zero-day flaws in Firefox

[franzon]

http://news.com.com/2100-1002_3-6121608.ht...8&subj=news

An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.

The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding on to the bugs.

"I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," Ruderman said.

Edited October 1, 2006 by franzon

[Salgoth]

And a different quote from the same story:

"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock

Seems the only time I see something posted by franzon is when its something slamming FF. Mastertech version b?

For those wanting to do their own impartial analysis:

IE: http://secunia.com/product/11/?task=advisories

"Secunia has issued a total of 106 Secunia advisories in 2003-2006 for Microsoft Internet Explorer 6.x. Currently, 18% (19 out of 106) are marked as Unpatched with the most severe being rated Extremely critical"

Opera: http://secunia.com/product/4932/?task=advisories

"Secunia has issued a total of 15 Secunia advisories in 2003-2006 for Opera 8.x. Currently, 0% (0 out of 15) are marked as Unpatched".

Firefox: http://secunia.com/product/4227/?task=advisories

"Secunia has issued a total of 36 Secunia advisories in 2003-2006 for Mozilla Firefox 1.x. Currently, 8% (3 out of 36) are marked as Unpatched with the most severe being rated Less critical"

- bear in mind these are R E P O RT E D vulnerabilities, unfortunatelly there are always going to be unreported, and probably highly effective holes that are not openly disclosed.

[xpgeek]

And the Branch just got 4 undisclosed security fix's last night,

#353249 [Core:JavaScript Engine]-(undisclosed security fix) [All]

#354750 [Core:JavaScript Engine]-(undisclosed security fix) [All]

#354924 [Core:JavaScript Engine]-(undisclosed security fix) [All]

#354945 [Core:JavaScript Engine]-(undisclosed security fix) [All]

So I think this might be fixed already. I hope so anyway, because I can't stand using NoScript, its a good idea and all, but its sooo annoying and un-practical.

[Salgoth]

As an addendum to my earlier post perhaps I should haver trolled this over on the IE forum as Franzon did here...

"Zero Day Flaw in Internet Explorer"

Warnings grow over unpatched IE flaw

http://www.theregister.co.uk/2006/09/18/ie..._warnings_grow/

Spyware, Bots, Rootkits Flooding Through Unpatched IE Hole

http://www.eweek.com/article2/0,1759,20176...3119TX1K0000594

New Exploit Rocks IE, Downloads Scores Of Spyware, Adware

http://www.crn.com/sections/breakingnews/b...CRNBreakingNews

Porn sites exploit new IE flaw

http://news.com.com/Porn+sites+exploit+new...g=st.rc.targ_mb

[Slimy]

The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon.

An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.

"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it.

The flaw is specific to Firefox's implementation of JavaScript, a 10-year old scripting language widely used on the Web. In particular, various programming tricks can cause a stack overflow error, Spiegelmock said. The implementation is a "complete mess," he said. "It is impossible to patch."

The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation Saturday night. "What they are describing might be a variation on an old attack," she said. "We're going to do some investigating."

Snyder said she isn't happy with the disclosure and release of an exploit during the presentation. "It looks like they had enough information in their slide for an attacker to reproduce it," she said. "I think it is unfortunate because it puts users at risk, but that seems to be their goal."

At the same time, the presentation probably gives Mozilla enough data to fix the flaw, Snyder said. However, because the flaw appears to be in the part of the browser that deals with JavaScript, addressing it might be tougher than the average patch, she added. "If it is in the JavaScript virtual machine, it is not going to be a quick fix," Snyder said.

The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding on to the bugs.

Jesse Ruderman, a Mozilla security staffer, attended the presentation and was called up on the stage with the two hackers. He attempted to persuade the presenters to responsibly disclose flaws via Mozilla's bug bounty program instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets.

"I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," Ruderman said.

The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," Wbeelsoi said.

