Mozilla: Firefox can be hacked via booby-trapped images

Summary: For the second time in a week, Mozilla patches a "critical" vulnerability that could be remotely exploitable and can lead to arbitrary code execution.

For the second time this week, Mozilla has rushed out a Firefox security update to fix a dangerous security vulnerability.

The latest vulnerability, which was discovered and reported by representatives from Red Hat, "could be attacked simply by displaying a maliciously crafted image."

The skinny from a Mozilla advisory:

The libpng graphics library, used by Firefox and Thunderbird as well as many other software packages, contains an exploitable integer overflow bug. An attacker could craft malicious images which exploit this bug, and deliver them to users through websites or email messages.

This bug is remotely exploitable and can lead to arbitrary code execution. Firefox, Thunderbird and Seamonkey users could be attacked simply by displaying a maliciously crafted image.

The open-source group shipped Firefox 10.0.2 to correct the flaw.  The fix is being distributed via the browser's silent update mechanism.

Earlier this week, Mozilla patched a separate flaw that could lead to drive-by download malware attacks if a user simply surfed to a booby-trapped web site.  Both browser updates are rated "critical," Mozilla's highest severity rating.

Talkback

13 comments
  • RE: Mozilla: Firefox can be hacked via booby-trapped images

    I was the first one to update at the office this morning. I got bragging rights all day.
    Loverock Davidson-
  • RE: Mozilla: Firefox can be hacked via booby-trapped images

    Where are all the open source zealots that posted on the IE patch Tuesday thread? Didn't see any on the Chrome browser patch either.
    whatagenda
    • RE: Where are all the open source zealots ...?

      @whatagenda A good question, but remember that Google's Chrome browser is proprietary even though it has open-source underpinnings. This vulnerability is remotely exploitable, can be triggered simply through the display of a maliciously-crafted image and can lead to arbitrary code execution. In addition, it applies to all platforms, including Linux.

      Firefox and Thunderbird, by default, are not sandboxed on *any* operating system. Instead, the user must take discrete steps to place them in a sandbox. Of course, most users don't bother with a sandbox. And also, by default, both are configured to load images automatically.

      Whereas Microsoft's Internet Explorer is sandboxed by default on Windows Vista/7 and Google's Chrome is sandboxed by default on Windows XP/Vista/7, Mac OS X and Linux (Debian, Ubuntu, Fedora and openSUSE).

      I use Firefox as my default web browser on both Windows and Linux and treat all images, including advertisements, as untrusted by unchecking the "Load images automatically" option under Preferences -> Content. This really speeds up one's browsing. If I want to view an image, I use my mouse to right-click on the specific image I wish to download and view. And I use a 3rd party sandbox for Firefox on both Windows and Linux, just in case.

      The workaround as of 2/15/2012 for the associated PNG vulnerability is not to open PNG files from untrusted sources. Both the Debian Project and Google (for Chrome) patched this libpng vulnerability on 2/15/2012, two days ago.
      Rabid Howler Monkey
      • RE: Mozilla: Firefox can be hacked via booby-trapped images

        @Rabid Howler Monkey

        My point (sarcasm intended) is that in the 'normal course' all software will be found to have gotchas ... either exploits or broken/less than ideal functionality. The rants by Apple/MS/Linux/IE/Firefox/Safari/Chrome, etc., fanbois are unproductive, though sometimes amusing.
        All the fanboy rants do is push the ZDNet writers to write increasingly click bait articles as that drives the revenue. Unfortunately, it also drives the value of the site rapidly downward.
        whatagenda
      • RE: Mozilla: Firefox can be hacked via booby-trapped images

        @whatagenda Your statement that "all software will be found to have gotchas" is spot on. However, web browser defense-in-depth provided by sandboxing is also noteworthy because all of the major web browsers enable highly-exploited settings like JavaScript, IFRAMES, plug-ins (e.g., Java and Flash Player) and image loading (e.g., malvertisements) by default. In addition, some users and Linux distros aren't as quick to patch as others. Not to mention 0-days.

        Mozilla both announced and patched this vulnerability last Thursday. Red Hat rolled-out patches last Friday and Ubuntu rolled-out patches earlier today.
        Rabid Howler Monkey
  • Firefox CANNOT be hacked if your Linux is running it in AppArmor

    nt
    Dietrich T. Schmitz *Your
    • RE: Mozilla: Firefox can be hacked via booby-trapped images

      @Dietrich T. Schmitz * Your Linux Advocate *sigh* could you give it a rest? Even sjvn acknowledges that nobody uses Linux desktops.
      Aerowind
      • RE: Mozilla: Firefox can be hacked via booby-trapped images

        @Aerowind
        troll
        kirovs@...
      • Wrong.....

        @Aerowind

        But try again....You may make it some day.
        linux for me
    • RE: Mozilla: Firefox can be hacked via booby-trapped images

      @Dietrich T. Schmitz * Your Linux Advocate
      Sure it can, it will just be prevented from giving the hacker access to your computer, in other words, it will be sandboxed.
      MrElectrifyer
      • (Taps on shoulder) You just contradicted yourself.

        @MrElectrifyer
        nt
        Dietrich T. Schmitz *Your
    • That's great info

      @Dietrich T. Schmitz * Your Linux Advocate
      So, I assume that Ubuntu and Mint come with apparmor enabled by default for Firefox?

      I also assume that enabling apparmor does not influence my browsing experience, for example it will not be harder to download files and save them where I want on the disk?

      On Windows there is no apparmor. If lazy Mozilla had cared about users' security they would have used the sandbox technology available on Windows: Low integrity mode. But no - that would mean that they would have to address the above problem. Google did it. Chrome on Windows uses low-integrity processes. Microsoft did it. IE protected mode sandboxes IE.

      Remarkably, the Windows sandbox (unlike apparmor) inhibit browsing experience. So - unlike apparmor - it can be switched on by default without causing usability problems and user confusion.
      honeymonster
  • RE: Mozilla: Firefox can be hacked via booby-trapped images

    Nice bait title.
    Chrome also contained the same open source image code and was also fixed recently.
    caspy7