Code execution vulnerability found in Firefox 3.0

Code execution vulnerability found in Firefox 3.0

Summary: It's not all about world records for Firefox 3.0.Just hours after the official release of the latest refresh of Mozilla's flagship browser, an unnamed researcher has sold a critical code execution vulnerability that puts millions of Firefox3.

SHARE:
TOPICS: Browser, Security
106

Code execution vulnerability found in Firefox 3.0It's not all about world records for Firefox 3.0.

Just hours after the official release of the latest refresh of Mozilla's flagship browser, an unnamed researcher has sold a critical code execution vulnerability that puts millions of Firefox3.0 users at risk of PC takeover attacks.

According to a note from TippingPoint's Zero Day Initiative (ZDI) , a company that buys exclusive rights to software vulnerability data, the Firefox 3.0 bug also affects earlier versions of Firefox 2.0x.

Technical details are being kept under wraps until Mozilla's security team ships a patch.

According to ZDI's alert, it should be considered a high-severity risk:

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code, permitting the attacker to completely take over the vulnerable process, potentially allowing the machine running the process to be completely controlled by the attacker. TippingPoint researchers continue to see these types of "user-interaction required " browser-based vulnerabilities - such as clicking on a link in email or  inadvertently visiting a malicious web page.

It looks very much like the vulnerability researcher was hoarding this vulnerability and saving it for Firefox 3.0 final release to make the sale.

In the absence of a fix, Firefox users should practice safe browsing habits and avoid clicking on strange links that arrive via e-mail or IM messages.

There are no reports of this issue being exploited but,  if you are worried about being at risk of drive-by attacks, consider using a different browser.

Topics: Browser, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

106 comments
Log in or register to join the discussion
  • Or put your FF3 in a sandbox

    I show how to make your Firefox browser session safe and secure.

    Read [url=http://www.dtschmitz.com/dts/2008/05/is-it-safe.html]Is It Safe?[/url]

    Thanks and Be Safe.

    Dietrich T. Schmitz
    [i]Linux IT Consultant[/i]
    D T Schmitz
    • Wait!

      They just warned about following links that you aren't sure of, and now you want me to follow one?

      Good try!
      compy386
      • OK StrongBad

        nt
        D T Schmitz
      • What?

        _dietrich has been here(zdnet) for years. I'm sure a lot of
        posters here know him and can verify the link beside me.
        Arm A. Geddon
        • Thanks

          nt
          D T Schmitz
        • Sorry to hear that

          >> _dietrich has been here(zdnet) for years

          That is nothing to be proud of. Sorry _dietrich but YHBT.

          Yes, ZDNet are professional trolls.
          Sluggo Fishmonger
          • Yeh, well go have some cookies and milk

            nt
            D T Schmitz
    • Using the same logic, FF needs to implement Protected Mode

      No code is bug free so the best thing to do is limit what damage can be done when someone takes advantage of a vulnerability. AppArmor is offered for Linux, Protected Mode needs to be offered for Vista. OS X users get what they deserve: all of their personal files encrypted with 1024 bit encryption. :)
      NonZealot
      • Same Situation. Different Day. ;)

        nt
        D T Schmitz
      • Well, those OSX users will probably be OK...

        ...since many of them will have those files backed up via time machine anyway. ;)
        lostarchitect
      • Actually Leopard users might be protected against the Gpcoder trojan.

        Because Leopard implements MAC and it is enabled against a Time Machine backup the trojan might not be successful at encrypting the TM backup files.

        I can't speak for cetain about this as I don't have Leopard on my Mac. But the security document published by Apple a few weeks ago indicated root could not alter the TM backup files (for example could not successfuly perform a rm -rf on the TM backup drive). So I assume the user account cannot either.
        ye
  • RE: Code execution vulnerability found in Firefox 3.0

    please read this post:

    http://robert.accettura.com/blog/2008/06/18/zero-day-vulnerability/

    Here's the quote:

    This really isn???t very accurate. I don???t know the details of the vulnerability or even if there actually is one, but I question the marketing around the Zero Day Initiatives vulnerability report. The big news seems to be ???only 5 hours??? after the release.

    This isn???t really accurate if you think about it. It would be if Firefox 3 were a tightly controlled product that nobody could see a final version of. Reality is that the entire source code lives in CVS, there are nightly builds, and formal release candidates posted. Could someone have downloaded it after release and found a security issue? Absolutely. Is the timing a little suspicious considering everything was done out in the open? Yes.

    It wouldn???t have made any waves if a vulnerability was found in a release candidate. It would have just been patched and a new candidate posted.

    The advantage to the open source development process is the transparency through the entire process. The code in the release build isn???t remotely new or surprising. Many people had been running it for days prior to the actual release.

    Again, it???s possible it all happened in 5 hours. But I doubt someone discovered a security hole, documented it, then it was verified and confirmed in just 5 hours. Especially considering the open nature of the development process and how easy it is to check things out in advance.
    jiaz1
    • Funny isn't it ...

      ... the money NOT spent on Yahoo needs to be spent on something to try to kill competition in the IT space.
      fr0thy2
      • maybe Mozilla should do better code reviews...

        of course, i expected the knee-jerk conspiracy theories from the MS-is-always bad crowd.
        killerbunny
        • the good thing is Mozila is quick with patches...

          so just surf carefully until then
          killerbunny
        • He responded already...nt

          nt
          ItsTheBottomLine
  • RE: Code execution vulnerability found in Firefox 3.0

    "There are no reports of this issue being exploited but, if you are worried about being at risk of drive-by attacks, consider using a different browser."

    I'll continue to use IE7 with Windows Vista w/SP1 and Windows OneCare installed.
    cnfrisch
    • Good luck with that!!!

      IE's tight integration with the OS, coupled with ActiveX, have made it *the* single biggest IT security boondoggle *ever*! And that has not stopped with IE 7 and Vista, despite (once again) claims that Vista would be the "most secure Windows ever." You're walking on thin paper over a roaring fire, my friend. Noone says FF is free of vulnerabilities...but IE...I wouldn't wish that hazard on an enemy!
      Techboy_z
    • As if that's going to help you....

      All browsers have vulnerabilities, and MS holds the record for the most vulnerabilities found in a single browser. When Safari 3.0 was released early this year there were 2 vulnerabilities found during the first week after release that allowed remote code execution - and there were at least 11 prior vulnerabilities in its last beta. That's the reason they went to version 3.1 a few weeks later. IE7 has also had it's share of vulnerabilities - they very recently plugged a few of them, and they'll find more sooner or later. The fact is that most hackers are seeking vulnerabilities in IE7 because of it's market share. If you're looking for a browser that will protect you from the hackers, it isn't smart to surround yourself with the code they work most on!


      The fact that the vulnerability exists in FF2 indicated that it's not something new, just something newly discovered...it was there for years in FF2, just that no one noticed it until now.

      So lets be realistic - If this vulnerable code existed for more than 2 years and no one picked it up until now despite the sort of scrutiny that FF browsers get on a daily basis, it's not likely that anyone else with devious intent will be able to find it without some helpful hint from the discoverer. The timing of the release of this information is clearly highly suspicious. What really irks me though, is the fact that it's being played up as a flaw in FF3 when it's really a flaw in FF2 passed on to FF3.
      eMJayy
    • Vulnerability.......

      If you think you are completely safe with IE& and Vista and Onecare then sleep peacefully. But the truth is that you are probably no safer than with unpatched Firefox 3 which means you are pretty safe if you practice reasonable security. Possibly you will be 'attacked' but not likely as it frankly isn't likely to be worth a hackers trouble.
      danm50