2 Firefox Security Flaws Lead to Exploit Potential

Marthisdil points out a News.com story which reports that "Two vulnerabilities in the popular Firefox browser have been rated "extremely critical" because exploit code is now available to take advantage of them." Security firm Secunia reported the vulnerabilities (and the "extremely critical" rating is theirs), but the News.com story points out that thus far, "no known cases have yet emerged where an attacker took advantage of the public exploit code." Update: 05/09 20:20 GMT by T : Rebron of the Mozilla Foundation sends a correction; this is really the same flaw reported yesterday. He suggests that you glance at the Mozilla security alert on this hole (as well other alerts at the Mozilla Security Center), and says "The Mozilla Foundation has made changes to our update servers that will protect users from this arbitrary code execution exploit."

IE

[blake3737]

I smell scandel, it was bill gates who wrote the code and you know it. IT's like the SetErrors flag in windows (Fp maybe?)

sorry..

[rootedgimp]

i dont mean to be trolling/flaimbait, but please
mod me accordingly if i am.

do we really need to see it posted here, every time
a firefox sploit is found?

gettin me all excited for nothing :/

Re:sorry..

[ViperG]

Well, I would agree, but then why does slashdot post every IE bug that comes up?

Re:sorry..

[Taladar]

Probably because lots of /. posters have to fix machines of relatives or at their work running IE.

Re:sorry..

[shmlco]

Probably because lots of /. posters now need to fix machines of their own running Firefox...

Re:sorry..

[RoLi]

You got that all wrong.

Firefox bugs get on the front page when they are exploitable in theory (this exploit here also worked only for a couple of hours because Mozilla's servers have been modified so Firefox is redirected to a non-whitelist site) while IE bugs get on the front page only when they cause serious mass infections.

Re:sorry..

[grolschie]

Well, I would agree, but then why does slashdot post every IE bug that comes up?

Because serious IE security holes are popping up every other day. The front page at /. would be choked with all the posts. But seriously, we all know that MS are notoriously slow at patching security holes, so people need to know that... <insert swiss cheese reference here>.

Re:sorry..

[ProfaneBaby]

Neither would be best, but it won't happen. Therefore, both is more fair than Windows/IE only.

Fortunately, this type of posting is actually informative - most people don't follow the mailing lists and wouldn't have known any other way. Unfortunately, it's also a great way to start flamewars.

Win one, lose one, life moves on.

Re:sorry..

[MankyD]

We hear about it every time IE has an exploit - and most people flame MS like it hasn't already gone out of style. Why should Mozilla be immune to such treatment?

...obligatory

[op12]

Welcome to Slashdot, you must be new here.

Re:sorry..

[Anonymous Coward]

Because this is Slashdot, an extremely biased site that often reports opinions as news, and where the editors do all they can to promote flaming and bashing by adding inaccurate titles to the articles they post.

The articles here _aren't_ supposed to be impartial and the user comments _aren't_ supposed to be insightful. Slashdot is all about preaching to the choir - if you want something else, I suggest you find a legimate news site.

Re:sorry..

[rizzo]

Because this is Slashdot, an extremely biased site that often reports opinions as news, and where the editors do all they can to promote flaming and bashing by adding inaccurate titles to the articles they post.

s/Slashdot/Fox News/

Re:sorry..

[Herr_Nightingale]

The posted exploit code stopped working several minutes after posted on slashdot. The exploit code won't do anything at all.
Reposting the story ad nauseum won't make it any more interesting or useful.

Re:sorry..

[tokabola]

Why don't you shut the f%*& up when you don't know what you're talking about?!

Right back at you.

There's working exploit code in the comments to this very story

I guess you missed the part where Mozilla Foundation has corrected the problem on their servers, and given instructions to take any third party websites off the whitelist? The exploit code simply has no effect if that basic precaution is followed.

While the above mentioned fixes and workarounds aren't perfect, they do eliminate the problem for now. A more thorough comprehensive fix is under development.

This is no worse than that IE exploit that was redirecting people to that scammer site in Russia (forget the name of the exploit). MS issued a "fix" which didn't address the flaw in the software at all - they basically just added that one specific scammer site to the hosts-deny list (Yes I know that's not perfectly accurate, but it's basically what they did)

BTW, nobody here is impressed with your pottymouth language.

