainment wants to be paid.
      You just want to be cheap.
  5. Recent fixes by grondu · · Score: 4, Interesting

    For the October 1 branch nightly release, these fixes were included:

    #353249 [Core:JavaScript Engine]-(undisclosed security fix) [All]
    #354924 [Core:JavaScript Engine]-(undisclosed security fix) [All]
    #354945 [Core:JavaScript Engine]-(undisclosed security fix) [All]

    I wonder if these are related to the alleged flaws?

    --

    I'm the urban spaceman babe, but here comes the twist... I don't exist

    1. Re:Recent fixes by jesser · · Score: 4, Informative

      No. Those three bugs were holes I found before ToorCon.

      --
      The shareholder is always right.
  6. Good policies will often save you. by failure-man · · Score: 3, Informative

    Noscript is your friend. Been using it for a year or so now.
     
    Yes, whitelisting sites is a pain, but Javascript is a remnant of a more innocent time and should probably be phased out anyway.

    1. Re:Good policies will often save you. by Timesprout · · Score: 3, Insightful

      So we should not use anything that might dent the firefox is perfect myth? Maybe firefox should just fix their javascript implementation just like MS has to when these things arise and the rest of us can get back to enjoying the web.

      --
      Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
      What truth?
      There is no dupe
    2. Re:Good policies will often save you. by failure-man · · Score: 3, Insightful

      Mozilla is better at getting problems fixed and sets better policies than Microsoft, but I'm not convinced that it's written much better than IE.

      Web browsers are, by their very nature, huge targets. Their job is to deal with arbitrary data from all over the damn place. The whole thing should probably be sandboxed, but short of that, it shouldn't be running code from random sites.

    3. Re:Good policies will often save you. by nwbvt · · Score: 2, Insightful

      Well if you want to make it secure, the only real way to fix the javascript implementation is to remove it. Aside from all these vulnerabilities in the browser, problems in web applications like XSS vulnerabilities are all too common. And let's not forget about non-security issues such as memory leaks or endless loops that kill the browser. The plain fact of the matter is, I don't want to execute code from some random website. Just because I trust them enough to read their content does not mean I trust them enough to execute a program on their webpage.

      --
      Mathematics is made of 50 percent formulas, 50 percent proofs, and 50 percent imagination.
    4. Re:Good policies will often save you. by Vexorian · · Score: 2, Insightful

      Do you have any reference to a Mozilla person stating "Firefox is perfect" or "firefox won't ever have any security flaw" ?

      Just don't let random sites use Javascript; you are letting random sites run code on your computer. With or without security flaws, javascript is not going to be safe; it doesn't matter if it is IE, firefox, opera or konqueror.

      And mozilla fixes bugs much faster than MS...

      --

      Copyright infringement is "piracy" in the same way DRM is "consumer rape"
    5. Re:Good policies will often save you. by x2A · · Score: 3, Insightful

      "the only real way to fix the javascript implementation is to remove it"

      No... the only real way to fix it is to leave it there, so you can keep finding and fixing the problems. Removing something doesn't fix it... it removes it and all the functionality that it provides.

      Javascript within the browser should be for accessing and manipulating the DOM, and is extremely useful. Whether you are capable of conceiving of uses for it or not says nothing except for the limit of your own imagination.

      Javascript is an interpreted language, there are absolutely no fundamental reasons why security holes in implementations should exist, other than that programmers can make mistakes. How many security flaws have been found in document viewers, compression/encryption libraries etc, where no code in the data is run at all?

      --
      The revolution will not be televised... but it will have a page on Wikipedia
    6. Re:Good policies will often save you. by Vo0k · · Score: 5, Informative

      Sandboxing the whole thing will help against system takeovers, but not against frauds within the browser - cross site scripting etc.

      Running a sandboxed version of a scripting language within a browser should be pretty harmless if the language was available only in the sandbox and couldn't touch anything outside. Creating separate sandboxes for each website would prevent cross site scripting too.

      The problem is it's impossible with Firefox. It's a very old design decision that is so deep all over the place that nothing short of redesigning and rewriting everything from scratch could help.

      Essentially, Firefox is written in javascript.

      There are underlying frameworks written in C++ and others, the renderer engine etc etc. But the glue that binds all these functions together is Javascript on steroids: XUL files (databases that define the looks of the UI), the XUL renderer, which displays them, and thousands of lines of javascript bound to every single gadget, button, field, box, dialog. This javascript performs all the basic processing and the whole high-level work of the browser program. And it calls system/framework functions to perform the low-level work - which is strictly forbidden for a sandboxed language.

      Developers of Mozilla try to prevent access to all this low-level heavyweight stuff from javascript originating from webpages while allowing it from the system files. Sandbox javascript from one source, run javascript from the other source at full privileges all the time. Can you smell how fragile this is? I'm afraid these exploits will keep popping up. There's no natural barrier of "contained sandbox environment + scripting language" vs "low-level system layer", with no trace of bindings to the system layer within the sandbox, no hook, no crack to exploit by interfacing with the outside. There's an artificial wall which limits "javascript from webpages" and allows "extended javascript from interface", where both sides are essentially the same thing.

      This is the old firewalling problem - policy of "deny all, allow essential" vs "allow all, block dangerous". Except currently there is no easy way to switch from one to the other.

