Mozilla patches DLL load hijacking vulnerability

Mozilla patches DLL load hijacking vulnerability

Summary: The open-source group released Firefox 3.6.9 with patches for a total of 15 vulnerabilities (11 rated critical), including the publicly known DLL load hijacking flaw that exposes Windows users to remote code execution attacks.

SHARE:
TOPICS: Browser
45

Mozilla has joined Apple in being among the first to fix the DLL load hijacking attack vector that continues to haunt hundreds of Windows applications.

The open-source group released Firefox 3.6.9 with patches for a total of 15 vulnerabilities (11 rated critical), including the publicly known DLL load hijacking flaw that exposes Windows users to remote code execution attacks.

The majority of the 15 vulnerabilities in this Firefox patch batch could be exploited to launch drive-by download attacks from booby-trapped Web sites.

follow Ryan Naraine on twitter

According to Firefox, the DLL load hijacking issue only affects Windows XP users:

Firefox could be used to load a malicious code library that had been planted on a victim's computer. Firefox attempts to load dwmapi.dll upon startup as part of its platform detection, so on systems that don't have this library, such as Windows XP, Firefox will subsequently attempt to load the library from the current working directory. An attacker could use this vulnerability to trick a user into downloading a HTML file and a malicious copy of dwmapi.dll into the same directory on their computer and opening the HTML file with Firefox, thus causing the malicious code to be executed. If the attacker was on the same network as the victim, the malicious DLL could also be loaded via a UNC path. The attack also requires that Firefox not currently be running when it is asked to open the HTML file and accompanying DLL.

Microsoft ships 'Fix-It' for DLL load hijacking attack vector ]

Firefox 3.6.9 also fixes the following "critical" security problems issues:

  • MFSA 2010-59 Mozilla developer Blake Kaplan reported that the wrapper class XPCSafeJSObjectWrapper (SJOW), a security wrapper that allows content-defined objects to be safely accessed by privileged code, creates scope chains ending in outer objects. Users of SJOWs which expect the scope chain to end on an inner object may be handed a chrome privileged object which could be leveraged to run arbitrary JavaScript with chrome privileges.  Mozilla said Google researcher Michal Zalewski's recent contributions helped to identify this architectural weakness.
  • MFSA 2010-58: Security researcher Marc Schoenefeld reported that a specially crafted font could be applied to a document and cause a crash on Mac systems. The crash showed signs of memory corruption and presumably could be used by an attacker to execute arbitrary code on a victim's computer.
  • MFSA 2010-57: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that code used to normalize a document contained a logical flaw that could be leveraged to run arbitrary code. When the normalization code ran, a static count of the document's child nodes was used in the traversal, so a page could be constructed that would remove DOM nodes during this normalization which could lead to the accessing of a deleted object and potentially the execution of attacker-controlled memory.
  • MFSA 2010-56: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that the implementation of XUL <tree>'s content view contains a dangling pointer vulnerability. One of the content view's methods for accessing the internal structure of the tree could be manipulated into removing a node prior to accessing it, resulting in the accessing of deleted memory. If an attacker can control the contents of the deleted memory prior to its access they could use this vulnerability to run arbitrary code on a victim's machine.
  • MFSA 2010-54: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that there was a remaining dangling pointer issue leftover from the fix to CVE-2010-2753. Under certain circumstances one of the pointers held by a XUL tree selection could be freed and then later reused, potentially resulting in the execution of attacker-controlled memory.
  • MFSA 2010-53: Security researcher wushi of team509 reported a heap buffer overflow in code routines responsible for transforming text runs. A page could be constructed with a bidirectional text run which upon reflow could result in an incorrect length being calculated for the run of text. When this value is subsequently used to allocate memory for the text too small a buffer may be created potentially resulting in a buffer overflow and the execution of attacker controlled memory.
  • MFSA 2010-51: Security researcher Sergey Glazunov reported a dangling pointer vulnerability in the implementation of navigator.plugins in which the navigator object could retain a pointer to the plugins array even after it had been destroyed. An attacker could potentially use this issue to crash the browser and run arbitrary code on a victim's computer.
  • MFSA 2010-50: Security researcher Chris Rohlf of Matasano Security reported that the implementation of the HTML frameset element contained an integer overflow vulnerability. The code responsible for parsing the frameset columns used an 8-byte counter for the column numbers, so when a very large number of columns was passed in the counter would overflow. When this counter was subsequently used to allocate memory for the frameset, the memory buffer would be too small, potentially resulting in a heap buffer overflow and execution of attacker-controlled memory.
  • MFSA 2010-49: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

