
Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Exploit code sends Mozilla scrambling to fix Firefox

By | March 26, 2009, 6:48am PDT


[ UPDATE:  Mozilla has shipped a patch for this vulnerability ]

Mozilla’s security response team is scrambling to ready a patch for what appears to be a serious security flaw affecting its flagship Firefox browser.

The vulnerability, released alongside proof-of-concept code on several security sites, could lead to malicious code execution attacks if a Firefox user is lured to a Web site rigged with exploits.  It affects all versions of the open-source browser, including the newest Firefox 3.0.7.

According to this advisory, the issue is a boundary condition error.

  • An attacker can exploit this issue to execute arbitrary code within the context of the affected browser. Failed exploit attempt will result in a denial-of-service condition.

Mozilla has started an investigation of the issue, which is described in a bug report as “critical.”

  • Exploit code at the link iframes a little xml file with an xslt transform that causes a crash reliably on 3.0 branch and trunk (and presumably 1.9.1, didn’t test). Null, but it’s being called, assuming the worst for the moment.

Rob McMillan is reporting that Firefox 3.0.8 will be released sometime next week with a fix for this vulnerability.


Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

89
Comments


RE: Exploit code sends Mozilla scrambling to fix Firefox
birumut Updated - 3rd May 2011
Great!!! thanks for sharing this information to us!
seslisohbet seslichat
0 Votes
Not intended to be flame-bait but
marksashton 26th Mar 2009
Where are the howls of outrage that we'd see if this were IE8?
0 Votes
RE: Not intended to be flame-bait but ...
n0neXn0ne Updated - 26th Mar 2009
...does anyone use IE8?


^o^

0 Votes
Horses for ...
chrisn@... 26th Mar 2009
Yes. Me. Version 8.0.6001.18702 to be clear.
More questions ?
yes - fox, safari, maxthon and avant as well.
happy
0 Votes
I believe marksashton when he claims
GuidingLight 26th Mar 2009
Not intended to be flame-bait but ... , though you, on the other hand should really start your posts with something along the lines of

Obviously intended to be flame-bait, so...
0 Votes
Not me!
hardknoxfirst Updated - 26th Mar 2009
The last IE update caused mine to cease functioning. Congrats to Firefox! Rather than sit on their hands, and let crap code full of bugs sit w/o fixes like IE, Firefox decides to FIX the problem. IMO, they're the best!
0 Votes
To borrow from history
Mihi Nomen Est 27th Mar 2009
"The sun never sets on Linux/Mozilla."
0 Votes
My guess...
marksashton 26th Mar 2009
is that within a few months more people will be using IE8 than use Firefox. I bet there are already more IE8 users than Opera users. IE8 will surpass Safari soon too.
0 Votes
SO?
egoss@... 26th Mar 2009
So you like IE
What's the point?
but it left the rest of the field so far behind in its site filtering capabilities, it is the *only* safe browser available.

If you've not downloaded IE8, do so now. It's super fast, has great new functionality the others don't have, like tab grouping by page, and it has web slices, in-private browsing and run in standards mode and use compatibility mode on the fly as needed.

Any other browser is simply not ready for the internet of today. Only IE8 is up to the task of providing the best experience for the most amount of sites with by far the best malware protection.
0 Votes
Since I have NoScript running with my Firefox, I have as much protection as anyone running IE, and since OpenDNS filters my web requests, I don't fear socially engineered attacks quite as much.

I simply prefer Firefox's look and feel with the Noia 2 theme (and Skypilot Classic, if they ever get around to updating it for FF 3.x), and ForecastFox taking up the dead space in my menubar.
The find on this page feature is now integrated to the tab area and looks much nicer with an extra option or so. the smart filtering has been rated the best of all browsers, so that means it blocks more malware sites than FF, Chrome or Safari, at least with built in filtering. Has In-Private browsing, developer tools, text size, zoom, caret browsing, language translator, In-Private filtering (stops web usage info from going to 3rd party providers who track your web usage), can reopen last browsing session and all tabs will be reproduced and tab grouping.

