September 30, 2006 10:57 PM PDT

Hackers claim zero-day flaw in Firefox

Last modified: October 3, 2006 3:40 PM PDT

update SAN DIEGO--The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon.

An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.

"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it.


The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting language widely used on the Web. In particular, various programming tricks can cause a stack overflow error, Spiegelmock said. The implementation is a "complete mess," he said. "It is impossible to patch."

The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation Saturday night. "What they are describing might be a variation on an old attack," she said. "We're going to do some investigating."

Snyder said she isn't happy with the disclosure and release of an apparent exploit during the presentation. "It looks like they had enough information in their slide for an attacker to reproduce it," she said. "I think it is unfortunate because it puts users at risk, but that seems to be their goal."

At the same time, the presentation probably gives Mozilla enough data to fix the apparent flaw, Snyder said. However, because the possible flaw appears to be in the part of the browser that deals with JavaScript, addressing it might be tougher than the average patch, she added. "If it is in the JavaScript Virtual Machine, it is not going to be a quick fix," Snyder said.
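What a JavaScript "stack overflow" looks like from the script side, as an added example that is not from the article, from Mozilla or from the ToorCon presenters (their attack code was never published, and nothing here makes any claim about it): a JavaScript engine counts call depth and aborts runaway recursion with a catchable error, whether the recursion runs purely through script or re-enters the engine through a native conversion such as String(). The distinction a practitioner cares about is between that guarded, recoverable failure, which is at worst a denial of service, and a code path that exhausts the native stack without the guard firing; nothing below does the latter. The example assumes a modern engine: V8 (Node.js, Chrome) throws RangeError "Maximum call stack size exceeded", while SpiderMonkey throws InternalError "too much recursion", so the classifier accepts both. The depthOf walker at the end is the defensive counterpart for code that processes untrusted nested data; its nested sample inputs are constructed for this example.

```javascript
// Added example, not code from the article or from the ToorCon presenters.
// It shows the benign face of a JavaScript "stack overflow": the engine
// tracks call depth and stops runaway recursion with a catchable error.

// Unbounded recursion straight through script: every engine must stop this.
function recurseForever(depth) {
  return recurseForever(depth + 1) + 1; // "+ 1" keeps this from being a tail call
}

// Recursion that re-enters the engine through a native conversion (String()
// invoking a user-defined toString). Script -> native -> script transitions
// are where depth accounting has historically been easiest to get wrong, so
// this path is worth probing separately from plain script recursion.
function recurseViaToString() {
  const obj = {
    toString() {
      return String(obj); // native String() calls this method again
    },
  };
  return String(obj);
}

// Assumption: V8 reports the recursion guard as RangeError, SpiderMonkey as
// InternalError "too much recursion". Either is the engine's own guard, not
// memory corruption; anything else is an ordinary application error.
function classify(e) {
  const msg = e && e.message ? e.message : String(e);
  if (e instanceof RangeError || /recursion|call stack/i.test(msg)) {
    return "recursion-guard";
  }
  return "other-error";
}

// Run a function and report how it ended.
// Returns { outcome: "returned" | "recursion-guard" | "other-error", message }.
function probe(fn) {
  try {
    return { outcome: "returned", message: String(fn()) };
  } catch (e) {
    return { outcome: classify(e), message: e && e.message ? e.message : String(e) };
  }
}

// Defensive counterpart: code that walks untrusted, possibly cyclic or deeply
// nested data should enforce its own depth limit and detect cycles instead of
// leaning on the engine's last-resort guard. Returns the deepest nesting level
// reached (0 for a primitive), or throws an ordinary Error the caller can handle.
function depthOf(value, limit = 1000, seen = new Set(), depth = 0) {
  if (depth > limit) {
    throw new Error(`nesting exceeds limit of ${limit}`);
  }
  if (value === null || typeof value !== "object") {
    return depth;
  }
  if (seen.has(value)) {
    throw new Error("cycle detected");
  }
  seen.add(value);
  let max = depth;
  for (const key of Object.keys(value)) {
    max = Math.max(max, depthOf(value[key], limit, seen, depth + 1));
  }
  seen.delete(value);
  return max;
}

// Constructed sample input: `levels` wrapper objects around { leaf: true }.
function buildNested(levels) {
  let node = { leaf: true };
  for (let i = 0; i < levels; i++) {
    node = { child: node };
  }
  return node;
}

function demo() {
  return {
    direct: probe(recurseForever).outcome,                         // "recursion-guard"
    viaToString: probe(recurseViaToString).outcome,                // "recursion-guard"
    shallow: depthOf(buildNested(10)),                             // 11
    tooDeep: probe(() => depthOf(buildNested(5000), 1000)).outcome, // "other-error"
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Run it with `node` to see the four outcomes. The point of the two probes is that an engine whose guard fires on both paths turns the "stack overflow error" of the talk into a thrown exception rather than a crash; the depthOf walker shows the limit an application should impose on its own input so that it never reaches the engine's guard at all.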

The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding onto the bugs.

Jesse Ruderman, a Mozilla security staffer, attended the presentation and was called up on the stage with the two hackers. He attempted to persuade the presenters to responsibly disclose flaws via Mozilla's bug bounty program instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets.

"I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," Ruderman said.

The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet. We're setting up communication networks for black hats," Wbeelsoi said.

Since the presentation, Spiegelmock has backpedalled on the zero-day claims. In a note posted to the Mozilla Web site on Monday, he says that he was never able to exploit the supposed vulnerability to hijack computers.

103 comments (showing first 20)
ExecShield, SELinux?
by macemoneta September 30, 2006 11:19 PM PDT
There have been a number of zero-day flaws reported, but (so far) these have been prevented from being effective by either ExecShield or SELinux or both. For example, the recent exploit that compromised the Debian servers would have been prevented.

The article doesn't mention whether this is true for this exploit. I run a distribution that has both facilities (Fedora Core), and I'd suggest that anyone that is interested in the security of their system find a distribution that provides these great tools.

There are hundreds of Linux distributions, and security is not a primary concern for many of them. Choose wisely.
NoScript extension for Firefox
by david.donoho October 1, 2006 2:16 AM PDT
I have been using the NoScript extension for Firefox and Seamonkey. It allows you to select those sites that you trust to use javascript. CNET is one of the sites on which I allow javascript to run. I hope my trust is not misplaced :)

http://www.noscript.net/whats
Yea...
by PCCRomeo October 1, 2006 8:30 AM PDT
Obviously so because 90% of the time it crashes when you try and run JavaScript.
People Still Use Firefox?
by Mephux October 1, 2006 8:30 AM PDT
wow, didn't know that. Anyway, the whole application as a whole needs to be reprogrammed. I was really disappointed with the outcome of the software. It just really does not compete anymore. Oh and get a Mac!
Whoa !
by Jon N. October 1, 2006 9:29 AM PDT
Well, I for one, am getting tired of people calling these things "flaws"! They are not "flaws" but "vulnerabilities", "discovered vulnerabilities", or "created vulnerabilities". They would not exist if it weren't for some quasi-intelligent jackass, or some underworld pinhead attempting to write code to exploit them and attempt to bot, or compromise our systems, and attempt to steal I.D.'s. It's time for Draconian measures against "created vulnerabilities". If you posted to this blog, you too were using Java and Javascript to chime in. Now our 1st Amendment voices are at risk. We chime in to express ourselves, and that creates a bot condition that can possibly create my own Identity Theft? We need to quickly find these punks, and bring them to justice! Again, they're not "flaws" they're "vulnerabilities". Sheeeeesh!
AppArmor
by _dietrich October 1, 2006 10:06 AM PDT
Not an issue--just run AppArmor in SUSE 10.1 and you have a 'sandbox' around it.

OK thanks. Later!
exploit in vista?
by arzynik October 1, 2006 1:50 PM PDT
Does anyone know if this stack overflow in FF can be exploited in Vista? Vista is a piece for security but it generally makes these kind of holes much more difficult to exploit.

I see a lot of flaming in the talkback on this subject as arrogance seems to attract arrogance. It would be nice to get some clarification on this subject instead of more gunfire.
heh
by james2vegas October 1, 2006 5:25 PM PDT
pretty rich that someone who works at sixapart calls someone else's code "a mess".
Or you could use emulation
by hybris06 October 1, 2006 6:45 PM PDT
Or you could run a virtual OS and run firefox in it.

Whenever I search for something which might lead to questionable websites, such as ed2k links, I use Virtual PC and use Firefox for the search.
I wonder?
by System Tyrant October 1, 2006 7:22 PM PDT
I was reading that the "hackers" basically showed how to exploit the hole. I might have missed this, but did the "hackers" give Mozilla any advance warning or notification?

It's my understanding that for the most part those who find flaws in software generally try to give the software maker time to fix the problem before going public. Maybe I missed it in the article. I say it's not fair, but then again if a bad guy was the one that found the code exploit then all bets would be off.

I'm finding that most of these hacker security guys and many developers are little more than babies. Always trying to show up the next guy.

I use Firefox and I use Opera. I would love to own a Mac and I don't like Microsoft. I'm biased and opinionated. I'm just like everybody else. Unlike most I feel like everybody is in the wrong. All these people quick to point out a problem and lay blame on everybody else, but too useless to help find a solution. Those who stand by ******** about problems, but never looking for the solution are just a bunch of useless people.
About the flaw . . .
by K.P.C. October 2, 2006 5:50 AM PDT
Is this the same "zero-day" exploit being used against I.E.? Can it or is it also being used against other browsers - Safari, Opera, etc.?

Regarding the "Flamer" and the pissing contest that ensued: I learned at a very young age that "if you **** on a fire, you stink up the whole camp". Best to keep it zipped or go find some shrubs if ya REALLY gotta go ;-)

Regarding arrogance & snobbery: There are arrogant snobs in ALL the camps - Mac, M.S. & Linux. One calling the other such is the proverbial "Pot calling the Kettle black". Or even worse, just think back to those kindergarten days when the arguments resorted to "So am I but what are You?"
FireFox, IE, Whatever. Browsers are targets...
by fred dunn October 2, 2006 6:52 AM PDT
You can side with one browser or another, that's your choice. But what it comes down to is this:
The most popular browsers are going to be targets, PERIOD.
This does not make them bad products nor does it indicate their developers are inept.
People get a grip, coding anything these days no longer involves cheat sheets to CPU instructions and hand coding machine code byte by byte. It involves libraries, compilers, frameworks and IDEs. All of which by themselves can introduce security issues.
If you want to nail someone or something for security flaws then start at the right place, the development tools.
These bozos should go to jail
by aabcdefghij987654321 October 2, 2006 9:07 AM PDT
It's obvious they are there to brag about what they know and not to help solve the problem. Their statements should be enough to provide grounds for a search warrant to seize and examine all of their computer systems.

Like thieves everywhere they try to justify their actions with a lame excuse (providing black hats with places to meet?!) ignoring the simple fact that their own machines could be used for that purpose instead of stealing from others.
get Oxygen browser, be Hack free
by Sea of Cortez October 2, 2006 9:37 AM PDT
That is why I only use Oxygen browser from Netdive. It may be old. But in 4 years of using it myself and everyone else in our company, we have not had one, NOT even ONE, Virus or Hack getting through it. It is one of my favorite software products to use, you should try it too, it is here:
http://www.netdive.com/htms/products.htm
I swear if it was not for this Oxygen browser, I think I would have thrown my PC out of the window 10 times already :)
Because whenever I switch to IE or FFox, it seems it is a matter of weeks before something nasty afflicts my PC. And then I am back to only using Oxygen to be able to access the web free of whatever crap that IE or FFox brought down onto my PC.
Well this is my 2 cents :)
Cheeriooo,
Secure your browser
by Seaspray0 October 2, 2006 9:57 AM PDT
Believe it or not, many browsers do have the ability to set what your browser will and will not do. There are browser settings that will turn on/off active-x, java scripting, cookie handling etc. The more restrictive you make the settings, the more secure your computer will be against an attack. You also restrict what features webpages can do in your browser and there may be websites you trust where you wish to have these features. Most people will lower their settings for these sites and leave them that way when they browse the rest of the internet, going to "unknown" sites. This is a bad security risk and entirely your responsibility since you were given the ability to set the level of security. You may not wear a condom when you have sex with your spouse, but go to the local hooker without a condom and you can get infected with nasty diseases. It's the same way on the internet.

I haven't found similar settings in firefox yet, but IE does also have the ability to set security for different "zones". I'm hoping firefox does have this ability. What it comes down to, is being able to divide the internet into separate zones that you can define and being able to set the security level different for each zone. For those zones you trust, you add the website to the zone and set the security to the level you need to allow the features you want. For those websites not defined in your trusted zone, they fall under the general internet zone where you set the security much, much higher. It's like having a condom put on automatically just for the hookers.

Ok, so the hooker analogy is crude, but it does emphasize a point and I only use it to emphasize the importance of protecting your computer from viruses, trojans, etc. Secure your computer browser.
Six Apart better fire this guy
by Hardrada October 2, 2006 10:20 AM PDT
According to the article one of the hackers, Mischa Spiegelmock, works for the blogging company Six Apart. I wonder how their business customers would feel knowing that they are providing employment to a hacker who is "setting up communication networks for black hats". Would they feel comfortable using software developed by a company whose employees are helping criminals compromise the security of their networks by providing them detailed information about how to exploit browser security flaws but refusing to provide the same information to the browser vendors? I sure wouldn't.

Mischa and his buddy sound like a couple of immature punks who don't mind screwing over millions of innocent computer users for the sake of gaining prestige within the hacker community. If Six Apart is smart they will fire this guy. I hope they lose a lot of business until they do.
All Hearsay thus far...
by Penguinisto October 2, 2006 12:11 PM PDT
http://www.securityfocus.com/bid/20282/discuss

...even the vuln DB and Bugtraq are empty of details.

Methinks there is more noise than toys in this case. I'll wait and see if anything actually comes of it, or if it's just someone trying to see just how little they can actually prove while making themselves look good.

/P
does this affect flock?
by careysizer October 2, 2006 3:03 PM PDT
are these exploits likely to work on flock?
Shame
by Mendz October 2, 2006 3:49 PM PDT
For something that claims to be more secure than IE, it's definitely breaking a lot of promises.

Shame on those who so blindly defend a product just as flawed... But at least Firefox does not crash compared to IE7. Ha!

So far, Opera is still cleaner. But it gets slower to launch every new version. I wonder about version 10...
Those two
by Lindy01 October 2, 2006 7:56 PM PDT
girls need to be flogged. What total anti-social punks. I wish them much misfortune in their lifetimes.....to say the least.