      --
      Anagram("United States of America") == "Dine out, taste a Mac, fries"
    7. Re:Good policies will often save you. by Anonymous Coward · · Score: 2, Interesting
      Essentially, Firefox is written in javascript.
      Which also has a nasty side-effect of having internal functions and properties bleed out to web pages. That, in turn, sometimes leads to "the IE way" and "the Gecko way" codepaths, shunning other browsers.

      One of Opera's employees has an interesting blog in which he explains what he has to do in Opera browser.js patches. There's also a Firefox category, where he occasionally rants about things such as object.prototype.eval, event.originalTarget, etc.

      Even if you're not interested in Opera, check the blog out, there's some really interesting WTF material there in all categories.
  7. Branches? by The+MAZZTer · · Score: 2, Interesting

    I assume this affects the 1.5.x branch, but what about the 2.x branch or the 3.x branch?

  8. All security bugs are zero-day by Zeinfeld · · Score: 5, Insightful
    The term zero-day attack has become meaningless. In the days before there were mechanisms in place for rapidly distributing updates the majority of attacks used by hackers were age-old.

    Today the hackers have to work a bit harder so zero-day attacks are no longer rare. The vast majority of attacks are still from hackers who are reverse engineering the patches and distributing attacks before the patches are implemented.

    If someone reports a new attack against open source code it is by definition unknown before it is reported. Therefore all bug reports with security implications are 'zero-day'.

    What the idiots who released this exploit meant by 'zero day' was that they didn't allow time for the problem to be fixed before releasing the exploit.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  9. Re:Firefox has become IE by failure-man · · Score: 2, Funny

    And if that's not obscure enough, there's always Lynx. ;)

  10. "For the greater good of the Internet" ??? by CharonX · · Score: 4, Insightful

    From the Article
    The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding on to the bugs.

    Jesse Ruderman, a Mozilla security staffer, attended the presentation and was called up on the stage with the two hackers. He attempted to persuade the presenters to responsibly disclose flaws via Mozilla's bug bounty program instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets.

    "I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," Ruderman said.

    The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," Wbeelsoi said.

    First of all, guys, so you refuse to tell us what the bugs are, so we can't fix them, and do this for the "greater good of the internet... setting up communication networks for black hats"? WTF? What does having tens of thousands of additional zombie-machines that could DDoS or send SPAM have to do with the greater good of the internet? I almost hope you try to make money off the bugs (if you even know any more) so you get to know a nice prison cell and "Life without PC"(TM). Honestly, I think those guys are full of it, they probably don't know even one additional vulnerability and just try to show off how "big and powerful" they are.

    --
    +++ MELON MELON MELON +++ Out of Cheese Error +++ redo from start +++
    1. Re:"For the greater good of the Internet" ??? by Ant+P. · · Score: 3, Insightful

      Most black-hats have that scientology mindset. They really do believe their own bullshit, no matter how insane it sounds to real people.

  11. Re:Proof? by Stephen+Samuel · · Score: 5, Insightful
    Yes they did have a live exploit. The complaint is that they didn't even try to give Mozilla foundation an opportunity to patch the bug before they released it to the black-hats (along with the white hats) at the conference.

    The only difference between a zero-day exploit and a normal exploit is whether the person who finds the exploit allows a fix to be crafted before (s)he releases the bug that allows it.

    The main difference between Open Source groups like Mozilla and Microsoft is that (responsible) open source projects will fix potential security bugs whenever they're informed of them and whether or not there is an exploit available, while Microsoft seems to have a habit of holding off on fixing a bug unless the exploit is blatantly obvious and/or there is a proof of concept exploit already in existence (and sometimes even in the wild).

    Given the way that these guys are touting how Firefox is vulnerable because they were able to find a bug that they refused to warn the firefox team about (like that refusal is Firefox's fault) I wouldn't be at all surprised to find that they managed to get some funding (either direct or indirect) from Microsoftl.

    --
    Free Software: Like love, it grows best when given away.
  12. Re:Intersting Spin by RonnyJ · · Score: 2, Informative
    You sure neither of those apply? From the article:

    The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation Saturday night. "What they are describing might be a variation on an old attack," she said. "We're going to do some investigating."

    Snyder said she isn't happy with the disclosure and release of an exploit during the presentation. "It looks like they had enough information in their slide for an attacker to reproduce it," she said. "I think it is unfortunate because it puts users at risk, but that seems to be their goal."

  13. you are deluded by weierstrass · · Score: 4, Insightful

    >I wouldn't be at all surprised to find that they managed to get some funding (either direct or indirect) from Microsoftl[sic].

    complete bullshit and FUD.

    you know nothing about these ppl, they are blackhats, they ruin things for no other reason than to piss ppl off and have a laugh at their expense.

    --
    my password really is 'stinkypants'
    1. Re:you are deluded by causality · · Score: 4, Insightful
      you know nothing about these ppl, they are blackhats, they ruin things for no other reason than to piss ppl off and have a laugh at their expense.

      This is why good security is done in layers. If your sole defense against having your user account, your root account, and possibly even your identity owned by some script kiddie is to depend on the maintainers of $PROGRAM to patch all exploitable flaws in a timely manner, this is what you call putting all of your eggs into one basket. For this, there are things like the Gentoo Hardened Project, which ensure that a mere buffer overflow alone will not grant someone access to your system (of course this is not Gentoo-specific; Gentoo has merely organized such things as PaX and Grsecurity and the toolchain in such a way that it is a relatively simple matter to use the Hardened profile). In my opinion, you're crazy not to take some kind of extra measures like this, if you are going to use a potentially hostile network on a daily basis.