It's much faster than IE7.
0 Votes
Identify Yourself!
Mihi Nomen Est 27th Mar 2009
What's your Microsoft Employee ID #?
0 Votes
You First.
xuniL_z 29th Mar 2009
What is your Mozilla employee ID# ?
0 Votes
Mozilla isn't a predatory monopoly...
hasta la Vista, bah-bie 30th Mar 2009
...like Micro$haft is. Try again, Redmond shill.

~

Oh and to answer Mihi's question, he says he works in a hospital and implies ActiveX save lives.
0 Votes
Thank you, Mr. Gates!
EBathory 28th Mar 2009
Honestly, do you work for Microsoft? If you don't, they should hire you! happy
0 Votes
That was a nice compliment.

happy
0 Votes
And I have a bridge to sell xuniL_z
hasta la Vista, bah-bie 30th Mar 2009
Painted green, with purple polka dots. It's at a discount for his 'trying' too hard, too.

LOL... grin
0 Votes
Why?
mathcreative Updated - 30th Mar 2009
IE8 is better than ie7, but why should the tech savvy world care? All the major competitive browsers are faster (except firefox 3 non minefield) more standard compliant, and have greater security due to ambiguity, and their open source models. None of the features IE8 has that the other don't aren't killer features.

Plus what according to your standards make an internet browser ready for the internet?
0 Votes
Yeah, the others don't need ActiveX
hasta la Vista, bah-bie 30th Mar 2009
Hilarious shill...

They must pay you for each gushing word, don't they... LOL... grin
0 Votes
Not even....
Mihi Nomen Est 27th Mar 2009
...Microsoft.

They use Firefox but have a [boss] button
0 Votes
...does anyone use IE8?
deowll 27th Mar 2009
Me. Works great or at least as well as anything I've tried and I have firefox on one machine as well as Chrome. I don't much care for Chrome.
0 Votes
DOS?
bmgoodman 26th Mar 2009
OK, so they crash my browser and I have to restart it. Yawwwwwn. It's the holes that let them commandeer my system that boil my blood.
0 Votes
YAWN?
KTLA 26th Mar 2009
"An attacker can exploit this issue to execute arbitrary code within the context of the affected browser. Failed exploit attempt will result in a denial-of-service condition."

Sure, if they screw up the exploit. That's a really odd thing for you to bank on.

You may not have understood this bit very well: "An attacker can exploit this issue to execute arbitrary code within the context of the affected browser"

That means the attacker now has full control of a part of your system, from which they can launch the next attack to execute code outside the browser context. (Probably with one of the many unknown/unpatched holes that exist in every browser.)
0 Votes
Or better still ...
de-void-21165590650301806002836337787023 26th Mar 2009
"That means the attacker now has full control of a part of your system, from which they can ..."

Any hacker who's just broken into your machine is most likely going to execute code that copies your most sensitive data off your box onto one that they own.

DOS is the least of your worries.
0 Votes
This is silly.
jskline0@... 26th Mar 2009
First off, if you're even remotely worth your salt in IT, you didn't give the user account Administrative rights. So that way, if they were able to do anything, worst case is a collapse of the browser and salty'd up the browser cache with garbage. Usually gets cleaned out after the user calls the help desk and they tell the user to reboot.
If you are one of the unfortunate fools who have administrative rights on your account and they actually do run code to suck up some of your data;.. oh well. It sucks to be you right now. happy
0 Votes
The attacker could access everything the user has permission to access. Because you see, Firefox does not run in low privileged mode or in a sandbox like IE and Chrome.
0 Votes
Corrected 1st paragraphs. ..Yawn..
Joe.Smetona Updated - 26th Mar 2009
Mozilla's Windows security response team is
scrambling to ready a patch for what appears to
be a serious security flaw affecting its
flagship Firefox browser when used with
Microsoft Windows.