Tommy

Re:sorry..

[plover]

Definition of Slashdot: two guys with sticks beating a spot on the ground where a horse died 9 years ago.

After enough time has passed, people think making the drumming sound was the point all along.

Re:sorry..

[angrist]

Works for me, I visit slashdot more often than MOzilla.org.

I'd rather get a headsup here, or even better yet .... How about a firefox plugin that automatically informs me when an exploit is found?

Re:sorry..

[magefile]

Yeah - it could even put a little red "update" button on the taskbar whenever ... oh. Right.

Re:sorry..

[DarkHelmet]

Sure, like the red button that's on my browser now... oh wait.

Big difference between a plugin notifying us of a security vulnerability, and the update button telling us there's a fix.

Re:sorry..

[mcsporran]

But I actually need to know about this....I have the good fortune to admin no copies of IE.

Don't be sorry

[baadger]

The javascript privilege escalation exploit is quite a biggy so in the interest of creating awareness it isn't a bad thing. The real shameful thing about this is it is pretty much a dupe, giving little or no more information than the first submission. [slashdot.org].

News of malicious use of the exploit in the wild may have been worthy, but if anything it says the risk is now lower.

*shakes head and wonders off*

Dupe...

[RichM]

http://it.slashdot.org/article.pl?sid=05/05/08/135 217&tid=154&tid=172 [slashdot.org]

See! See!

[Anonymous Coward]

Exploits rise with popularity. Watch out desktop linux.

Re:See! See!

[ProfaneBaby]

There was another critical hole that didn't require the whitelist addition.

Yes, Firefox will be updated.
No, not everyone who runs Firefox will update.
Yes, the hole will be used to install viruses and spyware.
No, installing Firefox once is not a single solution to surfing the internet safely - you still have to update, just like Windows Update/IE.

Re:See! See!

[Master of Transhuman]

Correct.

One report says as follows:

Because the foundation controls all sites in the default software installation white list, it has been able to take preventative action by placing more checks in the server-side Mozilla Update code and moving the update site to another domain.

The foundation said users who have not added any additional sites to their software installation white list are no longer at risk.

So one down, the other to be fixed shortly.

Re:See! See!

[CaymanIslandCarpedie]

Because the Mozilla controlled sites have been fixed that is "one down"?

Are you aware that there are quite a few sites out there? I've heard there are even a few which Mozilla doesn't control!

But we'll call it fixed anyway sense who in thier right mind would ever download anything that wasn't on a Mozilla controled site ;-)

Re:See! See!

[CaymanIslandCarpedie]

Wait!!!!

I just had a scary thought!

Are my porn sites Mozilla controlled??????

Re:See! See!

[CaymanIslandCarpedie]

Hey, I'm not saying this hole will be expoited by anyone. I'm just saying its not fixed. With your "one down" comment you seemed to imply this issue was fixed. It is not at all!

Mozilla has done a server-side workaround to mitigate this issue but the Firefox (client-side app) has had nothing done to it. The issue is still 100% there. Again not saying this will effect anyone, but to say the bug has been fixed is just WRONG. The bug is in client-side code and that client-side code will need to be fixed, not just a server-side workaround.

Again, most likely nothing will come of this, but I just thought viewers who saw your original comment would be misled into thinking the client-side bug was been fixed (which is not the case).

asdasd

[securehack5]

Seriously this Is getting repetitive. There are always flaws. Just update your browser and hope it doesn't become the next iexplore.

Re:asdasd

[Dionysus]

Hmmm... this bug affects Firefox 1.0.3. Going to mozilla.org, there are no update to 1.0.3. The browser hasn't notified me that there is an update available. So where is the update? Or do you expect people to download the nightly?

Sounds familiar

[stinkyfingers]

Seriously this Is getting repetitive. There are always flaws. Just update your browser and hope it doesn't become the next iexplore.

Seriously, this is getting repetitive. There are always flaws. Just run Windows Update and hope there's a patch for Internet Explorer.

Re:Sounds familiar

[jacksonj04]

The difference is for Firefox I bet we see a patch within a week, and a fix in the trunk within 2 days.

With IE, god only knows how long it may take.

And to think...

