Hackers claim zero-day flaw in Firefox

An anonymous reader writes "The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon. An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here."

Moo

[Chacham]

In response, Mozilla Corporation has stated that since the hackers did not submit the hack for verification, and they may not call it a "FireFox" hack, in compliance with their Trademark policy. Further, if anyone did take over a browser with this hack, they would have to change the icon or face vague threats.

The hackers plan to release the next version of the hack under the name IceWeasel Hack, while grumbling about backports. Debian developers have been debating whether they should include the hack in Etch or not.

Re:Oink

[BeeBeard]

(sarcasm) Yes, our only hope is that Debian developers can patch the hole in time! (end sarcasm)

All security bugs are zero-day

[Zeinfeld]

The term zero-day attack has become meaningless. In the days before there were mechanisms in place for rapidly distributing updates the majority of attacks used by hackers were age-old.

Today the hackers have to work a bit harder so zero-day attacks are no longer rare. The vast majority of attacks are still from hackers who are reverse engineering the patches and distributing attacks before the patches are implemented.

If someone reports a new attack against open source code it is by definition unknown before it is reported. Therefore all bug reports with security implications are 'zero-day'.

What the idiots who released this exploit mean by 'zero day' was that they didn't allow time for the problem to be fixed before releasing the exploit.

Re:Proof?

[Stephen+Samuel]

Yes they did have a live exploit. The complaint is that they didn't even try to give Mozilla foundation an opportunity to patch the bug before the released it to the black-hats (along with the white hats) at the conference.

The only difference between a zero-day exploit and a normal exploit is whether the person who finds the exploit allows a fix to be crafted before (s)he releases the bug that allows it.

The main difference between Open Source groups like Mozilla and Microsoft is that (responsible) open source projects will fix potential security bugs whenever they're informed of them and whether or not there is an exploit available, while Microsoft seems to have a habit of holding off on fixing a bug unless the exploit is blatently obvious and/or there is an proof of concept exploit already in existence (and sometimes even in the wild).

Given the way that these guys are touting how Firefox is vulnerable because they were able to find a bug that they refused to warn the firefox team about (like that refusal is Firefox's fault) I wouldn't be at all surprised to find that they managed to get some funding (either direct or indirect) from Microsoftl.

IRC

have you guys heard about the supposed vuln in firefox disclosed at toorcon today?
<Ryan> "Firefox re-entrant threading"?
<reed> http://www.toorcon.org/2006/conference.html?id=13
<Jesse_> yeah, that one
<reed> Jesse_: Did you go to that particular one?
<Jesse_> yes
<Jesse_> i also went up on stage to "debate" "disclosure" with them
<Jesse_> when i said "debate" "disclosure", i didn't mean the usual "how much time should security researchers give vendors to write and deploy patches before making the holes or exploits public" debate
<Jesse_> these guys were *against* disclosure
<Jesse_> preferring to keep the status quo of lots of vulnerabilities, large botnets (so they can be anonymous), etc. or maybe they were joking, it was hard to tell.
<Jesse_> they claim they can make $10,000 or $20,000 selling a vuln in firefox
<Jesse_> compared to $500 telling us about it
<Jesse_> selling to other blackhats, anonymously, using onion networks, of course
<dveditz> TippingPoint and iDEFENSE will pay up to $10K for IE and probably firefox vulns

. . .

<jX> http://news.com.com/Hackers+claim+zero-day+flaw+in +Firefox/2100-1002_3-6121608.html
<jX> "...what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," How exactly is that for the greater GOOD?
<dveditz> the black hats crusade for our freedom (and credit cards) against the evil fascist empire
<dveditz> they *earn* everything they steal by doing all the good they do keeping "the man" from owning the internet

. . .

<Jesse_> http://news.com.com/Hackers+claim+zero-day+flaw+in +Firefox/2100-1002_3-6121608.html quotes me out of context in a way that makes it look like i'm trying to bribe them with $500 bug bounties :(
<zach> Jesse_: they dragged you up on stage during their talk?
<jX> Jesse_: Yeah, doesn't reallyt make anyone look good, that article..
<Jesse_> "I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets" is pretty close to the BEGINNING of a sentence i said
<Jesse_> the REST of the sentence was " or selling them to other blackhats for ten thousand dollars"
<Jesse_> with the whole sentence, it's clear that i'm hoping they'll change for ethical reasons, and that i'm not trying to bribe them
<jX> Jesse_: Yeah, but quoting you out of context makes for better copy.
<zach> Jesse_: did they actually drag you on stage during their talk as the article suggusts?
<Jesse_> zach: they left a lot of time after their slides, and asked me to come up
<Jesse_> zach: they told me before the talk that they might ask me to come up
<Jesse_> dveditz: yeah, about 20 minutes before

Re:Good policies will often save you.

[Vo0k]

Sandboxing the whole thing will help against system takeovers, but not against frauds within the browser - cross site scripting etc.