The vulnerability, released alongside Windows
proof-of-concept code on several security sites,
could lead to malicious code execution attacks
on a Windows System if a Firefox user is lured
to a Web site rigged with exploits. It affects
all Windows versions of the open-source browser,
including the newest Firefox 3.0.7.

**********************

Why don't they just come out and say it's all
Windows versions?

Please, correct me if I'm wrong, but there is
nothing affecting non-MS users here, is there?
As far as a possible Dos issue, that should be
addressed in a patch, but Dos would not allow
complete take over on non-MS OS's.







0 Votes
Affects Firefox on Mac
Ryan Naraine 26th Mar 2009
It also affects Firefox on Mac OS X. See the bug report linked in the story.

_ryan
0 Votes
Thanks, that's a shame.
Joe.Smetona 26th Mar 2009
Friends of mine just bought a MAC system.

Initially, I recommended Best Buy and they
Purchased an Acer Aspire, It was DOA, so they
returned it and decided to try Apple.

I haven't seen it, but am currently helping them
convert three other PC's to Linux Mint including
a school notebook.

I don't have much experience with Apple, but
they seem to be having more issues lately.

I've been reading the report on the Conficker C
by SRI. Do you have any current numbers on the
amount of infections?

Thanks.

http://mtc.sri.com/Conficker/addendumC/

0 Votes
What?????
MGP2 26th Mar 2009
See the bug report linked in the story.

And give up that "Ready? Fire! Aim..." quality everyone finds sooooo endearing?
0 Votes
Need a hobby?
Joe.Smetona 27th Mar 2009
1. Some of us are too busy fixing Windows boxes.
2. Why bother looking when Linux isn't affected.
3. Too busy trying to figure out how to stop
Conficker "C" on Windows Vista and XP.
4. I have a day job.
0 Votes
exploit works everywhere (Linux too). Already Fixed!
Rick S._z Updated - 26th Mar 2009
the EXPLOIT isn't platform specific, although the "arbitrary code" which a criminal (and the POC) might try to run will probably target Win32.

Incidentally, they've already fixed this bug-- almost 16 hours BEFORE Ryan published this article. If attacks start to appear in the wild, they can push it out right away, without doing the usual "let it bake with testers for a few days, we'll release on Tuesday" routine.
0 Votes
Thanks.
Joe.Smetona Updated - 26th Mar 2009
I've found that these issues with Firefox and
OpenOffice programs have code which may be
typically used in all versions. So they wind up
being listed as a Linux Firefox version, even
though no damage can be caused. It becomes a
matter of housekeeping to correct the issue for
Linux versions.

The problem is that they wind up being a
security problem with Windows and (as Ryan
pointed out above) with MAC here.

I don't worry about Linux with these, It, so
far, has not allowed malicious code to be a
threat. It eventually will be updated, but
doesn't disrupt production or cause a security
risk.

It's similar to going an extra hundred miles
past the oil change due date with your car.
0 Votes
Joe, I disagree with you on this....
Rick S._z 26th Mar 2009
the attack vector is within mozilla core code (exactly as you surmised, common to all platform-specific builds of Firefox).
The updates were slightly different in Mozilla "1.8" versus "1.9.0" versus "1.9.1" because some files moved around and got renamed during Firefox development. (Yeah, they went back and fixed even Mozilla 1.8 == Firefox 2.)

The fix was pretty easy and obvious, actually. Then they just run the build scripts for creating the Windoze, Mac, and Linux versions against the new libraries-- and some other people, from Sun and BSD and etc. run their scripts the same way to make "Solaris" and "BSD" and other versions.

