Free Republic
Browse · Search
General/Chat
Topics · Post Article

Skip to comments.

Attack code for Firefox zero-day goes wild, says researcher
The Register ^ | 18 February 2010 | Dan Goodin

Posted on 02/19/2010 10:40:03 AM PST by ShadowAce

A Russian security researcher on Thursday said he has released attack code that exploits a critical vulnerability in the latest version of Mozilla's Firefox browser.

The exploit - which allows attackers to remotely execute malicious code on end user PCs - triggers a heap corruption vulnerability in the popular open-source browser, said Evgeny Legerov, founder of Moscow-based Intevydis. He recently added it as a module to Vulndisco, an add-on to the Immunity Canvas automated exploitation system sold to security professionals.

"We've played a lot with it in our labs - it was very reliable," Legerov wrote in an email to The Reg. "Works against the default install of Firefox 3.6. We've tested it on XP and Vista."

The report comes as Mozilla pushed out a Firefox update that tackles three critical vulnerabilities in version 3.5.7. One of those bugs is also described as a heap corruption vulnerability, but Legerov said the flaw is different from the one his code exploits.

Mozilla issued a statement that read in part: "Mozilla takes all security vulnerabilities seriously, and have as yet been unable to confirm the claim of an exploit. We value the contributions of all security researchers and encourage them to work within our security process, responsibly disclosing vulnerabilities to ensure the highest level of security and best outcome for users."

Legerov said his firm does not provide advanced notification to software makers under an arrangement often referred to as responsible disclosure.

If Legerov's claim pans out, it would be one of the few times in recent memory that a zero-day vulnerability for Firefox has circulated in the wild. While the exploit is currently available only to those who pay a hefty licensing fee, wider circulation can't be far behind. This story will be updated as more is learned.

More about the bug is here and here. ®


TOPICS: Computers/Internet
KEYWORDS: firefox; security

1 posted on 02/19/2010 10:40:03 AM PST by ShadowAce
[ Post Reply | Private Reply | View Replies]

To: rdb3; Calvinist_Dark_Lord; GodGunsandGuts; CyberCowboy777; Salo; Bobsat; JosephW; ...

2 posted on 02/19/2010 10:40:32 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

I am pretty much stupid about this stuff, but use Firefox. What does this mean for me? Do I need to do something?


3 posted on 02/19/2010 10:42:01 AM PST by brytlea (Jesus loves me, this I know.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

I am pretty much stupid about this stuff, but use Firefox. What does this mean for me? Do I need to do something?


4 posted on 02/19/2010 10:42:23 AM PST by brytlea (Jesus loves me, this I know.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: brytlea

3.5.8 came out today, at least it did when I first opened Firefox this morning.


5 posted on 02/19/2010 10:43:27 AM PST by John W
[ Post Reply | Private Reply | To 3 | View Replies]

To: ShadowAce

6 posted on 02/19/2010 10:44:27 AM PST by JoeProBono (A closed mouth gathers no feet)
[ Post Reply | Private Reply | To 2 | View Replies]

To: ShadowAce
"Security researcher", and he intentionally releases the attack code to the public?

Sorry, dude, that makes you no different than any other scumbag, black-hat hacker in my book.

7 posted on 02/19/2010 10:46:32 AM PST by TChris ("Hello", the politician lied.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: John W

Firefox 3.6 is out now.

Use the HELP tab and CHECK FOR UPDATES or here is a link to the download.

http://www.mozilla.com/en-US/


8 posted on 02/19/2010 10:48:05 AM PST by Mr. Jazzy ("I AM JIM THOMPSON and moderates make me PUKE!!!")
[ Post Reply | Private Reply | To 5 | View Replies]

To: brytlea

No, you don’t need to do anything. Your copy of Firefox will automatically download and install (probably already has) all security updates. A major update was sent out two or three days ago.


9 posted on 02/19/2010 10:51:53 AM PST by Ron C.
[ Post Reply | Private Reply | To 4 | View Replies]

To: ShadowAce

Ok let me get this straight. A “security researcher” releases code that is toxic to a browser? I have always suspected that the anti virus people and the hackers are one and the same. They run a protection racket. Anything here that I’m missing? Believe me I don’t claim to understand the world of IT, but this seems to confirm what Ive always suspected to be true. Am I right?


10 posted on 02/19/2010 10:51:58 AM PST by DariusBane (Even the Rocks shall cry out "Hobamma to the Highest")
[ Post Reply | Private Reply | To 1 | View Replies]

To: brytlea
I'm not sure yet. From my understanding of the reading, there is no fix for this particular exploit.

