Slashdot Mirror


Vulnerability In Firefox Popup Blocker

cj writes in with news of a vulnerability in Firefox's stock popup blocker discovered by Michal Zalewski. The vulnerability can allow a malicious user to read files from an affected system. The attacker would "need to plant a predictably named file with exploit code on the target system. This sounds hard, but isn't," according to the article.


  1. Anyone knows if the 2.x tree is vulnerable too? by A+beautiful+mind · · Score: 5, Informative
    From TFA:

    Vulnerable Systems:
    * Firefox version 1.5.0.9
    Can anyone test?
    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
    1. Re:Anyone knows if the 2.x tree is vulnerable too? by Tony+Hoyle · · Score: 2, Interesting

      Is anyone still running 1.5.0? I thought the auto upgrade had handled that months ago.

    2. Re:Anyone knows if the 2.x tree is vulnerable too? by Richard_at_work · · Score: 2, Informative

      I'm using 1.5.0.9 at the moment; no 2.0 upgrade was ever pushed out to me, and checking now manually shows no updates waiting.

    3. Re:Anyone knows if the 2.x tree is vulnerable too? by Tony+Hoyle · · Score: 5, Insightful

      Can anyone test?

      Nope, because no example exploit is given and the means of exploitation looks rather unlikely:

      "To create a popup warning, a script embedded on the page calls: window.open('file:///c:/windows/temp/xxxxxxx.htm', 'new2',''),

      with a name calculated by repeating a procedure implemented in SetUpTempFile() with a seed calculated by the server based on reported system time (p2.html?time)."

      1. It assumes that the temp file is c:/windows/temp. It isn't, unless you're running Windows 95, and only then if you've not changed it from default. That's the *system* default temp directory. The *user* temp directory is inside local settings in the user-specific area (much harder to find out remotely; maybe not impossible, but you'd have to get lucky, since it's not just the username as the directory name, it has things like .000 after it).
      2. Calculating the seed to that accuracy is damned hard.

    4. Re:Anyone knows if the 2.x tree is vulnerable too? by Baron+Eekman · · Score: 2, Funny

      "proof of concept" that is; I should go to bed

    5. Re:Anyone knows if the 2.x tree is vulnerable too? by CRCulver · · Score: 2, Informative

      Did you download Firefox directly from its website? It may be that your distro turned off auto-update in packaging Firefox.

    6. Re:Anyone knows if the 2.x tree is vulnerable too? by linuxci · · Score: 2, Informative

      Firefox 2 is still an optional upgrade so is not pushed through auto-update, the 1.5 series is still supported. Once 1.5 gets closer to end of life then 2.0 will be offered.

    7. Re:Anyone knows if the 2.x tree is vulnerable too? by N7DR · · Score: 2, Interesting
      FYI, the auto-update to 2.0.x has been delayed a few times. It will happen sometime soon.

      http://wiki.mozilla.org/Major_Update_1.5.0.x_to_2.0.0.x

    8. Re:Anyone knows if the 2.x tree is vulnerable too? by rainman_bc · · Score: 3, Informative

      Is anyone still running 1.5.0? I thought the auto upgrade had handled that months ago.

      Fedora has no plans to officially release a 2.0 for FC6:

      http://fedoraproject.org/wiki/Firefox2

      "Fedora users will be to stay with Firefox 1.5 and wait for the Firefox 3.0 update"

      That's left me a bit annoyed personally... I like the changes to FF2...

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    9. Re:Anyone knows if the 2.x tree is vulnerable too? by hal9000(jr) · · Score: 3, Informative

      Yep, on windows. I moved to FF2.0 when it came out, got hosed by java handling and other stuff, and jumped back to 1.5. I will wait a bit longer before I make the leap again.

    10. Re:Anyone knows if the 2.x tree is vulnerable too? by iago-vL · · Score: 2, Interesting
      For what it's worth, from Zalewski's original post,

      Firefox sometimes creates outright deterministic temporary filenames in system-wide temporary directory when opening files with external applications

      And according to him, calculating the seed isn't terribly difficult. srand() is called directly before the random file creation and is seeded with the current time, in milliseconds. That time is possible to obtain within a narrow margin using JavaScript.

    11. Re:Anyone knows if the 2.x tree is vulnerable too? by Tony+Hoyle · · Score: 2, Interesting

      I strongly doubt it does, because you'd fall foul of vista UAC protection - no user app should go near the systemwide temp directory (that's even if you can find it... %TEMP%, GetTempFileName, etc. will always give you the user one. AFAIK you have to dig into the registry to find the system one, or be running as a system service).