Since Firefox is already running, black hat guys CAN get hold of all your Cookies without even invoking an external program. (Theft via javascript, mostly). And, if they know how to crack it, they can steal your "saved passwords" database too. If I was a Ruskie Black Hat, and I saw that your UA was Firefox on Linux, I'd probably try to also go snooping around for a Thunderbird profile, too. (The "salt" in profile names creates some protection against non-interactive snooping of the directory tree, but not enough when I've got all of mozilla's underlying functions and utilities to use in my attack, already running fully authorized as "Firefox".)

I think there is risk, even for us.
0 Votes
Real life vs. individual attack using Java, etc.
Joe.Smetona Updated - 27th Mar 2009
In theory, the browser exploit seems to provide
worthwhile attack motivation for systems that
can be globally compromised as an aggregate.

I think what you are describing is a potential
attack that is targeted as an individual system,
using some interactive tools and taking a good
measure of time to accomplish.

So, to rely on the Linux Package Updater to
complete its mission doesn't leave much of a
window for the targeted attack.

So, I think we're safe in the big picture.
That means exactly what I already knew it did. They can't really run script without me authorizing it, meaning at best, they've got access to just my user profile if they know what OS I'm using. At worst, they've got access to my user profile and maybe a little porn.
0 Votes
24,400 archived emails.
Joe.Smetona Updated - 27th Mar 2009
I use Gmail and encourage others to do the same.

Web based gmail is perfect. I write filters,
use labels and get 1 or two spam emails in my
inbox in a year.

With 24,400 emails, I'm only using 19% of
capacity.

Also, I've been favoring Chrome on Windows
because of reliability, sleekness and speed.

I can't wait for the Linux version.




0 Votes
Are you serious.
xuniL_z 26th Mar 2009
The same thing was said of the Mac, then it got above 5% marketshare and we are now starting to see it be targeted, successfully.

I can appreciate your feeling safe in a very obscure environment, but it's been proven to be exploitable and after all with OS X being Unix and Linux being just a derivative of Unix, we can conclude marketshare has indeed been the factor. Most of us realized that from the beginning.

The fact is with all of the hyperbole flying about Window security, their current OS is very secure and IE8 is the most secure browser in terms of site filtering.

When was the last blog where you heard about a respectable windows network being hacked?

Professionals secure all networks of course and with modern Windows servers and clients, old issues like ActiveX exploits are a thing of the past with Vista so now admins can exploit the power of activeX controls w/o any problems at all.

No system is safe unless you are not attached to the internet and have no users.
0 Votes
Actually, it's easy.
Joe.Smetona Updated - 27th Mar 2009
With the family using Linux, there have been no
incidents in 6 years. This has been through all
the security issues and repairs with Firefox and
OpenOffice.

The only effort I put into Windows is with other
peoples' systems. It has been very, very nice
to go for such a long time without having to
deal with virus and spyware infections at home,
not to mention the maintenance/update angle
either. I don't ever think about AV.

I guess if something comes along that changes
the metrics, I'll react to it. So far though,
it's a non-issue. I know there are theories
about attacks, but in real life situations, life
goes on un-interrupted.

I've been reading the SRI report on the
Conficker C attack. It's set to attack Vista
as well as XP. No one knows what's going to
happen, but I've lived through a three week
company shutdown with the love-bug virus several
years ago. It is extremely disruptive and this
is so much larger (15 million infected computers
/-Wikipedia)
0 Votes
You didn't reply to my post.
xuniL_z 29th Mar 2009
I said if you enjoy security through obscurity, that is great. I just feel Windows, especially Vista (am eager to upgrade to win7 as well) has so much more to offer the end user in terms of functionality out of the box, applications and the like. To each his/her own.

The other thing you didn't reply to, was how well MS has done securing Windows and IE over the course of building Vista. Anyone that recalls XP SP1, or even to a lesser degree XP SP2, can see that Vista is clearly a major step forward for MS in security. The layered defense strategy and design of Vista has gotten great reviews from the professional, non affiliated, security industry.

