New Mozilla Firefox 1.0.3 Exploit 596

An anonymous reader writes "News sources are reporting that a 'killer' new Firefox exploit has been revealed today by FrSIRT who warn that this 0day exploit/vulnerability (as yet unpatched) should be rated as critical. Summary of the exploit: If a user clicks anywhere on a specially crafted page, this code will automatically create and execute a malicious batch/exe file. Proof of concept code supplied by FrSIRT."
  • by wzzrd ( 545802 ) on Sunday May 08, 2005 @10:17AM (#12467681)
    Because THAT, with some documentation, would be helpful. Still, as long as it doesn't create *nix r00tkits on the fly on my box, I'm on the safe side :)
  • Nasty (Score:3, Insightful)

    by bustersnyvel ( 562862 ) on Sunday May 08, 2005 @10:19AM (#12467704) Homepage
    That's nasty! I'm glad that in Linux files aren't automagically executable when you give them a certain name :)
  • Re:Yup - secure... (Score:2, Insightful)

    by tomjen ( 839882 ) on Sunday May 08, 2005 @10:21AM (#12467716)
    Well, from what I could see, it uses JavaScript, so I just turned it off.
  • by ssj_195 ( 827847 ) on Sunday May 08, 2005 @10:21AM (#12467724)
    I'm using Linux too, but from what I hear, a significant amount of Windows users are completely and totally failing to trigger the exploit. Have any Windows users managed to get it to actually work, yet?
  • Explanation (Score:2, Insightful)

    by Anonymous Coward on Sunday May 08, 2005 @10:22AM (#12467728)
    Firefox had the advantage of being able to fix bugs revealed by IE exploits. This gave the illusion of it being a bulletproof browser. Now that it has caught up with IE, it has exploits of its own, which just shows that it's not much better than IE (coding-standard-wise).
    As long as programs are written by humans, there'll be flaws. It's a fact of software-development.

    Will I have to download another 4.5MB so that I can fix this flaw?
  • by Winkhorst ( 743546 ) on Sunday May 08, 2005 @10:24AM (#12467749)
    "Summery?" Really? --Support your planet or get the hell out--
  • Re:Uh oh! (Score:5, Insightful)

    by ebuilder ( 209792 ) <ericNO@SPAMe-builders.com> on Sunday May 08, 2005 @10:28AM (#12467772) Homepage
    Start your stopwatches and let's see how long before a patch is forthcoming. To my mind that is the real test. Then compare that time to M$' response time.

  • Package Manager (Score:2, Insightful)

    by MarkByers ( 770551 ) on Sunday May 08, 2005 @10:39AM (#12467838) Homepage Journal
    the patch management system in Firefox is so damn poor (i.e. non-existent)

    Pretty much any modern OS distribution comes with a package manager that handles upgrading for you. Time for you to upgrade your OS perhaps.
  • Re:Nasty (Score:1, Insightful)

    by Anonymous Coward on Sunday May 08, 2005 @10:43AM (#12467864)
    More exactly, it's a mozilla issue that exploits a windows design problem.
  • Re:Yup - secure... (Score:3, Insightful)

    by Anonymous Coward on Sunday May 08, 2005 @10:44AM (#12467870)
    You are forgetting something, though:

    Current Firefox installers are not able to update a previously installed Firefox. I updated from 1.0.1 to 1.0.2 by pressing on the red arrow. The new version was fully downloaded (great for modem users, who need patches anyway?), installed, and the result was two Firefox versions installed according to Windows Add/Remove program...

    The nice thing is that if you checked the mozillazine forums, people complaining about the crappy way the updater worked were told that they should have known that they had to manually download the update, uninstall the previous firefox version, and install the new one.
    Yeah, how come I didn't know that clicking on update wasn't the way to update Firefox! Silly me :P
  • by kbrosnan ( 880121 ) on Sunday May 08, 2005 @10:44AM (#12467872) Homepage
    The exploit has been largely nullified by implementing a server side change.

    The exploit would still work if you whitelist the wrong site.
  • Re:Yup - secure... (Score:5, Insightful)

    by Deathlizard ( 115856 ) on Sunday May 08, 2005 @10:52AM (#12467924) Homepage Journal
    Patching is something where Firefox really needs to catch up on.

    One of the advantages of IE is that when an exploit comes around you just send everyone a 300k file instead of 20MB of browser. With Firefox, you have to send them an entire browser every time 1 exploit comes out.

    What Firefox needs is some sort of patching element built in to deal with patching the browser instead of forcing a complete download. It's not that Firefox can't do this. In fact, since most of the code is spread out across many files it should be a cakewalk to just update the affected file(s) automatically with little to no user intervention. This would keep the download size to a very minimum, allow it to update more frequently without waiting for a point release, and be easier to handle for people who don't know or care about security issues.
  • Re:gah (Score:2, Insightful)

    by Anonymous Coward on Sunday May 08, 2005 @10:53AM (#12467933)
    Wanna bet? In my experience it's the Firefox fanboys and zealots who cry that about IE every time it's mentioned on Slashdot. Firefox is the better browser, but kids, we already know that, and bashing IE doesn't make it any better.

    I'd also wager that comments like "This will be fixed quickly, IE still sucks." will get modded up to +5 insightful instantly. Again. Off-topic is so relative when it comes to Slashdot, you see.

  • by FrothyBitter ( 848137 ) on Sunday May 08, 2005 @10:55AM (#12467952)
    There's not many comments yet, but most of them have a similar theme: " Oh no, now Microsoft and Internet Explorer users can get payback for all the trash talk we've thrown at them." Then they rationalize it with, "But, MS and IE are way worse because of quantity, severity, and duration until patch."

    Now think about it for a minute. Who are you really at war against? Security exploits and the people who would exploit them, or browsers other than the one you use and the people that use them?

    This reminds me of the days when Mac zealots would get all freaked out every time PC's got faster. "OMG, this is bad news! Now there are 3GHz PCs for under 500 dollars!"

    This really boils down to people rating the quality of Product A compared to the suckiness of Product B. Personally, I've been using Products A, B, and C for a long time. When there is a problem found with Product B, that really doesn't make Product A perform the task I use it for any better.

    If you want to call yourself a truly knowledgeable computer user, then you have to acknowledge that Products A, B, and C all have their strengths and weaknesses and therefore have tasks they're better suited for as well as tasks in which they're not the best solution.

    If you look at it from the proper perspective, every time an exploit is found by good people before bad people have a chance to do harm with it then it is good for everyone.

    This particular exploit also demonstrates how foolish it is to posture and sling insults. The whole time FF users slung insults at IE when exploits were found, this exploit was there lurking below the surface waiting to be found.

    Let applications that are without exploit cast the first stone. Since that's never going to happen, argue your cause based on its merits.
  • by imsabbel ( 611519 ) on Sunday May 08, 2005 @11:01AM (#12467991)
    Hm.
    I am no Linux expert, but wouldn't it be perfectly possible to make a Linux version that, let's say, downloads and executes a shell script that kills your user directory?
  • Re:gah (Score:4, Insightful)

    by ergo98 ( 9391 ) on Sunday May 08, 2005 @11:02AM (#12468001) Homepage Journal
    Now we'll see Microsoft going "OMG DON'T USE FIREFOX YOU CAN'T EVEN CLICK ON SOMETHING SAFELY!".

    You mean like the F/OSS evangelists do every time a flaw is found in Internet Explorer?

    However, I do think there is an important lesson in here - a lot of open source advocates have set an unreasonable level of expectations by proclaiming the amazing magic of open source: A fantasy world where every line is thoroughly vetted by thousands of super-experts, and if the source is available that instantly disproves the existence of malicious intent (put a trojan out, mark in GPL and make the source available, and I'd bet a lot of the converted would immediately download and install blindly. There are countless OSS projects where no one but the author ever bothers looking at the code).
  • by alienw ( 585907 ) <alienw.slashdotNO@SPAMgmail.com> on Sunday May 08, 2005 @11:03AM (#12468011)
    I routinely see websites exploit a fully-patched IE -- either due to some unpatched vulnerability or due to the ease of tricking the user with IE. I have yet to see a single website successfully exploit firefox. Of course, that doesn't excuse your sysadmin's incompetence, but I would say even Firefox 1.0 is a hell of a lot less vulnerable than the latest MSIE.
  • Re:gah (Score:5, Insightful)

    by Anonymous Coward on Sunday May 08, 2005 @11:04AM (#12468017)
    I have to disagree. This sort of exploit is extremely worrying.

    At first, Mozilla fans (me included) all said "the chances of Firefox getting 0wned by exploits is very slim, Mozilla is secure by design -- IE isn't".

    By about 0.9 or 0.10 the holes started pouring in -- but it was ok: "This is simply Mozilla Foundation's bug patching contest, they are working FOR us instead of AGAINST us."

    After this it wasn't only white-hat Mozilla-funded security experts that started showing there were holes in the code. We changed our story again and, somewhat rightly, pointed out that "these are very theoretical and it would be very hard to use this to exploit a computer like IE can".

    This is a really big problem. This will get exploited like crazy as it seems exceptionally easy to do. Not only that, I expect the only fix from Mozilla will be as usual, a 5MB binary installer with the files changed. This is unacceptable on a 56k modem and people just won't bother upgrading to a secure version.
  • Re:Yup - secure... (Score:5, Insightful)

    by aldoman ( 670791 ) on Sunday May 08, 2005 @11:10AM (#12468071) Homepage
    The problem is that it:

    a) Only works on Windows,
    b) Makes you install the entire installer again instead of a 'diff'-style patch,
    c) The installer is nearly 5MB, which means it's too big for most to download on 56k or GPRS

    Another problem with the 1.0.1, 1.0.2 and 1.0.3 updates is that they all required 'staggering' based on language because MozFo doesn't have the sort of server infrastructure to serve millions of downloads at once.
  • Re:gah (Score:2, Insightful)

    by Pecisk ( 688001 ) on Sunday May 08, 2005 @11:54AM (#12468384)
    Hmmmm, F/OSS evangelists do that? Most of them don't even care about IE bugs anymore, because they lost count.

    Look, if I am honest, I don't give a shit about IE, because I simply don't use it, so I'm not going to bash or praise it. But what you claim is outright ridiculous. This is NOT a trojan case, it is first, so you compare apples with oranges; second, it is just a bug in JavaScript. The concept of installing software from a web site was right with whitelist protection; if it doesn't work it is a bug, but not in design, rather in coding. Third, you just think that many people will install this theoretical GPL-based trojan horse without questions, not to mention that the very early adopters of any new GPL-based app are usually geeks who don't take security lightly. Then please show me some record of when such a thing has ever happened.

    I would like to spend mod points to mod you troll, but hey, as it is stylish now to bash open source on Slashdot (because a lot of the Microsoft/Windows crowd joined in recent years) you will certainly get some mod points for saying 'I told you so, open source is insecure and evil'. It doesn't matter that a reality check shows a different picture.
  • by Animats ( 122034 ) on Sunday May 08, 2005 @12:13PM (#12468552) Homepage
    This exploit will work on Linux and MacOS, too, if anybody bothers to write an attack for them.

    The basic problem is that the Mozilla developers, in their futile attempt to create a "platform", put in a mechanism comparable to Active-X - a way to dynamically download executable programs. Of course, they tried to make sure this "feature" could not be used for purposes of evil. Like Microsoft, they failed.

    Understand, this isn't subtle. The code uses built-in Mozilla JavaScript extensions to create a local file in a very straightforward way. It then calls "nsILocalFile::launch()" (which does exactly what you think it does) to launch it. Those are capabilities that shouldn't be in a browser's JavaScript engine at all.

    Having designed in a potential security hole big enough to drive a semitrailer through, they tried to make it "secure" with the usual crap approaches - signatures, lists of trusted sites, and disabling for certain types of URLs. They failed. They forgot to make those checks for "favicon.ico" files (Mozilla's implementation of a Microsoft icon-in-the-toolbar gimmick.)

    Plugging that hole is not the answer. The problem is more fundamental. "nsILocalFile::launch()" needs to be removed. Browsers have no business launching arbitrary executable programs. Period.

  • Re:Uh oh! (Score:3, Insightful)

    by Curtman ( 556920 ) on Sunday May 08, 2005 @12:26PM (#12468658)
    Well, Opera doesn't seem to have this vulnerability or IE's woes.

    Its too bad it has obnoxious ads, its javascript sucks, and it is proprietary though.
  • In a nutshell, Firefox has the idea that some sites are privileged (namely the sites on the whitelist for installing software), it lets privileged sites have a dangerous degree of control over the user's computer, and it has at least one way for unprivileged sites to execute code in the context of a privileged site.

    What are the important differences between this and Microsoft Internet Explorer? In MSIE some sites are in the Trusted Sites or Local Machine zones and therefore privileged. Such sites have a dangerous degree of control over the user's computer, and there have been many ways for unprivileged sites to execute code in the context of a privileged site.

    Is Firefox doing something better than IE in its design, or are we going to see a whole class of bugs like this one in the future?
  • Re:gah (Score:3, Insightful)

    by Tim C ( 15259 ) on Sunday May 08, 2005 @12:36PM (#12468728)
    No one ever claimed F/OSS was perfect or resulted in perfect code

    Yes, they have. Almost every discussion about such things here will have a number of replies claiming just that. Of course, those people aren't worth listening to, but they still say it.
  • See, the thing is, the whitelist is broken.

    Firefox is only supposed to download and install from things in the whitelist. Unfortunately, it doesn't check the site correctly, and therefore can be tricked into thinking another site is mozilla.org.

    So even though you "secured" your system, it's still vulnerable, because as long as you have anything in your whitelist (especially mozilla.org or the defaults), you're vulnerable.

    Once the whitelist is working again properly, this won't be an issue.
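    The two comments above (the one describing privileged whitelisted sites and the one saying the whitelist "doesn't check the site correctly") describe a general class of bug: an install-permission check that can be satisfied by a host it was never meant to trust. The block below is an added illustration written for this page, not Firefox's own code and not the actual mechanism of the 1.0.3 bug (the thread does not say how the check was fooled). It contrasts a naive substring check against a check that parses the URL and compares the host exactly, using the two default-trusted hosts named later in the thread, update.mozilla.org and addons.mozilla.org. The probe URLs and the https-only requirement are constructed assumptions for the demonstration. Note that, as kbrosnan's comment says, a correct check still does nothing if the whitelist itself contains an attacker-controlled host.

```javascript
// Added example: illustrative whitelist-origin matching, not Firefox's own code.
// The trusted list mirrors the two hosts the thread names as trusted by default.
const INSTALL_WHITELIST = ["update.mozilla.org", "addons.mozilla.org"];

// Weak check: substring match on the raw URL string. Any URL that merely
// contains a whitelisted host name anywhere in it passes.
function isTrustedNaive(urlString) {
  return INSTALL_WHITELIST.some((host) => urlString.includes(host));
}

// Stronger check: parse the URL, require https (an assumption for this
// example), and compare the parsed host name exactly against the list.
function isTrustedStrict(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // unparseable input is never trusted
  }
  if (url.protocol !== "https:") return false;
  return INSTALL_WHITELIST.includes(url.hostname.toLowerCase());
}

// Constructed probe URLs (not taken from the page). Each one either is a
// genuine whitelisted origin or places a whitelisted host name somewhere
// an attacker controls: a subdomain suffix, a path, a query string, or a
// non-https scheme.
const PROBES = [
  "https://update.mozilla.org/extensions/foo.xpi",
  "https://addons.mozilla.org/",
  "https://update.mozilla.org.attacker.example/foo.xpi",
  "https://attacker.example/update.mozilla.org/foo.xpi",
  "http://update.mozilla.org/foo.xpi",
  "https://attacker.example/?ref=addons.mozilla.org",
];

// Runs both checks over a list of URLs so the divergence is visible in one table.
function compareChecks(urls) {
  return urls.map((u) => ({
    url: u,
    naive: isTrustedNaive(u),
    strict: isTrustedStrict(u),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareChecks(PROBES));
}
```

Running the block prints one row per probe; only the first two rows are accepted by the strict check, while the naive check also accepts the attacker-controlled subdomain, path and query-string forms.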
  • by cicho ( 45472 ) on Sunday May 08, 2005 @12:43PM (#12468793) Homepage
    " javascript. The language that has no purpose anymore."

    Look into Firefox's chrome directory and say that again.
  • by DarkAvZ ( 863312 ) on Sunday May 08, 2005 @12:44PM (#12468802)
    With proprietary software it's easier to implement a binary update feature, since you're the only one that gets to compile the source code. However, since Firefox is free software (you know, free as in free speech), everybody can compile it, using perhaps different optimizations (portage comes to mind), so implementing a binary update for Firefox (or any other free software for that matter) is quite difficult.
  • by acb ( 2797 ) on Sunday May 08, 2005 @01:12PM (#12468993) Homepage
    would be a script which downloads and installs a rootkit and/or IRC-controlled spam relay.
  • Re:Uh oh! (Score:3, Insightful)

    by imsabbel ( 611519 ) on Sunday May 08, 2005 @01:23PM (#12469062)
    Come on.
    This bug was a classified bugzilla item since nobody-knows-when.

    So starting the stopwatches NOW would be pointless, wouldn't it?
  • by TheHonestTruth ( 759975 ) on Sunday May 08, 2005 @01:36PM (#12469160) Journal
    The language that has no purpose anymore.

    Seriously, it's not like google uses it for gmail or anything... oh wait.

    -truth

  • by _Sprocket_ ( 42527 ) on Sunday May 08, 2005 @02:02PM (#12469372)
    And yet, when Microsoft does this, somehow it's "reprehensible".

    And on the flip side - where's all the folks who defend Microsoft's practices? Shouldn't they be also standing up here and saying how responsible the Mozilla Foundation is?

    Really, why try to paint this as an "open source vs. Microsoft" issue? If anything, this is the usual "full disclosure" vs. "responsible disclosure" vs. "no disclosure" debate. The underlying development model has little to do with it.
  • by MarkByers ( 770551 ) on Sunday May 08, 2005 @02:11PM (#12469430) Homepage Journal
    The two sites "update.mozilla.org" and "addons.mozilla.org" are trusted by default, and the exploit only requires these default trusted sites.

    The web page first tricks Firefox into installing a trusted extension (vulnerability 1). Then it takes advantage of a vulnerability during the install process (vulnerability 2).

    Separately these vulnerabilities are not that worrying, but combine them, and you have a problem.
  • Re:Yup - secure... (Score:3, Insightful)

    by Mr Europe ( 657225 ) on Sunday May 08, 2005 @02:23PM (#12469511)

    a) Only works on Windows,

    So does the virus....
  • Already there. (Score:3, Insightful)

    by SanityInAnarchy ( 655584 ) <ninja@slaphack.com> on Sunday May 08, 2005 @02:29PM (#12469563) Journal
    Not a full patch, but the exploit no longer works. Look at the dates in TFA:

    Exploit posted 07/05/2005
    They noticed the Mozilla fix on 08.05.2005

    IE still has multiple unpatched vulnerabilities, like it always does. Firefox gets a vulnerability and patches it the next day. I hate to call "astroturf", but the grandparent post reeks of green plastic.

    So, I dare you: try it. Try posting a trojan in an open source project. See if it ever gets accepted. See how fast it gets patched, especially once it becomes known.

    In reality, the difference is like night and day -- Firefox patched in 1 day, IE patched never.
  • Re:Yup - secure... (Score:2, Insightful)

    by mortis2600 ( 610745 ) on Sunday May 08, 2005 @02:31PM (#12469577)
    Wow, that's incredibly wrong. When a patch is available for Firefox, it tells you, and all it takes is 3 clicks and you're patched. Just restart the browser and you're set. Christ, one major flaw and suddenly it's "so insecure". How many critical exploits has MSIE6 had since its time in circulation? Why is it that, no matter how patched it is, there are hundreds of types of malware that exploit MSIE6's ActiveX and other poor security structures to install themselves on the end user's computer? Yeah.. Firefox is far more secure than MSIE6 and MS knows this. Thus, why they're trying to push out MSIE7 ASAP. Yep.. because MSIE is so secure. heh.. whatever.
  • Re:gah (Score:2, Insightful)

    by Albinofrenchy ( 844079 ) on Sunday May 08, 2005 @02:54PM (#12469729)
    I would recommend that you stop letting the idiots drag you down to their level.
  • by TheDormouse ( 614641 ) on Sunday May 08, 2005 @03:14PM (#12469851)

    You can view the source all you want. The bug is right there in the code. Just sift through the thousands of lines and you'll eventually find it.

    Just because Mozilla keeps the specific location of security-related bugs quiet until fixed doesn't mean that the source is any less open.

  • by Animats ( 122034 ) on Sunday May 08, 2005 @03:17PM (#12469875) Homepage
    this problem is equivalent to xpinstall having a buffer overflow exploit which allows code execution.

    No, it's not. This isn't anything subtle like a buffer overflow. This exploit uses standard features to download an executable (which shouldn't be allowed) and then execute it (even worse). This is a designed-in hole. It passed Mozilla's code review on April 9, 2002.

    Personally, I'm all for removing extensibility of Firefox, dropping support for helper applications and external view source. Are you really a proponent of such things?

    Yes. The Netscape/Mozilla "browser as platform" thing didn't work out. That's why Firefox exists. Firefox has legacy code from the Mozilla era, and much of it needs to come out.

  • Re:gah (Score:2, Insightful)

    by antiMStroll ( 664213 ) on Sunday May 08, 2005 @05:15PM (#12470662)
    By responding I'm ignoring your advice, but please, show me these posts. Not the ones floating around in your fevered preconceptions; show me ten real-world submissions claiming F/OSS is perfect and results in perfect code. Put up or get off yer mom's computer.
  • by Sycraft-fu ( 314770 ) on Sunday May 08, 2005 @06:17PM (#12471134)
    MS has always taken a "security through obscurity" approach. They are firm advocates of keeping things closed. They believe it is best to keep things restricted to their in-house and other trusted testers. They take public commentary, but only on the end result; the process and the code are shrouded in mystery.

    So for them, it's quite consistent to want to sit on a bug until they have a patch. After all, the code isn't open so no one else can fix it, and if it's kept quiet it's much more likely no one can exploit it until a patch is released.

    Open source is the exact opposite theory, the many-eyes theory. You open the entire code base to the entire world, without restriction. So anyone now, malicious or benevolent, can examine just how your stuff works. You actively encourage others to modify your work and to distribute those modifications to the world. It's all about transparency and access.

    So in this case it's rather inconsistent to keep everything hidden from the public. They are saying "there's a problem in the code we gave you, but we aren't going to tell you what it is or where it is." That sounds a lot like the Microsoft/closed source idea to me.

    Also it's a particularly valid commentary on /. since they like to periodically run MS bug patch stories. When these run, there are always a ton of people who slam on MS for their security record, and specifically for keeping people in the dark about the bugs until patch day.

    However, when an OSS patch story breaks, some of these very same people will crow on about how wonderful open source is and how fast the bug got patched because it's open. Often, however, a little investigation reveals that the bug has been known for some time, but the devs put a lid on it while they made a fix, same as MS does.

    Now perhaps that's the proper strategy: you keep quiet about a bug until you have a fix, or until there's a demonstrated vulnerability in the wild. Maybe that's the best way to minimize damage. However, if that is the case, you can't hate on MS for doing it while praising Mozilla for the same thing.