      Ideally, the good people who maintain Firefox can stay on top of the arms race to improve the browser's security as fast as flaws can be found. But the odds are against them -- in order to succeed, they have to find every possible security flaw; the blackhats only need to find the one thing that they missed to have a workable exploit. If you don't like being exploited, then this situation is not good. There is no such thing as absolute security, and no programmer is perfect, but precisely because programmers make mistakes, there are non-executable stacks, random memory addresses, user-space SSP protections, chroot() jail restrictions, and many other measures one can take to ensure that security does not have a single point of failure.
      --
      It is a miracle that curiosity survives formal education. - Einstein
    2. Re:you are deluded by causality · · Score: 2, Informative
      Wouldn't having at least your web browser running under a non-privileged account other than root protect you from buffer overflows being able to damage the system?

      A buffer overflow exploit can allow attackers to gain the same privileges as the user who is running the browser. A regular user account is sufficient to participate in a botnet (including DDoS attacks), become a spam zombie, or become some script kiddie's "warez" fileshare. Consider also that most of your data would be stored in your user's home directory, and you now have a potential identity theft (depending on your habits and whether you use strong encryption). This is not as bad as, say, an Internet Explorer exploit that gives complete "Administrator" access to the entire machine and all accounts on it, but (as you mentioned) it could be followed up by privilege escalation attacks which could then lead to root access.

      To dismiss regular user accounts as unworthy of protection is a big mistake. When discussing remote exploits (as opposed to local security), the user system is more like a form of damage control.
      --
      It is a miracle that curiosity survives formal education. - Einstein
  14. IRC by Anonymous Coward · · Score: 5, Informative

    have you guys heard about the supposed vuln in firefox disclosed at toorcon today?
    <Ryan> "Firefox re-entrant threading"?
    <reed> http://www.toorcon.org/2006/conference.html?id=13
    <Jesse_> yeah, that one
    <reed> Jesse_: Did you go to that particular one?
    <Jesse_> yes
    <Jesse_> i also went up on stage to "debate" "disclosure" with them
    <Jesse_> when i said "debate" "disclosure", i didn't mean the usual "how much time should security researchers give vendors to write and deploy patches before making the holes or exploits public" debate
    <Jesse_> these guys were *against* disclosure
    <Jesse_> preferring to keep the status quo of lots of vulnerabilities, large botnets (so they can be anonymous), etc. or maybe they were joking, it was hard to tell.
    <Jesse_> they claim they can make $10,000 or $20,000 selling a vuln in firefox
    <Jesse_> compared to $500 telling us about it
    <Jesse_> selling to other blackhats, anonymously, using onion networks, of course
    <dveditz> TippingPoint and iDEFENSE will pay up to $10K for IE and probably firefox vulns

    . . .

    <jX> http://news.com.com/Hackers+claim+zero-day+flaw+in+Firefox/2100-1002_3-6121608.html
    <jX> "...what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," How exactly is that for the greater GOOD?
    <dveditz> the black hats crusade for our freedom (and credit cards) against the evil fascist empire
    <dveditz> they *earn* everything they steal by doing all the good they do keeping "the man" from owning the internet

    . . .

    <Jesse_> http://news.com.com/Hackers+claim+zero-day+flaw+in+Firefox/2100-1002_3-6121608.html quotes me out of context in a way that makes it look like i'm trying to bribe them with $500 bug bounties :(
    <zach> Jesse_: they dragged you up on stage during their talk?
    <jX> Jesse_: Yeah, doesn't really make anyone look good, that article..
    <Jesse_> "I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets" is pretty close to the BEGINNING of a sentence i said
    <Jesse_> the REST of the sentence was " or selling them to other blackhats for ten thousand dollars"
    <Jesse_> with the whole sentence, it's clear that i'm hoping they'll change for ethical reasons, and that i'm not trying to bribe them
    <jX> Jesse_: Yeah, but quoting you out of context makes for better copy.
    <zach> Jesse_: did they actually drag you on stage during their talk as the article suggests?
    <Jesse_> zach: they left a lot of time after their slides, and asked me to come up
    <Jesse_> zach: they told me before the talk that they might ask me to come up
    <Jesse_> dveditz: yeah, about 20 minutes before

    1. Re:IRC by RealGrouchy · · Score: 3, Insightful
      So, if a firefox vulnerability is worth $10k, then an IE vulnerability must be worth $100k considering how many more people use it.

      Ah, but supply and demand are two separate variables. IE vulnerabilities are a dime a dozen, are they not?

      - RG>
      --
      Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!
  15. Re:Proof? by LaughingCoder · · Score: 4, Insightful
    Given the way that these guys are touting how Firefox is vulnerable because they were able to find a bug that they refused to warn the firefox team about (like that refusal is Firefox's fault) I wouldn't be at all surprised to find that they managed to get some funding (either direct or indirect) from Microsoftl.
    Or perhaps, being black hat types, they are trying to discredit Firefox because it makes their jobs tougher than IE does. Maybe they want to drive people back to IE.
    --
    The more you regulate a company, the worse its products become.
  16. How Java Script Should Be Handled by TheZorch · · Score: 3, Insightful

    The environment of a browser should be like a virtual machine. The Javascript or JavaApp running in it should be isolated from the rest of the system so that such exploits aren't possible. Mechanisms in the browser could be built in to allow you to still attach files to email in web based email sites which use Javascript while maintaining security.