[oskard]

I JUST got through explaining to my parents why Firefox is a safer alternative.

Re:And to think...

[bcs_metacon.ca]

Read the Firefox code and prove it to yourself, or find someone you trust and get them to do it for you. Too bad you can't read the IE code to get the same level of assurance. And do you trust Bill? :-)

Re:And to think...

[MikeFM]

Does Microsoft offer bounties to those who find, and alert them to, security problems? Not as far as I know. This, along with the opensource nature of Firefox will eventually make it mature into a more solid product than IE is likely to be unless Microsoft changes it's attitude. Security is, and always has been, a goal with Firefox. That just isn't true of IE. Also Firefox has the benefit of 20/20 hindsight with it's design as it was designed after many important types of exploits were discovered whereas IE's codebase is much older.

Overall, I think Firefox is more secure than IE and will just grow to be increasingly more secure with time. That doesn't mean it is flawless. :)

Re:And to think...

[Malc]

If these are JavaScript vulnerabilities, then won't they exist in anything that uses Gecko?

Re:And to think...

[tehshen]

No, these are XUL vulnerablilities, which are not present in Gecko, only in Mozilla/Firefox. I can make a FileSystem ActiveX in Javascript and that's IE's fault, for anoyher example.

Re:And to think...

[Anonymous Coward]

That is incorrect. Only one of the two bugs is a problem with the Firefox user interface. The other bug (cross site scripting) is a Gecko problem.

Re:And to think...

[tehshen]

Ach a fi, I stand corrected.

Re:And to think...

[mattstorer]

There is nothing in FireFox's architecture which makes it a more secure alternative to IE

except that IE is tied very tightly (I was going to say "securely," but really, it's not that secure) into Windows, whereas Firefox is not. The more levels of separation you can have between the app and the OS, the better.

the benefit of using Firefox also has to do with response times - the Moz. Foundation has been extremely quick to patch holes once detected, while critical holes in IE, if history is our guide,

Re:And to think...

[AviLazar]

Think about it - how many products does Microsoft have to maintain, versus the Mozilla Foundation?

Don't you think this is a bit of a skewed statement? MS has departments, many of them. There is probably an IE department and it's sole purpose is IE. It may not have any conversations with any other departments with the exception of "Will IE still work with the rest of Windows? It does? Great, going back to my cave."

Re:And to think...

[tokabola]

Because usually, Internet Explorer's vulnerabilities are discovered by Microsoft and announced when the patch is released!!

Actually, most IE exploits are discovered by third party security firms, such as F-prot and Secunia. It's often months between the discovery of the flaw and a solution - you just weren't told there was a problem.

Black hat hackers also have debuggers. They can find IE exploits as easily as those third party security firms. It all comes down to who finds it first - white hat or black.

T

Re:And to think...

[rsborg]

There is nothing in FireFox's architecture which makes it a more secure alternative to IE.

Three syllables: ActiveX [google.com]. If a "feature" is so bug infested that it's worse than useless, can you consider it a bug?

Re:And to think...

[Sweetshark]

XUL isnt as bug infested as ActiveX, but it is conceptionally almost as dangerous. Be prepared to see more fun stuff with XUL.

Re:And to think...

[Anonymous Coward]

No, it is not nearly as dangerous. It's like claiming Java (applets) is as dangerous as ActiveX, which is wrong as well. In both cases this is due to ActiveX not running on managed environment (VM, sandxbo), but as native code, only "protected" by possible signature... but once user trusts the code, it's free to mess with the system as it feels. Not so with XUL or applets.

Thing is: ActiveX is "broken as designed", whereas alternatives may be "broken due to bugs": in latter case it can be fixed, and exploi

Re:And to think...

[tfoss]

It's not safer than Internet Explorer, just less exploited.

And San Jose's not safer than Detroit, just less crime.

-Ted

Don't downplay it

[Anonymous Coward]

Come on, timothy. This is hardly the time to be downplaying the severity, even though we all like Firefox. There are undoubtedly people using the posted code, and they wouldn't be likely to tell News.com about it. Everyone should upgrade immediately.

Bug Details

[Talian]

Before everyone freaks out, take a look at the bug notes to get the details.