Mozilla Firefox 3.6.9 is available for Windows, Mac and Linux users via the browser's auto-update mechanism.

Topic: Browser

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

45 comments
Log in or register to join the discussion
  • Really, it is much more secure to run Firefox on Linux or OSX.

    Ditch Windows now!!
    DonnieBoy
    • Really, it is much more productive to run Firefox on Windows.

      @DonnieBoy So what's your point?
      statuskwo5
      • RE: Mozilla patches DLL load hijacking vulnerability

        @statuskwo5
        windoze sucks! use it at your own peril!
        M$ is unable to fix it.
        Linux Geek
      • Clever

        @Linux Geek

        What's broken in it? Security? Well, I've never had a virus because I'm not an idiot. Speed? No, Windows 7 is speedy. Features? No, Windows 7 has everything I need, and most of the things I want.

        What is broken?
        Michael Alan Goff
      • RE: Mozilla patches DLL load hijacking vulnerability

        @statuskwo5 Thanks for sharing. i really appreciate it that you shared with us such a informative post..
        <a href="http://www.ashwooduniversity.net/ashwood/life_experience_degrees_programs.asp">Degree Program</a> <a href="http://www.ashwooduniversity.net/ashwood/master_degrees_programs.asp">Masters Degree Programs</a> <a href="http://www.ashwooduniversity.net/ashwood/online-degrees/index.asp">Online Degree</a> <a href="http://www.ashwooduniversity.net/ashwood/online-degrees/accredited-degree.asp">Accredited Degree</a>
        disturbforce
      • RE: Mozilla patches DLL load hijacking vulnerability

        @statuskwo5 No, Windows 7 has everything I need, and most of the things I want.<a href="http://aboutiao.com/online-education-standards/an-in-depth-view-of-the-iao-accreditation-system/">IAO</a> <a href="http://www.iao.org/iao/memberarea/cert-82.asp">IAO Accreditation</a> <a href="http://www.computerpointbbn.com/">International Accreditation Organization</a>
        nestdrive
      • RE: Mozilla patches DLL load hijacking vulnerability

        This vulnerability isnt a windows only problem. His point is to switch to mac I guess. So did the wholte touristic branche already over here. My Hotel I am working at which is called <a href="http://www.hotel-klughardt.de">Hotel Nuernberg</a> had real problems with the hijacking vulnerability and switched to mac using the software hotel manager Pro.
        MrHotel
      • RE: Mozilla patches DLL load hijacking vulnerability

        @statuskwo5 Some things need a -real- OS. Even a normal Linux Distro is more useful than ChromeOS. <a href="http://www.nationhighschool.com/">High School Diploma</a>
        disturbforce
      • RE: Mozilla patches DLL load hijacking vulnerability

        <a <div href="http://www.storabokbytardagenimariefred.com/"><font color="light&amp;height"> story</font></a> is something that <a <div href="http://www.chicago-water-damage.info/"><font color="light&amp;height">water</font></a> can demage any <a <div href="http://www.esn-nederland.org/"><font color="light&amp;height">nederland</font></a> people from around <a <div href="http://www.gburgtv.com/"><font color="light&amp;height">best TV</font></a> that you can <a <div href="http://www.newyork-auto.net/"><font color="light&amp;height">newyork</font></a> is the.
        Juliety
      • RE: Mozilla patches DLL load hijacking vulnerability