    --
    Michael "TheZorch" Haney
    thezorch@gmail.com
    http://thezorch.googlepages.com/home
    1. Re:How Java Script Should Be Handled by TwilightSentry · · Score: 2, Informative

      It is, in just about every browser except IE (Well, okay, it seems to be there in IE7, but time will tell if it's garbage). The problem is that no code is perfect; a seemingly benign function can have, for example, a buffer overflow that allows some JS to insert code into the browser and have it run...

      --
      How to enable garbage collection on a system without protected memory: #define malloc() ((void *) rand())
  17. I don't ask for trouble by Gyarados · · Score: 2, Insightful

    You couldn't "commander" my computer unless I gave my web browser administrator privileges, and why would anyone do such a foolish thing? Heh.

  18. Re:Proof? by tomhudson · · Score: 4, Informative

    Yes they did have a live exploit.

    No, they didn't have a live exploit. The original article is here http://news.zdnet.com/2100-1009_22-6121608.html, not the site linked to by slashdot.

    All they had was a video ... no code to display.

    So, maybe they do, maybe they don't ... but you can't tell just from a video.

    The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation Saturday night.

    Also, what sort of drugs do you have to be on to name your kid "Window"? Brings to mind Frank Zappa naming his kid "Moon Unit".

  19. Re:All Your Base Are Belong To Them by frank_adrian314159 · · Score: 2, Insightful
    "It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats..."

    If I were them, I'd stay away from the US. We can now use torture to get information about the other 30 exploits. Actually, if I were them, I'd also be looking over my shoulder frequently, as we can use kidnapping and special rendition, too. You know that "black hat" is just a code word for cyber-terrorist!

    --
    That is all.
  20. Re:Proof? by Vexorian · · Score: 2

    Did you ever try to code a big project?

    --

    Copyright infringement is "piracy" in the same way DRM is "consumer rape"
  21. Re:Javascript is the security problem by shawn443 · · Score: 3, Funny

    I am not a javascript hater, it is very useful. The fact that you can transfer some of the processing to the client is a very valuable thing in my book. Considering most forms are validated at the client level I wonder how you define correctly coded web sites working 100%. I suppose however there isn't anything stopping a server from validating if the client refuses, it just means twice the coding. I just got done with a hand rolled image gallery using javascript, if you want to download every thumbnail or see just a collection of links that is fine. I recently implemented AuthCookieDBI for session based authentication. Rather than my server worrying about the headers and directing to the appropriate user section, I named the client folders after the user name. With just onblur and getElementById the client appends and passes all the information I need. I think if most users disabled javascript my work would be much harder and their experience would be less enjoyable. As far as the security issues, I think after time we will see those steadily evaporate. Right now I feel comfortable enough to risk having it on.

  22. Selling bugs to the highest bidder by louarnkoz · · Score: 4, Insightful
    The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," Wbeelsoi said.

    Yeah, right. What they are really saying is, why give away a bug for $500 when we can sell it for much more on the black market?

    In fact, the public advertisement of a "zero day exploit" makes a lot of sense if you want to establish yourself as a seller of other undisclosed exploits. Publishing the exploit is a gambit. You will lose the exploit as soon as it gets fixed, but you get your name in the trade press, on Slashdot, etc. Doing so, you establish credibility as a merchant of malware. You can set up shop, and advertise 30 other previously undisclosed bugs. Now, the botnet herders, spammers and other DDOS extortionists know where to buy a new exploit if they need one.

    1. Re:Selling bugs to the highest bidder by jesser · · Score: 3, Informative

      Yeah, right. What they are really saying is, why give away a bug for $500 when we can sell it for much more on the black market?

      If CNET hadn't cut off my quote mid-sentence, it would have been clear that that was what I was (jokingly) saying too. I was not trying to bribe them. I was trying to say that I hoped they would change their minds and report the holes to Mozilla despite the fact that they (claimed they) could make much more money exploiting the holes or selling information about the vulnerabilities on the black market.

      --
      The shareholder is always right.
  23. Terrorist Actions?? At least Criminal by doublem · · Score: 2, Insightful

    You know, there are folks out there who would call what these hackers are doing an act of terrorism.

    They are deliberately creating a network for criminals to use for communication purposes, and doing so by stealing computing power from others.

    It's theft, it's immoral and these jackasses should, at the very least be locked up on conspiracy charges.

    The egotistical little bastards do NOT have the right to commandeer my computer for some kind of secret club for pimply faced assholes to trade exploits and horse porn.

    --
    "Live Free or Die." Don't like it? Then keep out of the USA
  24. Bastards. by Grendel+Drago · · Score: 3, Insightful
    but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats,
    What does that even mean? I've read it a dozen times now, and I still can't tell what he's saying.

    The only thing they're doing by holding onto the security bugs is making the internet a more dangerous place. Yes, Firefox should have been written better in the first place. Yes, the security team should have found these already. No, none of that justifies the childish actions they're taking now.