Of course, there is no verifiable instance of it occurring yet, but give it some time.

11 posted on 02/19/2010 10:52:00 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 3 | View Replies]

To: DariusBane

Sure seems like it. I don’t normally run AV, though.


12 posted on 02/19/2010 10:52:54 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 10 | View Replies]

To: Mr. Jazzy

Is it just me or does 3.6 seem to run much faster?


13 posted on 02/19/2010 11:07:03 AM PST by foolishboi (Under certain circumstances profanity provides relief denied even to prayer...... Mark Twain)
[ Post Reply | Private Reply | To 8 | View Replies]

To: John W

Oh, yeah, I forgot there was an update I downloaded this morning. Good!


14 posted on 02/19/2010 11:08:22 AM PST by brytlea (Jesus loves me, this I know.)
[ Post Reply | Private Reply | To 5 | View Replies]

To: Ron C.

Thank you. This stuff really worries me more now because this year, for the first time, I have had 2 trojans that were a royal pain to get rid of. It seems to me that there has been an uptick in that stuff, but it may also just be that I’ve gotten dumber and somehow am not being careful.


15 posted on 02/19/2010 11:09:52 AM PST by brytlea (Jesus loves me, this I know.)
[ Post Reply | Private Reply | To 9 | View Replies]

To: ShadowAce

HOw would one pick it up?


16 posted on 02/19/2010 11:10:26 AM PST by brytlea (Jesus loves me, this I know.)
[ Post Reply | Private Reply | To 11 | View Replies]

To: brytlea

Unfortunately, the article didn’t say. Makes one wonder, doesn’t it?


17 posted on 02/19/2010 11:12:08 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 16 | View Replies]

To: ShadowAce

This sounds like this Russian is selling a program that is capable of hacking into someone’s system, via Firefox.

Is that not a computer crime? What possible legal use is the product this Russian is peddling??


18 posted on 02/19/2010 11:12:15 AM PST by Bean Counter (I keeps mah feathers numbered, for just such an emergency...)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bean Counter
What possible legal use is the product this Russian is peddling??

Security probing of networks. There are companies that offer their services to companies, offering to break into their network to check the network's security. This is usually done with the permission of the company and most of the time it is very much above-board.

19 posted on 02/19/2010 11:14:24 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 18 | View Replies]

To: foolishboi

I think it is just a better, trimmer build.


20 posted on 02/19/2010 11:17:49 AM PST by Mr. Jazzy ("I AM JIM THOMPSON and moderates make me PUKE!!!")
[ Post Reply | Private Reply | To 13 | View Replies]

To: Mr. Jazzy

Absolutely, something major was enhanced. I immediately noticed a speed improvement. Thanks for the link.


21 posted on 02/19/2010 11:21:01 AM PST by foolishboi (Under certain circumstances profanity provides relief denied even to prayer...... Mark Twain)
[ Post Reply | Private Reply | To 20 | View Replies]

To: Mr. Jazzy

Got it.


22 posted on 02/19/2010 11:30:35 AM PST by John W
[ Post Reply | Private Reply | To 8 | View Replies]

To: ShadowAce

OK, thanks. The article reads like he is selling something illegal or illegally, and I appreciate the clarification.


23 posted on 02/19/2010 11:31:12 AM PST by Bean Counter (I keeps mah feathers numbered, for just such an emergency...)
[ Post Reply | Private Reply | To 19 | View Replies]

To: ShadowAce
"We've played a lot with it in our labs - it was very reliable," Legerov wrote in an email to The Reg. "Works against the default install of Firefox 3.6. We've tested it on XP and Vista."

My question would be, does it work on real operating systems?

Linux and OSX come to mind.

24 posted on 02/19/2010 11:31:30 AM PST by zeugma (Proofread a page a day: http://www.pgdp.net/)
[ Post Reply | Private Reply | To 1 | View Replies]

To: zeugma

I tried Linux and gave it a fair chance. For the serious user Linux is more trouble than it’s worth. You need to have a lot of tinker time set aside.


25 posted on 02/19/2010 11:34:38 AM PST by foolishboi (Under certain circumstances profanity provides relief denied even to prayer...... Mark Twain)
[ Post Reply | Private Reply | To 24 | View Replies]

To: ShadowAce

Yes, altho I just assumed anyone in the know would know and people like me....well, we are just dumb!


26 posted on 02/19/2010 11:35:57 AM PST by brytlea (Jesus loves me, this I know.)
[ Post Reply | Private Reply | To 17 | View Replies]

To: foolishboi

Interesting viewpoint. When did you try it? I find it to be more useful than Windows in my work.