Exploitation requires the javascript bug AND a whitelisted site. The only default whitelisted site is the update.mozilla.org, and they have made changes to mitigate the problem on their end.

So unless you've whitelisted a lot of extra sites to install themes or extensions, this is not a huge risk. To be sure, disable install "Allow websites to install software" under options | web features, and if really worried, disable javascript.

Re:Bug Details - Poison DNS

[Chairboy]

So combine this with a poisoned DNS attack. update.mozilla.org resolves as your malware server, then you use this exploit.

Sure, it makes it a little harder to execute then, say, something like Nimda that could run free across the internet, but it's still a valid security issue.

Re:Bug Details

[baadger]

XPI installation isn't the most dangerous part of the IFRAME exploit. As posted in this comment [slashdot.org] by some Anonymous Coward it can steal your cookies and probably more some.

Re:Bug Details

[That's Unpossible!]

eah, I don't really see how this "exploit" is really an exploit at all. If you whitelist a site, that means you can already install an XPI from that site. Extensions can easily to "bad" things of one sort or another (delete bookmarks or hide all the GUI widgets or something). You have to go add a site to the whitelist, it isn't like it can add itself somehow.

RTFA. The site that runs the exploit does not have to be on the site you whitelisted. Part of the exploit is that it can pretend to be a site you whitelisted. The other part is that it can sneak in some javascript code where it shouldn't be able to (an icon url).

Contrary to the grandparent post, it is not enough that mozilla has updated their site. That mitigates only part of the problem, and only if you haven't whitelisted other sites.

Until 1.0.4 comes out, disable javascript.

Re:Bug Details

[Master of Transhuman]

And yet the only way to be infected by a site pretending to be a whitelisted site is to go back to that site.

Which I for one don't do every day - I get my update, then probably will never see the site again. It's not like a I desperately need every new update to every little extension (I only use two or three anyway).

Compared to the worm currently comprising 25% of Internet email which infects Windows, I find it hard to get excited over this little problem, despite the "critical" nature (being that if in

Re:Bug Details

[Red Alastor]

Just don't whitelist any website. No one will be able to pass as one of your white listed sites if you don't have any.

While waiting for 1.0.4, just save the extensions you want to download on your hard disk and use "File / Open File" to install the extension.

Problem solved.

Re:Bug Details

[stinkwinkerton]

Well... The user friendly (default) version of GMAIL uses Javascript. There is an html version but it isn't nearly as user friendly.

In other words, disabling javascript is the suck for at least one very popular, useful, website.

My recommendation is rather than just disabling javascript, use the Prefbar extension which allows you to turn off javascript, etc just by clicking a box in your toolbars and turn it back on "on the fly."

Of course, this is an extension that, to install easily, you need to instal

Re:Bug Details

[Soul-Burn666]

No need to disable javascript.
Just unmark Options -> Web Features -> Allow websites in to install software.

Re:Bug Details

[That's Unpossible!]

No need to disable javascript.

Wrong. There are two parts to this exploit. Your solution covers one half. There is still an exploit where someone can get javascript to run as part of an icon that is loaded. The mozilla.org site itself states this:

"To prevent the script injection exploit from stealing cookies or other sensitive data disable Javascript before visiting untrustworthy sites."

Re:hooray for handwaving

[Master of Transhuman]

I'd say that when a Microsoft worm consumes 25% of Internet email traffic, that gets my attention.

This little bug (which requires to go to a whitelisted site I may never visit again) really doesn't give me a hardon.

Re:Bug Details

[Master of Transhuman]

Excuse me, but nothing in the article says that EVERY site offering an extension is a problem. It says that a site CAN be a problem.

So far, NOBODY has reported actually encountering an exploit site.

That makes this bug MUCH less significant than the current Windows worm comprising 25% of all Internet email traffic.

Mozilla's Security?

[sterno]

Mozilla and Firefox have been recommended as alternatives to IE for security reasons. Yet, lately, it seems that there's quite a lot of security problems being uncovered in Firefox. So I'm trying to figure out how to read this.

I suspect that Firefox is somewhat more secure on the simple basis that it is not as tightly integrated with the rest of the operating system as IE is. What makes IE exploits so nasty is that they tend to become email and other exploits too.

