Serious Zero-day flaw in Firefox.

Joey · Oct 1, 2006

http://news.com.com/2100-1002_3-6121608.html?part=rss&tag=6121608&subj=news

SAN DIEGO, Calif.--The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon.
An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.
"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it.
The flaw is specific to Firefox's implementation of JavaScript, a 10-year old scripting language widely used on the Web. In particular, various programming tricks can cause a stack overflow error, Spiegelmock said. The implementation is a "complete mess," he said. "It is impossible to patch."
The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation Saturday night. "What they are describing might be a variation on an old attack," she said. "We're going to do some investigating."
Snyder said she isn't happy with the disclosure and release of an exploit during the presentation. "It looks like they had enough information in their slide for an attacker to reproduce it," she said. "I think it is unfortunate because it puts users at risk, but that seems to be their goal."
At the same time, the presentation probably gives Mozilla enough data to fix the flaw, Snyder said. However, because the flaw appears to be in the part of the browser that deals with JavaScript, addressing it might be tougher than the average patch, she added. "If it is in the JavaScript virtual machine, it is not going to be a quick fix," Snyder said.
The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding on to the bugs.
Jesse Ruderman, a Mozilla security staffer, attended the presentation and was called up on the stage with the two hackers. He attempted to persuade the presenters to responsibly disclose flaws via Mozilla's bug bounty program instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets.
"I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," Ruderman said.
The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," Wbeelsoi said.
Click to expand...

They sound like right wangs. Does some one know how a black hat communication network is for the good of the internet? Or at least their reasoning for it?

I would think the best way to guard against this is block scripts.
(can some one confirm that doing this avoids this vulnerability?)

I use "No Script".
You just have to enable it for sites you regularly visit and trust.

https://addons.mozilla.org/firefox/722/

AlecRyben · Oct 1, 2006

Java is mess. Someone should kill the guy who invented it...

Finchwizard · Oct 1, 2006

The difference between IE and Firefox, and Microsoft and other companies, is now that they know, what are they doing to fix it.

I mean, Firefox may have more problems, but they patch their bugs and security issues a heck of a lot faster than Microsoft do.

compunut · Oct 1, 2006

hope mozilla fixes this problem ASAP
else have to switch back to IE7

Loki91 · Oct 1, 2006

i'd just like to say... Opera FTW

Animatrix · Oct 7, 2006

Just to give the update.

Update: Possible Vulnerability Reported at Toorcon

We got a chance to talk to Mischa Spiegelmock, the Toorcon speaker that reported the potential javascript security issue referenced earlier. He gave us more code to work with and also made this statement and agreed to let me post it here:

The main purpose of our talk was to be humorous.

As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.

I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code.

I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.

I apologize to everyone involved, and I hope I have made everything as clear as possible.

Sincerely,

Mischa Spiegelmock

Even though Mischa hasn’t been able to achieve code execution, we still take this issue seriously. We will continue to investigate.

-Window Snyder
Click to expand...

So the two guys; Andrew Wbeelsoi (right) and Mischa Spiegelmock were apparently being humorous which was totally left out in the initial mainstream reporting. Although some of the attendees got it.

http://hepkitten.livejournal.com/513183.html

I am at toorcon in San Diego until monday. It's been pretty hilarious so far. lj users weev and revmischa gave their talk yesterday and it was probably one of the funniest con talks I have seen in awhile. they took a relentless problackhat stance (duh) and showed off some new 0day like OH DANG WHAT YOU KNOW ABOUT FIREFOX JAVASCRIPT VULNS AND STACK OVERFLOW you can read the ensuing press drama here or here or here.
Click to expand...

Hacker backpedals on Firefox zero-day claim
Security Bites Podcast: Was the Firefox zero-day a hoax?

All in all the reporting seems to have been pretty bad with lots of misquoting and rewriting.

Bug 355069 Bantown discusses an arbitrary code execution in the JavaScript implementation on any OS, Comment #15 has the the full raw testcase. I manage to close the tab before it crashed on me, but it's pretty bad and will likely crash at some point. Systems with 512 ram or less is likely going to crash faster. At this point all there seems to be is a DoS, no code execution etc.

Log in or Sign up

Serious Zero-day flaw in Firefox.

Joey Guest

AlecRyben Guest

Finchwizard Don Apple

compunut Maha Guru

Loki91 Guest

Animatrix Ancient Guru

Share This Page