Firefox hit by drive-by download security holes

Summary: Mozilla has shipped a mega patch for Firefox to fix a total of 16 security flaws that expose Web surfers to drive-by download, data theft and location bar spoofing attacks.


The Firefox 3.6.7 update includes fixes for nine "critical" issues, Mozilla's top rating, reserved for bugs that can be used to run attacker code and install software with no user interaction beyond normal browsing. Two of the 16 bugs are rated "high" and five carry a "moderate" severity rating.

Here's the skinny on the critical fixes:

Remote code execution using malformed PNG image

Aki Helin of OUSPG (the Oulu University Secure Programming Group) reported a buffer overflow in Mozilla graphics code that consumes image data processed by libpng. A malformed PNG file could cause libpng to report the image's dimensions incorrectly to downstream consumers. When the dimensions are underreported, the Mozilla code responsible for displaying the graphic allocates a memory buffer too small for the image data and writes past the end of it, which could result in the execution of attacker-controlled code.

nsTreeSelection dangling pointer remote code execution vulnerability

Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, an integer overflow in the implementation of the XUL <tree> element's selection attribute. When a new selection is sufficiently large, the integer used to calculate its length can overflow, so a bogus range is marked as selected. When adjustSelection is then called on the bogus range, the range is deleted, leaving dangling references to it that an attacker could use to call into freed memory and run arbitrary code on the victim's computer.

[SEE: Mozilla increases flaw bounty to $3K, adds Firefox Mobile ]

nsCSSValue::Array index integer overflow

Security researcher J23 reported, via TippingPoint's Zero Day Initiative, that an array class used to store CSS values contained an integer overflow. The 16-bit integer used to size the array's allocation could overflow, so too small a buffer was created; when the array was later populated with CSS values, data was written past the end of the buffer, potentially resulting in the execution of attacker-controlled code.

Arbitrary code execution using SJOW and fast native function

Mozilla security researcher moz_bug_r_a4 reported that when content script running in a chrome context accesses a content object via SJOW (SafeJSObjectWrapper), the content code can obtain an object from the chrome scope and use it to run arbitrary JavaScript with chrome privileges.

Plugin parameter EnsureCachedAttrParamArrays remote code execution vulnerability

Security researcher J23 reported, via TippingPoint's Zero Day Initiative, an error in the code that stores the names and values of plugin parameter elements. A malicious page could embed plugin content with a very large number of parameter elements, overflowing the integer that counts them. That integer is later used to allocate the buffer that holds the plugin parameters, so too small a buffer is created and attacker-controlled data can be written past its end, potentially resulting in code execution.
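The PNG dimension bug, the nsCSSValue::Array count and the plugin parameter count above share one shape: an attacker-influenced count or dimension is multiplied into an allocation size, wraps, and the consumer then writes the real amount of data into the undersized buffer. The C below is an added illustration of that shape and of the checks that close it; it is not Mozilla code, and the 16-byte entry size, the 16-bit count field and every function name are assumptions chosen to show the pattern. Nothing in it performs an out-of-bounds write.

```c
#include <stdint.h>
#include <string.h>

#define ELEM_SIZE 16u   /* assumed bytes per stored value or parameter entry */

/* Vulnerable shape: the entry count lives in a 16-bit field, so a count of
 * 65,536 wraps to 0 before it is multiplied into the allocation size. */
size_t vuln_alloc_bytes(size_t requested)
{
    uint16_t count = (uint16_t)requested;   /* silent truncation */
    return (size_t)count * ELEM_SIZE;       /* 65536 entries -> 0 bytes */
}

/* 1 when filling `requested` entries would write past what the vulnerable
 * path allocated. Pure arithmetic: no buffer is touched. */
int vuln_would_overflow(size_t requested)
{
    if (requested > SIZE_MAX / ELEM_SIZE)
        return 1;                           /* the true size itself wraps */
    return vuln_alloc_bytes(requested) < requested * ELEM_SIZE;
}

/* Hardened: reject counts the field cannot hold, then check the multiply.
 * Returns the byte count, or 0 to signal refusal (0 entries is refused too). */
size_t safe_alloc_bytes(size_t requested)
{
    if (requested == 0 || requested > UINT16_MAX)
        return 0;
    if (requested > SIZE_MAX / ELEM_SIZE)
        return 0;
    return requested * ELEM_SIZE;
}

/* The PNG case is the same arithmetic with three factors; each product is
 * checked before it becomes a buffer size. Returns 0 on refusal. */
size_t image_buffer_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t row;
    if (width == 0 || height == 0 || bpp == 0 || bpp > 16)
        return 0;
    if ((size_t)width > SIZE_MAX / bpp)
        return 0;
    row = (size_t)width * bpp;
    if (row > SIZE_MAX / height)
        return 0;
    return row * height;
}

/* Consumer-side check: a write of `len` bytes at `offset` must fit inside the
 * buffer the consumer itself allocated, whatever size the decoder reported.
 * Written so that offset + len cannot wrap. */
int scanline_fits(size_t buf_len, size_t offset, size_t len)
{
    return offset <= buf_len && len <= buf_len - offset;
}

int store_scanline(unsigned char *buf, size_t buf_len, size_t offset,
                   const unsigned char *data, size_t len)
{
    if (!scanline_fits(buf_len, offset, len))
        return 0;                           /* refuse rather than overflow */
    memcpy(buf + offset, data, len);
    return 1;
}
```

These are the three checks to look for in review of any such code: the count must fit the field that stores it, every multiplication that feeds an allocator is bounds-checked first, and the consumer bounds its writes by the buffer it owns rather than by a size another component reported.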

Use-after-free error in NodeIterator

Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, an error in Mozilla's implementation of NodeIterator: a malicious NodeFilter could detach nodes from the DOM tree while it was being traversed. Use of a detached and subsequently deleted node could result in the execution of attacker-controlled code.

DOM attribute cloning remote code execution vulnerability

Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, an error in the DOM attribute cloning routine where, under certain circumstances, an event attribute node can be deleted while another object still holds a reference to it. That reference could subsequently be accessed, potentially causing the execution of attacker-controlled code.
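The nsTreeSelection, NodeIterator and attribute-cloning bugs are the other recurring shape on this list: one object deletes or drops a node while another still holds a raw pointer to it. The C below is an added illustration of the usual defense, holding a counted reference for as long as the pointer is in use; it is not Mozilla's code or its actual fix for any of these bugs, and the node, tree and iterator types and all names are hypothetical. The filter here detaches every node it is handed, which is the hostile NodeFilter case the advisory describes, yet the traversal never touches freed memory and every node is freed exactly once.

```c
#include <stdlib.h>

/* Hypothetical reference-counted node. The discipline it shows is the one
 * that matters: whoever uses an object holds a reference on it. */
typedef struct Node {
    unsigned refcnt;
    struct Node *next;      /* sibling link, owned by the tree */
    int id;
} Node;

static int g_live = 0;      /* nodes currently allocated (demo bookkeeping) */

int live_nodes(void) { return g_live; }

Node *node_new(int id)
{
    Node *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->refcnt = 1;          /* the caller's reference */
    n->id = id;
    g_live++;
    return n;
}

void node_addref(Node *n) { n->refcnt++; }

void node_release(Node *n)
{
    if (--n->refcnt == 0) {
        free(n);
        g_live--;
    }
}

typedef struct { Node *head; } Tree;

/* Append: the tree takes over the caller's reference. */
void tree_append(Tree *t, Node *n)
{
    Node **pp = &t->head;
    while (*pp) pp = &(*pp)->next;
    n->next = NULL;
    *pp = n;
}

/* Unlink `victim` and drop the tree's reference. The memory is freed only if
 * nobody else still holds one. Returns 1 if the node was in the tree. */
int tree_detach(Tree *t, Node *victim)
{
    Node **pp = &t->head;
    while (*pp && *pp != victim) pp = &(*pp)->next;
    if (!*pp) return 0;
    *pp = victim->next;
    victim->next = NULL;
    node_release(victim);
    return 1;
}

void tree_free(Tree *t)
{
    while (t->head) tree_detach(t, t->head);
}

/* A filter may mutate the tree, including detaching the node it is given. */
typedef int (*Filter)(Tree *t, Node *n);

/* Traversal that survives such a filter: the successor is read before the
 * filter runs (detaching clears it), and the iterator holds its own reference
 * on the current node so the filter cannot free it out from under us. */
int traverse(Tree *t, Filter f)
{
    int accepted = 0;
    Node *cur = t->head;
    while (cur) {
        Node *next = cur->next;
        node_addref(cur);
        if (f(t, cur)) accepted++;
        node_release(cur);      /* only now may the node actually go away */
        cur = next;
    }
    return accepted;
}

/* Filter that detaches every node it sees: the hostile NodeFilter case. */
static int detach_filter(Tree *t, Node *n)
{
    tree_detach(t, n);
    return n->refcnt >= 1;  /* still alive, thanks to the iterator's reference */
}

/* Build `count` nodes, traverse with the detaching filter, return nodes seen. */
int demo_detach_all(int count)
{
    Tree t = { NULL };
    int i, seen;
    for (i = 0; i < count; i++) tree_append(&t, node_new(i));
    seen = traverse(&t, detach_filter);
    tree_free(&t);          /* nothing left by now, but harmless */
    return seen;
}
```

Without the addref/release pair in traverse, tree_detach inside the filter would free the node while the iterator still has `cur` and the filter still has `n`, which is exactly the dangling reference the advisories describe.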

Miscellaneous memory safety hazards

Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. According to Mozilla's advisory, some of these bugs showed evidence of memory corruption under certain circumstances, and Mozilla presumes that with enough effort at least some of them could be exploited to run arbitrary code.

The release comes just days after Mozilla announced it would pay a $3,000 bounty for security vulnerabilities found in its flagship Firefox and Thunderbird products. As reported by Dennis Fisher at Threatpost, the new bounty is a huge increase over the $500 per bug that Mozilla has offered since 2004.

Talkback

20 comments
  • RE: Firefox hit by drive-by download security holes

    First one to update this morning! Soon as I got to my PC I checked to see if there was an update and sure enough there was. That gives me all kinds of bragging rights for being first :)
    Loverock Davidson
  • What a concept...

    Paying for people to report vulnerabilities instead of treating them like pond scum for reporting them, and then publicly bashing them when they get fed up with the treatment and go public with the vulnerability.
    jasonp@...
    • RE: Firefox hit by drive-by download security holes

      @jasonp@...

      It's extortion no matter how much you sugarcoat it. And you do need to be treated like pond scum, because this hurts real people and only helps the criminals who are just waiting for the pond scum to make their lives easier.
      Stan57
      • The problem with your argument...

        @Stan57 You assume everyone who goes and digs up holes is at most neutral in their scruples. Which simply isn't true. There are people with true malice digging up holes first. What generally happens is sometime later the flaw is discovered after many, many machines have been compromised. Usually more than someone who has gone public through more normal channels and been branded (self or otherwise) a "security researcher".

        Regardless, you lose both ways, but you have to pick the lesser of two evils.

        I can also tell you most individuals don't protect themselves, but what's worse is when they are part of an org with people on staff who should know better. Letting Windows XP users run with administrative rights boggles my mind (been with 2 orgs recently where this is true). No admin privileges means you knock off a whole class of exploits or severely reduce the chance anything meaningful on behalf of rogue code can be achieved - arbitrary code execution, installation of rootkits and permutations thereof, e.g., changing an .EXE on your local file system.
        betelgeuse68
    • RE: Firefox hit by drive-by download security holes

      @jasonp@...
      I'm confused! Thought Linux did not have security issues???
      eargasm
      • You ARE confused.....

        @windozefreak

        This is NOT about any Linux distribution Operating System. What this is about, rather, is the Firefox web browser. Evidently the $3,000 -- now $4,000 -- bounty is now motivating and encouraging the best and the brightest to locate as many vulnerabilities and exploits as possible. This is a GOOD thing; (and yes, ANY Linux distro is INHERENTLY more secure than M$ Windoze -- that's why I made the switch myself).
        nbahn
      • RE: Firefox hit by drive-by download security holes

        @windozefreak >>> Really, Firefox for Windows has to address Windows' failings. The parallel versions of Firefox for Linux don't have problems. You should prove it to yourself. It's really rather boring not having virus problems for over 8 years. You don't even have the excitement of installing AV.
        Joe.Smetona
  • Tavis Ormandy and Google

    Feels that 60 days (or just 5?) should be enough to patch vulnerabilities.

    Mozilla are among the "fastest patchers" - the absolute elite. Perhaps because they don't make operating systems where a rushed patch could disrupt an entire language area.

    Yet [b]several of these patches concern vulnerabilities many months old[/b]. Back from March 2010, to be specific.

    Good thing that not every "security researcher" is as irresponsible as Mr. Ormandy.

    Firefox has far too many vulnerabilities and still no sandbox. Use at your own risk.
    honeymonster
    • RE: Firefox hit by drive-by download security holes

      @honeymonster
      Why do you feel 60 days is enough? What are your qualifications to make that statement?
      Stan57
      • RE: Firefox hit by drive-by download security holes

        @Stan57

        My stance is that the number of days that is "reasonable" depends. It will vary depending on the severity of the issue, whether the vuln is being actively exploited or commonly known *and* the part of the system which will be affected by a patch.

        Patching a browser vuln is not the same thing as patching a central component of the entire OS, like e.g. the SMB protocol. The latter will require more regression testing, and testing it will also be more involved.

        Some posters here felt that Tavis Ormandy was being very responsible when he went public with a vulnerability in Windows XP. His stated reason for doing so was that he was not able to get Microsoft to commit to a 60 days timeline.

        Given that the specific vulnerability was in a little-used (and deprecated) protocol, it was not a central OS component and 60 days seems reasonable. But that was not the issue.

        The issue was that he went public after just 4 (four!) days and his proof-of-concept code was used less than 6 days after that in actual, malicious attacks.

        He reported the issue to Microsoft on a Saturday, wanting Microsoft to commit to a 60-day timeline. The following Tuesday (a Patch Tuesday, no less) Microsoft told him that they would be able to give him a timeline on Friday the same week. Not good enough for Mr. Ormandy: he went public the next day - Wednesday. A few weeks later some 15,000 customers had been hit.

        Some here are so blinded by their hate for Microsoft that they'll accept any such behavior - as long as it hurts Microsoft (or as in this case some 10-20,000 customers).

        This mega-patch has vulnerabilities more than 100 days old (from report). This just puts it in perspective.
        honeymonster
      • You'll have to ask Tavis Ormandy.

        @Stan57: [i]Why do you feel 60 days is enough? What are your qualifications to make that statement[/i]

        As it was his requirement.
        ye
    • RE: Firefox hit by drive-by download security holes

      @Raymond Danner
      That's not a natively sandboxed Firefox, it's Firefox sandboxed by a third party by stuffing it inside a secure container. They could have used any browser, but in this instance they chose Firefox.
      BrewmanNH
    • That's right folks

      [i]Firefox has far too many vulnerabilities and still no sandbox. Use at your own risk.[/i]

      And here's a subtle plug for IE8, folks. Let's all go back to a one-browser world like M$ used to have. Just like the good old days of 1999-2004 between the demise of Netscape and the rise of Firefox.

      ActiveX slavery, anyone?
      ahh so
    • RE: Firefox hit by drive-by download security holes

      @honeymonster
      Yes, several of these vulnerabilities go back to March. But how do you know when these vulnerabilities have been patched? Firefox 3.6.7 is the first security release since Firefox 3.6.3 (released April 1st); the releases in between (Firefox 3.6.4 and 3.6.6) were dedicated to process separation for plugins and were created from a branch. For all that I know, all these vulnerabilities were most likely fixed in April and May and were just sitting around waiting to be shipped. Had any of these vulnerabilities become public, Mozilla would have certainly released a fix. But without that - why should they rush a release, what's the emergency? Arguably, process separation was more important than all these security issues together. And getting it right also meant holding back everything else unless there was a good reason not to.
      Wladimir Palant
  • FireFox 3.6.7 has been available for at least a week

    I'm sure confused. We've had FF 3.6.7 on our computers for about a week, honest! Guess Mozilla must like us.
    dl@...
    • RE: Firefox hit by drive-by download security holes

      @dl
      You are most likely on the beta channel - what you got was a release candidate, not the final release (I think there was only one release candidate this time, so the two are identical). The easiest way to change the update channel is the Channel Selector extension (https://addons.mozilla.org/addon/6263/). The other option is editing channel-prefs.js manually: http://support.mozilla.com/tiki-view_forum_thread.php?locale=en-US&comments_parentId=717488&forumId=1#threadId717594
      Wladimir Palant
  • Adobe 'push' POS too!

    Yup, just updated my FF and barely caught Adobe trying to foist an auto-downloader via Firefox update. ARRGGGH!!
    jerswing@...
  • Stupid question of the day:

    Does Mozilla run out of vulnerabilities or money first?
    trm1945
    • Yep, that IS pretty stupid.....

      @trm1945

      As long as they have that business deal going on with Google, then you needn't worry! :P
      nbahn
  • RE: Firefox hit by drive-by download security holes

    Great!!! Thanks for sharing this information with us!
    yarinsiz