Remote code execution exploit for Firefox 3.5 in the wild


A zero-day exploit (Firefox 3.5 Heap Spray Vulnerability) affecting Mozilla's latest Firefox release has been published in the wild. Through an error in the processing of JavaScript code in 'font tags', malicious attackers could achieve arbitrary code execution and install malware on the affected hosts.

There's no indication of its use on a global scale just yet. However, because the PoC is now public, it shouldn't take long before cybercriminals embed it within the diverse exploit sets of their web malware exploitation kits, allowing it to scale.

More details on the mitigation and the exploit itself:

"Mozilla Firefox is prone to a remote code-execution vulnerability. Successful exploits may allow an attacker to execute arbitrary code in the context of the user running the affected application. Failed attempts will likely result in denial-of-service conditions. The issue affects Firefox 3.5; other versions may also be vulnerable.

NOTE: Remote code execution was confirmed in Firefox 3.5 running on Microsoft Windows XP SP2. A crash was observed in Firefox 3.5 on Windows XP SP3."

Additional testing courtesy of heise Security indicates that the exploit crashed Firefox under Vista, and that when tested under Windows 7 RC1 a dialog offering to abort the script appeared.

In terms of mitigation, NoScript works like a charm, successfully detecting the PoC's attempt to access file://.

Topics: Security, Browser

About

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community...