      Although a bug exists (file:// bypasses some of the security checks.. fixed already apparently) the theoretical exploit as written isn't usable - probably why there's no working example

    12. Re:Anyone knows if the 2.x tree is vulnerable too? by Carnildo · · Score: 3, Interesting

      Thanks for the tip. I just checked my temp directory, and I've got stuff dating back to early 2001 in there.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    13. Re:Anyone knows if the 2.x tree is vulnerable too? by evilviper · · Score: 3, Insightful

      Also, what's with Windows never deleting anything in the user temp directories? What part of temporary does it not understand?
      As opposed to Linux, which also doesn't clear /tmp?

      Windows is slightly worse, but not by a lot.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    14. Re:Anyone knows if the 2.x tree is vulnerable too? by Anonymous Coward · · Score: 3, Funny

      Bullshit.

    15. Re:Anyone knows if the 2.x tree is vulnerable too? by donaldm · · Score: 2, Informative

      When I put FC6 on my 64-bit dual-core AMD laptop it came standard with Firefox 1.5, while OpenSUSE (put this on my son's PC) came with Firefox 2. To upgrade to version 2 was fairly easy, since all I had to do was download the rpm, remove version 1.5, then install the rpm. Firefox 2 seems to work well and I can even install global or personal plug-ins. Since I have a 64-bit processor and most of my apps are 64-bit (including Firefox), I have to use nspluginwrapper to add 32-bit plug-ins because some vendors (cough Flash) have not got a 64-bit edition; however, once "wrapped" it works.

      I am not sure if Firefox 2 is vulnerable since I have not seen any alerts.

      --
      There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
  2. Re:Is this the best they can do? by ewl1217 · · Score: 2, Informative

    This only affects the 1.5.x branch, not the current 2.x stuff...

  3. Right... by CasperIV · · Score: 4, Informative

    That was quite possibly the most ignorant statement I have read on slashdot recently. I'm not particularly partial to either Firefox or IE, but exploit for exploit, your statement has no merit. What will be the deciding factor will be how fast it is patched.

    1. Re:Right... by pairo · · Score: 5, Funny

      That was quite possibly the most ignorant statement I have read on slashdot recently.
      You don't really read much of Slashdot, do you?
    2. Re:Right... by iggymanz · · Score: 2, Funny

      he meant by a non-author/non-editor

  4. Windows only? by jimbobborg · · Score: 5, Informative

    From the fine article:

    "When the user chooses to manually allow a blocked popup however, normal URL permission checks are bypassed. "

    So you have to MANUALLY disable the popup blocker on a site you don't know in order to make this work. Also, the article keeps talking about c:\whatever. It does not indicate if this is a vulnerability in a non-Windows system.

    1. Re:Windows only? by Tony+Hoyle · · Score: 5, Informative

      From the text it's hardcoded to a specific installation of Windows (not even the default config). It wouldn't work on most systems.

    2. Re:Windows only? by codepunk · · Score: 4, Funny

      You have to chmod 777 every file in the root and home file systems, log in as root, open a port for ssh, disable iptables and/or ipchains, and post the user name (root of course), password and IP to an IRC channel, turn off pop-up blocking... yep, see, it affects Linux also.

      That is the lamest vulnerability post I have seen in a long time...really stretching here are we not?

      --
      Got Code?
    3. Re:Windows only? by bl8n8r · · Score: 2, Funny

      Crap... where's the undo button for Xchat?

      --
      boycott slashdot February 10th - 17th check out: altSlashdot.org
  5. Fixed by Anonymous Coward · · Score: 5, Informative
  6. Re:bullshit by jesser · · Score: 2, Insightful

    Firefox doesn't have a "Hold Ctrl to disable pop-up blocking" feature. Maybe you're thinking of another browser or a Firefox extension?

    This vulnerability involves the "Show blocked popup" feature, which you can activate from the status bar icon indicating that a popup was blocked. If the popup is allowed in the first place, the security check works correctly.

    --
    The shareholder is always right.
  7. Lamest. Vulnerability-post. Ever. by JacksBrokenCode · · Score: 2, Insightful

    That is the lamest vulnerability post I have seen in a long time...
    You sure about that?
  8. Only 6% of my visitors are using 1.5x. by JAB+Creations · · Score: 2, Informative

    Only 6% of my users so far this year are using Firefox 1.5x compared to 68% using Firefox 2.0. There are still about 4% of users who are using IE 6 without service pack 2 on XP (or are using IE6 on older versions of Windows). Point: it's a vulnerability that hackers won't bother to exploit and Mozilla will probably patch quickly anyway.