Zero Day

Ryan Naraine and Dancho Danchev

Firefox hit by drive-by download security holes

By Ryan Naraine | July 21, 2010, 7:16am PDT

Summary: Mozilla has shipped a mega patch for Firefox to fix a total of 16 security flaws that expose Web surfers to drive-by download, data theft and local bar spoofing attacks.

The latest Firefox 3.6.7 update includes fixes for nine “critical” issues that could be exploited to launch remote code execution attacks.  Two of the 16 bugs are rated “high risk” while five carry a “moderate” severity rating.

Here’s the skinny on the critical fixes:

Remote code execution using malformed PNG image

OUSPG researcher Aki Helin reported a buffer overflow in Mozilla graphics code which consumes image data processed by libpng. A malformed PNG file could be created which would cause libpng to incorrectly report the size of the image to downstream consumers. When the dimensions of such images are underreported, the Mozilla code responsible for displaying the graphic will allocate too small a memory buffer to contain the image data and will wind up writing data past the end of the buffer. This could result in the execution of attacker-controlled memory.

nsTreeSelection dangling pointer remote code execution vulnerability

Security researcher regenrecht reported via TippingPoint’s Zero Day Initiative an integer overflow vulnerability in the implementation of the XUL <tree> element’s selection attribute. When the size of a new selection is sufficiently large the integer used in calculating the length of the selection can overflow, resulting in a bogus range being marked selected. When adjustSelection is then called on the bogus range the range is deleted leaving dangling references to the ranges which could be used by an attacker to call into deleted memory and run arbitrary code on a victim’s computer.

[SEE: Mozilla increases flaw bounty to $3K, adds Firefox Mobile]

nsCSSValue::Array index integer overflow

Security researcher J23 reported via TippingPoint’s Zero Day Initiative that an array class used to store CSS values contained an integer overflow vulnerability. The 16 bit integer value used in allocating the size of the array could overflow, resulting in too small a memory buffer being created. When the array was later populated with CSS values data would be written past the end of the buffer potentially resulting in the execution of attacker-controlled memory.

Arbitrary code execution using SJOW and fast native function

Mozilla security researcher moz_bug_r_a4 reported that when content script which is running in a chrome context accesses a content object via SJOW, the content code can gain access to an object from the chrome scope and use that object to run arbitrary JavaScript with chrome privileges.

Plugin parameter EnsureCachedAttrParamArrays remote code execution vulnerability

Security researcher J23 reported via TippingPoint’s Zero Day Initiative an error in the code used to store the names and values of plugin parameter elements. A malicious page could embed plugin content containing a very large number of parameter elements which would cause an overflow in the integer value counting them. This integer is later used in allocating a memory buffer used to store the plugin parameters. Under such conditions, too small a buffer would be created and attacker-controlled data could be written past the end of the buffer, potentially resulting in code execution.
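The CSS value array and plugin parameter bugs above share one shape: an element count is computed in an integer too narrow to hold it, and the wrapped value is then used to size a buffer that later receives the full data. The C snippet below is an added illustration, not Mozilla's code; the `value_t` type, the 16-bit count and all function names are assumptions. It puts the truncating size computation beside a checked one that refuses any count the representation cannot hold and any product that would wrap `size_t`.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative element type standing in for a stored CSS value or a plugin
 * parameter (an assumption; not Mozilla's own types). 8 bytes on common ABIs. */
typedef struct {
    uint32_t tag;
    uint32_t payload;
} value_t;

/* Flawed shape: the element count is carried in a 16-bit integer, as the article
 * describes for the CSS value array. A request above 65535 is silently truncated
 * (65536 becomes 0, 65537 becomes 1), so the byte size handed to the allocator is
 * far smaller than the data later copied into the buffer. Returns that byte size. */
size_t unchecked_buffer_size(size_t requested)
{
    uint16_t count = (uint16_t)requested;   /* truncating conversion */
    return (size_t)count * sizeof(value_t);
}

/* Hardened shape: reject counts outside the representable range and any
 * multiplication that would wrap size_t. Returns the byte size, or 0 for a
 * rejected request; a zero-element array is rejected too, so 0 never means
 * "valid". */
size_t checked_buffer_size(size_t requested)
{
    if (requested == 0 || requested > UINT16_MAX)
        return 0;                           /* outside the 16-bit count range */
    if (requested > SIZE_MAX / sizeof(value_t))
        return 0;                           /* general overflow guard for wider counts */
    return requested * sizeof(value_t);
}

/* Allocation built on the checked computation; NULL means the request was refused. */
value_t *alloc_values_checked(size_t requested)
{
    size_t bytes = checked_buffer_size(requested);
    return bytes ? (value_t *)malloc(bytes) : NULL;
}

/* Allocate and release, reporting whether the request was accepted (1) or not (0). */
int try_alloc_values(size_t requested)
{
    value_t *v = alloc_values_checked(requested);
    if (!v)
        return 0;
    free(v);
    return 1;
}

int main(void)
{
    size_t big = 65537;                     /* constructed request: one past 16 bits */
    printf("request %zu elements:\n", big);
    printf("  unchecked size = %zu bytes (room for %zu elements)\n",
           unchecked_buffer_size(big), unchecked_buffer_size(big) / sizeof(value_t));
    printf("  checked size   = %zu (0 = rejected)\n", checked_buffer_size(big));
    printf("  request of 100 elements accepted: %d\n", try_alloc_values(100));
    return 0;
}
```

The checked version fails closed: a page that embeds more parameter elements than the count field can represent gets no buffer at all rather than an undersized one. The same guard applies to any size derived from untrusted dimensions, such as image width and height multiplied by bytes per pixel.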

Use-after-free error in NodeIterator

Security researcher regenrecht reported via TippingPoint’s Zero Day Initiative an error in Mozilla’s implementation of NodeIterator in which a malicious NodeFilter could be created which would detach nodes from the DOM tree while it was being traversed. The use of a detached and subsequently deleted node could result in the execution of attacker-controlled memory.

DOM attribute cloning remote code execution vulnerability

Security researcher regenrecht reported via TippingPoint’s Zero Day Initiative an error in the DOM attribute cloning routine where under certain circumstances an event attribute node can be deleted while another object still contains a reference to it. This reference could subsequently be accessed, potentially causing the execution of attacker controlled memory.

Miscellaneous memory safety hazards

Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

The release comes just days after Mozilla announced it would pay a $3,000 bounty for security vulnerabilities found in its flagship Firefox and Thunderbird software products. As reported by Dennis Fisher at Threatpost, the new bounty is a huge increase over the $500 per bug payout that Mozilla has been offering since 2004.


Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Talkback (most recent of 20)

  • RE: Firefox hit by drive-by download security holes
    First one to update this morning! Soon as I got to my PC I checked to see if there was an update and sure enough there was. That gives me all kinds of bragging rights for being first happy
    Loverock Davidson
    21st Jul 2010
  • What a concept...
    Paying for people to report vulnerabilities instead of treating them like pond scum for reporting them, and then publicly bashing them when they get fed up with the treatment and go public with the vulnerability.
    jasonp@...
    21st Jul 2010
  • RE: Firefox hit by drive-by download security holes
    @jasonp@...

    It's extortion no matter how much you sugarcoat it. And you do need to be treated like pond scum because this hurts real people and only helps the criminals who are just waiting for the pond scum to make their lives easier.
    Stan57
    21st Jul 2010
  • The problem with your argument...
    @Stan57 You assume everyone who goes and digs up holes is at most neutral in their scruples. Which simply isn't true. There are people with true malice digging up holes first. What generally happens is sometime later the flaw is discovered after many, many machines have been compromised. Usually more than someone who has gone public through more normal channels and been branded (self or otherwise) a "security researcher".

    Regardless, you lose both ways, but you have to pick the lesser of two evils.

    I can also tell you most individuals don't protect themselves, but what's worse is when they are part of an org with people on staff who should know better. Letting Windows XP users run with administrative rights boggles my mind (been with 2 orgs recently where this is true). No admin privileges means you knock off a whole class of exploits or severely reduce the chance anything meaningful on behalf of rogue code can be achieved - arbitrary code execution, installation of rootkits and permutations thereof, e.g., changing an .EXE on your local file system.
    betelgeuse68
    21st Jul 2010
  • RE: Firefox hit by drive-by download security holes
    @jasonp@...
    I'm confused! Thought linux did not have security issues???
    windozefreak
    21st Jul 2010
  • You ARE confused.....
    @windozefreak

    This is NOT about any Linux distribution Operating System. What this is about, rather, is the Firefox web browser. Evidently the $3,000 -- now $4,000 -- bounty is now motivating and encouraging the best and the brightest to locate as many vulnerabilities and exploits as possible. This is a GOOD thing; (and yes, ANY Linux distro is INHERENTLY more secure than M$ Windoze -- that's why I made the switch myself).
    nbahn
    22nd Jul 2010
  • RE: Firefox hit by drive-by download security holes
    @windozefreak >>> Really, Firefox for Windows has to address Windows failings. The parallel versions of Firefox for Linux don't have problems. You should prove it to yourself. It's really rather boring not having virus problems for over 8 years. You don't even have the excitement of installing AV.
    Joe.Smetona
    24th Jul 2010
  • Tavis Ormandy and Google
    Feels that 60 days (or just 5?) should be enough to patch vulnerabilities.

    Mozilla are among the "fastest patchers" - the absolute elite. Perhaps because they don't make operating systems where a rushed patch could disrupt an entire language area.

    Yet several of these patches concern vulnerabilities many months old. Back from March 2010, to be specific.

    Good thing that not every "security researcher" is as irresponsible as Mr. Ormandy.

    Firefox has far too many vulnerabilities and still no sandbox. Use at your own risk.
    honeymonster
    21st Jul 2010
  • RE: Firefox hit by drive-by download security holes
    @honeymonster
    Why do you feel 60 days is enough? What are your qualifications to make that statement
    Stan57
    21st Jul 2010
  • RE: Firefox hit by drive-by download security holes
    @Stan57

    My stance is that number of days "reasonable" depends. It will vary depending on the severity of the issue, whether the vuln is being actively exploited or commonly known *and* the part of the system which will be affected by a patch.

    Patching a browser vuln. is not the same thing as patching a central component of the entire OS, like e.g. the SMB protocol. The latter will require more regression testing, and testing it will also be more involved.

    Some posters here felt that Tavis Ormandy was being very responsible when he went public with a vulnerability in Windows XP. His stated reason for doing so was that he was not able to get Microsoft to commit to a 60 days timeline.

    Given that the specific vulnerability was in a little-used (and deprecated) protocol, it was not a central OS component and 60 days seems reasonable. But that was not the issue.

    The issue was that he went public after just 4 (four!) days and his proof-of-concept code was used less than 6 days after that in actual, malicious attacks.

    He reported the issue to Microsoft on a Saturday, wanting Microsoft to commit to a 60-day timeline. The following Tuesday (a Patch Tuesday, no less) Microsoft told him that they would be able to give him a timeline on Friday the same week. Not good enough for Mr. Ormandy; he went public the next day, Wednesday. A few weeks later some 15,000 customers had been hit.

    Some here are so blinded by their hate for Microsoft that they'll accept any such behavior - as long as it hurts Microsoft (or as in this case some 10-20,000 customers).

    This mega-patch has vulnerabilities more than 100 days old (from report). This just puts it in perspective.
    honeymonster
    21st Jul 2010
  • You'll have to ask Tavis Ormandy.
    @Stan57: Why do you feel 60 days is enough? What are your qualifications to make that statement

    As it was his requirement.
    ye
    21st Jul 2010
  • RE: Firefox hit by drive-by download security holes
    @Raymond Danner
    That's not a natively sandboxed Firefox, it's Firefox sandboxed by a third party by stuffing it inside a secure container. They could have used any browser, but in this instance they chose Firefox.
    BrewmanNH
    21st Jul 2010
  • That's right folks
    Firefox has far too many vulnerabilities and still no sandbox. Use at your own risk.

    And here's a subtle plug for IE8, folks. Let's all go back to a one browser world like M$ used to have. Just like the good old days of 1999-2004 between the demise of Netscape and the rise of Firefox.

    ActiveX slavery, anyone?
    ahh so
    21st Jul 2010
  • RE: Firefox hit by drive-by download security holes
    @honeymonster
    Yes, several of these vulnerabilities go back to March. But how do you know when these vulnerabilities have been patched? Firefox 3.6.7 is the first security release since Firefox 3.6.3 (released April 1st), the releases in between (Firefox 3.6.4 and 3.6.6) were dedicated to process separation for plugins and were created from a branch. For all that I know, all these vulnerabilities were most likely fixed in April and May and were just sitting around waiting to be shipped. Had any of these vulnerabilities become public Mozilla would have certainly released a fix. But without that - why should they rush a release, what's the emergency? Arguably, process separation was more important than all these security issues together. And getting it right also meant holding back everything else unless there is a good reason not to.
    Wladimir Palant
    26th Jul 2010
  • FireFox 3.6.7 has been available for at least a week
    I'm sure confused. We've had FF 3.6.7 on our computers for about a week, honest! Guess Mozilla must like us.
    dl@...
    21st Jul 2010