Source

[Fred Derf Veteran]

[Thread Moved from Mozilla to BPN]

[Threads Merged]

[struct]

There's no job security like being on the IE security team.

[bucko]

Can someone explain to me why every exploit recently seems to be called zero-day, I must be living under a rock.

[+Neyht Subscriber²]

It means they were disclosed to the public without the company first being notified of the vulnerability.

[Kreuger]

So we're all safe if we disable JS? I've done so with most sites anyway.

[Unholy Moley!]

Good thing for the NoScript addon.

[Barney T. Administrators]

^ I use that extension pretty religiously:

https://addons.mozilla.org/firefox/722/

Barney

[bucko]

It means they were disclosed to the public without the company first being notified of the vulnerability.

Thanks :pinch: yes I use NoScript, feel safe using it :rofl:

[xendrome]

Sorry but by other thread got closed for having the same link in it, but it doesn't have the same meaning as this thread, but alas, I got pointed here.

----OT

Hey guys, I just thought this was kind of ignorant for anyone to say. But I want to see what you guys think.

As far as I know, software always has, and can be "patched" thats the basic principle of how software works, it can be modified and upgraded etc. Unlike hardware, you get to a specific level and thats as far as it will go.

However I guess this numbskull who found a 0 day Critical Flaw in Firefox claims it' can't be patched.

Maybe it's just me, but anyone who works in the software/computer/IT field and says you can't patch software should lose their job, and be looked at by a psych doctor wink.gif Opinions?

http://news.zdnet.com/2100-1009_22-6121608.html]ZDNet Story

And quote from story

"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it.

The flaw is specific to Firefox's implementation of JavaScript, a 10-year old scripting language widely used on the Web. In particular, various programming tricks can cause a stack overflow error, Spiegelmock said. The implementation is a "complete mess," he said. "It is impossible to patch.""

[Inplode]

^ I use that extension pretty religiously:

https://addons.mozilla.org/firefox/722/

Barney

QFT !

[QwertyManiac]

NoScript ftw :)

[duntkno]

theres always something about security problems, get a firewall, antivirus, safe browser; but what are the actual chances, statistic numbers, that your possibly going to get hacked by one of these people?

[primexx]

The top few replies dont really make sense, the OP didnt really bash Firefox he just pointed out there are some flaws, what's wrong with that?

As to the actual content of the article...I'm safe with NoScript lol, but we are seeing more security holes in the browser. I think it has at least in part to do with the growing userbase so there's more people who wish to exploit this market.

Hope Mozilla fixes the bugs soon, somehow.

[k22]

if you don't want to install noscript, you can disable javascript manually by...

address bar

about:config

filter on "java"

double click "javascript enabled" to set the boolean value to false

just realize that things like youtube and popups that use javascript will not work

[Kreuger]

just realize that things like youtube and popups that use javascript will not work

that's why noscript is good. you can allow sites you trust. I highly doubt any trustworthy site is gonna give you malware like that unless they get hacked themselves.

[Davebo]

Not as big a deal as first made out perhaps?

http://developer.mozilla.org/devnews/index...ted-at-toorcon/

We got a chance to talk to Mischa Spiegelmock, the Toorcon speaker that reported the potential javascript security issue referenced earlier. He gave us more code to work with and also made this statement and agreed to let me post it here:

The main purpose of our talk was to be humorous.

As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.

I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven?t used it to take over anyone else?s computer and execute arbitrary code.

I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.

I apologize to everyone involved, and I hope I have made everything as clear as possible.

Sincerely,

Mischa Spiegelmock

Even though Mischa hasn?t been able to achieve code execution, we still take this issue seriously. We will continue to investigate.

-Window Snyder

[Slimy]

^ https://www.neowin.net/forum/index.php?showtopic=500453 :)

[Fred Derf Veteran]

^ https://www.neowin.net/forum/index.php?showtopic=500453 :)

Yeah, it apparently was all a big joke. There is no zero-day exploit (at least not from this guy).

[Thread Closed]