    Or perhaps they're just talking smack, trying to look like big bad grayhats because they found a single flaw. I'd like to think that.
    --
    Laws do not persuade just because they threaten. --Seneca
  25. Re:All Your Base Are Belong To Them by John+Hasler · · Score: 2, Insightful

    And "sending a couple of guys over" is what thugs do.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  26. One of these guys works for SixApart by Anonymous Coward · · Score: 5, Interesting

    Wonder how the management at SixApart feels about having a black hat work for them who brazenly scoffs at the notion of responsible full-disclosure and releases a 0-day exploit to the public. Sort of answers the question in an earlier Slashdot post about whether companies should hire blackhats to work for them. In this case, the answer is a resounding NO. SixApart should fire this guy's ass immediately.

    1. Re:One of these guys works for SixApart by dorkygeek · · Score: 5, Insightful
      [...] Spiegelmock, who in everyday life works at blog company SixApart.

      This guy is simply a liability for SixApart, and should get fired immediately. Imagine what could happen if he manages to get the exploit code for this or one of the other 30 exploits they claim to have discovered into one of SixApart's blogging tools.

      But what do we know, maybe they have already done so. Judging from their strange "for the greater good" beliefs, I wouldn't be surprised about it. I sure as hell won't advise anyone to use any of their products until they've reviewed their code to make sure it doesn't sport one of Spiegelmock's toys.

      --
      Windows is like decaf - it tastes like the real thing, but it won't get you through the day.
  27. The real story by augustz · · Score: 4, Informative

    To be clear:

    Firefox had a build switch that allowed folks to build it without branding (and do whatever they wanted to it) or build it with branding (and follow Mozilla's rules to create a consistent user experience).

    Debian devs took that build switch and broke it, so that everyone wanting to modify or adjust the Debian Firefox packages would have to go through and hand edit out Firefox if they wanted to remove branding. They then packaged this broken thing up, and still called it Firefox.

    Mozilla said that was bogus, and they were right. Having that build switch makes it easier for folks to make changes to the package without worrying about branding. Redhat and others do exactly this with artwork/branding packages. We are ALL better off if such easy build time switches are available.

    I've been around a while, but the Debian developers are way out of line here.... You can't create some crazy messed up Debian distro and call it Debian, you can't create a crazy Red Hat distro and call it Red Hat, so why is Firefox getting all this heat? The amount of fuss they are creating is bogus and disappointing. I read through the snide commentary and it really is depressing. Even the Mozilla Foundation suggests that a non-branded version of Firefox would work better for them.

    1. Re:The real story by thebluesgnr · · Score: 4, Informative

      That's not the real story. In fact it's a bogus story that omits a very important detail, which is that Debian had permission from Mozilla (Gervase Markham) to use the Firefox branding the way they were using it. See the bug report for the real story: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=354622

  28. No-Script by Ice+Wewe · · Score: 5, Informative
    ...An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code...

    Which is why it's smart to run NoScript, a Firefox extension that blocks the execution of any scripts on a webpage without user consent. So, if you're tired of JavaScript taking over your Firefox, get NoScript.

    https://addons.mozilla.org/firefox/722/

  29. Re:Proof? by init100 · · Score: 2, Funny

    What the fuck does Microsoft have to do with this?

    Because as everyone knows, Microsoft is evil, and thus they must be behind this. :)

  30. Re:"Non-disclosure is a heroic endeavor. Be a hero by noamsml · · Score: 3, Insightful
    What an eloquent, well spoken bunch of bullshit.

    Breaking into people's personal computers is every bit as romantic as shooting someone in the face. The fact of the matter is that an arbitrary execution flaw will not be used to free up the flow of information, except for the flow of information about p3n1s p1lls onto every fresh patch of the `net, always provided to us graciously by zombie machines.

    You want to wake up? Here's some up-waking for you: Hacking isn't about allowing "free speech" on the internet (which already exists), it's about getting big money from underground Mafias. These people aren't disclosing the flaws to Mozilla's bug bounty program simply because they think they can make more than $500 via spyware and virii.

  31. we will never have browser security... by Anonymous Coward · · Score: 2, Insightful

    ...until we boycott and shun enough JavaScript and ActiveX and any other 'active', "we will slam unknown code on you from the web until you submit totally" site out there.

    There is no fix for this. NONE.

    You either accept executables on web pages and assume the bulk of the websites out there will all use them (and it is getting that way now), or you don't.

    We will either have a secure web, or an active web; you cannot have both.

    Automated code generating tools will eventually force *multiple 0 day hacks on browsers*, possibly into the hundreds or thousands. You literally won't be able to keep up with the multitude of "emergency patches" required, and it comes from a couple of things primarily: buffer overflows and active scripting, no matter the name of the script.

    You cannot make JavaScript secure because of this "feature": it is *designed* to be an executable. Same with all the other looping zooming call this and bring down that AJAX candy and whatnot shyte. And you won't get them to stop coding it until they are LIABLE FOR DAMAGES and are forced to offer consumer warranties on released code that is designed to surf the open internet, and I don't care which operating system or license you might care about either; code needs a warranty with it to make it suitable for purposes, just like every other CORPORATION has to offer with their PRODUCT. Once they are liable, they will stop coding crap using junk like JavaScript. MS is a corporation that wants to make money; Mozilla, the same now; Opera, the same; Apple, the same. That's where the bulk of the browsers used on the web come from, 99% or better. For-profit corporations, they need to be forced to offer a warranty, simple as that. Once that happens, the pressure will then switch bigtime from those companies literally saying they will not recommend their users go to pages that aren't blessed by no bad code; it will force the web designers to stop using crap that makes people vulnerable and that you are forced to use if you want to surf normally.