        <a <div href="http://www.britishshakespeare.com/"><font color="light&amp;height"> british</font></a> urban from it <a <div href="http://www.houseofkidsnyc.com/"><font color="light&amp;height">kids</font></a> is from playing <a <div href="http://th-haint.com/"><font color="light&amp;height">saint</font></a> only goverment to need <a <div href="http://www.edifyonline.net/"><font color="light&amp;height">online</font></a> always today from <a <div href="http://ili-inter.com/"><font color="light&amp;height">finance</font></a> and lot of money
        Juliety
    • Just drop Firefox. It is THE most insecure browser

      @DonnieBoy

      Really. It tops the charts for vulnerable software - ALL -software! Not just more vulnerable than competing browsers but more vulnerable than any other single software product.

      Bad.

      And to make matters worse, <i>it is still the mainstream browser with the poorest anti-exploit</i> mechanisms.

      Oh - and it doesn't have a built-in sandbox like Chrome or IE.

      So my advice: Drop Firefox. Go Chrome on Windows - the most secure combination as you'll have Chromium sandbox and Vista/7's built-in sandboxing on by *default*.
      honeymonster
      • Well, Chrome on ChromeOS will be the way to go if security is really

        important.
        DonnieBoy
      • ChromeOS?

        @ Donnie

        Not everything can be done on the web. Some things need a -real- OS. Even a normal Linux Distro is more useful than ChromeOS.
        Michael Alan Goff
      • RE: Mozilla patches DLL load hijacking vulnerability

        @honeymonster It is also the only one that fully reports ALL of its vulnerabilites. Every single flaw, or potential flaw - even when it has never been exploited - gets reported. That makes the count much much higher.
        The-Bytemaster
      • When did FF become IE6?

        @honeymonster
        Says you. Honestly, you make Firefox sound like IE6 just because it doesn't have sandboxing.
        ZackCDLVI
      • RE: Mozilla patches DLL load hijacking vulnerability

        @honeymonster when it has never been exploited - gets reported. That makes the count much much higher. <a href="http://aboutiao.com/online-education-standards/an-in-depth-view-of-the-iao-accreditation-system/">IAO</a> <a href="http://www.iao.org/iao/memberarea/cert-82.asp">IAO Accreditation</a> <a href="http://www.computerpointbbn.com/">International Accreditation Organization</a>
        nestdrive
    • RE: Mozilla patches DLL load hijacking vulnerability

      @DonnieBoy

      I use Linux and OS X, just for fun. I can ditch any of these anytime.

      I use Windows for real productive & reliable work.

      The only reason I use Firefox is for commonality when using Unix (AIX, HP-UX & Solaris). I also appreciate, use, and contribute toward open-source.

      But don't take my word for it. People just Google "most vulnerable app" and see for yourself...
      http://lmgtfy.com/?q=most+vulnerable+app

      ~~~~~~~~~~~
      A successful man is one who can lay a firm foundation with the bricks others have thrown at him.
      ~ David Brinkley
      WinTard
      • RE: Mozilla patches DLL load hijacking vulnerability

        @WinTard

        Well I Googled it and that was in 2008. What about now??
        Rodo1
      • RE: Mozilla patches DLL load hijacking vulnerability

        deoklein@gmail.com
        adklein31
      • The Metric Used for That List Was Silly

        @WinTard <br>Let's see. What's the most vulnerable Windows application? I know, it must be the one that just had the most security patches released for it. Yeah, that must be it.<br><br>That metric assumes that every application will have the same ratio of patched to unpatched vulnerabilities. Following this reasoning, as long as you never patch any vulnerabilities in an application, it never has any vulnerabilities. So the ultimate answer to perfect security is to never release any patches.

        You could use the same type of reasoning following a different assumption and come to the opposite conclusion. You could start with the assumption that all programs of comparable complexity will start out with about the same number of vulnerabilities (at least as valid of an assumption as that the ratio of patched to unpatched vulnerabilities will be the same for every application). Starting from that assumption, a list of the most patches recently released will be a list of the most secure apps rather than the least secure ones.

        Which of these conclusions is correct? Neither one. They both start out with a false assumption.
        CFWhitman