bit-tech.net

New Firefox vulnerability confirmed

The flaw in Firefox 3.5 - and the newly-released 3.5.1 - can lead to remote code execution due to a flaw in the Unicode text handler.

The first major security flaw in the release branch of Firefox 3.5 may have been fixed, but the fun isn't over yet: another serious flaw has been discovered in the browser.

Although Firefox was only recently updated to version 3.5.1, SecurityFocus is reporting a stack buffer overflow vulnerability which affects both the original 3.5 release of Firefox and the latest 3.5.1 release.

The vulnerability, which comes about from the software's Unicode text handling system, allows a remote attacker to execute arbitrary code simply by embedding it into a web site: as soon as the visitor hits the affected page, the software crashes – leading to a denial of service attack – and under certain conditions the code will be executed by Windows.

With a simple exploit already available, it's fair to say that if the ne'er-do-wells aren't already using this as an attack vector it won't take them long to wise up.

The vulnerability is the second in the last week to target the latest release branch of the popular open-source browser, and again there is no patch yet available from the Mozilla Foundation. Worse still, there appears to be no easy workaround for the issue this time – although once again something like the NoScript plugin would protect you from attack by untrusted pages, as the exploit relies on JavaScript in order to execute.

Are you starting to question just how much work was done checking the security of this latest Firefox branch or is the Mozilla Foundation just having a bad week? Share your thoughts over in the forums.

14 Comments

Tyrmot 20th July 2009, 10:28 Quote
Quote from Mozilla's VP of engineering:

"In the last few days, there have been several reports (including one via SANS) of a bug in Firefox related to handling of certain very long Unicode strings. While these strings can result in crashes of some versions of Firefox, the reports by press and various security agencies have incorrectly indicated that this is an exploitable bug."

i.e. there is a bug, but it's not exploitable - apparently it can just crash Firefox
impar 20th July 2009, 10:43 Quote
Greetings!
Quote:

Also, the article at Bit-tech lacks the link to this thread.

PS: Tyrmot was faster.
andrew8200m 20th July 2009, 12:15 Quote
And they most certainly will wise up if people such as yourselves keep broadcasting it over the internet! How stupid can people get? If things like this are wanted to be kept quiet to keep others safe from those who wish to do harm, why even mention it? It's basically an invitation to one of these sorts of people to be shown where the loopholes are and how to use them. Ridiculous!

Andy
bowman 20th July 2009, 12:49 Quote
Nothing ventured, nothing gained. The TraceMonkey JavaScript engine is new and needs to work out its kinks. Testing is fine but not enough people download betas and release candidates. Sometimes things just have to be dropped out and sink or swim. Then append floaties as needed afterwards. :p

As for andy..

http://en.wikipedia.org/wiki/Full_disclosure
andrew8200m 20th July 2009, 14:55 Quote
That's just ridiculous. Yes it may make the public aware but it also makes those who need not know (for obvious reasons) aware... where is the logic in that? Keeping everyone in the dark keeps those who shouldn't know in the dark. It's the safest bet so this "full disclosure policy" is somewhat flawed.

Andy
thehippoz 20th July 2009, 15:03 Quote
It's open source, Andrew.. if the security experts can find these bugs and point them out, so can anyone else for whatever reason. Just imagine what the experts don't find and puppetmasta does - he'll have his hand up your computer's ass in no time
Otto69 20th July 2009, 16:59 Quote
WTF, are people still using strcpy instead of strncpy, or is this some new class of buffer overrun?
asadotzler 20th July 2009, 17:04 Quote
"The vulnerability, which comes about from the software's Unicode text handling system, allows a remote attacker to execute arbitrary code simply by embedding it into a web site: as soon as the visitor hits the affected page, "

This is absolutely false. This is not a security vulnerability. It does not allow for any code execution.

"With a simple exploit already available, it's fair to say that if the ne'er-do-wells aren't already using this as an attack vector it won't take them long to wise up."

There is no exploit available. That's just a simple browser crash and there's no evidence that it's exploitable. None. All evidence points to just the opposite, that it's not exploitable.

http://blog.mozilla.com/security/2009/07/19/milw0rm-9158-stack-overflow-crash-not-exploitable-cve-2009-2479/
Nicb 20th July 2009, 17:50 Quote
I'm all for security update news. People that know how to exploit the newest Ver. of browsers do not depend on the news to find out. They simply just run through their library of vulnerability test of code, malware, adware, bla bla bla.

This article has personal assumptions that falsely imply that this is harmful to users. It's a bug not a vulnerability. Programs crash when they cannot complete a process. I don't like scaring people over nothing. This is for the most part the wrong community to shove PC fears down our throats. These articles are for a different audience.

“People are stupid. They will believe a lie because they want to believe it’s true, or because they are afraid it might be true.”

– Wizard's First Rule, by Terry Goodkind

You know what Bit-Tech members would really think was cool??? If you found articles like the one you just wrote and then called it BS, and then counteracted it with words similar to the comments that we have. I'm not being sarcastic, I would seriously love to see that.

That's what this community is all about: learning and knowing what others don't. Because of that, by our nature we will always question what is being said.

Gareth, I'm a big fan, this is just a little criticism, nothing else.
Gareth Halfacree 20th July 2009, 20:11 Quote
Quote:
Originally Posted by Nicb (and echoed by others)
This article has personal assumptions that falsely imply that this is harmful to users. It's a bug not a vulnerability.
No personal assumptions on my part - I was going by a SecurityFocus posting which claimed that it was remotely exploitable. There's even an exploit linked to in the article. I see that the posting has now been modified, but at the time of writing it claimed both denial of service and code execution capabilities.

The Google cached copy - which still shows the original version - is available here: http://209.85.229.132/search?q=cache:ZaODIeala_AJ:www.securityfocus.com/bid/35707/discuss+http://www.securityfocus.com/bid/35707/discuss&cd=1&hl=en&ct=clnk&gl=uk&client=firefox-a

For when that gets updated, here's a picture: http://www.mobypicture.com/user/ghalfacree/view/364722

Without the time to test to see if the exploit did what the SecurityFocus posting claimed, I could only go on the evidence presented: at the time of writing, Mozilla - as far as I'm aware - had not repudiated the claims.

Criticism noted, however - and taken on board.
Nicb 20th July 2009, 21:35 Quote
aaahhhh. Well the switch up really got us going. Haha

You think they would be more hesitant to put up the word "vulnerability", "execute code", "attack", until they had solid evidence.

To each his own......... browser. :)
Gareth Halfacree 20th July 2009, 22:06 Quote
Quote:
Originally Posted by Nicb
To each his own......... browser. :)
Aye - you'll notice the browser I'm using in the screenshot... ;)
Nicb 20th July 2009, 22:21 Quote
Haha yeah I notice now.

I've played around with other browsers but I find FF better suits me because of how far you can customize its security. You can really get underneath the hood and make it your own, plus there are also some good add-ons. I believe no browser is good to use if it is left at default, untouched.

To me Firefox gives you back the Linux feel in windows.
BLC 21st July 2009, 10:30 Quote
Quote:
Originally Posted by andrew8200m
That's just ridiculous. Yes it may make the public aware but it also makes those who need not know (for obvious reasons) aware... where is the logic in that? Keeping everyone in the dark keeps those who shouldn't know in the dark. It's the safest bet so this "full disclosure policy" is somewhat flawed.

Andy

It's a difficult balance. On the one hand, you risk increasing the potential for exploitation by exposing the flaw to the world + dog, but on the other hand you risk malicious parties discovering it and also keeping quiet, whilst silently infecting millions of machines.