My concern is that if Firefox gains some more ground and does become a more active target for exploits, that it may become a poster child Microsoft can use to point out that open source software's "many eyes" theory is hogwash. Maybe it is hogwash.

Re:Mozilla's Security?

[garcia]

it may become a poster child Microsoft can use to point out that open source software's "many eyes" theory is hogwash. Maybe it is hogwash.

I don't run Firefox because I find it inferior to IE in rendering pages as they were intended (yes, we live in an IE world, deal with it).

As far as "many eyes" being hogwash, I can't agree. Even though these exploits were found recently work has been done to make sure that the exploits are closed quickly. Some of MSFT's holes were left open for MONTHS before anythin

Re:Mozilla's Security?

[Blkdeath]

I don't run Firefox because I find it inferior to IE in rendering pages as they were intended (yes, we live in an IE world, deal with it).

I used to think the same thing, but I stuck it out and just dealt with the incorrectly rendered pages. Of course there have always been / will always be people who think like you, but the fact is many (most) pages now render correctly in FireFox.

As alternate browsers are again being recognized as statistically significant companies and even hobbyist webmasters are starting to realize their value. If you see a site that isn't rendering correctly, contact the site owner and inform them. Your message might not turn the tide, but perhaps combined with the 5-6 they received last week yours will be enough to convince them of the advantage of compliance.

Please, though, don't send a nasty-gram espousing the virtues of open source, criticizing Microsoft (no need to even mention MS/IE) as it destroys all of our credibility.

Re:Mozilla's Security?

[Uruk]

A few points to consider when you're evaluating the security of software:

• Security issue visibility is not the same thing as security. Just because IE has more exploits publicized (or Firefox has more) doesn't actually mean they're more or less secure, it means they're getting more public attention about their security. Important difference. If someone has an objective, quantitative, and verifiable way of measuring a piece of software's security so that we can actually make these comparisons, I'd love to see it
• The more users use a piece of software, the more it will be targeted. But again, that's not the same thing as saying "the more it will be exploited"
• Most users ultimately decide based on personal experience, which typically trumps abstract reporting. Have you ever had a problem with Firefox? Have you ever had a problem with IE? I'd suspect most people who switched to Firefox did it because they actually experienced a problem with IE, not because it was more ideologically pure.

Re:Mozilla's Security?

[molo]

Its the security response that is really beneficial.. Microsoft has sat on bugs for months and months before releasing fixes. Mozilla has a transparent bug tracking system that you can access to get patches and so forth, before they even release an update. And they tend to release updates within days, not months.

-molo

Re:Mozilla's Security?

[jerw134]

Mozilla has a transparent bug tracking system

Except for the security problems, which they don't allow the public to see.

Re:Mozilla's Security?

[buhatkj]

I dunno, I just use firefox because I like it better. The tabbed browsing is awesome and it feels a little faster on my PC than IE. A little experience in network administration has showed me that the best security is physical security, and even that sucks. The web is not safe...nothing is really. "safe" is kind of a subjective and largely meaningless term anyway, without a qualifier of "more" or "less". eg. "Wearing a seatbelt is more safe than not wearing one." Either way, there's a good chance that if you crash bad enough you're toast ;-)

SO, not to get too wierd on anyone...really, it's all probably hogwash, the whole bloody pursuit of "safety and security". Take the obvious precautions yes(update your software, use a firewall...), but don't get all surprised and indignant when somebody figures out how to break them!

Re:Mozilla's Security?

[2short]

"Though I'm still not comfortable writing 'for' loops..."

Which would explain why you think writing a sufficiently full-featured, yet secure, web browser shouldn't be hard.

Re:Mozilla's Security?

[sterno]

Far be it for me to reply to an obvious troll, of course nothing is perfect. What I'm considering is what the relative security stength is between the two products. While FireFox is probably more secure than IE, it's hard to do an apples/apples comparison of it because FireFox doesn't have nearly the market share IE does.

Is there a patch out yet?

[goldspider]

When was this vulnerability first introduced? How long did/has it gone unpatched? Inquiring minds want to know.

What Firefox needs is...

[turbofisk]

What Firefox (and the rest of the suite) is a good way to upgrade the software, without installing everything as a new user would... This is something they really should fix...

Re:What Firefox needs is...

