New Mozilla Firefox 1.0.3 Exploit
An anonymous reader writes "News sources are reporting that a 'killer' new Firefox exploit has been revealed today by FrSIRT who warn that this 0day exploit/vulnerability (as yet unpatched) should be rated as critical. Summary of the exploit: If a user clicks anywhere on a specially crafted page, this code will automatically create and execute a malicious batch/exe file. Proof of concept code supplied by FrSIRT."
This was reported to bugzilla some time ago! (Score:5, Informative)
Reported and temporarily fixed (Score:5, Informative)
Re:Yup - secure... (Score:2, Informative)
Woe is us.
Re:This was reported to bugzilla some time ago! (Score:5, Informative)
Stolen exploit (Score:5, Informative)
Reminder: Bugzilla blocks
https://bugzilla.mozilla.org/show_bug.cgi?id=2926
https://bugzilla.mozilla.org/show_bug.cgi?id=2933
They are going to release a 1.0.4 shortly, I gather.
Still more timely than most of Microsoft's advisories... despite their earlier announcement. http://www.eeye.com/html/research/upcoming/index.
Re:Has he dropped this in bugzilla as well? (Score:3, Informative)
Leaked known bug (Score:5, Informative)
Also, bugzilla.mozilla.org is claiming they've been slashdotted. Go easy on em.
Possible workaround: (Score:5, Informative)
Re:Uh oh! (Score:1, Informative)
Re:Uh oh! (Score:3, Informative)
Re:This was reported to bugzilla some time ago! (Score:5, Informative)
It's "Open Source", not "Sploitz4Free".
Re:Uh oh! (Score:2, Informative)
This isn't much of an "exploit" (Score:5, Informative)
Disable JavaScript, or disable the "Allow web sites to install software" option [Tools - Options - Web Features].
Why would anyone run routinely with "Allow web sites to install software" enabled?
Re:Are you sure? (Score:1, Informative)
On my main system (WinXP, Firefox 1.0.3, fresh profile), the Javascript console tells me it can't find the install function.
On my other system (WinXP, Firefox 1.0.3, fresh profile), it throws an access violation error about not being allowed to access window.title. I don't see how these installations differ, but apparently, the test-exploit is quite fragile.
Re:Possible workaround: (Score:2, Informative)
Re:This isn't much of an "exploit" (Score:1, Informative)
Get some priorities! (Score:2, Informative)
Today is the day that you should brave the yellow face, go upstairs and thank your mom for letting you turn the basement into a Nethack dungeon. Not posting in the typical smarmy, "I told you so" Slashdot fashion. You never told me so. You just say it now to look 'visionary'.
Firefox is going to have bugs, it's going to break, it's going to suck sometimes. The difference between it and IE is that the Firefox devs actually *care*.
So put on a less dirty shirt, douse yourself with some of that Stetson cologne you got for Christmas about ten years ago, pick some dandelions and go tell your mom 'Happy Mother's Day'.
Re:This isn't much of an "exploit" (Score:5, Informative)
> software" enabled?
1. It's on by default
2. We naively assumed that the whitelist of web sites allowed to install software did its damn job.
Re:Nasty (Score:5, Informative)
Why on earth the browser thinks it's necessary to allow scripts to create executable files is beyond me.
Secunia: Extremely Critical (Score:5, Informative)
http://secunia.com/advisories/15292/ [secunia.com]
This is the first Firefox exploit that has received the rating 'Extremely Critical'.
--- Extract from Secunia's site ---
Description:
Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.
1) The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.
2) Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.
Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").
A combination of vulnerability 1 and 2 can be exploited to execute arbitrary code.
NOTE: Exploit code is publicly available.
The vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.
Solution:
Disable JavaScript.
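The advisory quoted above names two conditions: the requesting site must be on the install whitelist, and the "IconURL" value was used without being verified. As an added example (not code from this thread, from Secunia, or from Mozilla), the following JavaScript gates an install request on both checks; the function names, the allowed-scheme list and the sample URLs are assumptions made for illustration.

```javascript
// Added example: hypothetical validator, not Mozilla's code.
// Assumption: only network image schemes are acceptable for an icon.
const SAFE_ICON_SCHEMES = new Set(["http:", "https:"]);

// Constructed whitelist mirroring the default sites named in the advisory.
const INSTALL_WHITELIST = ["update.mozilla.org", "addons.mozilla.org"];

// Return the parsed icon URL if its scheme is allowed, otherwise null.
function checkIconUrl(iconUrl, pageUrl) {
  if (typeof iconUrl !== "string") return null;
  let parsed;
  try {
    // Resolve relative references against the page, as a browser would.
    // The URL parser lowercases the scheme and strips surrounding spaces
    // and embedded tabs/newlines, so " Java\tScript:..." is still
    // recognised as javascript: instead of slipping past a string match.
    parsed = new URL(iconUrl, pageUrl);
  } catch (e) {
    return null; // unparseable input is rejected, never passed through
  }
  return SAFE_ICON_SCHEMES.has(parsed.protocol) ? parsed : null;
}

// True only when the page's host is exactly a whitelisted host
// (no suffix or substring matching).
function hostMayInstall(pageUrl, whitelist) {
  let host;
  try { host = new URL(pageUrl).hostname; } catch (e) { return false; }
  return whitelist.includes(host);
}

// Gate an install request: both the origin and the icon URL must pass.
function vetInstallRequest(pageUrl, iconUrl, whitelist = INSTALL_WHITELIST) {
  if (!hostMayInstall(pageUrl, whitelist)) {
    return { allowed: false, reason: "site not whitelisted" };
  }
  if (checkIconUrl(iconUrl, pageUrl) === null) {
    return { allowed: false, reason: "icon URL scheme rejected" };
  }
  return { allowed: true, reason: "ok" };
}
```

Parsing the value before checking it is the point: a comparison against the raw string would miss mixed-case or whitespace-padded schemes.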
Re:Uh oh! (Score:5, Informative)
Might as well hit stop now. The bug isn't exploitable any more since update.mozilla.org itself has been fixed.
Re:Are you sure? (Score:5, Informative)
Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").
So, unless you've whitelisted the exploit site (which generally would mean it's a site you trusted enough to install an XPI from), or the Mozilla website has been compromised, the exploit won't work.
Re:Yup - secure... (Score:3, Informative)
Seems simple enough to me.
Re:Uh oh! (Score:1, Informative)
http://www.eeye.com/html/research/upcoming/index.
I do agree that the 'Firefox is more secure' meme was largely unfounded, but don't let MSFT off the hook so easily. Switch to Opera
Re:Uh oh! (Score:5, Informative)
Web Features->Allow web sites to install software
I'll switch to MS IE as it has no known serious vulns
Internet Explorer Long Share Name Buffer Overflow [secunia.com] Highly Critical
Yeah... whatever. I don't mind if you would rather use a browser with a known serious security problem, but saying that IE has no known serious issues is misinformed.
Re:Yup - secure... (Score:5, Informative)
A quote: "Darin has figured out how to get binary patching working, and is working on a system for incremental background update download."
Fixes for large sites (Score:5, Informative)
lockPref("xpinstall.enabled", false);
xpinstall.enabled seems to be the preference changed by "Allow websites to install software"
Root on Linspire (Score:2, Informative)
unlike in Windows, it also wouldn't have superuser privileges.
Linspire (or at least older versions thereof) runs as superuser.
Re:Nasty (Score:5, Informative)
Not everybody runs Windows XP (Score:2, Informative)
From a security standpoint, fully updated IE is much better than unupdated Firefox.
Unfortunately, a legit copy of the full update to IE costs at least $100 for users of Microsoft Windows 2000 operating systems.
Re:Are you sure? (Score:4, Informative)
Batch/EXE (Score:2, Informative)
Re:I'm sure everyone will complain (Score:3, Informative)
Trusted Sites Only? (Score:3, Informative)
Re:Uh oh! (Score:3, Informative)
Re:Are you sure? (Score:3, Informative)
It looks like the script is spoofing ftp.mozilla.org somehow. I made sure that "Allow Web Sites To Install Software" was enabled in Firefox's preferences, and I even added "ftp.mozilla.org" to the whitelist of allowed sites! Still didn't work.
Here's what happens when I load the page:
1. Fx appears to contact ftp.mozilla.org and downloads the harmless XPI referenced in the "exploit" script. This takes several seconds.
2. An error appears in the JavaScript console: "Error: install is not defined". No
Either this "exploit" is B.S., or some other settings need to be in place for this to work.
Re:Uh oh! (Score:5, Informative)
Know what? What's wrong with your grandma, Alzheimer's?
Why doesn't the little red arrow (update icon) display yet?
Because you don't need to update anything. It was fixed on updates.mozilla.org. The site needs to be in your white list of sites that are allowed to install software to be vulnerable. I'm sure they will have a more permanent fix later at some point, but the current exploit no longer works. Go ahead and try it.
So, as far as I'm concerned -- it's not.
But you're a bit of a fool, so I'm not sure your opinion counts.
Re:Are you sure? (Score:5, Informative)
Re:gah (Score:3, Informative)
Perhaps... (Score:2, Informative)
Re:Yup - secure... (Score:3, Informative)
Windows update is worse. It'll force you to reboot your whole computer, not just your browser. And you still have to click the little button on most computers.
Re:Yup - secure... (Score:3, Informative)
Re:Uh oh! (Score:3, Informative)
It's not the fault of Opera really, but the DOM doesn't match either Netscape/Moz or Exploder.. I wouldn't consider myself a "web developer" by any means, but I've done my share. Getting pages to work in IE and FF is a chore, and supporting Opera is just a waste of time.
Re:It's not that easy... (Score:3, Informative)
These are the ONLY builds they should be worried about patching (and if they could make it language independent, it would be 3 packages). Everyone else gets the source code. Let Portage figure out how to update things.
Re:Yup - secure... (Score:5, Informative)
Oh yes it will! (Score:2, Informative)
Obviously "aichpvee" didn't RTFA [whitedust.net]:
Re:gah (Score:2, Informative)
Re:Possible workaround: (Score:3, Informative)
Re:Fixes for large sites (Score:1, Informative)
lockPref("extensions.update.enabled", false);
This won't let your user update themes, xpi extensions, etc. that you've set up.