Posted on 02/19/2010 10:40:03 AM PST by ShadowAce
A Russian security researcher on Thursday said he has released attack code that exploits a critical vulnerability in the latest version of Mozilla's Firefox browser.
The exploit - which allows attackers to remotely execute malicious code on end user PCs - triggers a heap corruption vulnerability in the popular open-source browser, said Evgeny Legerov, founder of Moscow-based Intevydis. He recently added it as a module to Vulndisco, an add-on to the Immunity Canvas automated exploitation system sold to security professionals.
"We've played a lot with it in our labs - it was very reliable," Legerov wrote in an email to The Reg. "Works against the default install of Firefox 3.6. We've tested it on XP and Vista."
The report comes as Mozilla pushed out a Firefox update that tackles three critical vulnerabilities in version 3.5.7. One of those bugs is also described as a heap corruption vulnerability, but Legerov said the flaw is different from the one his code exploits.
Mozilla issued a statement that read in part: "Mozilla takes all security vulnerabilities seriously, and have as yet been unable to confirm the claim of an exploit. We value the contributions of all security researchers and encourage them to work within our security process, responsibly disclosing vulnerabilities to ensure the highest level of security and best outcome for users."
Legerov said his firm does not provide advanced notification to software makers under an arrangement often referred to as responsible disclosure.
If Legerov's claim pans out, it would be one of the few times in recent memory that a zero-day vulnerability for Firefox has circulated in the wild. While the exploit is currently available only to those who pay a hefty licensing fee, wider circulation can't be far behind. This story will be updated as more is learned.
More about the bug is here and here. ®
I am pretty much stupid about this stuff, but use Firefox. What does this mean for me? Do I need to do something?
I am pretty much stupid about this stuff, but use Firefox. What does this mean for me? Do I need to do something?
3.5.8 came out today, at least it did when I first opened Firefox this morning.
Sorry, dude, that makes you no different than any other scumbag, black-hat hacker in my book.
Firefox 3.6 is out now.
Use the HELP tab and CHECK FOR UPDATES or here is a link to the download.
No, you don’t need to do anything. Your copy of Firefox will automatically download and install (probably already has) all security updates. A major update was sent out two or three days ago.
Ok let me get this straight. A “security researcher” releases code that is toxic to a browser? I have always suspected that the anti virus people and the hackers are one and the same. They run a protection racket. Anything here that I’m missing? Believe me I don’t claim to understand the world of IT, but this seems to confirm what Ive always suspected to be true. Am I right?
Of course, there is no verifiable instance of it occurring yet, but give it some time.
Sure seems like it. I don’t normally run AV, though.
Is it just me or does 3.6 seem to run much faster?
Oh, yeah, I forgot there was an update I downloaded this morning. Good!
Thank you. This stuff really worries me more now because this year, for the first time, I have had 2 trojans that were a royal pain to get rid of. It seems to me that there has been an uptick in that stuff, but it may also just be that I’ve gotten dumber and somehow am not being careful.
HOw would one pick it up?
Unfortunately, the article didn’t say. Makes one wonder, doesn’t it?
This sounds like this Russian is selling a program that is capable of hacking into someone’s system, via Firefox.
Is that not a computer crime? What possible legal use is the product this Russian is peddling??
Security probing of networks. There are companies that offer their services to companies, offering to break into their network to check the network's security. This is usually done with the permission of the company and most of the time it is very much above-board.
I think it is just a better, trimmer build.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.