Also, windows is recognized as the top pick for networking clients and even their server share is still growing, in some cases ousting Unix or Linux. A well maintained and protected network with Windows application servers, server 2k3 or 2k8 domain, AD/GP, with XP or Vista clients respectively is almost unbeatable. IIS and .NET is used heavily inside the majority of networks while Linux is better for file servers and public facing web servers that don't require much more than passively serving pages.

Server 2k8 allows Vista to shine with SMB 2.0 and other new code, Vista can do network operations 20% to 75% faster. Gartner discovered that even though Vista adoption was slow, those that rolled it out were not regretting it, in fact they were praising it was very good to excellent and claimed they would recommend to peers and friends. Bad press and perception hurt Vista more than the actual problems. The lion's share was of course the shortage of 3rd party drivers. I don't know what went on behind the scenes but MS had to release it, the vendors were balking at it, but in the end they wrote them and before long both 32 and 64 bit versions had an abundance of hardware compatibility.
In fact driver compatibility, or should I say availability far greater than Linux which still lacks drivers for many things.

As for security and conficker, there was a patch available last year.

All systems are Vulnerable left unpatched:
http://blogs.zdnet.com/security/?p=453


Same for home users.

I think the real test for Linux based OSes would only come if they approached a marketshare such as Windows and non Linux gurus were using it. Then we'd see how it held up to social engineering attacks or being unpatched etc.
0 Votes
You may be right
mathcreative 29th Mar 2009
you may be right that no system is secure. But as you said market share is a factor. If making an os purchase based solely on which one is less likely to get broken into I won't care whether not one system is more secure than another because it's less popular.
0 Votes
It will be fixed next week
jorjitop 26th Mar 2009
Like to see that kind of response out of Microsoft.
0 Votes
No, it's fixed ALREADY.
Rick S._z 26th Mar 2009
But the new versions will be officially "released" next week, unless horrible attacks appear in the wild, which would justify shortening the usual "Let the testers run with it for several days, to be sure it's a good fix, before we create the official release" routine.
0 Votes
Re: It will be fixed next week
ITSa341@... 26th Mar 2009
You will NEVER see that kind of response out of MS until they start seeing their own systems attacked and their secrets revealed. Until then the same Bureaucracy that slows our government and ALL large businesses will slow responses to a crawl.
That is one of the biggest advantages to open source. The code is available for ALL to inspect and help repair. Anyone can study, and create repairs for the code and then submit them to be tested, evaluated and if done correctly passed on to the community.
0 Votes
howls of outrage not needed
egoss@... Updated - 26th Mar 2009
no howls
It's just that we have come to EXPECT issues from IE
Not from the great browser we have all come to enjoy and trust
If people want to use a normally buggy software.. fine
I prefer to be an informed user that can accept an occasional flaw that will be quickly fixed...
0 Votes
More like the howls aren't needed...
D. W. Bierbaum Updated - 27th Mar 2009
MS has a tendency to leave known vulnerabilities unpatched till a big stink is raised. There are some known vulnerabilities over a year old that remain unpatched.

http://blogs.zdnet.com/security/?p=2894 is a case in point.

The Open Source community never leaves these things unpatched.
0 Votes
If this were IE8
tmsbrdrs 27th Mar 2009
This wouldn't be patched until next Patch Tuesday. The exploit was just released and they're working on it. Since the author failed to mention how long this exploit has been known about, there's no way to know if Mozilla just ignored it until people knew or if they just found out as well.

However, with their track record, I'd bet it's the latter of the two scenarios.
0 Votes
ff 'error in code!!'
susanai-22169053899661078984272886566109 28th Mar 2009
To "Not intended to be flame-bait but....' - I second your opinion. The macpac would be out in their thousands. I LOVE and feel SAFE with my WINDOWS and IE8.
0 Votes
How much did I pay for Firefox?
sporkfighter 30th Mar 2009
How much did I pay for Firefox?
0 Votes