Remote code execution exploit for Firefox 3.5 in the wild

Summary: A zero day exploit (Firefox 3.5 Heap Spray Vulnerability) affecting Mozilla's latest Firefox release has been published in the wild.

TOPICS: Security, Browser

A zero-day exploit (described as a Firefox 3.5 heap spray vulnerability) affecting Mozilla's latest Firefox release has been published in the wild. The proof of concept triggers a flaw in how Firefox 3.5 processes JavaScript involving 'font' tags; an attacker who lures a user to a page carrying the exploit could achieve arbitrary code execution with that user's privileges and install malware on the affected host.

There's no indication of its use on a global scale just yet; however, because the PoC is now public, it shouldn't take long before cybercriminals add it to the exploit sets of their web malware exploitation kits, allowing attacks to scale.

More details on the mitigation and the exploit itself:

"Mozilla Firefox is prone to a remote code-execution vulnerability.  Successful exploits may allow an attacker to execute arbitrary code in the context of the user running the affected application. Failed attempts will likely result in denial-of-service conditions. The issue affects Firefox 3.5; other versions may also be vulnerable.

NOTE: Remote code execution was confirmed in Firefox 3.5 running on Microsoft Windows XP SP2. A crash was observed in Firefox 3.5 on Windows XP SP3."

Additional testing by heise Security indicates that the exploit crashed Firefox under Vista, and that under Windows 7 RC1 a dialog asking whether to abort the script appeared instead.

In terms of mitigation, NoScript works like a charm, successfully detecting and blocking the PoC's attempt to access file://.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

33 comments
  • install "noscript" now!

    This is exactly the type of exploit noscript is designed to prevent - unless you allow the untrusted web site, you will be protected.

    https://addons.mozilla.org/en-US/firefox/addon/722

    cheers
    ~doolittle~
    • And we all know...

      ...that it's impossible for our "trusted" websites to become compromised.

      Oh wait, that actually does happen. What are the stats again...? Beyond 50% of malicious sites are normally-safe sites that have been compromised? Debate the statistical methodology if you wish, but the bottom line from a security standpoint is to plan for the worst, instead of hoping for the best.

      Whether it's NoScript on Firefox, or using the Security Zones on IE, or any other whitelisting method, that's the Achilles' heel of whitelisting "trusted" sites. I'd recommend a defense-in-depth approach, as always. If the goal of an exploit is to download & launch an executable, then low-rights accounts and a disallowed-by-default Software Restriction Policy would be a good arbitrary countermeasure.
      mechBgon
      • over 50% of your trusted sites are compromised?

        No comment on your surfing habits, or where you got those stats :)

        Kidding aside, those are good measures for security-conscious users (be it Linux / AppArmor or XP w/ reduced priv or Vista / Win7); it is almost always going to be the "average user" (aka "general population", "lusers", etc.) who are security oblivious that are going to be hit.

        We are here to clean up their mess :)

        ~doolittle~
        • How do you know either side.

          It is difficult to determine if a trusted site has been compromised. Most crackers don't put any telltale signs that they have cracked into a trusted site and by the time you find out it will come from the news or a letter from your credit card company. NoScript and other extensions will prevent you from executing scripts from unknown sites but not prevent known sites that have been compromised from executing scripts.
          Recently some researchers have released a tool that silently hijacks EV SSL sessions, so even the sites that show "Trusted and test" on their websites can be compromised:
          http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=218500176&cid=nl_DR_DAILY_H

          Scary. However, knowledge of these will help mitigate these issues.
          phatkat
          • permanent fix was painfully simple

            1 - put "about:config" in the address
            2 - set javascript.options.jit.content to "false"

            done, the vulnerability is now defunct.

            I say was, because the v3.5.1 has just been auto-downloaded and installed

            quick fix - less than two days, nice
            ~doolittle~
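As an added example (not from the article or from any commenter) of applying the about:config workaround described in the comment above without clicking through the UI: a POSIX shell script that writes the javascript.options.jit.content pref into each Firefox profile's user.js, which Firefox reads at startup and which overrides prefs.js. The profile root layout (a profiles.ini with Path= entries, as on Linux under ~/.mozilla/firefox) is assumed; the profile name and file contents used to exercise it are constructed.

```shell
#!/bin/sh
# Added example: disable the TraceMonkey content JIT in every Firefox
# profile found under a profile root, as a bulk version of the
# about:config step from the comment thread. Not code from the article.

# set_jit_pref ROOT
#   For each Path= entry in ROOT/profiles.ini, ensure the profile's
#   user.js carries exactly one line setting the pref to false.
#   Prints the path of each user.js it writes; returns 1 if no
#   profiles.ini exists.
set_jit_pref() {
    root="$1"
    ini="$root/profiles.ini"
    [ -f "$ini" ] || { echo "no profiles.ini under $root" >&2; return 1; }
    pref='user_pref("javascript.options.jit.content", false);'
    # Path= may be relative to ROOT (IsRelative=1) or absolute (IsRelative=0).
    sed -n 's/^Path=//p' "$ini" | tr -d '\r' | while IFS= read -r rel; do
        case "$rel" in
            /*) dir="$rel" ;;
            *)  dir="$root/$rel" ;;
        esac
        [ -d "$dir" ] || continue
        f="$dir/user.js"
        # Already set exactly as we want it: nothing to do (idempotent).
        if [ -f "$f" ] && grep -Fqx "$pref" "$f"; then
            continue
        fi
        # Drop any earlier setting of the same pref (e.g. "true") so ours wins.
        if [ -f "$f" ]; then
            grep -Fv 'javascript.options.jit.content' "$f" > "$f.tmp" || true
            mv "$f.tmp" "$f"
        fi
        printf '%s\n' "$pref" >> "$f"
        echo "$f"
    done
}

# jit_disabled PROFILE_DIR
#   Exit 0 if the profile's user.js carries the workaround line, else 1.
jit_disabled() {
    grep -Fqx 'user_pref("javascript.options.jit.content", false);' \
        "$1/user.js" 2>/dev/null
}

# Usage (assumed Linux layout; Firefox must be closed while user.js is edited):
#   set_jit_pref "$HOME/.mozilla/firefox"
```

The pref is only a workaround for the JIT path the PoC abuses; the commenter's own note applies, namely that the real fix was the 3.5.1 update, after which the line can be removed again.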
  • Shields Up!:Noscript? Check. Adblock? Check.

    Ubuntu 9.04 Linux? Check.
    AppArmor Firefox Profile? Check.

    Everything is super fine and safe with Linux.

    Windows XP users should use Firefox with Noscript enabled at all times unless you are sure of the website you are accessing.

    Dietrich T. Schmitz
    • UAC? Check. Standard Privileged Accounts? Check.

      Does not affect current version of Windows? Check. Disable ActiveX? Check.

      Everything is super fine and safe with Windows.

      Windows XP users should use IE with Internet Zone set at the highest security level at all times unless you are sure of the website you are accessing (which should be placed in the Trusted Sites zone).

      Your point?
      ye
    • Vista installed? Check. IE running in protected mode? Check.

      That's it. As solid as any system today gets, possibly more so with very current layered security built into the OS.
      With the added bonus of integration into the most widely used array of software on the face of the earth. Quite compelling.

      And please, the flame wars here are such a colossal waste of time (lives in some cases for the radical haters); why don't we try to end them? Pointing out flaws on something so widespread and diverse, used with so many configurations and applications and services it boggles the mind: a truly honest man, imho, could only conclude that Microsoft is pulling off a small miracle and certainly a superhuman effort to keep that system running and the patches working for all of that possible diverse usage, which has to be taken into account for every patch.
      Why would someone go after the very small minority of issues that creep in, with something this unprecedented? That is laughable and such a waste....
      With issues abounding with OS X and all linux variants, it's just such an asinine thing, don't you agree?
      xuniL_z
      • Hope you downloaded and installed those

        urgent patches for ActiveX exploits targeting IE. Also sure hope that you don't run into any of the existing and unpatched exploits to...

        Check?

        Right

        LOL ;)
        jacarter3
        • Why? Vista users had nothing to worry about.

          Well those who left it at its default settings and exercise a little common sense.
          ye
          • That kind of naivete is so frightening

            that it's funny!

            Thanks for making my day ;)
            jacarter3
          • Yet here I am, malware free.

            Guess it's not so naive after all.
            ye
          • As for now...

            I am malware free too. Guess using XP Pro and FF with some common sense works too. However my common sense is based on not assuming that MS will make things all safe and better for me...
            jacarter3
          • I didn't say it was an exclusive combination.

            I said:

            "Vista users had nothing to worry about."

            So I'm not sure what your point is.
            ye
        • nt

          xuniL_z
        • I'm good, thanks anyway. Hope you get code....

          for this zero day critical flaw in FF and /or the serious flaws with Safari.
          xuniL_z
          • You forgot to mention Opera

            Now their feelings are hurt...

            The FF exploit is for 3.5 - not running that (3.0.11) and using NoScript as well as Adblock Plus. No site has permanent permissions either. I do use Opera as well.

            I do not use Safari and never will. I would say the same for IE but I have to use it for Windows Updates (frequently it seems) and time keeping.
            jacarter3
          • LOL! Once a month is "frequently"? Thanks, I needed a laugh. (nt)

            ye
          • Never assume...

            I have several Windows machines and I will never ever again allow for automatic updates.

            And "once a month" is the minimum frequency. Not so infrequently, we again discover that Windows has such big holes with wind blowing through them that MS releases out of cycle patches.

            Just keep on laughing ;)
            jacarter3
          • So you're one of those people who know better.

            Well, I don't recall saying you weren't foolish.

            [i]Not so infrequently, we again discover that Windows has such big holes with wind blowing through them that MS releases out of cycle patches.[/i]

            Really? So how many out-of-cycle patches have there been in the many years Microsoft has been using the monthly patch schedule? I think it's two, but feel free to provide the correct number if I'm wrong.
            ye