Monday, October 02, 2006 10:14 PM sandi

Firefox 1.5.0.7 hit by zero day vulnerability affecting Windows, Apple Computer's Mac OS X and Linux

This is pretty darned close to a true Zero Day Vulnerability.

Securiteam have some info:
http://blogs.securiteam.com/index.php/archives/657

As does zdnet.  The fact that the exploit has been described, and slides displaying key parts of the attack code shown, perhaps enough for attackers to reproduce the exploit, moves this away from what a purist would consider to be a zero day:
http://news.zdnet.com/2100-1009_22-6121608.html

Snyder, a Mozilla Security Chief, said "If it is in the JavaScript virtual machine, it is not going to be a quick fix".  Thor Larholm of securiteam doesn't agree, saying that he thinks that "if the history of security handling at Mozilla is any pointer, they will be fixed within days - at most a week." I suppose time will tell who is correct.

Window Snyder comments further:
http://developer.mozilla.org/devnews/index.php/2006/10/02/possible-vulnerability-reported-at-toorcon/

"So far we’ve been able to reproduce a denial of service issue based on the information they gave during their talk. In some cases this causes a crash based on an out of memory error. Based on the information we have at this time we have not been able to confirm whether an attacker can achieve code execution. We’re still investigating and we’ll keep you updated."

Until Firefox manage to "fix" this problem (assuming it can be fixed), some are recommending the No Script plugin for Firefox:
http://www.noscript.net/whats

It's scary that the 'hackers' claim to know of 30 vulnerabilities in Firefox that they do not plan to disclose, but instead intend to use to set up a "communication network for blackhats".  In other words, they want to use these exploits to gain access to, and make use of, other people's computers.

According to the Zdnet article, Firefox tried to convince the hackers to be responsible and submit the bugs to Firefox's bug bounty program, promising to pay them the princely sum of $500 per bug.  Unfortunately for Firefox the hackers have, according to zdnet, declined to cooperate.

Note: the following comments can also be applied to the Mac and Linux worlds that tout the security of their systems and encourage users to change for security reasons, without also pushing for user education.

I have, for a very long time, been warning about the "Switch to Firefox because it is safe" sentiment that goes no further than telling people to change their Web browser.  Ok, so they change their browser and feel warm 'n' fuzzy and secure.  Then what?

I admit, the pro-Firefox rhetoric has been toned down and become a bit more realistic in some areas over the past few months, but the fact remains that many people have held up Firefox as a wonderful cure-all, encouraging the misconception that switching to Firefox is all that is needed to keep you "safe".  I rarely see anybody encourage these new users to also practice safe hex, or learn about security, or educate themselves, to be cautious and careful, to make sure they are up to date with security patches and to always be security conscious.

This is what I want of the "Firefox is safe" brigade now that they have been given a very big wake-up call in the face of the 'we will not disclose but we will use' decision of the hackers.  I want them to stop holding up Firefox as a panacea and (finally) see the big picture.  I want them to get out there and start educating their users more about security - about patching the operating system, about beefing up the firewall, about practising safe hex.  I want the pro-Firefox brigade to start pushing security as hard as Microsoft have been doing for years, whether it be via essays like the ever popular "10 Immutable Laws of Security" or the security focused Web site for the Home User:

http://www.microsoft.com/security/default.mspx

# re: Firefox 1.5.0.7 hit by zero day vulnerability affecting Windows, Apple Computer's Mac OS X and Linux

Monday, October 02, 2006 10:53 AM by Sonic

It's time to let Firefox advocates recognize the facts. It reminds me that Internet Explorer 7 is a better choice!

# re: Firefox 1.5.0.7 hit by zero day vulnerability affecting Windows, Apple Computer's Mac OS X and Linux

Monday, October 02, 2006 12:41 PM by Brendan Eich

Check your facts. There's no shellcode, no complete demo, nothing but (apparently -- perhaps they'll be good enough to admit this in public) "fun trolling at toorcon" according to the principals. See my comments at http://blogs.securiteam.com/index.php/archives/657#comment-25886 /be

Sandi: I am honored that a Mozillazine has posted so quickly to my blog :) I note that your blog comment cited addresses bugs that the securiteam has guessed *may* be related to the exploits demoed at toorcon cited in the Zdnet article.

It comes to mind that Apple also denied the wireless exploit, and then patched it.

It's disappointing that, as invariably happens when Firefox advocates come out of the woodwork to post, you're so busy defending your product you've failed to address a major part of my article - that security education is sadly lacking at your end of town.

BTW, the comments by the Firefox fans in the securiteam blog do your community no credit.

# re: Firefox 1.5.0.7 hit by zero day vulnerability affecting Windows, Apple Computer's Mac OS X and Linux

Monday, October 02, 2006 5:06 PM by sandi

http://news.com.com/2100-1002_3-6121608.html?part=rss&tag=6121608&subj=news Pretty much a verbatim reproduction of the zdnet article.