[It doesn't come easy]

Firefox 1.0.3 has such a feature (I assume it is new to 1.0.3 as earlier versions wouldn't update as you indicate).

Hopefully, it is secure as well as convenient :)...

Re:What Firefox needs is...

[DoorFrame]

Which isn't due out for how many months?

It was expected

[mpontes]

With the spotlight on Firefox, it's obvious a lot more crackers and hackers are going to start looking at Mozilla Foundation's code. While previously there was little incentive for crackers to exploit vulnerabilities in MoFo's code, you can't say that now, with all the attention Firefox caught.

It's up to MoFo to fix their software as soon as vulnerabilities are reported now. The play time is over, from now on it's going to be Browser Wars II: The Security Menace.

Balanced?

[PDHoss]

"no known cases have yet emerged where an attacker took advantage of the public exploit code."

I appreciate this clarification. And I'm sure such a clarification will be included in the next IE bug report posted on Slashdot... Right?

PDHoss

Re:Balanced?

[Uruk]

Where does Slashdot say that it will provide a fair and balanced view of technology? Where does the site claim to be a source of unbiased journalistic excellence?

Isn't it incumbent upon all readers of all internet media to identify bias and understand what they're reading, and the viewpoint that it's coming from? Even when people do claim to be impartial that's necessary to do.

It's a tech site that's provided for tidbits of information, and to furnish and environment where we can all pick on each other.

Re:Balanced?

[EricTheGreen]

Indeed. I can see it now:

"Slashdot -- The Fox News Of Technology"

At least there's no rubbish about "fair and balanced" on the banner.

Re:Balanced?

[utexaspunk]

AMEN, BROTHER- this ain't the news desk, buddy, this is the nerd table in the high school cafeteria. Most of the time here is spent trying to make milk come out of eachother's noses...

Updating/Using only ONE copy of Firefox??

[Steve_Jobs_HNIC]

Anyone know of a Firefox distribution that can be executed(and consequently updated just once) from a network drive or thumb drive?

I ask because I have alot of extensions on each of my Firefox installations. I have Firefox on my desktop at work, my laptop, my home computer, my wife's computer, etc etc

updating one computer (and then going into safe mode to find the extension that freaked out) is not that bad. But updating 5 or 10 computers can be a pain in the butt. Can I run ONE Firefox from *some

Re:Updating/Using only ONE copy of Firefox??

[ssj_195]

Try Portable Firefox [johnhaller.com].

Note that all of your extensions, bookmarks, themes etc are stored in one directory (on Windows, it's in %appdata%/firefox/, or something - I do't have access to a Windows machine right now) so you just need to carry this directory around with you - no need to manually install extensions etc every time you do a new install.

Does this affect Mozilla also?

[llzackll]

I'm a Mozilla user. I don't use Firefox. I'm guessing that Mozilla is affected by this as well, but every time a security flaw is found, only Firefox is mentioned.

Re:Does this affect Mozilla also?

[CTho9305]

While the hole exists in Mozilla, Mozilla by default ships with an empty whitelist, making it non-exploitable.

LINUX USERS DON'T GET VIRUSES

[Anonymous Coward]

Mind you, they don't get laid, either.

In other news...

[Anonymous Coward]

.. two unpatched security security holes (code named timothy and CmdrTaco) in Slashdot allowing posting of dupes were disclosed.

One Vulnerability Already Fixed

[Master of Transhuman]

From a news report:

Because the foundation controls all sites in the default software installation white list, it has been able to take preventative action by placing more checks in the server-side Mozilla Update code and moving the update site to another domain.

The foundation said users who have not added any additional sites to their software installation white list are no longer at risk.

So one down, the other to be fixed shortly.

Meanwhile I got a notice this morning that tomorrow's Microsoft security patch will fix one major flaw, but leave others unpatched UNTIL NEXT MONTH.

So much for "days of unpatched vulnerability" supposedly favoring Microsoft.

On behalf of the IE programming team..

[cmburns69]

On behalf of the IE programming team, let me be the first to say "Neener neener neener!"

Re:

[account_deleted]

Comment removed based on user account deletion

Should not be exploitable any more

[CTho9305]

On Saturday, the Mozilla Update team, plus some Mozilla devs, took steps which prevented all published exploits we'd found from working. On Sunday, Mozilla Update was moved to an untrusted URL; as a result, users who have not added other sites to their whitelist should now be safe from the remote code execution attack.

