New Mozilla Firefox 1.0.3 Exploit
An anonymous reader writes "News sources are reporting that a 'killer' new Firefox exploit has been revealed today by FrSIRT who warn that this 0day exploit/vulnerability (as yet unpatched) should be rated as critical. Summary of the exploit: If a user clicks anywhere on a specially crafted page, this code will automatically create and execute a malicious batch/exe file. Proof of concept code supplied by FrSIRT."
Yup - secure... (Score:5, Interesting)
And the best part is, the patch management system in Firefox is so damn poor (i.e. non-existent), getting these patches distributed to end-users is a real damn chore (assuming they are distributed at all).
FrSIRT's Post! (Score:3, Interesting)
I can't get this exploit to work... (Score:1, Interesting)
Does it work really?
Re:I'm sure everyone will complain (Score:5, Interesting)
Tried the test exploit they supplied... (Score:3, Interesting)
Are you sure? (Score:5, Interesting)
Win XP, Firefox 1.0.3
Win 2k, Firefox 1.0.3
FreeBSD, Firefox 1.0.3
and none of them did anything. The javascript looks like it should save a file (c:\booom.bat) and run it which should echo "malicious commands here" and wait for a keypress.
Is this truly an issue with Firefox and not some other software? If so, any ideas why it doesn't work?
Re:Reported and temporarily fixed (Score:3, Interesting)
Re:Yup - secure... (Score:1, Interesting)
Why am I not surprised that Javascript is at the root of yet another security hole?
Does anybody leave this shit on anymore these days?
Re:This was reported to bugzilla some time ago! (Score:3, Interesting)
Speaking of which, is there a way to turn off referrer information in Firefox? It seems to me to be a big privacy problem, and it adds almost no functionality. I really have no incentive to tell other people what sites I'm browsing, so I'd rather not.
Re:gah (Score:3, Interesting)
Re:Yup - secure... (Score:3, Interesting)
That's a bit harsh.
Perhaps you could simply state that "that's not what I experience". Especially since my version (1.0_RC6) told me about 1.03 the other day.
But, perhaps you should look under "Tools -> Options -> Advanced -> Software Update"
Exploit didn't work for me (Score:1, Interesting)
My system is GNU/Linux running Firefox 1.
Rooted? Blame user! (Score:3, Interesting)
Don't run as root unless you have to.
Re:Uh oh! (Score:1, Interesting)
Well, Opera doesn't seem to have this vulnerability or IE's woes.
Does it affect the mozilla suite? (seamonkey) (Score:3, Interesting)
Re:Yup - secure... (Score:5, Interesting)
1. No update notification
2. No red blob in a corner.
3. No dialog box telling something new is available.
The feature seems unreliable at best.
Re:This was reported to bugzilla some time ago! (Score:3, Interesting)
And yet, when Microsoft does this, somehow it's "reprehensible".
Isn't the Open-Source model supposed to be, you know, open? The exploit is already in the wild. Blocking access to the bug doesn't do any good.
Re:Trusted Sites Only? (Score:3, Interesting)
Anyhow quoting the article:
Re:This isn't much of an "exploit" (Score:4, Interesting)
Agreed -- and even worse, the design was copied directly from Microsoft's ActiveX system!
It's a bit frustrating to see Firefox advocates continually prattle about "Security
Re:Uh oh! (Score:3, Interesting)
Proprietary, heaven forbid!
Javascript works just fine. When you don't see a site working properly, it's the script that's the problem. Opera 6 was very stringent about adhering to ECMAScript standards. Opera 7 relaxed that a bit, and version 8 even more.
It's very easy to make the ads go away (which are not at all obnoxious or intrusive to begin with).
Simply register the software.
Re:I'm sure everyone will complain (Score:3, Interesting)
Well double dumbass on the Mozilla developers for knowing about it and not taking steps to mitigate it even without an exploit in the wild. Calling the person who released it a "jerk" just shows that you have no understanding that a security risk is severe, whether or not anybody knows about its existence. It's said time and time again, but nobody ever listens: security through obscurity is not security. The person who posted it wasn't a jerk - that's just blaming somebody else for the Mozilla developers' failures. Stop pointing the finger, fix the damn problem, and release a patch before Monday morning.
[Disclaimer: I'm a Mozilla lover, not a Mozilla hater, but lovers can still have quarrels. I've used Phoenix/Firebird/Firefox exclusively since a week after Phoenix 0.1 was made public, and I've been a heavy advocate for it from day 1.]
Re:I'm sure everyone will complain (Score:3, Interesting)
There was nothing the Mozilla developers COULD do to mitigate it. Only when we (the Mozilla Update devs) realized exactly how the exploit depended on the Mozilla Update website could we do anything - and we spent a few hours last night working on the first level of mitigation. We've been working on a better solution most of today.
Calling the person who released it a "jerk" just shows that you have no understanding that a security risk is severe, whether or not anybody knows about its existence.
Yes, and it becomes a lot more severe once an exploit is posted for all the script kiddies to use. Do you really think we're better off now that any idiot can own a Firefox user's machine, rather than just the white hat who reported the hole (plus at most a few black hats)?
It's said time and time again, but nobody ever listens: security through obscurity is not security.
Obscurity is a valid layer of security, so long as it's not the only one. The fact that somebody felt it was wise to strip us of one layer of protection is what is annoying.
If one of the doors to your house had a broken lock, would you rather have that be a secret until you can get to the hardware store and fix it, or have someone inform the whole neighborhood? Of course you'd PREFER to not have a broken lock at all, but in the real world, things don't always go the way you want.
The person who posted it wasn't a jerk - that's just blaming somebody else for the Mozilla developers' failures. Stop pointing the finger, fix the damn problem, and release a patch before Monday morning.
Nobody blames the person who leaked it for the hole - I blame the person who leaked it for the people who get hacked as a result of the posted exploit.
Re:Yup - secure... (Score:3, Interesting)
I disagree, I think patching should be handled by the OS, not each application. The last thing I want is every application in my system to upgrade itself spontaneously according to some independently implemented mechanism and policy. I also don't think it's a good idea in general for applications to run in a context in which they are allowed to rewrite themselves. (I'm a Linux user - I don't know enough about Windows to know if a robust whole-system auto update mechanism is available to non-Microsoft applications. If not, I can see why such a feature would need to be implemented out of necessity.)
I do agree that we should be using binary diffs whenever possible rather than sending whole packages. Yum is an amazing resource hog, it would be great to reduce its bandwidth usage.