
New Mozilla Firefox 1.0.3 Exploit 596

Posted by CmdrTaco
from the happens-to-every-browser dept.
An anonymous reader writes "News sources are reporting that a 'killer' new Firefox exploit has been revealed today by FrSIRT who warn that this 0day exploit/vulnerability (as yet unpatched) should be rated as critical. Summary of the exploit: If a user clicks anywhere on a specially crafted page, this code will automatically create and execute a malicious batch/exe file. Proof of concept code supplied by FrSIRT."
  • Uh oh! (Score:3, Funny)

    by kryogen1x (838672) on Sunday May 08, 2005 @10:16AM (#12467673)
    Hey everyone, let's use IE now, because it's safer than Firefox.

    Oh, wait.

    • Re:Uh oh! (Score:2, Funny)

      by tomjen (839882)
      At least Firefox is safer than Lynx - no one has been arrested for using Firefox - yet.
    • Re:Uh oh! (Score:5, Insightful)

      by ebuilder (209792) <[eric] [at] [e-builders.com]> on Sunday May 08, 2005 @10:28AM (#12467772) Homepage
      Start your stopwatches and let's see how long before a patch is forthcoming. To my mind that is the real test. Then compare that time to M$' response time.

      • Re:Uh oh! (Score:5, Informative)

        by Curtman (556920) on Sunday May 08, 2005 @11:35AM (#12468246)
        Start your stopwatches and let's see how long before a patch is forthcoming

        Might as well hit stop now. The bug isn't exploitable any more since update.mozilla.org itself has been fixed.
      • Re:Uh oh! (Score:3, Insightful)

        by imsabbel (611519)
        Come on.
        This bug was a classified bugzilla item since nobody-knows-when.

        So starting the stopwatches NOW would be pointless, wouldn't it?
    • Re:Uh oh! (Score:3, Informative)

      by KnightMB (823876)
      Anyone actually tried this yet? I did and it did NOT work on Windows XP, Windows 2000, Linux (obvious), Windows 98, Windows 2003 Server or Windows NT 4.0? So what gives? More FUD being spread about Firefox again?
  • by wzzrd (545802) on Sunday May 08, 2005 @10:17AM (#12467681)
    Because THAT, with some documentation, would be helpful. Still, as long as it doesn't create *nix r00tkits on the fly on my box, I'm on the safe side :)
  • gah (Score:2, Funny)

    Fantastic. Now we'll see Microsoft going "OMG DON'T USE FIREFOX YOU CAN'T EVEN CLICK ON SOMETHING SAFELY!". I guess this is at least 1 step up from "just come to the page, we'll own your PC and you don't even need a mouse".
    • Re:gah (Score:4, Insightful)

      by ergo98 (9391) on Sunday May 08, 2005 @11:02AM (#12468001) Homepage Journal
      Now we'll see Microsoft going "OMG DON'T USE FIREFOX YOU CAN'T EVEN CLICK ON SOMETHING SAFELY!".

      You mean like the F/OSS evangelists do every time a flaw is found in Internet Explorer?

      However, I do think there is an important lesson in here - a lot of open source advocates have set an unreasonable level of expectations by proclaiming the amazing magic of open source: A fantasy world where every line is thoroughly vetted by thousands of super-experts, and if the source is available that instantly disproves the existence of malicious intent (put a trojan out, mark in GPL and make the source available, and I'd bet a lot of the converted would immediately download and install blindly. There are countless OSS projects where no one but the author ever bothers looking at the code).
    • Re:gah (Score:5, Insightful)

      by Anonymous Coward on Sunday May 08, 2005 @11:04AM (#12468017)
      I have to disagree. This sort of exploit is extremely worrying.

      At first, Mozilla fans (me included) all said "the chances of Firefox getting 0wned by exploits is very slim, Mozilla is secure by design -- IE isn't".

      By about 0.9 or 0.10 the holes started pouring in -- but it was ok: "This is simply Mozilla Foundation's bug patching contest, they are working FOR us instead of AGAINST us."

      After this it wasn't only white-hat Mozilla-funded security experts that started showing there were holes in the code. We changed our story again and, somewhat rightly, pointed out that "these are very theoretical and it would be very hard to use this to exploit a computer like IE can".

      This is a really big problem. This will get exploited like crazy as it seems exceptionally easy to do. Not only that, I expect the only fix from Mozilla will be as usual, a 5MB binary installer with the files changed. This is unacceptable on a 56k modem and people just won't bother upgrading to a secure version.
      • Re:gah (Score:3, Interesting)

        by ssj_195 (827847)
        Excellent analysis. Wish I could mod you up, but hopefully others will take it upon themselves to do this. There is some light at the end of the tunnel, however; I gather that the installed version of Firefox spans several small-ish files, and that the next Firefox version (i.e. 1.1 onwards) will be geared towards swapping out just the files that cause the problem, alleviating the large downloads (and general inelegance) of performing a full download & re-install every time a patch is required.
      • Re:gah (Score:3, Informative)

        by yfan (793333)
        Um, let's take a minute and remember that according to the Secunia advisory, ONLY sites that are allowed to install software can exploit this. And by default, that's only update.mozilla.org and addons.mozilla.org. If you are not adding untrusted sites to the list of sites that can install software to your browser, you are probably not in danger. That is not to say this doesn't need to get fixed, it totally does. But we're probably getting a little more excited/worried than there is cause for.
  • Already Firefox tends to be around 45% of traffic across my sites, so this is going to affect a lot of users.

  • Yup - secure... (Score:5, Interesting)

    by Anonymous Coward on Sunday May 08, 2005 @10:18AM (#12467692)
    Maybe it's time to accept Firefox has its fair share of exploits?

    And the best part is, the patch management system in Firefox is so damn poor (i.e. non-existent) that getting these patches distributed to end users is a real damn chore (assuming they are distributed at all).
    • Re:Yup - secure... (Score:2, Insightful)

      by tomjen (839882)
      Well, from what I could see, it uses JavaScript, so I just turned it off.
    • Re:Yup - secure... (Score:2, Informative)

      by Ithika (703697)
      You're right, I'm gonna have real difficulty pressing those little green and red arrows in the corner of the window when the time comes for the new release. Oh boy, I'm sweating at the thought of the trials that await me! I'll probably need to lie down after that, it being so difficult and complicated and all.

      Woe is us.

      • Re:Yup - secure... (Score:3, Insightful)

        by Anonymous Coward
        You are forgetting something, though:

        Current Firefox installers are not able to update a previously installed Firefox. I updated from 1.0.1 to 1.0.2 by pressing on the red arrow. The new version was fully downloaded (great for modem users, who need patches anyway?), installed, and the result was two Firefox versions installed according to Windows Add/Remove program...

        The nice thing is that if you checked the mozillazine forums, people complaining about the crappy way the updater worked were told that they
      • Re:Yup - secure... (Score:5, Insightful)

        by aldoman (670791) on Sunday May 08, 2005 @11:10AM (#12468071) Homepage
        The problem is that it:

        a) Only works on Windows,
        b) Makes you install the entire installer again instead of a 'diff'-style patch,
        c) The installer is nearly 5MB, which means it's too big for most to download on 56k or GPRS

        Another problem with the 1.0.1, 1.0.2 and 1.0.3 updates is that they all required 'staggering' based on language because MozFo doesn't have the sort of server infrastructure to serve millions of downloads at once.
    • That little "updates are available" icon that shows up in the corner when updates are available - it's just a figment of your imagination. And the ease of clicking on the icon and then on "ok", why, even if the icon was real? That whole process would be far too difficult for the average computer user to deal with - if it wasn't non-existent.

      I sure hope the patches to this *open source* browser are distributed, <sarcasm>instead of being hidden from the public like most fixes to open-source stuff<
    • Re:Yup - secure... (Score:5, Insightful)

      by Deathlizard (115856) on Sunday May 08, 2005 @10:52AM (#12467924) Homepage Journal
      Patching is something Firefox really needs to catch up on.

      One of the advantages of IE is that when an exploit comes around you just send everyone a 300k file instead of 20MB of browser. With Firefox, you have to send them an entire browser every time 1 exploit comes out.

      What Firefox needs is some sort of patching element built in to deal with patching the browser instead of forcing a complete download. It's not that Firefox can't do this. In fact, since most of the code is spread out across many files it should be a cakewalk to just update the affected file(s) automatically with little to no user intervention. This would keep the download size to a very minimum, allow it to update more frequently without waiting for a point release, and be easier to handle for people who don't know or care about security issues.
  • Nasty (Score:3, Insightful)

    by bustersnyvel (562862) on Sunday May 08, 2005 @10:19AM (#12467704) Homepage
    That's nasty! I'm glad that in Linux files aren't automagically executable when you give them a certain name :)
  • by Exter-C (310390) on Sunday May 08, 2005 @10:20AM (#12467712) Homepage
    This was reported to the Mozilla Bugzilla a while ago. https://bugzilla.mozilla.org/show_bug.cgi?id=292691 [mozilla.org]
  • Explanation (Score:2, Insightful)

    by Anonymous Coward
    Firefox had the advantage of being able to fix bugs revealed by IE exploits. This gave the illusion of it being a bulletproof browser. Now that it has caught up with IE, it has exploits of its own which just show that it's not much better than IE (coding-standard-wise).
    As long as programs are written by humans, there'll be flaws. It's a fact of software-development.

    Will I have to download another 4.5MB so that I can fix this flaw?
    • I feel that the benefits that drew me (and I'm sure others) to Firefox were that it was feature-rich and had a pop-up blocker before IE did out of the box.

      The fact that I'm also using Linux made me move over from the Mozilla Suite.
  • Summery? (Score:3, Funny)

    by Anonymous Coward on Sunday May 08, 2005 @10:22AM (#12467736)
    Exploit summery? Well, the weather is improving but I doubt that the exploit caused it.
  • by alanjstr (131045) * on Sunday May 08, 2005 @10:23AM (#12467737) Homepage
    Bugzilla bug 293302 [mozilla.org] has been filed. A temporary fix has been implemented on UMO.
  • by Anonymous Coward on Sunday May 08, 2005 @10:25AM (#12467751)
    didn't work
  • FrSIRT's Post! (Score:3, Interesting)

    by spood (256582) on Sunday May 08, 2005 @10:25AM (#12467755) Homepage Journal
    It looks like a hacker alias, but it really stands for French Security Incident Response Team. Exploit description cached here [64.233.161.104].
  • Stolen exploit (Score:5, Informative)

    by Anonymous Coward on Sunday May 08, 2005 @10:26AM (#12467761)
    They were already working on patching this, but it was stolen before they could finish and leaked to bugtraq with LIVE material in the exploit (it's not a proof of concept, folks!) and no explanation or advisory.

    Reminder: Bugzilla blocks /. referers. Copy URL and paste in new to view. (Beware Slashcode's extra spaces.)

    https://bugzilla.mozilla.org/show_bug.cgi?id=292691 [mozilla.org] < Original security bug (probably still blocked to outsiders to prevent someone stealing it before mitigation)

    https://bugzilla.mozilla.org/show_bug.cgi?id=293302 [mozilla.org] < Duplicate (reported after leak)

    They are going to release a 1.0.4 shortly, I gather.

    Still more timely than most of Microsoft's advisories... despite their earlier announcement. http://www.eeye.com/html/research/upcoming/index.html [eeye.com]
  • Leaked known bug (Score:5, Informative)

    by Anonymous Coward on Sunday May 08, 2005 @10:27AM (#12467765)
    A^C^E, a Firefox security researcher, is claiming on Addict3D.org [addict3d.org] that this is a 0day duplicate of a leaked, known bug. He says, "I suspect that my server was compromised, and I am currently using my contacts to find the culprit and bring him to justice."

    Also, bugzilla.mozilla.org is claiming they've been slashdotted. Go easy on em.
  • by DaGoodBoy (8080) on Sunday May 08, 2005 @10:27AM (#12467767) Homepage
    ...but Firefox keeps suggesting I run it with Wine. I don't get it, I'm not thirsty. I'd rather run it with a nice plate of steak and eggs.
  • by a whoabot (706122) on Sunday May 08, 2005 @10:28AM (#12467773)
    ...with Firefox 1.0.3 on Windows 2000, and it didn't execute anything. Anyone else try it on Windows?
  • Possible workaround: (Score:5, Informative)

    by wideangle (169366) on Sunday May 08, 2005 @10:30AM (#12467784) Homepage
    Uncheck Tools > Options > Web Features > Allow web sites to install software
    • That applies only to xpi files, I believe.
    • by jesser (77961)
      This exploit has two parts: an XSS hole and a hole that lets xpi-installation-whitelisted sites execute arbitrary code. Your workaround only fixes the second part and leaves you open to an XSS hole, which is sufficient for stealing your saved passwords, cookies, secret pages on your intranet, etc. The real workaround is to disable JavaScript.
  • Are you sure? (Score:5, Interesting)

    by naelurec (552384) on Sunday May 08, 2005 @10:31AM (#12467794) Homepage
    Just curious, I downloaded the page and loaded it up on several systems:

    Win XP, Firefox 1.0.3
    Win 2k, Firefox 1.0.3
    FreeBSD, Firefox 1.0.3

    and none of them did anything. The javascript looks like it should save a file (c:\booom.bat) and run it which should echo "malicious commands here" and wait for a keypress.

    Is this truly an issue with Firefox and not some other software? If so, any ideas why it doesn't work?
    • Re:Are you sure? (Score:5, Informative)

      by SEE (7681) on Sunday May 08, 2005 @11:36AM (#12468252) Homepage
      Reading the Secunia [secunia.com] explanation:

      Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").

      So, unless you've whitelisted the exploit site (which generally would mean it's a site you trusted enough to install an XPI from), or the Mozilla website has been compromised, the exploit won't work.
    • Re:Are you sure? (Score:3, Informative)

      by John_Booty (149925)
      Doesn't work for me, either. Firefox 1.0.3, Windows XP SP2 here. I'm running Moox's build of Firefox; not sure if that affects anything.

      It looks like the script is spoofing ftp.mozilla.org somehow. I made sure that "Allow Web Sites To Install Software" was enabled in Firefox's preferences, and I even added "ftp.mozilla.org" to the whitelist of allowed sites! Still didn't work.

      Here's what happens when I load the page:

      1. Fx appears to contact ftp.mozilla.org and downloads the harmless XPI referenced in
  • by richg74 (650636) on Sunday May 08, 2005 @10:35AM (#12467816) Homepage
    The actual advisory page is here [frsirt.com]. The "Solutions" section says this:

    Disable JavaScript, or disable the "Allow web sites to install software" option [Tools - Options - Web Features].

    Why would anyone routinely run with "Allow web sites to install software" enabled?

  • Has this already been fixed in the latest-trunk builds (aka 1.03 specific) or is this a firefox-wide bug? Also, does this affect (effect? I can never remember) other iterations, like Mozilla, Netscape, K-Melon, etc?
  • by NitsujTPU (19263) on Sunday May 08, 2005 @10:38AM (#12467830)
    FrSIRT Vulnerability Alert!!

    FrSIRT will go down 2 minutes after the start of a brutal Slashdotting.
  • by FrothyBitter (848137) on Sunday May 08, 2005 @10:55AM (#12467952)
    There's not many comments yet, but most of them have a similar theme: " Oh no, now Microsoft and Internet Explorer users can get payback for all the trash talk we've thrown at them." Then they rationalize it with, "But, MS and IE are way worse because of quantity, severity, and duration until patch."

    Now think about it for a minute. Who are you really at war against? Security exploits and the people who would exploit them, or browsers other than the one you use and the people that use them?

    This reminds me of the days when Mac zealots would get all freaked out every time PCs got faster. "OMG, this is bad news! Now there are 3GHz PCs for under 500 dollars!"

    This really boils down to people rating the quality of Product A compared to the suckiness of Product B. Personally, I've been using Products A, B, and C for a long time. When there is a problem found with Product B, that really doesn't make Product A perform the task I use it for any better.

    If you want to call yourself a truly knowledgeable computer user, then you have to acknowledge that Products A, B, and C all have their strengths and weaknesses and therefore have tasks they're better suited for as well as tasks in which they're not the best solution.

    If you look at it from the proper perspective, every time an exploit is found by good people before bad people have a chance to do harm with it then it is good for everyone.

    This particular exploit also demonstrates how foolish it is to posture and sling insults. The whole time FF users slung insults at IE when exploits were found, this exploit was there lurking below the surface waiting to be found.

    Let applications that are without exploit cast the first stone. Since that's never going to happen, argue your cause based on its merits.
  • by MarkByers (770551) on Sunday May 08, 2005 @11:09AM (#12468058) Homepage Journal
    Secunia have already released an advisory explaining how the exploit works:

    http://secunia.com/advisories/15292/ [secunia.com]

    This is the first Firefox exploit that has received the rating 'Extremely Critical'.

    --- Extract from Secunia's site ---

    Description:
    Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.

    1) The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.

    2) Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.

    Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").

    A combination of vulnerability 1 and 2 can be exploited to execute arbitrary code.

    NOTE: Exploit code is publicly available.

    The vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.

    Solution:
    Disable JavaScript.
  • by shirro (17185) on Sunday May 08, 2005 @12:09PM (#12468520) Homepage
    For people running Firefox in a business or school with centrally locked down settings I think a quick fix might be to add

    lockPref("xpinstall.enabled", false);

    xpinstall.enabled seems to be the preference changed by "Allow websites to install software"
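The preference named in the comment above, turned into an added example (not code from the thread or from Mozilla): a small audit of a Firefox prefs.js / user.js / autoconfig text for the two mitigations the advisory recommends. "xpinstall.enabled" is quoted in the thread; "javascript.enabled" is the standard JavaScript toggle, and "xpinstall.whitelist.add" is assumed here to be the pref that seeds the "allowed to install software" list, with the default hosts taken from the Secunia text.

```javascript
// Added example, not from the thread or from Mozilla: audit a Firefox
// prefs.js / user.js / autoconfig text for the mitigations discussed above.
// "xpinstall.enabled" is quoted in the thread; "javascript.enabled" is the
// standard JavaScript toggle; "xpinstall.whitelist.add" is assumed here to be
// the pref that seeds the "allowed to install software" list.
const DEFAULT_WHITELIST = ["update.mozilla.org", "addons.mozilla.org"];

// Parse lines such as  user_pref("name", value);  or  lockPref("name", value);
// Values become booleans, integers or strings; malformed lines are skipped.
function parsePrefs(text) {
  const prefs = {};
  const re = /^\s*(?:user_|lock)?[pP]ref\("([^"]+)",\s*(.+?)\);\s*$/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue;
    const [, name, raw] = m;
    if (raw === "true" || raw === "false") prefs[name] = raw === "true";
    else if (/^-?\d+$/.test(raw)) prefs[name] = parseInt(raw, 10);
    else if (/^".*"$/.test(raw)) prefs[name] = raw.slice(1, -1);
  }
  return prefs;
}

// Return one finding per weak setting; an empty array means both mitigations
// from the advisory (no software install, no JavaScript) are in place and
// only the default install sites are whitelisted.
function auditPrefs(prefs) {
  const findings = [];
  const xpi = prefs["xpinstall.enabled"];
  if (typeof xpi === "string") {
    // e.g. lockPref("xpinstall.enabled", "false"): a quoted value makes this a
    // string pref, which is not the boolean the browser reads for this setting.
    findings.push("xpinstall.enabled is a string, not a boolean");
  } else if (xpi !== false) {
    findings.push("xpinstall.enabled is not false: whitelisted sites may install software");
  }
  if (prefs["javascript.enabled"] !== false) {
    findings.push("javascript.enabled is not false: the XSS half of the issue stays reachable");
  }
  const wl = prefs["xpinstall.whitelist.add"];
  if (typeof wl === "string") {
    wl.split(",").map(s => s.trim())
      .filter(h => h && !DEFAULT_WHITELIST.includes(h))
      .forEach(h => findings.push(`non-default install site whitelisted: ${h}`));
  }
  return findings;
}

// Constructed sample: a profile with install enabled and an extra whitelisted host.
const WEAK_PREFS = `
user_pref("browser.startup.homepage", "http://www.mozilla.org/");
user_pref("xpinstall.enabled", true);
user_pref("xpinstall.whitelist.add", "update.mozilla.org, addons.mozilla.org, intranet.example.test");
`;
// Constructed sample: the advisory's two mitigations applied via autoconfig.
const HARDENED_PREFS = `
lockPref("xpinstall.enabled", false);
lockPref("javascript.enabled", false);
`;

console.log(auditPrefs(parsePrefs(WEAK_PREFS)));     // three findings
console.log(auditPrefs(parsePrefs(HARDENED_PREFS))); // []
```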
  • by Animats (122034) on Sunday May 08, 2005 @12:13PM (#12468552) Homepage
    This exploit will work on Linux and MacOS, too, if anybody bothers to write an attack for them.

    The basic problem is that the Mozilla developers, in their futile attempt to create a "platform", put in a mechanism comparable to ActiveX - a way to dynamically download executable programs. Of course, they tried to make sure this "feature" could not be used for purposes of evil. Like Microsoft, they failed.

    Understand, this isn't subtle. The code uses built-in Mozilla JavaScript extensions to create a local file in a very straightforward way. It then calls "nsILocalFile::launch()" (which does exactly what you think it does) to launch it. Those are capabilities that shouldn't be in a browser's JavaScript engine at all.

    Having designed in a potential security hole big enough to drive a semitrailer through, they tried to make it "secure" with the usual crap approaches - signatures, lists of trusted sites, and disabling for certain types of URLs. They failed. They forgot to make those checks for "favicon.ico" files (Mozilla's implementation of a Microsoft icon-in-the-toolbar gimmick.)

    Plugging that hole is not the answer. The problem is more fundamental. "nsILocalFile::launch()" needs to be removed. Browsers have no business launching arbitrary executable programs. Period.

  • In a nutshell, Firefox has the idea that some sites are privileged (namely the sites on the whitelist for installing software), it lets privileged sites have a dangerous degree of control over the user's computer, and it has at least one way for unprivileged sites to execute code in the context of a privileged site.

    What are the important differences between this and Microsoft Internet Explorer? In MSIE some sites are in the Trusted Sites or Local Machine zones and therefore privileged. Such sites have a dangerous degree of control over the user's computer, and there have been many ways for unprivileged sites to execute code in the context of a privileged site.

    Is Firefox doing something better than IE in its design, or are we going to see a whole class of bugs like this one in the future?
  • by johansalk (818687) on Sunday May 08, 2005 @12:41PM (#12468775)
    Well that's the essential question. If it doesn't I'd rather flee to mozilla suite than IE.
  • Trusted Sites Only? (Score:3, Informative)

    by sepluv (641107) <blakesley@NoSPam.gmail.com> on Sunday May 08, 2005 @12:43PM (#12468791)
    The security advisory doesn't explain it too well, but it seems to imply that this only happens with sites that you've added to your list of sites trusted to install software (in which case it isn't really much of a problem).
    • by sepluv (641107)
      Even when I give it authorisation and enable JS, I cannot get the exploit to work.

      Anyhow quoting the article:

      Update (08.05.2005) - The Mozilla Foundation patched (partially) this issue on the server side by adding random letters and numbers to the install function, which will prevent this exploit from working.