    Saying you can "turn off JavaScript" or use some patch hack is not a solution; that is just pure crap now and everyone knows it, and it never will be. There are too many sites now that require it, and the sites themselves are vulnerable to getting pwned because they use insecure active scripting directly on their web pages. See how this will never be fixable as it stands now?

    There needs to be a complete revolution about this, a complete admission that the web has gone off course into mega-stupid-land in favor of blinking crap and eyecandy.

    And before the first idiot troll reactionary numbnut claims that JS can be made secure: show us that code! Show us that exact magic code you have written in your uberleetness that will make all JS be secure, something every webmaster can go slap on right now and get rid of JS insecurity! Go ahead, you'll be rich!

  32. Re: Retarded moderation by fyngyrz · · Score: 2, Insightful

    The problems are we can't mod moderations "retarded"; and moderation is secret. These have always been serious slashdot problems. Metamoderation is out of context (and extremely inconvenient to put into context... you know more about the thread when you're reading it than you do when you're metamoderating.)

    Slashdot improvement ideas (other than cosmetic) here.

    --
    I've fallen off your lawn, and I can't get up.
  33. "sandbox" is a pathetic rationalization here by Anonymous Coward · · Score: 3, Insightful
    How can we be elitist now? Easy. I run Firefox on Linux. No problem here. Hijack my browser all you want, you're sandboxed. This is still only an issue with Firefox running on Windows. Which again is an issue with the security of Windows.
    Your comment is so wrong on so many levels, it's difficult to know where to start correcting you. Let's start here, though: Do you ever enter secret information like user ids and passwords using your browser? Do you do any banking or investing online? How good does your sandbox sound now? Most people use their browser to do just those sorts of things, relying on no more than passwords for authentication, and the "you're sandboxed" argument is nothing but poorly thought out rationalization when it comes to a compromised browser, since the browser can now collect those passwords and give them to an attacker. Oh, now I suppose you're going to start rationalizing that it's the fault of websites that only rely on single-factor authentication if their users' accounts are compromised. Instead of trying to pass the buck, why don't you be honest and thoughtful? It's just this sort of half-baked analysis you've done that causes problems when it comes to security.

    It should also be pointed out that Windows can run a browser from a sandbox, too. Just like Linux, privilege escalation exploits aren't uncommon. And just like Linux, a compromised browser is a major problem.
  34. Redmond's response by Anonymous Coward · · Score: 5, Funny

    Determined not to be upstaged by the Mozilla developers, now that Firefox has a 0 day exploit too, Microsoft's IE team has announced that they've started working on technology that will allow their browser to have -1 day exploits.

  35. One thing in life... by NoMercy · · Score: 2, Insightful

    There'll always be Idiots and Jerks, these two are the unfortunately not so rare combination of both. All in all, nothing to see here, go home.

    Oh, and since everyone's recommended NoScript, I'd also recommend firewall tools like Sunbelt Kerio Personal Firewall (KPF), which can be configured to pop up a box every time your system attempts to run a program, very handy to stop any spyware/adware/anything you don't want loading on your system.

  36. Re:Back on topic... by symbolic · · Score: 4, Informative

    This exploit (or one similar) was mentioned in an episode of Security Now (about 3 weeks ago, I think). A potential solution was to install a plugin called NoScript, which allows the user to enable JavaScript on a per-site basis. I've used it since I heard about it, and I believe it can play a major role in preventing the execution of any rogue JavaScript.

  37. Re:Proof? by jlarocco · · Score: 4, Insightful
    Yes they did have a live exploit. The complaint is that they didn't even try to give the Mozilla Foundation an opportunity to patch the bug before they released it to the black hats (along with the white hats) at the conference.

    Welcome to real life. Firefox is getting large enough to be a target. And when a piece of software is a target, people aren't going to just file a bug report when they find an exploitable bug. Look at Windows/IE. Every time you hear about a new exploit on Windows/IE, it's because it's being exploited. It'd be nice if they filed a bug report first, but you definitely can't expect it. They're black hats for a reason, you know.

    Given the way that these guys are touting how Firefox is vulnerable because they were able to find a bug that they refused to warn the Firefox team about (like that refusal is Firefox's fault) I wouldn't be at all surprised to find that they managed to get some funding (either direct or indirect) from Microsoft.

    That is the most ridiculous thing I've heard all week. Black hat hackers release exploits all the time without warning the software's creator. The fact you think Microsoft is involved says a lot more about you being a Firefox fanboy than anything else. Get a clue.

  38. So I wrote to SixApart by Anonymous Coward · · Score: 5, Insightful

    Maybe you want to as well? This is absolutely retarded behavior.