Re:Should not be exploitable any more

[Just Some Guy]

On Sunday, Mozilla Update was moved to an untrusted URL

Erm, it doesn't happen to end in .cx, does it?

Solution

[cryptocom]

Tools/Options/Web Features/"Allow web sites to install software" - uncheck it. I don't know why this isn't unchecked by default.

This isn't the problem

[SamMichaels]

Sure, MoFo can get out patches quicker and take other actions quicker because they don't have to pass through tons of quality control....but the point is that the everyday user doesn't update it.

If Firefox is going to win in the Browser Security Wars, they need to make the "critical update" thingy from the toolbar pop up, raise hell, close the browser, have someone check a disclaimer to skip it, etc. It needs to be ABSOLUTELY clear to the user that ignoring a critical update is a Bad Thing(tm).

They also

The bugtraq post...

[EvilStein]

Another post mentions that someone is claiming an 0-day exploit in the wild for these issues.

From BT:

Firefox Remote Compromise Technical Details

Before I start, I need to say that this thing has been patched on Mozilla's server. If you take a look at any of the extension install pages on their site, you will see that the install function has a bunch of random letters and numbers after it. Even though this would probably be an easy thing to bypass, I am not going to attempt it because of the uselessness of such a bypass. A patch is already in development and so any more work going into fine-tuning this exploit would be a waist of time.

There are three core vulnerabilities being used in my example. A friend of mine (Michael Krax, http://www.mikx.de/ [www.mikx.de] helped me with the research.

To understand why the example works, one must understand the basics of how Firefox works. Everything you see in firefox is essentially a webpage being rendered by a compiler. This is what the gui is made of, and this is why firefox is so easy to customize. However, it also allows for some security bugs. If one could get one of the chrome pages to request a javascript:[script] url, that individual would be given complete access to the system because chrome urls are given full rights in firefox. My example works by tricking the addon install function into displaying an icon with a javascript url.

However, this would not be enough to compromise the system. By default, the install feature only works when called from a page within update.mozilla.org or addon.mozilla.org. Therefore, another (cross site scripting) vulnerability had to be found to call the install feature from mozilla.org. This vulnerability navigates to a javascript page and displays a link (pointing to a mozilla.org page) within a frame that follows the user's cursor. After the user clicks, the link is navigated to, which fires the onload event. This is a buggy event in Firefox because with it we can now access certain parts of the window object that we shouldnt, such as the history object. After the page loads, we use the history object to navigate backwards to the javascript page. The javascript is executed again, now from update.mozilla.org because when we navigated backwards, we essentially navigated to a javascript:[script] page. Now we call the install addon feature, which displays a dialog with det
ails of the requested addon, including an image with a specified image. This image points to a javascript:[script] url, which gets executed in the context of chrome. Now we have compromised the system :)

Whew, that was quite a mouthful.

I am still trying to gather all the details as to how my research was leaked, but recent conversations are leading me to believe that it was a misplacement of trust, not a server compromise. However, I do not want to jump to conclusions too quickly, as this will only lead to more problems. That's all I will say about that subject, as I don't want to offend anybody.

Also, I would like to let everyone know that this is not the only vulnerability that Mikx and I have found. We still have a couple of tricks up our sleeves, and you can be sure that we will not make the same mistake twice.

If you want to see the original PoC, here is the url:
http://greyhatsecurity.org/vulntests/ffrc.htm [greyhatsecurity.org]

Paul
Greyhats Security
http://greyhatsecurity.org/ [greyhatsecurity.org]

In other news

[pg110404]

A serious exploit flaw has been found. So severe is the flaw that it spans all hardware and all software. It matters not if your computer is patched or unpatched. This exploit flaw is so serious that any computer that emits power from its power supply is vulnerable. The only security fix to this devastating exploit flaw involves pulling the power plug from the computer.

......Seriously though, there has always been a direct correlation between usability and security. Any time features are added to a piece of software to make it more usable, will make it more vulnerable and open to flaws that can be exploited. Firefox may have started out as a stripped down, no nonsense browser, but with its popularity rising, feature creep sets in and inherent flaws will be discovered and exploited.