27 posted on 02/19/2010 11:36:31 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 25 | View Replies]

To: ShadowAce

I recently gave it a whirl in the last 2 months on one of my machines. Ubuntu and Mint didn’t do it for me. The biggest negative is that the hard drive can’t be imaged and reinstalled with both OS side by side.(unless I’m missing something) I found that if you don’t put them side by side all your windows drivers that are already there can’t be converted into Linux easily. So far anyway.


28 posted on 02/19/2010 11:43:04 AM PST by foolishboi (Under certain circumstances profanity provides relief denied even to prayer...... Mark Twain)
[ Post Reply | Private Reply | To 27 | View Replies]

To: foolishboi

That was last year...try Mint.


29 posted on 02/19/2010 11:47:33 AM PST by Ernest_at_the_Beach ( Support Geert Wilders)
[ Post Reply | Private Reply | To 25 | View Replies]

To: foolishboi

What is the requirement to convert the Windows drivers?


30 posted on 02/19/2010 11:49:02 AM PST by Ernest_at_the_Beach ( Support Geert Wilders)
[ Post Reply | Private Reply | To 28 | View Replies]

To: foolishboi
It is possible to install both Windows and linux on the same hard drive, but I've always found it easier to use separate drives, and run GRUB to choose either Linux or Windows.
31 posted on 02/19/2010 11:50:19 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 28 | View Replies]

To: Ernest_at_the_Beach

Mint is much more of a user friendly critter compared to Ubuntu, but still has it’s challenges.


32 posted on 02/19/2010 11:50:36 AM PST by foolishboi (Under certain circumstances profanity provides relief denied even to prayer...... Mark Twain)
[ Post Reply | Private Reply | To 29 | View Replies]

To: Ernest_at_the_Beach

Lots of intestinal fortitude and lots of patience. lol
Linux will convert drivers to a certain extent. BUT if it doesn’t you will need to learn a whole new language used in Linux. I’m taking it on as a challenge and with some free time I will plug along.


33 posted on 02/19/2010 11:55:03 AM PST by foolishboi (Under certain circumstances profanity provides relief denied even to prayer...... Mark Twain)
[ Post Reply | Private Reply | To 30 | View Replies]

To: foolishboi
Why not split the work load that does require Windows from a Machine that is used only for browsing....

You can control both from one terminal and keyboard with a KVM switch....

There might still be occasions where you would need to browse with the Windows machine...but over time perhaps those occasions could be reduced.

Dual booting is a pain.

34 posted on 02/19/2010 11:56:26 AM PST by Ernest_at_the_Beach ( Support Geert Wilders)
[ Post Reply | Private Reply | To 32 | View Replies]

To: ShadowAce

That is my next move. I will format my drive into separate partitions and see how that works for me.


35 posted on 02/19/2010 11:56:55 AM PST by foolishboi (Under certain circumstances profanity provides relief denied even to prayer...... Mark Twain)
[ Post Reply | Private Reply | To 31 | View Replies]

To: foolishboi
How to get started with Linux
36 posted on 02/19/2010 11:58:14 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 28 | View Replies]

To: foolishboi

That’s a lot of work...


37 posted on 02/19/2010 11:58:15 AM PST by Ernest_at_the_Beach ( Support Geert Wilders)
[ Post Reply | Private Reply | To 35 | View Replies]

To: Ernest_at_the_Beach

Yes it is, but my main concern is to be able to image my drives for quick fixes rather than complete re-installs should something go haywire. Better to re-image my drive after a mishap rather than spend days getting things back to the way I had them.


38 posted on 02/19/2010 12:05:13 PM PST by foolishboi (Under certain circumstances profanity provides relief denied even to prayer...... Mark Twain)
[ Post Reply | Private Reply | To 37 | View Replies]

To: ShadowAce

Thanks for the link. “Linux for Dummies” LOL

I will go over it this weekend.


39 posted on 02/19/2010 12:08:49 PM PST by foolishboi (Under certain circumstances profanity provides relief denied even to prayer...... Mark Twain)
[ Post Reply | Private Reply | To 36 | View Replies]

To: brytlea; Ron C.
re: No, you don’t need to do anything. Your copy of Firefox will automatically download and install (probably already has) all security updates. A major update was sent out two or three days ago.

Only if Firefox is set to download updates automatically. That option can be turned off. Please don't give advice like that unless you know how the person's computer is set up.

brytlea -- in Firefox, go to Help -> Check for Updates, and see what it tells you. If it says no new updates are available, you're up-to-date. Otherwise, you might need to download an update.