    From: [me]
    Subject: Responsible disclosure and reckless behavior
    Date: 1 October 2006 14.23.23 GMT-04:00
    To: mena@sixapart.com, ben@sixapart.com, brad@danga.com
    Cc: mischa@sixapart.com

    Hello,

    I read this article on ZDNet describing how your employee Mischa Spiegelmock found and revealed a zero-day Firefox flaw:

    http://news.zdnet.com/2100-1009_22-6121608.html

    Mischa and his co-researcher Wbeelsoi refuse to reveal specific details on the flaw--or 30 others they found--to the Mozilla Foundation:

    "The two hackers laughed off the comment. 'It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats,' Wbeelsoi said."

    Considering LiveJournal's recent security flaws causing everyone to change their passwords due to browser-based flaws, do you really want someone working for you who makes the problem worse? To be sure, there is merit to the argument that revealing the flaws would allow Mozilla to continue to use a badly buggy implementation; however, there seems to be more to this.

    From Firefox's IRC channel, some dialogue from Jesse Ruderman of the Mozilla Foundation, who attended (via Slashdot: http://it.slashdot.org/comments.pl?sid=198519&cid=16265621 )

    " they claim they can make $10,000 or $20,000 selling a vuln in firefox
      compared to $500 telling us about it
      selling to other blackhats, anonymously, using onion networks, of course"

    Is one of your employees looking to profit off vulnerabilities in Firefox? With the large number of huge enterprises using TypePad and SixApart software, do you really want to risk him embedding JavaScript code to activate this flaw in your products? If he's saving these flaws to profit from them, what's to say he won't look for the bigger payouts of actively punching holes in your products?

    That's unlikely--but more likely is that your customers will hear about this and refuse to do business with you because you have an employee who is actively seeking to make the Internet a more dangerous place.

    If I misunderstood anything in these articles, I apologize completely. However, what was described in the article was so outrageous that I had to write.

    Best regards,
    [me]

  39. Correct me if I'm wrong... by patio11 · · Score: 2, Insightful

    ... but a compromised virtual machine can still operate a bot and spam the heck out of anybody it pleases, as well as capture any passwords you may type in and mail them back complete with appropriate URLs for your bank site, for as long as you keep the VM session running. Either of these strikes me as a good enough reason to not trust my security wholly to the VM, unless the VM has an *extremely* fine-grained permissions model. And I wouldn't want to have to be the guy who wrote that permissions model.

  40. Re:Open source is more vulnerable to 0days by _Sprocket_ · · Score: 2, Insightful
    One point is being missed here: how did they find these 0days? It's easy - they just study the source code and find flaws.

    This is the other side of the "many eyes make bugs shallow" coin: many eyes make exploits shallow too. If your bad guys are more motivated than your good guys to find exploitable bugs (and why not, if they're worth $10K each!), open source can be inherently less secure than closed source.


    Bigger names than yours have made the same claims in bigger forums than Slashdot. The idea is far from being novel. And it is far from being accepted as a complete truth.

    Sure - source code does make bug hunting easier. It is reasonable to expect that access to source code would provide a useful tool for development of an exploit. But such access is far from required. Exploits for proprietary, closed source applications have and continue to be developed. And they are every bit as effective as ones developed with aid of access to source code. This doesn't even consider the bugaboo of having your source code "stolen" - a PR nightmare that a couple major names in the IT industry had to face not so long ago.

    It's just good that Firefox has only 10% of the market. If it ever goes over 50% we're in for a security nightmare.


    And we've also heard this time and time again. It will be interesting to see how it pans out. One thing to consider is that Firefox is not the only Open Source application to ever go under scrutiny. However, that may be a bit of apples-and-oranges as Firefox does represent a different type of application. The best one can do is look at the numbers today and make some judgements on the future. Firefox shouldn't be considered a silver bullet. But its track record isn't that bad.
  41. Re:Terrorist Actions?? At least Criminal by mrogers · · Score: 2, Informative
    You know, there are folks out there who would call what these hackers are doing an act of terrorism.

    In the UK, interfering with any electronic system for political purposes is defined as terrorism. The same definition of terrorism is used in a more recent law that criminalises speech that glorifies terrorism.

    Of course, that says more about the abuse of the word "terrorism" than it does about the morality of withholding exploits.

  42. IE vs. Firefox by Sinbios · · Score: 2, Insightful
    --
    Anyone can "stand up for what they believe", but it takes a very brave individual to change what they believe. - Loundry
  43. Re:Open source is more vulnerable to 0days by dvice_null · · Score: 2, Insightful

    > It's just good that Firefox has only 10% of the market. If it ever goes over 50% we're in for a security nightmare.

    Apache has more than 50% on the http-server markets. Care to tell us why it isn't a security nightmare?

  44. Too bad JavaScript is THE WORST language by SimHacker · · Score: 2, Informative

    That's too bad about FireFox being essentially written in JavaScript. SpiderMonkey, the JavaScript interpreter in Firefox, is BY FAR the worst programming language (in terms of speed and memory use) of them all, according to the Computer Language Shoot Out.

    When you compare all the languages on CPU time, SpiderMonkey JavaScript is twice as slow as the second worst, Ruby.

    When you compare all the languages on memory usage, SpiderMonkey is 1.7 times as bloated as the second worst, Smalltalk Visual Works.

    When you compare all the languages on CPU time AND memory usage, SpiderMonkey is 2.1 times as bad as the second worst, Smalltalk GST.

    Firefox would be much better off using Lua, which is much easier to integrate with C code than SpiderMonkey's nightmare sausage factory, much faster, much smaller, and a vastly better language design. The fact is, that good language design has a huge effect on speed and memory usage -- you can't just stick your head in the sand and pretend good language design isn't important, like the PHP and JavaScript designers originally did and still do. Bad design paints your bad implementation into a bad corner, and there it stays.

    Here's how Lua and SpiderMonkey JavaScript stack up against each other. Lua TOTALLY smokes JavaScript, in every category, by a long shot. It's not even funny -- it's tragic. Face it: JavaScript is not only a horribly designed language, but SpiderMonkey is also a horrible implementation of that horribly designed language. So it's no surprise that SpiderMonkey has always had gaping security holes, to complement its horribly slow speed and extremely huge size.

    Lua x times better than SpiderMonkey JavaScript
    binary-trees: 2.9 x faster, 6.6 x smaller
    cheap-concurrency: No SpiderMonkey
    fannkuch: 3.8 x faster, 1.2 x smaller
    fasta: 8.2 x faster, 13.9 x smaller
    k-nucleotide: 3.7 x faster, 10.0 x smaller
    n-body: 6.3 x faster, 77 x smaller
    nsieve: 7.8 x faster, 2.0 x smaller
    nsieve-bits: 2.3 x faster, 29 x smaller
    partial-sums: 7.0 x faster, 80 x smaller
    recursive: 2.9 x faster, n/a3
    regex-dna: 1.9 x faster, 5.3 x smaller
    reverse-complement: 8.0 x faster, 5.8 x smaller
    spectral-norm: 6.2 x faster, 71 x smaller
    startup: 1.2 x slower, 1.1 x smaller
    sum-file: 5.3 x faster, 21 x smaller

    -Don

    --
    Take a look and feel free: http://www.PieMenu.com
  45. a lot of ignorant nonsense by sentientbrendan · · Score: 2, Interesting

    Javascript is not inherently insecure any more than java is, or flash is.

    If the operations that JavaScript can perform are properly restricted (which they pretty much already are) and the implementation is properly sandboxed (which apparently it isn't right now on Firefox) then you can run an arbitrary JavaScript program without consequences.

    JavaScript is important to many companies' business models, and if you haven't noticed already, the web has moved to using *more* JavaScript lately, not less. People use JavaScript to deploy fairly thick clients, to asynchronously update a page without postbacks. Some web toolkits don't even render most HTML on the server, but send data to the client, and let the client handle display.

    The bottom line is that businesses now widely use the web to distribute *applications* in a way that they used thin clients to distribute applications in the past. For them, the web is the new x forwarding. Using browsers sans javascript is not an option for them, so it is not going to happen.

    What really needs to happen is better sandboxing. Also, sandboxing has to go further than it has in the past. One problem that JavaScript has is that it can use up a lot of processor time, and effectively bring the system to a halt, or at least cause usability problems in other applications. Browsers need to regulate the CPU and memory resources that JavaScript can use better to ensure that this doesn't happen.

  46. False by augustz · · Score: 2, Informative
    I've read the entire bug. I've read the email thread. It is important to have the full context of this on the record. The claim you state as a fact, that "Debian had permission from Mozilla to use the Firefox branding the way they were using it", is disputed. In fact, a careful read of the bug and associated email threads will show that it is a very weak claim.

    Here is a quote from an email from Mozilla that captures this nicely:


    At no time was any irrevocable and/or condition-free usage of the
    trademark granted. Nor do I see anything about just using the name
    and not the artwork ... One of the last things I see in the June
    thread was this quote:

    "So I believe
    my best option is to ignore the trademark policy altogether and have
    the Mozilla Foundation tell us when they want us to stop using their
    marks. Now I originally said we shouldn't do this, but it does have
    certain advantages. First of all, I think we can ignore the trademark
    policy because it is only a policy, is not distributed with the
    software (although having said that, that might change) and it is my
    understanding that in most jurisdictions the trademark holder has to
    police use of their trademark anyway."

    In that light, you should consider this, as I previously said, notice
    that your usage of the trademark is not permitted in this way, and we
    are expecting a resolution. If your choice is to cease usage of the
    trademark rather than bend the DFSG a little, that is your decision
    to make.


    A couple things are important here. First, does that look like things were agreed to on a license grant? I read this as debian deciding to ignore the policy. Second, does debian have the right to sublicense their supposed grant to avoid the artwork and change the packages to other groups who want to use firefox? I doubt it, even under the debian interpretation of a grant. So you've broken the DFSG with the community who would use debian, and is going to be stuck tearing out references to firefox by hand now if they want to create works based on debian.

    The choices here seem pretty clear. Fight a legal fight (that despite your "fact" you are likely to lose because you expressly state you are going to ignore the policy), or make a small and simple change that will avoid the whole issue altogether.

    This is a losing debate I think for Debian, because regardless of what legal technicalities you try to hang your hat on, you are going to find little support for your actions, because almost EVERY open source project actively discourages your type of activity, which is stripping visual identity, changing packages, but keeping a trademarked name. I suspect Debian would take the SAME position with others creating versions of Debian and calling them Debian.

    Why then fight so hard to do something that you would make a stink about elsewhere, even if you think you can get away with it, especially given how very weak the case is to someone who has actually read the entire bug and entire email thread.

    It seems time could be better spent on other things.