Old 07-14-2009, 01:43 PM   #1
fusionx
Zero Day Exploit in Mozilla's New Firefox 3.5

SEVERITY: HIGH
14 July, 2009
SUMMARY:
 This vulnerability affects: Firefox 3.5 (and potentially previous versions)
 How an attacker exploits it: By enticing one of your users to visit a malicious web page
 Impact: An attacker executes code on your user's computer, possibly gaining complete control of it
 What to do: See workarounds described in the Solutions section of this alert.

EXPOSURE:

Late yesterday, a security researcher named Simon Berry-Byrne released exploit code for a zero day vulnerability in Firefox 3.5 for Windows. At this time, it is unclear whether or not this vulnerability affects previous versions of Firefox, or other operating systems.
The exploit leverages a flaw in Firefox's JavaScript engine when handling HTML font tags. By enticing you to a specially crafted web page, an attacker could exploit this flaw to execute code on your computer with your privileges. If you have local administrator privileges in Windows, the attacker gains complete control of your machine.

Mozilla seems to have known about this vulnerability prior to this release. However, they did not expect the researcher to publicly disclose his exploit yesterday. In this blog post, Mozilla confirms the vulnerability in Firefox 3.5's Just-in-Time (JIT) JavaScript compiler and promises to fix it in their next security update, which they hope to release soon.

We have tested the publicly available exploit and confirmed it works. The current Proof-of-Concept (PoC) exploit is just designed to execute the Windows calculator application. However, a smart attacker could easily modify this exploit with more dangerous shellcode. With such dangerous exploit code widely available, we consider this vulnerability a critical risk. You should implement the workaround described below as soon as possible.

SOLUTION PATH:

Mozilla has not had time to patch this particular vulnerability, but they plan to patch it as soon as possible. Until then, here are two workarounds that can help mitigate the risk of this vulnerability:

 Disable JIT in Firefox's JavaScript engine - In Firefox, type about:config in the browser's location bar (where you enter URLs). A warning may display on your screen. If it does, click the button that says, "I'll be careful, I promise!" Next, type jit in the filter dialog box near the top of the screen. Finally, double-click the line javascript.options.jit.content to set it to false. These steps disable the vulnerable component in Firefox. You can also run through the same steps to re-enable the JIT component when Mozilla releases a patch (just change the setting back to true).

 Use the Firefox NoScript extension - The NoScript extension for Firefox disables JavaScript, Java, ActiveX, and Flash content on web pages by default. However, it also offers an easy way for you to enable that content for legitimate web pages you trust. When you browse with the NoScript extension, you prevent the code needed for many malicious web sites to execute the attacks. In general, if you use Firefox, we recommend you use NoScript to help mitigate the risk of many web-based attacks.

FOR ALL USERS:

This attack arrives as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the workarounds above are your best solution.

STATUS:

The Mozilla Foundation will release a patch as soon as they can. Until then, the workarounds described above will mitigate the risk of this vulnerability.
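An added example, not part of the original post or the advisory it quotes: a way to check across many Firefox profiles whether the first workaround (javascript.options.jit.content set to false) is actually in effect. It assumes the standard profile files prefs.js and user.js, that user.js is applied over prefs.js at startup, and, following the advisory's "change the setting back to true", that an unset preference means JIT is on. The profile contents below are constructed samples.

```python
import re

PREF = "javascript.options.jit.content"
# Matches lines such as: user_pref("javascript.options.jit.content", false);
USER_PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"(?P<name>[^"]+)"\s*,\s*(?P<value>.+?)\s*\)\s*;\s*$'
)

def parse_prefs(text):
    """Return {name: raw_value} for each user_pref() line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = USER_PREF_RE.match(line)  # commented-out lines do not match
        if m:
            prefs[m.group("name")] = m.group("value")
    return prefs

def jit_workaround_status(prefs_js, user_js=""):
    """Classify one profile: disabled, enabled, default-enabled or invalid."""
    effective = parse_prefs(prefs_js)
    effective.update(parse_prefs(user_js))  # user.js overrides prefs.js
    value = effective.get(PREF)
    if value is None:
        return "default-enabled"  # assumption: unset means JIT is on
    return {"false": "disabled", "true": "enabled"}.get(value, "invalid")

def profiles_needing_action(profiles):
    """profiles: {name: (prefs_js, user_js)} -> names where JIT is still on."""
    return sorted(
        name for name, (prefs_js, user_js) in profiles.items()
        if jit_workaround_status(prefs_js, user_js) != "disabled"
    )

# Constructed sample profiles (not taken from any real machine).
SAMPLE_PROFILES = {
    "alice": ('user_pref("browser.startup.homepage", "about:blank");\n'
              'user_pref("javascript.options.jit.content", false);\n', ""),
    "bob": ('user_pref("browser.startup.homepage", "about:blank");\n', ""),
    # Workaround set by hand, but a leftover user.js turns JIT back on at startup.
    "carol": ('user_pref("javascript.options.jit.content", false);\n',
              'user_pref("javascript.options.jit.content", true);\n'),
    "dave": ('// user_pref("javascript.options.jit.content", false);\n', ""),
}

if __name__ == "__main__":
    for name in profiles_needing_action(SAMPLE_PROFILES):
        print(f"{name}: JIT still enabled, workaround not in effect")
```

The "carol" case is the one a manual about:config check misses: the change is written to prefs.js, but a user.js that sets the preference to true overrides it on the next start.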
Old 07-14-2009, 02:10 PM   #2
woj
these seem to be popping up more lately, there goes that idea that FF is more secure