40 posted on 02/19/2010 12:11:57 PM PST by ken in texas
[ Post Reply | Private Reply | To 9 | View Replies]

To: ken in texas

Thank you. It did update this morning, I just didn’t know that covered this.


41 posted on 02/19/2010 1:13:11 PM PST by brytlea (Jesus loves me, this I know.)
[ Post Reply | Private Reply | To 40 | View Replies]

To: foolishboi; Ernest_at_the_Beach
Of course, if you're feeling really adventurous, you can try Suicide Linux.

I just wish there was a downloadable version. It could be fun.

42 posted on 02/19/2010 1:16:19 PM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 39 | View Replies]

To: ShadowAce

LOL...

I misspell a lot...I wouldn’t last long.


43 posted on 02/19/2010 1:47:07 PM PST by Ernest_at_the_Beach ( Support Geert Wilders)
[ Post Reply | Private Reply | To 42 | View Replies]

To: foolishboi
You need to have a lot of tinker time set aside.

How much time do you spend keeping up with anti-virus, anti-malware, registry cleaners, defragging, and all the other things that soak up your time if you're going to run windows successfully?

I'll admit, I tinker more than is necessary, but then I also live right on the bleeding edge with Fedora builds. For my work desktop though, where it's important to have it fully functional and working for me rather than the other way around, I spend a heck of a lot less time than I'm sure the vast majority of folks do on windows. Additionally, it truely works for me. I keep more stuff open all the time than most people can probably deal with, yet everything has its place. With 8 desktops, my browsers are always in the same place so I can get my work done quickly. My 80+ terminal windows can be opened with a single command, and I always know where my dev, test, and production boxes are. It is remarkably stable, and goes months without a reboot or even an X restart. I also have vmware sessions for testing particular environments safely and efficiently.

I could easily do the same thing at home, and in some ways I do. If I decide to upgrade my box, I can simply back up my /home partition and when I restore it, everything about my desktop is exactly the way it was before I did anything to it right down to my background and the way my file manager displays and deals with my viewing preferences for different directories.  The last time I had to rebuild someone's windows box it was a nightmare getting things even close to the way they preferred it. 

My time is valuable, so I prefer to spend it where I want to, rather than where Redmond dictates.

44 posted on 02/19/2010 7:27:38 PM PST by zeugma (Proofread a page a day: http://www.pgdp.net/)
[ Post Reply | Private Reply | To 25 | View Replies]

To: Mr. Jazzy

3.6 Crashed on me already.


45 posted on 02/19/2010 7:29:12 PM PST by Norman Greenbaum
[ Post Reply | Private Reply | To 8 | View Replies]

To: ShadowAce
Of course, if you're feeling really adventurous, you can try Suicide Linux.

 That was funny. Of course if your're not root, even the "rm -rf /" won't hurt as bad as it sounds.

46 posted on 02/19/2010 7:32:47 PM PST by zeugma (Proofread a page a day: http://www.pgdp.net/)
[ Post Reply | Private Reply | To 42 | View Replies]

To: Norman Greenbaum

Try Opera.

Decent browser and if you have the same issues with this one as with Firefox, the problem might be with computer.

http://www.opera.com/


47 posted on 02/20/2010 6:14:41 AM PST by Mr. Jazzy ("I AM JIM THOMPSON and moderates make me PUKE!!!")
[ Post Reply | Private Reply | To 45 | View Replies]

To: zeugma

Actually windows is not much of a challenge for me. Anti-virus installed and running automatically. Disk imaging running automatically making incremental back ups daily. Disk defrag running automatically once a month. Everything is on autopilot. I have no Windows worries. If my hard drive goes out I will take me 18 min to re-image a new 300 gig to the exact way I left it or to an earlier place in time all the way back it a fresh install.

As far as Linux machine is concerned in a workplace, it ALL depends on what you need the machines for and what type of software that is needed to be run on them. If you can get around using professional software, well God Bless, but in my line of work the Linux software availability is virtually non existent.

I have time to tinker because my windows machines need no attention whatsoever. I wanted to see for myself why some people were plugging Linux. For the most part I’m giving it an honest chance. So far I’ve concluded that’s it’s great to play with at home, but has not a chance of ever getting anywhere soon in a professional atmosphere. If all one needs is a browsing machine or something to run simple software repeatedly, Linux is well suited. If one needs a variety of softwares that in an ever changing environment need updating... well there is really no alternative to being on the windows train. Linux is far from entering the big league any time soon.


48 posted on 02/20/2010 5:45:02 PM PST by foolishboi (Under certain circumstances profanity provides relief denied even to prayer...... Mark Twain)
[ Post Reply | Private Reply | To 44 | View Replies]

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
General/Chat
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson