
New Mozilla Firefox 1.0.3 Exploit

CmdrTaco posted more than 8 years ago | from the happens-to-every-browser dept.

Mozilla 596

An anonymous reader writes "News sources are reporting that a 'killer' new Firefox exploit has been revealed today by FrSIRT who warn that this 0day exploit/vulnerability (as yet unpatched) should be rated as critical. Summary of the exploit: If a user clicks anywhere on a specially crafted page, this code will automatically create and execute a malicious batch/exe file. Proof of concept code supplied by FrSIRT."

596 comments

This is getting really old (-1, Offtopic)

nurb432 (527695) | more than 8 years ago | (#12467667)

Why can't these people just get a life?

Re:This is getting really old (1)

Azadre (632442) | more than 8 years ago | (#12467680)

What is wrong with a campaign to fix bugs? Their lives consist of programming: writing software AND fixing all bugs.

Re:This is getting really old (1)

tehwebguy (860335) | more than 8 years ago | (#12467740)

it's my understanding that this exploit was found by a team or individual dedicated to finding them for good, and more specifically, fixing exploits.

DOD SOURCE NOW AVAILABLE (-1, Troll)

Anonymous Coward | more than 8 years ago | (#12467671)

not! cock knockers!!!!!!

Uh oh! (3, Funny)

kryogen1x (838672) | more than 8 years ago | (#12467673)

Hey everyone let's use IE now, because it's safer than Firefox.

Oh, wait.

Re:Uh oh! (2, Funny)

tomjen (839882) | more than 8 years ago | (#12467697)

At least firefox is safer than lynx - no one has been arrested for using firefox - yet.

Re:Uh oh! (0)

Anonymous Coward | more than 8 years ago | (#12467762)

Would you care to enlighten us? Links? Please?

Re:Uh oh! (5, Insightful)

ebuilder (209792) | more than 8 years ago | (#12467772)

Start your stop watches and let's see how long before a patch is forthcoming. To my mind that is the real test. Then compare that time to M$' response time.

Re:Uh oh! (0)

Anonymous Coward | more than 8 years ago | (#12467785)

Microsoft's response time is still ticking on remote exploit bugs in IE...

Re:Uh oh! (0)

Anonymous Coward | more than 8 years ago | (#12467878)

Is this still funny? What year is it again?

The sky is falling! (-1, Troll)

Anonymous Coward | more than 8 years ago | (#12467674)

But, but but... how can this be? Firefox is soooooo secure!?

I'm not too worried (-1)

Mad Merlin (837387) | more than 8 years ago | (#12467676)

Posting from Konqueror on Linux, I'm pretty confident this exploit doesn't (directly) impact me, but it leads me to ask the question: How long until the Mozilla guys can patch this?

Re:I'm not too worried (0)

Anonymous Coward | more than 8 years ago | (#12467718)

This post isn't interesting at all! I mean, read it - where's the substance?

Re:I'm not too worried (0)

Anonymous Coward | more than 8 years ago | (#12467833)

Just be glad he didn't make any reference to sharks with fricking firefox exploits strapped to their heads. In that case our moderator overlords (whom I welcome by the way) would have granted him a +5 funny in double quick time!

Re:I'm not too worried (2, Insightful)

ssj_195 (827847) | more than 8 years ago | (#12467724)

I'm using Linux too, but from what I hear, a significant amount of Windows users are completely and totally failing to trigger the exploit. Have any Windows users managed to get it to actually work, yet?

Re:I'm not too worried (-1, Troll)

Anonymous Coward | more than 8 years ago | (#12467739)

> Posting from Konqueror on Linux, I'm pretty confident this exploit doesn't (directly) impact me, but it leads me to ask the question: How long until the Mozilla guys can patch this?

Why do you care if this doesn't affect you?

Re:I'm not too worried (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#12467781)

We need to know just how smug this guy really is.

IE! (-1, Redundant)

Anonymous Coward | more than 8 years ago | (#12467678)

Get rid of those nasty bugs and exploits in Firefox! Switch to Internet Explorer today!

:D

Has he dropped this in bugzilla as well? (3, Insightful)

wzzrd (545802) | more than 8 years ago | (#12467681)

Because THAT, with some documentation, would be helpful. Still, as long as it doesn't create *nix r00tkits on the fly on my box, I'm on the safe side :)

Re:Has he dropped this in bugzilla as well? (3, Informative)

Anonymous Coward | more than 8 years ago | (#12467763)

Yes, it's in Bugzilla (bug is temporarily restricted because of security concerns). There's also a dupe already. No need to add more.

gah (1, Funny)

Turn-X Alphonse (789240) | more than 8 years ago | (#12467682)

Fantastic. Now we'll see Microsoft going "OMG DON'T USE FIREFOX YOU CAN'T EVEN CLICK ON SOMETHING SAFELY!". I guess this is at least 1 step up from "just come to the page, we'll own your PC and you don't even need a mouse".

I'm sure everyone will complain (0, Redundant)

Saven Marek (739395) | more than 8 years ago | (#12467684)

And everyone will say ":oh no firefox is a security risk" whaaaa. Well, this isn't really the case and is overstating things just a bit. When it comes down to it firefox still has many quicker fixes and the bug is probably already fixed by now.

So if this is the case where is the problem? A non-issue if you ask me.

Re:I'm sure everyone will complain (4, Interesting)

ssj_195 (827847) | more than 8 years ago | (#12467758)

> And everyone will say ":oh no firefox is a security risk" whaaaa. Well, this isn't really the case and is overstating things just a bit. When it comes down to it firefox still has many quicker fixes and the bug is probably already fixed by now.

Perhaps the bug is already fixed in the dev tree, but this is irrelevant if the fix takes 3 months to deploy to users. Hopefully, the fixes to the auto-update system coming up in 1.1 (where a "security fix" does not consist simply of "re-install the whole of Firefox with this new version") will make the whole deployment aspect faster. Although I have to say, Firefox 1.0.3 seemed to follow quite quickly on the heels of 1.0.2, which is encouraging! :)

Pretty serious exploit (1)

esconsult1 (203878) | more than 8 years ago | (#12467691)

Already Firefox tends to be around 45% of traffic across my sites, so this is going to affect a lot of users.

Re:Pretty serious exploit (1)

Barryke (772876) | more than 8 years ago | (#12467731)

> Already Firefox tends to be around 45% of traffic across my sites, so this is going to affect a lot of users.

1) starting up IE [found it]
2) visiting your site [found it]
3) why am I visiting? it's no use. [got it]

Re:Pretty serious exploit (0)

Anonymous Coward | more than 8 years ago | (#12467814)

barrystaes: your website looks wonderful ... echt!

Re:Pretty serious exploit (0)

Anonymous Coward | more than 8 years ago | (#12467760)

So all of those users using your sites are going to be affected? Stay away from www.w3matter.com !!!

especially if you have a specially crafted page! (0)

Anonymous Coward | more than 8 years ago | (#12467812)

I can't run exe files anyhooo! hehehe

Yup - secure... (5, Interesting)

Anonymous Coward | more than 8 years ago | (#12467692)

Maybe it's time to accept Firefox has its fair share of exploits?

And the best part is, the patch management system in Firefox is so damn poor (ie. non-existent), getting these patches distributed to end-users is a real damn chore (assuming they are distributed at all).

Re:Yup - secure... (2, Insightful)

tomjen (839882) | more than 8 years ago | (#12467716)

Well from what i could see, it uses javascript, so i just turned it off.

Re:Yup - secure... (0)

Anonymous Coward | more than 8 years ago | (#12467777)

Yay plain old HTML gmail!

Re:Yup - secure... (1, Interesting)

Anonymous Coward | more than 8 years ago | (#12467836)

> Well from what i could see, it uses javascript, so i just turned it off.

Why am I not surprised that Javascript is at the root of yet another security hole?

Does anybody leave this shit on anymore these days?

Re:Yup - secure... (2, Informative)

Ithika (703697) | more than 8 years ago | (#12467738)

You're right, I'm gonna have real difficulty pressing those little green and red arrows in the corner of the window when the time comes for the new release. Oh boy, I'm sweating at the thought of the trials that await me! I'll probably need to lie down after that, it being so difficult and complicated and all.

Woe is us.

Re:Yup - secure... (1)

Jugalator (259273) | more than 8 years ago | (#12467843)

> You're right, I'm gonna have real difficulty pressing those little green and red arrows in the corner of the window when the time comes for the new release. Oh boy, I'm sweating at the thought of the trials that await me! I'll probably need to lie down after that, it being so difficult and complicated and all.
>
> Woe is us.

You may care about this, but not the user that doesn't monitor security sites or Slashdot, and just cares if s/he can browse CNN.com properly, and so on.

Woe is them.

Re:Yup - secure... (1)

David Horn (772985) | more than 8 years ago | (#12467857)

Yeah, but even that isn't an ideal solution. It requires re-downloading and installing FireFox, and it can't even be bothered to clean up after itself. (NO - I don't like the FireFox Installer left on my desktop!)

At least with IE the patches are less than 1MB in general and don't require a whole reinstall of the browser.

Re:Yup - secure... (3, Insightful)

Anonymous Coward | more than 8 years ago | (#12467870)

You are forgetting something, though:

Current Firefox installers are not able to update a previously installed Firefox. I updated from 1.0.1 to 1.0.2 by pressing on the red arrow. The new version was fully downloaded (great for modem users, who need patches anyway?), installed, and the result was two Firefox versions installed according to Windows Add/Remove program...

The nice thing is that if you checked the mozillazine forums, people complaining about the crappy way the updater worked were told that they should have known that they had to manually download the update, uninstall the previous firefox version, and install the new one.

Yeah, how come I didn't know that clicking on update wasn't the way to update Firefox! Silly me :P

Re:Yup - secure... (1)

mytec (686565) | more than 8 years ago | (#12467879)

There's this thing called system administration across a group of networked machines. The parent poster probably understands that concept.

For your needs your response is seemingly suitable. Others need more out of Firefox in a more managed fashion to which Firefox doesn't offer very much.

Re:Yup - secure... (1)

cloudmaster (10662) | more than 8 years ago | (#12467786)

That little "updates are available" icon that shows up in the corner when updates are available - it's just a figment of your imagination. And the ease of clicking on the icon and then on "ok", why, even if the icon was real? That whole process would be far too difficult for the average computer user to deal with - if it wasn't non-existent.

I sure hope the patches to this *open source* browser are distributed, <sarcasm>instead of being hidden from the public like most fixes to open-source stuff</sarcasm>.

Package Manager (2, Insightful)

MarkByers (770551) | more than 8 years ago | (#12467838)

> the patch management system in Firefox is so damn poor (ie. non-existent)

Pretty much any modern OS distribution comes with a package manager that handles upgrading for you. Time for you to upgrade your OS perhaps.

Nasty (3, Insightful)

bustersnyvel (562862) | more than 8 years ago | (#12467704)

That's nasty! I'm glad that in Linux files aren't automagically executable when you give them a certain name :)

Re:Nasty (0)

Anonymous Coward | more than 8 years ago | (#12467780)

Shell scripts without execute permission can still be executed by running "sh filename" in the same way Perl or PHP scripts can be run.

Re:Nasty (0)

Anonymous Coward | more than 8 years ago | (#12467820)

Not by this exploit! Face it, this isn't a mozilla exploit so much as a windows design problem.

Re:Nasty (1, Insightful)

Anonymous Coward | more than 8 years ago | (#12467864)

More exactly, it's a mozilla issue that exploits a windows design problem.

And cue... (1, Funny)

Anonymous Coward | more than 8 years ago | (#12467705)

...hilarious fan-boi apologism (wherein mind-crushingly tortured logic spins this awful security flaw into something that is actually a feature yet another reason why Firefox is better than IE!) in 5...4...3...2...1...

Re:And cue... (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#12467822)

I take it all back :) Thanks for the sane ratings, mods - it helps restore some of my faith in slashdot :)

This was reported to bugzilla some time ago! (5, Informative)

Exter-C (310390) | more than 8 years ago | (#12467712)

This was reported to the mozilla bugzilla a while ago. https://bugzilla.mozilla.org/show_bug.cgi?id=29269 1 [mozilla.org]

Re:This was reported to bugzilla some time ago! (4, Informative)

passthecrackpipe (598773) | more than 8 years ago | (#12467743)

interesting - even when you go past the "can't view bugs from slashdot" stuff, it seems access to this bug report has been denied. Yay open source!

Re:This was reported to bugzilla some time ago! (5, Informative)

Anonymous Coward | more than 8 years ago | (#12467799)

It's a severe security-related bug, so the bug report is restricted. This is meant to stop script kiddies from scanning bugzilla for unpatched exploitable bugs. Unless you're a disciple of the full disclosure persuasion, that is the correct way. The Mozilla Foundation discloses all bugs when a patch is available to the general public.

It's "Open Source", not "Sploitz4Free".

Re:This was reported to bugzilla some time ago! (2, Interesting)

Hatta (162192) | more than 8 years ago | (#12467841)

> interesting - even when you go past the "can't view bugs from slashdot" stuff,

Speaking of which, is there a way to turn off referrer information in firefox? It seems to me to be a big privacy problem, and it adds almost no functionality. I really have no incentive to tell other people what sites I'm browsing, so I'd rather not.

article text (-1, Redundant)

Anonymous Coward | more than 8 years ago | (#12467727)

An anonymous reader writes "News sources are reporting that a 'killer' new Firefox exploit has been revealed today by FrSIRT who warn that this 0day exploit/vulnerability (as yet unpatched) should be rated as critical. Summery of the exploit: If a user clicks anywhere on a specially crafted page, this code will automatically create and execute a malicious batch/exe file. Proof of concept code supplied by FrSIRT."

Explanation (2, Insightful)

Anonymous Coward | more than 8 years ago | (#12467728)

Firefox had the advantage of being able to fix bugs revealed by IE exploits. This gave the illusion of it being a bulletproof browser. Now that it has caught up with IE, it has exploits of its own which just show that it's not much better than IE (coding standard-wise).

As long as programs are written by humans, there'll be flaws. It's a fact of software-development.

Will I have to download another 4.5MB so that I can fix this flaw?

Re:Explanation (1)

Exter-C (310390) | more than 8 years ago | (#12467826)

I feel that the benefits that drew me (and I'm sure others) to firefox was that it was feature rich and had a pop blocker before IE did out of the box.

The fact that I'm also using Linux made me move over from the Mozilla Suite.

Don't worry... (1)

testednegative (843833) | more than 8 years ago | (#12467733)

... the page is /.'ed... 0day kiddies won't be able to get their hands on the exploit till tomorrow and by then Mozilla dev team has patched it.

Summery? (3, Funny)

Anonymous Coward | more than 8 years ago | (#12467736)

Exploit summery? Well, the weather is improving but I doubt that the exploit caused it.

Reported and temporarily fixed (5, Informative)

alanjstr (131045) | more than 8 years ago | (#12467737)

Bugzilla bug 293302 [mozilla.org] has been filed. A temporary fix has been implemented on UMO.

Re:Reported and temporarily fixed (2, Interesting)

baadger (764884) | more than 8 years ago | (#12467818)

Copy and paste parent link into new tab or Firefox/Mozilla users set "network.http.sendRefererHeader" in about:config to 0 and then click.

the power of open source... (0)

Anonymous Coward | more than 8 years ago | (#12467748)

...at work for you.

Hasn't Slashdot ever heard of editing? (1, Insightful)

Winkhorst (743546) | more than 8 years ago | (#12467749)

"Summery?" Really? --Support your planet or get the hell out--

Re:Hasn't Slashdot ever heard of editing? (0)

Anonymous Coward | more than 8 years ago | (#12467806)

How about: Support your planet and get the hell out

Re:Hasn't Slashdot ever heard of editing? (0)

Anonymous Coward | more than 8 years ago | (#12467848)

If I only had mod-points :\

Tried it on my Mac... (5, Funny)

Anonymous Coward | more than 8 years ago | (#12467751)

didn't work

Here we go with the Firefox Vs IE... (0, Troll)

distantbody (852269) | more than 8 years ago | (#12467752)

Firefox has rightly earnt a strong following, but in the proud tradition of the FANBOY, some firefox nuts will probably have an adverse reaction to the news that firefox has a vulnerability, and subsequently die.

FrSIRT's Post! (2, Interesting)

spood (256582) | more than 8 years ago | (#12467755)

It looks like a hacker alias, but it really stands for French Security Incident Response Team. Exploit description cached here [64.233.161.104].

I cant get this exploit to work... (1, Interesting)

Anonymous Coward | more than 8 years ago | (#12467756)

Subj says it all. That html page after loading into firefox gives a javascript error on some line according to JS console...
Does it really work?

Stolen exploit (5, Informative)

Anonymous Coward | more than 8 years ago | (#12467761)

They were already working on patching this, but it was stolen before they could finish and leaked to bugtraq with LIVE material in the exploit (it's not a proof of concept, folks!) and no explanation or advisory.

Reminder: Bugzilla blocks /. referers. Copy URL and paste in new to view. (Beware Slashcode's extra spaces.)

https://bugzilla.mozilla.org/show_bug.cgi?id=29269 1 [mozilla.org] %lt; Original security bug (probably still blocked to outsiders to prevent someone stealing it before mitigation)

https://bugzilla.mozilla.org/show_bug.cgi?id=29330 2 [mozilla.org] %lt; Duplicate (reported after leak)

They are going to release a 1.0.4 shortly, I gather.

Still more timely than most of Microsoft's advisories... despite their earlier announcement. http://www.eeye.com/html/research/upcoming/index.h tml [eeye.com]

Leaked known bug (5, Informative)

Anonymous Coward | more than 8 years ago | (#12467765)

A^C^E, a Firefox security researcher, is claiming on Addict3D.org [addict3d.org] that this is a 0day duplicate of a leaked, known bug. He says, "I suspect that my server was compromised, and I am currently using my contacts to find the culprit and bring him to justice."

Also, bugzilla.mozilla.org is claiming they've been slashdotted. Go easy on em.

I keep clicking on the exe files... (2, Funny)

DaGoodBoy (8080) | more than 8 years ago | (#12467767)

...but Firefox keeps suggesting I run it with Wine. I don't get it, I'm not thirsty. I'd rather run it with a nice plate of steak and eggs.

Tried the test exploit they supplied... (2, Interesting)

a whoabot (706122) | more than 8 years ago | (#12467773)

...with Firefox 1.0.3 on Windows 2000, and it didn't execute anything. Anyone else try it on Windows?

Re:Tried the test exploit they supplied... (2, Insightful)

kbrosnan (880121) | more than 8 years ago | (#12467872)

The exploit has been largely nullified by implementing a server side change.

The exploit would still work if you whitelist the wrong site.

Harmless on Linux (1)

drigz (804660) | more than 8 years ago | (#12467775)

Well, it is harmless on Linux.

What remains is that most people who I have shown Firefox to don't click the little red bell when it appears, and so won't update to get the fix to this problem. Firefox needs to be more forceful with its updates.

Possible workaround: (5, Informative)

wideangle (169366) | more than 8 years ago | (#12467784)

Uncheck Tools > Options > Web Features > Allow web sites to install software

Re:Possible workaround: (0)

Anonymous Coward | more than 8 years ago | (#12467860)

While I've not read the advisory and I no longer subscribe to bugtraq; I can state with absolute confidence that your workaround has nothing to do with this.

Try disabling javascript! I've not read the advisory but turning off security problem number 1 has to be a good idea anyway.

Are you sure? (5, Interesting)

naelurec (552384) | more than 8 years ago | (#12467794)

Just curious, I downloaded the page and loaded it up on several systems:

Win XP, Firefox 1.0.3
Win 2k, Firefox 1.0.3
FreeBSD, Firefox 1.0.3

and none of them did anything. The javascript looks like it should save a file (c:\booom.bat) and run it which should echo "malicious commands here" and wait for a keypress.

Is this truly an issue with Firefox and not some other software? If so, any ideas why it doesn't work?

Re:Are you sure? (1, Informative)

Anonymous Coward | more than 8 years ago | (#12467856)

The script is supposed to inject code into the chrome by calling a (chrome-)function "install(event, extensionname, iconurl)" with a javascript iconurl which then uses its elevated privileges to create and start the batch file.

On my main system (WinXP, Firefox 1.0.3, fresh profile), the Javascript console tells me it can't find the install function.

On my other system (WinXP, Firefox 1.0.3, fresh profile), it throws an access violation error about not being allowed to access window.title. I don't see how these installations differ, but apparently, the test-exploit is quite fragile.
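
The comment above attributes the problem to a page-supplied icon URL with a javascript: scheme being handed to privileged browser code. As an added example (not Mozilla's code or its actual fix; the function names, sample requests and example.test URLs are constructed), this is a scheme allowlist of the kind that keeps such a value out of a privileged context, parsed with WHATWG URL rules so that case and whitespace variants are judged the way a browser would interpret them:

```javascript
// Added example: allowlist check for an untrusted icon URL before a
// privileged install dialog uses it. All names here are hypothetical.

// Only schemes that fetch a resource; anything that can carry script
// (javascript:), inline content (data:) or internal pages (chrome:) is refused.
const SAFE_ICON_SCHEMES = new Set(['http:', 'https:']);

// Returns { ok, reason, href } for a raw icon URL taken from page content.
function checkIconUrl(raw, pageUrl) {
  if (typeof raw !== 'string' || raw.length === 0) {
    return { ok: false, reason: 'empty', href: null };
  }
  let parsed;
  try {
    // The WHATWG parser strips leading whitespace and embedded tabs/newlines
    // and lowercases the scheme, so the check sees the effective scheme
    // rather than the literal prefix of the string.
    parsed = new URL(raw, pageUrl);
  } catch (err) {
    return { ok: false, reason: 'unparseable', href: null };
  }
  if (!SAFE_ICON_SCHEMES.has(parsed.protocol)) {
    return {
      ok: false,
      reason: 'scheme ' + parsed.protocol + ' not allowed',
      href: null,
    };
  }
  // Hand back the normalised absolute URL, never the raw string.
  return { ok: true, reason: 'ok', href: parsed.href };
}

// Constructed sample install requests (not taken from the advisory).
const SAMPLE_REQUESTS = [
  { name: 'Tab Helper', iconUrl: 'icons/tab.png' },
  { name: 'Theme Pack', iconUrl: 'HTTPS://cdn.example.test/theme.png' },
  { name: 'Odd One', iconUrl: ' JaVa\tScRiPt:void(0)' },
  { name: 'Inline', iconUrl: 'data:image/png;base64,AAAA' },
  { name: 'Broken', iconUrl: 'http://[bad' },
];

// Apply the check to every request and report the decision per extension.
function reviewInstallRequests(requests, pageUrl) {
  return requests.map((req) => {
    const verdict = checkIconUrl(req.iconUrl, pageUrl);
    return {
      name: req.name,
      allowed: verdict.ok,
      reason: verdict.reason,
      iconHref: verdict.href,
    };
  });
}

const SAMPLE_PAGE = 'https://addons.example.test/ext/';
for (const row of reviewInstallRequests(SAMPLE_REQUESTS, SAMPLE_PAGE)) {
  console.log(row.name.padEnd(12), row.allowed ? 'ALLOW' : 'BLOCK', row.reason);
}
```
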

This isn't much of an "exploit" (5, Informative)

richg74 (650636) | more than 8 years ago | (#12467816)

The actual advisory page is here [frsirt.com]. The "Solutions" section says this:

Disable JavaScript, or disable the "Allow web sites to install software" option [Tools - Options - Web Features].

Why would anyone run routinely with "Allow web sites to install software" enabled ?

Re:This isn't much of an "exploit" (1)

Jugalator (259273) | more than 8 years ago | (#12467875)

> Why would anyone run routinely with "Allow web sites to install software" enabled ?

Because it's enabled by default?

Has this... (1)

Koiu Lpoi (632570) | more than 8 years ago | (#12467829)

Has this already been fixed in the latest-trunk builds (aka 1.03 specific) or is this a firefox-wide bug? Also, does this affect (effect? I can never remember) other iterations, like Mozilla, Netscape, K-Melon, etc?

Re:Has this... (1)

Koiu Lpoi (632570) | more than 8 years ago | (#12467868)

All right, just tested it with Firefox 1.00, seems to not be vulnerable. Looking at the page code, it appears to have something to do with how XPIs are installed. This means it is Firefox Specific. Anyone else have different versions of FF to try?

Re:Has this... (1)

yotto (590067) | more than 8 years ago | (#12467871)

*does this affect (effect? I can never remember)*

2 ways to remember affect/effect:
1) The Affect comes before the Effect, and Affect comes before Effect in the alphabet. So, you affect something, and then you see the Effect of that.
2) Special Effects in movies are not Special Affects.

So, your use of Affect is correct.

New FrSIRT Vulnerability (3, Funny)

NitsujTPU (19263) | more than 8 years ago | (#12467830)

FrSIRT Vulnerability Alert!!

FrSIRT will go down 2 minutes after the start of a brutal Slashdotting.

Let the Firefox Vs IE rant begin (1)

distantbody (852269) | more than 8 years ago | (#12467831)

Firefox has rightly earnt a strong following, but in the proud tradition of the FANBOY, some firefox nuts will probably have an adverse reaction to the news that firefox has a vulnerability, and subsequently die ;)

Firefox Just Crashed As I Read This (0)

Anonymous Coward | more than 8 years ago | (#12467837)

While I was reading the comments I highlighted some text, and firefox crashed immediately.

Security of IE versus Firefox (1)

Henry V .009 (518000) | more than 8 years ago | (#12467858)

Where I work, the computer network installs Firefox on all of the Windows boxes, and makes it hard to find IE. This is in the name of "security."

Unfortunately, IE is updated with the Automatic Windows Updates, while Firefox is only updated by us when a new Windows template is rolled out on all the computers every 6 months or so.

From a security standpoint, fully updated IE is much better than unupdated Firefox. Unfortunately, anti-Microsoft zealotry keeps people from making rational decisions on the subject.