The only way to make it 100% secure is to make sure nothing can be done to the system, and that's powered off with no automated way of powering on (i.e. it's unplugged). Once we accept that it MUST be plugged in to be usable, we need to accept the possibility of exploits. Given that, however, we can't accept defeatism, and must strive to fix it.

The typical rhetoric of "There see? product y is just as insecure as product x", and "Well at least the exploit count is 2, not 50!", only serves to distract us from the real goal of getting better and MORE secure software. Like the saying goes, "SHIT HAPPENS". Let's just learn from it and move on.

Security through obscurity is theoretically plausible, but not very practical. What may be firefox's saving grace is that it's open source and is not held as proprietary IP, controlled by a corporation out for profit, thus the evolution of the product is driven by its need to simply be better.

Perhaps microsoft will see these flaws as proof that open source doesn't work and will lower their own standards, making IE7 less secure or shipping earlier with less stability, or maybe they will take this opportunity to make IE7 that much better in the hopes of regaining popularity and claiming vindication. As long as firefox advances and closes those holes, we still have one extra viable choice. This would only result in a fundamentally more secure web surfing experience.

Hey!

[antoy]

I'm surprised (or maybe I missed something). Why is noone asking the real questions here?

Sure, Firefox had two security flaws. Okay. HOW were those vulnerabilites found? Were they found because Firefox is an open-source program, and has the 'many eyes' advantage? Were the people who found them going through the code, evaluating and auditing it function-by-function is search of flaws?

Or were they testing against it in the traditional way, the way IE vulnerabilities were found? Or maybe a combination of the two?

The article doesn't say, but I believe this is more important to know than the current count on a Firefox/IE vulnerability pissing match. It's the best example (or counter-example) of open-source security in action that we have. If anyone can supply this information, I (and others, perhaps) will be most grateful.

Uh huh

[Myopic]

Can you imagine what would happen if bugs in proprietary software (I'm thinking of Windows or IE) were considered "extremely critical" as soon as an exploit was solidified in code? I mean, if "extremely critical" corresponds to "it is *possible* to exploit this bug" then what is the term to describe a bug which in fact is wreaking havoc on worldwide information infrastructure (as many Windows bugs)?

Re:News for Nerds?

[Anonymous Coward]

You just missed it the first 3 times.

Re:Safar!

[bcmm]

Lynx? Wget? You can download Windows builds of both.

Re:Market Share

[lewiz]

10% of all Internet users? That's a hell of a lot of people, you know.

Re:Market Share

[MankyD]

True, but compound on that the fact that not every firefox user will visit the exploit sites, (and its possible every firefox user will be vulnerable to them,) and your target group is shrinking quickly. Compare that with the payoff of just going straight for IE.

I guess that's all I was really getting it.

Re:SANS Institute declares Firefox 'Unsafe'

[dfn5]

Sadly, the Linux version of Firefox cannot be updated automatically despite the apparent need for daily updates.

What are you talking about? That's what emerge is for.

Oh, I forgot. Not everyone compiles Firefox themselves. I often have the new Firefox built on my Gentoo systems before the windows version tells me a new version is available.

Re:SANS Institute declares Firefox 'Unsafe'

[Anonymous Coward]

Linux already supports automatic updates. No sense putting it at the application layer. In fact I'd go as far as to say that the application layer is the worst place for updates.

Re:The many eyes theory does not hold true

[Master of Transhuman]

Red herring.

Nobody has ever said that EVERY OSS project has "many eyes" ON the project.

What has been said is that to the extent that the source code is included, and is available for perusal by those who KNOW how to do so, this is an extra safeguard since SOME people OTHER than the developers will examine the code - possibly for precisely such reason as security.

And that is exactly what is proved by such incidents. Somebody examined the source code and determined there was a problem.

They didn't have to wait on someone at Microsoft to do so.

If anything in OSS can be complained about, it's the relatively poor amount of testing that seems to get done. Things like the dual-boot bug in Fedora last year should not happen.

Re:You Don't Want to Click on That Link...Trust Me

[Sweetshark]

You are save (for now) from GNAA last measure with this: http://flashblock.mozdev.org/ [mozdev.org]