Running a sandboxed version of a scripting language within a browser should be pretty harmless if the language was available only in the sandbox and couldn't touch anything outside. Creating separate sandboxes for each website would prevent cross site scripting too.

The problem is it's impossible with Firefox. It's a very old design decision that is so deep all over the place that nothing short of redesigning and rewriting everything from scratch could help.

Essentially, Firefox is written in javascript.

There are underlying frameworks written in C++ and others, the renderer engine etc etc. But the glue that binds all these functions together is Javascript on steroids. XUL files-databases that define the looks of the UI, XUL renderer, which displays them, and thousands of lines of javascript bound to every single gadget, button, field, box, dialog. This javascript performs all the basic processing and the whole high-level work of the browser program. And it calls system/framework functions to perform the low-level work - which is strictly forbidden for a sandboxed language.

Developers of Mozilla try to prevent access to all this low-level heavyweight stuff from javascript originating from webpages while allowing it from the system files. Sandbox javascript from one source, run javascript from the other source at full privledges all the time. Can you smell how fragile this is? I'm afraid these exploits will keep popping up. There's no natural barrier of "contained sandbox environment + scripting language" vs "low-level system layer", with no trace of bindings to the system layer within the sandbox, no hook, no crack to exploit by interfacing with the outside. There's an artificial wall which limits "javascript from webpages" and allows "extended javascript from interface", where both sides are essentially the same thing.

This is the old firewalling problem - policy of "deny all, allow essential" vs "allow all, block dangerous". Except currently there is no easy way to switch from one to the other.

One of these guys works for SixApart

Wonder how the management at SixApart feels about a having a black hat work for them who brazenly scoffs at the notion of responsible full-disclosure and releases a 0-day exploit to the public. Sort of answers the question in an earlier Slashdot post about whether companies should hire blackhats to work for them. In this case, the answer is a resounding NO. SixApart should fire this guy's ass immediately.

Re:One of these guys works for SixApart

[dorkygeek]

[...] Spiegelmock, who in everyday life works at blog company SixApart.

This guy is simply a liability for SixApart, and should get fired immediately. Imagine what could happen if he manages to get the exploit code for this or one of the other 30 exploits they claim to have discovered into one of SixApart's blogging tools.

But what do we know, maybe they have already done so. Judging from their strange "for the greater good" believes, I wouldn't be surprised about it. I sure as hell wont advise anyone to use any of their products until they've reviewed their code to make sure it doesn't sport one of Spiegelmock's toys.

No-Script

[Ice+Wewe]

...An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code...

Which is why it's smart to run NoScript. A Firefox extention that blocks the execution of any scripts on a webpage without user concent. So, if you're tired of Javascript taking over your Firefox, get NoScript.

https://addons.mozilla.org/firefox/722/

Redmond's response

Determined not to be upstaged by the Mozilla developers, now that Firefox has a 0 day exploit too, Microsoft's IE team has announced that they've started working on technology that will allow their browser to have -1 day exploits.

So I wrote to SixApart

Maybe you want to as well? This is absolutely retarded behavior.

From: [me]
Subject: Responsible disclosure and wreckless behavior
Date: 1 October 2006 14.23.23 GMT-04:00
To: mena@sixapart.com, ben@sixapart.com, brad@danga.com
Cc: mischa@sixapart.com

Hello,

I read this article on ZDNet describing how your employee Mischa Spiegelmock found and revealed a zero-day Firefox flaw:

http://news.zdnet.com/2100-1009_22-6121608.html

Mischa and his co-researcher Wbeelsoi refuse to reveal specific details on the flaw--or 30 others they found--to the Mozilla Foundation:

"The two hackers laughed off the comment. 'It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats, Wbeelsoi said."

Considering LiveJournal's recent security flaws causing everyone to change their passwords due to browser-based flaws, do you really want someone working for you who makes the problem worse? To be sure, there is merit to the argument that revealing the flaws would allow Mozilla to continue to use a badly buggy implementation; however, there seems to be more to this.

From FireFox's IRC channel, some dialogue from Jesse Ruderman of the Mozilla foundation, who attended (via Slashdot: http://it.slashdot.org/comments.pl?sid=198519&cid= 16265621 )

" they claim they can make $10,000 or $20,000 selling a vuln in firefox
  compared to $500 telling us about it
  selling to other blackhats, anonymously, using onion networks, of course"

Is one of your employees looking to profit of vulnerabilities in Firefox? With the large number of huge enterprises using TypePad and SixApart software, do you really want to risk him embedding JavaScript code to activate this flaw in your products? If he's saving these flaws to profit from them, what's to say he won't look for the bigger payouts of actively punching holes in your products?

That's unlikely--but more likely is that your customers will hear about this and refuse to do business with you because you have an employee who is actively seeking to make the Internet a more dangerous place.

If I misunderstood anything in these articles, I apologize completely. However, what was described in the article was so outrageous that I had to write.

Best regards,
[me]