New Mozilla Firefox 1.0.3 Exploit 596
An anonymous reader writes "News sources are reporting that a 'killer' new Firefox exploit has been revealed today by FrSIRT who warn that this 0day exploit/vulnerability (as yet unpatched) should be rated as critical. Summary of the exploit: If a user clicks anywhere on a specially crafted page, this code will automatically create and execute a malicious batch/exe file. Proof of concept code supplied by FrSIRT."
Uh oh! (Score:3, Funny)
Oh, wait.
Re:Uh oh! (Score:2, Funny)
Re:Uh oh! (Score:3, Informative)
Re:Uh oh! (Score:2, Informative)
Re:Uh oh! (Score:5, Insightful)
Re:Uh oh! (Score:5, Informative)
Might as well hit stop now. The bug isn't exploitable any more since update.mozilla.org itself has been fixed.
Re:Uh oh! (Score:5, Informative)
Know what? What's wrong with your grandma, Alzheimer's?
Why doesn't the little red arrow (update icon) display yet?
Because you don't need to update anything. It was fixed on updates.mozilla.org. The site needs to be in your white list of sites that are allowed to install software to be vulnerable. I'm sure they will have a more permanent fix later at some point, but the current exploit no longer works. Go ahead and try it.
So, as far as I'm concerned -- it's not.
But you're a bit of a fool, so I'm not sure your opinion counts.
Re:Uh oh! (Score:3, Insightful)
This bug was a classified bugzilla item since nobody-knows-when.
So starting the stopwatches NOW would be pointless, wouldn't it?
Re:Uh oh! (Score:5, Informative)
Web Features->Allow web sites to install software
I'll switch to MS IE as it has no known serious vulns
Internet Explorer Long Share Name Buffer Overflow [secunia.com] Highly Critical
Yeah... whatever. I don't mind if you would rather use a browser with a known serious security problem, but saying that IE has no known serious issues is misinformed.
Re:Uh oh! (Score:3, Informative)
Re:Uh oh! (Score:3, Insightful)
It's too bad it has obnoxious ads, its javascript sucks, and it is proprietary though.
Re:Uh oh! (Score:3, Interesting)
Proprietary, heaven forbid!
Javascript works just fine. When you don't see a site working properly, it's the script that's the problem. Opera 6 was very stringent about adhering to Ecmascript standards. Opera 7 relaxed that a bit, and version 8 even more.
It's very easy to make the ads go away (which are not at all obnoxious or intrusive to begin with).
Simply register the software.
Re:Uh oh! (Score:3, Informative)
It's not the fault of Opera really, but the DOM doesn't match either Netscape/Moz or Exploder. I wouldn't consider myself a "web developer" by any means, but I've done my share. Getting pages to work in IE and FF is a chore, and supporting Opera is just a waste of time.
Re:Javascript ! Will it ever go away ? (Score:5, Insightful)
Look into Firefox's chrome directory and say that again.
Has he dropped this in bugzilla as well? (Score:3, Insightful)
Re:Has he dropped this in bugzilla as well? (Score:3, Informative)
gah (Score:2, Funny)
Re:gah (Score:4, Insightful)
You mean like the F/OSS evangelists do every time a flaw is found in Internet Explorer?
However, I do think there is an important lesson in here - a lot of open source advocates have set an unreasonable level of expectations by proclaiming the amazing magic of open source: A fantasy world where every line is thoroughly vetted by thousands of super-experts, and if the source is available that instantly disproves the existence of malicious intent (put a trojan out, mark in GPL and make the source available, and I'd bet a lot of the converted would immediately download and install blindly. There are countless OSS projects where no one but the author ever bothers looking at the code).
Re:gah (Score:3, Insightful)
Yes, they have. Almost every discussion about such things here will have a number of replies claiming just that. Of course, those people aren't worth listening to, but they still say it.
Already there. (Score:3, Insightful)
Exploit posted 07/05/2005
They noticed the Mozilla fix on 08.05.2005
IE still has multiple unpatched vulnerabilities, like it always does. Firefox gets a vulnerability and patches it the next day. I hate to call "astroturf", but the grandparent post reeks of green plastic.
So, I dare you: try it. Try posting a trojan in an open source project. See if it ever gets accepted. See how fast it gets patched, especially once it beco
Re:gah (Score:5, Insightful)
At first, Mozilla fans (me included) all said "the chances of Firefox getting 0wned by exploits is very slim, Mozilla is secure by design -- IE isn't".
By about 0.9 or 0.10 the holes started pouring in -- but it was ok: "This is simply Mozilla Foundation's bug patching contest, they are working FOR us instead of AGAINST us."
After this it wasn't only white-hat Mozilla-funded security experts that started showing there were holes in the code. We changed our story again and, somewhat rightly, pointed out that "these are very theoretical and it would be very hard to use this to exploit a computer like IE can".
This is a really big problem. This will get exploited like crazy as it seems exceptionally easy to do. Not only that, I expect the only fix from Mozilla will be as usual, a 5MB binary installer with the files changed. This is unacceptable on a 56k modem and people just won't bother upgrading to a secure version.
Re:gah (Score:3, Interesting)
Re:gah (Score:3, Informative)
Pretty serious exploit (Score:2)
Re:Pretty serious exploit (Score:5, Funny)
Yup - secure... (Score:5, Interesting)
And the best part is, the patch management system in Firefox is so damn poor (i.e. non-existent), getting these patches distributed to end-users is a real damn chore (assuming they are distributed at all).
Re:Yup - secure... (Score:2, Insightful)
Re:Yup - secure... (Score:2, Informative)
Woe is us.
Re:Yup - secure... (Score:3, Insightful)
Current Firefox installers are not able to update a previously installed Firefox. I updated from 1.0.1 to 1.0.2 by pressing on the red arrow. The new version was fully downloaded (great for modem users, who need patches anyway?), installed, and the result was two Firefox versions installed according to Windows Add/Remove program...
The nice thing is that if you checked the mozillazine forums, people complaining about the crappy way the updater worked were told that they
Re:Yup - secure... (Score:5, Insightful)
a) Only works on Windows,
b) Makes you install the entire installer again instead of a 'diff'-style patch,
c) The installer is nearly 5MB, which means it's too big for most to download on 56k or GPRS
Another problem with the 1.0.1, 1.0.2 and 1.0.3 updates is that they all required 'staggering' based on language because MozFo doesn't have the sort of server infrastructure to serve millions of downloads at once.
Re:Yup - secure... (Score:3, Insightful)
a) Only works on Windows,
So does the virus....
Re:Yup - secure... (Score:3, Informative)
Windows update is worse. It'll force you to reboot your whole computer, not just your browser. And you still have to click the little button on most computers.
Re:Yup - secure... (Score:5, Interesting)
1. No update notification
2. No red blob in a corner.
3. No dialog box telling something new is available.
The feature seems unreliable at best.
Re:Yup - secure... (Score:3, Interesting)
That's a bit harsh.
Perhaps you could simply state that "that's not what I experience". Especially since my version (1.0_RC6) told me about 1.03 the other day.
But, perhaps you should look under "Tools -> Options -> Advanced -> Software Update"
Re:Yup - secure... (Score:3, Informative)
Seems simple enough to me.
Re:Yup - secure... (Score:3, Informative)
Re:It's not that easy... (Score:3, Informative)
These are the ONLY builds they should be worried about patching (and if they could make it language independent, it would be 3 packages). Everyone else gets the source code. Let Portage figure out how to update things.
Re:Yup - secure... (Score:2)
I sure hope the patches to this *open source* browser are distributed, <sarcasm>instead of being hidden from the public like most fixes to open-source stuff<
Re:Yup - secure... (Score:5, Insightful)
One of the advantages of IE is that when an exploit comes around you just send everyone a 300k file instead of 20MB of browser. With Firefox, you have to send them an entire browser every time 1 exploit comes out.
What Firefox needs is some sort of patching element built in to deal with patching the browser instead of forcing a complete download. It's not that Firefox can't do this. In fact, since most of the code is spread out across many files it should be a cakewalk to just update the affected file(s) automatically with little to no user intervention. This would keep the download size to a very minimum, allow it to update more frequently without waiting for a point release, and be easier to handle for people who don't know or care about security issues.
Re:Yup - secure... (Score:5, Informative)
A quote: "Darin has figured out how to get binary patching working, and is working on a system for incremental background update download."
Re:Yup - secure... (Score:3, Funny)
Re:Yup - secure... (Score:5, Informative)
Re:Yup - secure... (Score:3, Interesting)
I disagree, I think patching should be handled by the OS, not each application. The last thing I want is every application in my system to upgrade itself spontaneously according to some independently implemented mechanism and policy. I also don't think it's a good idea in general for applications to run in a context in which they are allowed to rewrite themselves. (I'm a linux user - I don't know enough about Windows to know if a robust w
Nasty (Score:3, Insightful)
Re:Nasty (Score:5, Informative)
Why on earth the browser thinks it's necessary to allow scripts to create executable files is beyond me.
Re:Nasty (Score:5, Informative)
This was reported to bugzilla some time ago! (Score:5, Informative)
Re:This was reported to bugzilla some time ago! (Score:5, Informative)
Re:This was reported to bugzilla some time ago! (Score:2)
Copy/paste this (linking doesn't work) [mozilla.org]
Re:This was reported to bugzilla some time ago! (Score:5, Informative)
It's "Open Source", not "Sploitz4Free".
Re:This was reported to bugzilla some time ago! (Score:3, Interesting)
And yet, when Microsoft does this, somehow it's "reprehensible".
Isn't the Open-Source model supposed to be, you know, open? The exploit is already in the wild. Blocking access to the bug doesn't do any good.
Re:This was reported to bugzilla some time ago! (Score:5, Insightful)
And on the flip side - where's all the folks who defend Microsoft's practices? Shouldn't they be also standing up here and saying how responsible the Mozilla Foundation is?
Really - why try to paint this as an "open source vs. Microsoft" issue? If anything, this is the usual "full disclosure" vs. "responsible disclosure" vs. "no disclosure" debate. The underlying development model has little to do with it.
The underlying model has everything to do with it (Score:3, Insightful)
So for them, it's quite consistent to want to sit on a bug until they have a patch. After all, the code isn't open so no one else can fix it, and if it's kept quiet it's much more likely no one can ex
Re:This was reported to bugzilla some time ago! (Score:3, Interesting)
Speaking of which, is there a way to turn off referrer information in firefox? It seems to me to be a big privacy problem, and it adds almost no functionality. I really have no incentive to tell other people what sites i'm browsing, so I'd rather not.
Explanation (Score:2, Insightful)
As long as programs are written by humans, there'll be flaws. It's a fact of software-development.
Will I have to download another 4.5MB so that I can fix this flaw?
Re:Explanation (Score:2)
The fact that I'm also using Linux made me move over from the Mozilla Suite.
Summery? (Score:3, Funny)
Reported and temporarily fixed (Score:5, Informative)
Re:Reported and temporarily fixed (Score:3, Interesting)
Tried it on my Mac... (Score:5, Funny)
FrSIRT's Post! (Score:3, Interesting)
Stolen exploit (Score:5, Informative)
Reminder: Bugzilla blocks
https://bugzilla.mozilla.org/show_bug.cgi?id=2926
https://bugzilla.mozilla.org/show_bug.cgi?id=2933
They are going to release a 1.0.4 shortly, I gather.
Still more timely than most of Microsoft's advisories... despite their earlier announcement. http://www.eeye.com/html/research/upcoming/index.
Leaked known bug (Score:5, Informative)
Also, bugzilla.mozilla.org is claiming they've been slashdotted. Go easy on em.
I keep clicking on the exe files... (Score:3, Funny)
Tried the test exploit they supplied... (Score:3, Interesting)
Possible workaround: (Score:5, Informative)
Re:Possible workaround: (Score:2)
Re:Possible workaround: (Score:3, Informative)
Are you sure? (Score:5, Interesting)
Win XP, Firefox 1.0.3
Win 2k, Firefox 1.0.3
FreeBSD, Firefox 1.0.3
and none of them did anything. The javascript looks like it should save a file (c:\booom.bat) and run it which should echo "malicious commands here" and wait for a keypress.
Is this truly an issue with Firefox and not some other software? If so, any ideas why it doesn't work?
Re:Are you sure? (Score:5, Informative)
Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").
So, unless you've whitelisted the exploit site (which generally would mean it's a site you trusted enough to install an XPI from), or the Mozilla website has been compromised, the exploit won't work.
Re:Are you sure? (Score:4, Informative)
Re:Are you sure? (Score:5, Informative)
Re:Are you sure? (Score:3, Informative)
It looks like the script is spoofing ftp.mozilla.org somehow. I made sure that "Allow Web Sites To Install Software" was enabled in Firefox's preferences, and I even added "ftp.mozilla.org" to the whitelist of allowed sites! Still didn't work.
Here's what happens when I load the page:
1. Fx appears to contact ftp.mozilla.org and downloads the harmless XPI referenced in
This isn't much of an "exploit" (Score:5, Informative)
Disable JavaScript, or disable the "Allow web sites to install software" option [Tools - Options - Web Features].
Why would anyone run routinely with "Allow web sites to install software" enabled ?
Re:This isn't much of an "exploit" (Score:5, Informative)
> software" enabled?
1. It's on by default
2. We naively assumed that the whitelist of web sites allowed to install software did its damn job.
Re:This isn't much of an "exploit" (Score:5, Insightful)
Firefox is only supposed to download and install from things in the whitelist. Unfortunately, it doesn't check the site correctly, and therefore can be tricked into thinking another site is mozilla.org
So even though you "secured" your system, it's still vulnerable because as long as you have anything in your whitelist (especially mozilla.org or the defaults), you're vulnerable.
Once the whitelist is working again properly, this won't be an issue.
Re:This isn't much of an "exploit" (Score:4, Interesting)
Agreed -- and even worse, the design was copied directly from Microsoft's ActiveX system!
It's a bit frustrating to see Firefox advocates continually prattle about "Security
Has this... (Score:2)
New FrSIRT Vulnerability (Score:3, Funny)
FrSIRT will go down 2 minutes after the start of a brutal Slashdotting.
This shouldn't be a competition. (Score:5, Insightful)
Now think about it for a minute. Who are you really at war against? Security exploits and the people who would exploit them, or browsers other than the one you use and the people that use them?
This reminds me of the days when Mac zealots would get all freaked out every time PCs got faster. "OMG, this is bad news! Now there are 3GHz PCs for under 500 dollars!"
This really boils down to people rating the quality of Product A compared to the suckiness of Product B. Personally, I've been using Products A, B, and C for a long time. When there is a problem found with Product B, that really doesn't make Product A perform the task I use it for any better.
If you want to call yourself a truly knowledgeable computer user, then you have to acknowledge that Products A, B, and C all have their strengths and weaknesses and therefore have tasks they're better suited for as well as tasks in which they're not the best solution.
If you look at it from the proper perspective, every time an exploit is found by good people before bad people have a chance to do harm with it then it is good for everyone.
This particular exploit also demonstrates how foolish it is to posture and sling insults. The whole time FF users slung insults at IE when exploits were found, this exploit was there lurking below the surface waiting to be found.
Let applications that are without exploit cast the first stone. Since that's never going to happen, argue your cause based on its merits.
Secunia: Extremely Critical (Score:5, Informative)
http://secunia.com/advisories/15292/ [secunia.com]
This is the first Firefox exploit that has received the rating 'Extremely Critical'.
--- Extract from Secunia's site ---
Description:
Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.
1) The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.
2) Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.
Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").
A combination of vulnerability 1 and 2 can be exploited to execute arbitrary code.
NOTE: Exploit code is publicly available.
The vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.
Solution:
Disable JavaScript.
This is my interpretation of it... (Score:3, Insightful)
The web page first tricks Firefox into installing a trusted extension (vulnerability 1). Then it takes advantage of a vulnerability during the install process (vulnerability 2).
Separately these vulnerabilities are not that worrying, but combine them, and you have a problem.
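As an added example that is not part of the thread or of Firefox's own code: the Secunia extract above describes two missing checks (the install whitelist can be tricked into treating another site as mozilla.org, and the "IconURL" parameter of InstallTrigger.install() is not verified, so a javascript: URL gets through). The small validator below shows what those two checks look like when done by exact host matching and by scheme allow-listing. The function names, the whitelist set and the sample inputs are all constructed for illustration; the default whitelist entries are the two hosts the advisory names.

```javascript
// Added example, not Firefox's implementation. Models the two checks that the
// advisory says were insufficient: (1) the requesting page's exact host must be
// on the xpinstall whitelist, and (2) the icon URL handed to the installer must
// be a plain http(s) URL, never a javascript: (or other) scheme.

// Default whitelist as named in the advisory (constructed for this example).
const INSTALL_WHITELIST = new Set(["update.mozilla.org", "addons.mozilla.org"]);

// Parse with the standard URL class; anything unparsable is rejected later.
function parseUrl(s) {
  try {
    return new URL(s);
  } catch (e) {
    return null;
  }
}

// Check 1: whitelist membership by exact, parsed hostname. Comparing the parsed
// hostname (not a substring of the raw string) means "update.mozilla.org.evil.test",
// "evil.test/update.mozilla.org" and "update.mozilla.org@evil.test" all fail.
function isWhitelistedInstallSource(pageUrl, whitelist = INSTALL_WHITELIST) {
  const u = parseUrl(pageUrl);
  if (!u) return false;
  // Only a real web origin can be an install source; javascript:, data:, file:
  // and friends have no meaningful host and must never qualify.
  if (u.protocol !== "https:" && u.protocol !== "http:") return false;
  return whitelist.has(u.hostname);
}

// Check 2: the icon URL is data to fetch, not code to run, so only http(s)
// schemes are acceptable. A javascript: URL here is exactly what the advisory
// describes as leading to script running with escalated privileges.
function isSafeIconUrl(iconUrl) {
  const u = parseUrl(iconUrl);
  if (!u) return false;
  return u.protocol === "https:" || u.protocol === "http:";
}

// Combined decision for one install request; returns the reason so a log line
// or a UI prompt can say why the request was refused.
function checkInstallRequest(pageUrl, iconUrl, whitelist = INSTALL_WHITELIST) {
  if (!isWhitelistedInstallSource(pageUrl, whitelist)) {
    return { ok: false, reason: "requesting page is not on the install whitelist" };
  }
  if (!isSafeIconUrl(iconUrl)) {
    return { ok: false, reason: "icon URL scheme is not http(s)" };
  }
  return { ok: true, reason: "" };
}

// Constructed sample requests (".test" is a reserved example TLD).
const SAMPLE_REQUESTS = [
  ["https://update.mozilla.org/extensions/foo.xpi", "https://update.mozilla.org/icon.png"],
  ["https://update.mozilla.org.evil.test/foo.xpi", "https://update.mozilla.org/icon.png"],
  ["https://evil.test/update.mozilla.org/foo.xpi", "https://update.mozilla.org/icon.png"],
  ["https://update.mozilla.org@evil.test/foo.xpi", "https://update.mozilla.org/icon.png"],
  ["https://update.mozilla.org/extensions/foo.xpi", "javascript:void(0)"],
];

function runSamples() {
  return SAMPLE_REQUESTS.map(([page, icon]) => checkInstallRequest(page, icon));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [i, r] of runSamples().entries()) {
    console.log(`request ${i}: ${r.ok ? "allowed" : "refused: " + r.reason}`);
  }
}
```

Of the five constructed requests only the first is allowed; the three look-alike hosts fail the exact-hostname check, and the last fails the icon-scheme check even though its page is legitimately whitelisted. That last case is the point of the advisory's second item: a whitelist that works is not enough if a whitelisted page can still pass code where the installer expects a resource URL.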
Fixes for large sites (Score:5, Informative)
// in mozilla.cfg (autoconfig): the function is lockPref, and the pref is a boolean, so the value is false, not the string "false"
lockPref("xpinstall.enabled", false);
xpinstall.enabled seems to be the preference changed by "Allow websites to install software"
Linux and MacOS vulnerable, too (Score:5, Insightful)
The basic problem is that the Mozilla developers, in their futile attempt to create a "platform", put in a mechanism comparable to ActiveX - a way to dynamically download executable programs. Of course, they tried to make sure this "feature" could not be used for purposes of evil. Like Microsoft, they failed.
Understand, this isn't subtle. The code uses built-in Mozilla JavaScript extensions to create a local file in a very straightforward way. It then calls "nsILocalFile::launch()" (which does exactly what you think it does) to launch it. Those are capabilities that shouldn't be in a browser's JavaScript engine at all.
Having designed in a potential security hole big enough to drive a semitrailer through, they tried to make it "secure" with the usual crap approaches - signatures, lists of trusted sites, and disabling for certain types of URLs. They failed. They forgot to make those checks for "favicon.ico" files (Mozilla's implementation of a Microsoft icon-in-the-toolbar gimmick.)
Plugging that hole is not the answer. The problem is more fundamental. "nsILocalFile::launch()" needs to be removed. Browsers have no business launching arbitrary executable programs. Period.
Re:Linux and MacOS vulnerable, too (Score:4, Insightful)
No, it's not. This isn't anything subtle like a buffer overflow. This exploit uses standard features to download an executable (which shouldn't be allowed) and then execute it (even worse). This is a designed-in hole. It passed Mozilla's code review on April 9, 2002.
Personally, I'm all for removing extensibility of Firefox, dropping support for helper applications and external view source. Are you really a proponent of such things?
Yes. The Netscape/Mozilla "browser as platform" thing didn't work out. That's why Firefox exists. Firefox has legacy code from the Mozilla era, and much of it needs to come out.
Is this a design issue that will breed more bugs? (Score:4, Insightful)
What are the important differences between this and Microsoft Internet Explorer? In MSIE some sites are in the Trusted Sites or Local Machine zones and therefore privileged. Such sites have a dangerous degree of control over the user's computer, and there have been many ways for unprivileged sites to execute code in the context of a privileged site.
Is Firefox doing something better than IE in its design, or are we going to see a whole class of bugs like this one in the future?
Does it affect the mozilla suite? (seamonkey) (Score:3, Interesting)
Trusted Sites Only? (Score:3, Informative)
Re:Trusted Sites Only? (Score:3, Interesting)
Anyhow quoting the article:
Re:This is getting really old (Score:2)
Which people?
Re:I'm not too worried (Score:2, Insightful)
Re:I'm sure everyone will complain (Score:5, Interesting)
Re:I'm sure everyone will complain (Score:3, Informative)
Re:I'm sure everyone will complain (Score:3, Interesting)
Well double dumbass on the Mozilla developers for knowing about it and not taking steps to mitigate it even without an exploit in the wild. Calling the person who released it a "jerk" just shows that you have no understanding that a security risk is severe, whether or not anybody knows about its existence. It's said time and time again, but nobody ever listens: security through obscurity is not security. The person w
Re:I'm sure everyone will complain (Score:3, Interesting)
There was nothing the Mozilla developers COULD do to mitigate it. Only when we (the Mozilla Update devs) realized exactly how the exploit depended on the Mozilla Update website could we do anything - and we spent a few hours last night working on the first level of mitigation. We've been working on a better solution most of today.
Calling the person who released it
I've been sent to correct this (Score:2)
Re:Harmless on Linux (Score:3, Insightful)
I am no Linux expert, but wouldn't it be perfectly possible to make a Linux version that, let's say, downloads and executes a shell script that kills your user directory?
Even more useful (to an attacker) (Score:3, Insightful)
Re:Security of IE versus Firefox (Score:3, Insightful)
Rooted? Blame user! (Score:3, Interesting)
Don't run as root unless you have to.