Mozilla: Firefox can be hacked via booby-trapped images
Summary: For the second time in a week, Mozilla patches a "critical" vulnerability that could be remotely exploitable and can lead to arbitrary code execution.
For the second time this week, Mozilla has rushed out a Firefox security update to fix a dangerous security vulnerability.
The latest vulnerability, which was discovered and reported by representatives from Red Hat, "could be attacked simply by displaying a maliciously crafted image."
The skinny from a Mozilla advisory:
The libpng graphics library, used by Firefox and Thunderbird as well as many other software packages, contains an exploitable integer overflow bug. An attacker could craft malicious images which exploit this bug, and deliver them to users through websites or email messages.
This bug is remotely exploitable and can lead to arbitrary code execution. Firefox, Thunderbird and Seamonkey users could be attacked simply by displaying a maliciously crafted image.
The open-source group shipped Firefox 10.0.2 to correct the flaw. The fix is being distributed via the browser's silent update mechanism. Earlier this week, Mozilla patched a separate flaw that could lead to drive-by download malware attacks if a user simply surfed to a booby-trapped web site. Both browser updates are rated "critical," Mozilla's highest severity rating.
Talkback
RE: Mozilla: Firefox can be hacked via booby-trapped images
RE: Where are all the open source zealots ...?
Firefox and Thunderbird, by default, are not sandboxed on *any* operating system. Instead, the user must take discrete steps to place them in a sandbox. Of course, most users don't bother with a sandbox. And also, by default, both are configured to load images automatically.
Whereas Microsoft's Internet Explorer is sandboxed by default on Windows Vista/7 and Google's Chrome is sandboxed by default on Windows XP/Vista/7, Mac OS X and Linux (Debian, Ubuntu, Fedora and openSUSE).
I use Firefox as my default web browser on both Windows and Linux and treat all images, including advertisements, as untrusted by unchecking the "Load images automatically" option under Preferences -> Content. This really speeds up one's browsing. If I want to view an image, I use my mouse to right-click on the specific image I wish to download and view. And I use a 3rd party sandbox for Firefox on both Windows and Linux, just in case.
The workaround as of 2/15/2012 for the associated PNG vulnerability is not to open PNG files from untrusted sources. Both the Debian Project and Google (for Chrome) patched this libpng vulnerability on 2/15/2012, two days ago.
RE: Mozilla: Firefox can be hacked via booby-trapped images
RE: Mozilla: Firefox can be hacked via booby-trapped images
Mozilla both announced and patched this vulnerability last Thursday. Red Hat rolled out patches last Friday and Ubuntu rolled out patches earlier today.
Firefox CANNOT be hacked if your Linux is running it in AppArmor
RE: Mozilla: Firefox can be hacked via booby-trapped images
RE: Mozilla: Firefox can be hacked via booby-trapped images
troll
Wrong.....
But try again....You may make it some day.
RE: Mozilla: Firefox can be hacked via booby-trapped images
Sure it can, it will just be prevented from giving the hacker access to your computer, in other words, it will be sandboxed.
(Taps on shoulder) You just contradicted yourself.
nt
That's great info
So, I assume that Ubuntu and Mint come with apparmor enabled by default for Firefox?
I also assume that enabling apparmor does not influence my browsing experience, for example it will not be harder to download files and save them where I want on the disk?
On Windows there is no apparmor. If lazy Mozilla had cared about users' security they would have used the sandbox technology available on Windows: Low integrity mode. But no - that would mean that they would have to address the above problem. Google did it. Chrome on Windows uses low-integrity processes. Microsoft did it. IE protected mode sandboxes IE.
Remarkably, the Windows sandbox (unlike apparmor) inhibit browsing experience. So - unlike apparmor - it can be switched on by default without causing usability problems and user confusion.
RE: Mozilla: Firefox can be hacked via booby-trapped images
Chrome also contained the same open source image code and was also fixed recently.