Firefox zero-day vulnerability (or is it?)



I saw a comment somewhere else that zero-day was overused and in essense ANY previously unknown vulnerability in open source software is technically zero day… the intent here though is to use the word in this context…. “vulnerability has been released without giving the vendor an opportunity to patch…” Yes, the fun vulnerability weekend seems to be continuing – there’s a javascript zdnet has coverage it’s “impossible to patch” (?) from the individuals that have publicized it. The announcement came at Toorcon.


It affects firefox on all Operating Systems it looks like and can allow for remote code execution. The only workarounds suggested are the noscript extension and the possibility of browsing in a Virtual Machine.

(10/2/06 update)

It’s starting to look like THIS story may be falling apart….

The main purpose of our talk was to be humorous.

As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.

I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code.

I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.

I apologize to everyone involved, and I hope I have made everything as clear as possible.
Sincerely,
Mischa Spiegelmock

So, currently – the only flaw seems to be a remote browser crash. Still an issue, but not as bad as first claimed. Stay tuned.

–Update 10/3/06–

Now, I’m not prepared to say don’t worry about this…. as incidents.org notes DoS attacks against IE in the past have had a tendency to resurface as remote code execution vulnerabities…. so I wouldn’t be quite content with where things stand at the moment. That much said, there are many reports out now that this is a hoax.

Right now, I can say that the code presented at Toorcon apparently only leads to DoS and there have been no verifications of “30 exploits” for firefox’s javascript.

So, is firefox impervious to any and all web attacks – NO, just like any other software it has flaws, but the truth be told this does NOT appear to be the big problem we were initially led to believe. The SecurityFix has an angle on this that isn’t being covered too many other outlets. “We pretty much just wanted to have fun up there” and some other notes about their presentation and “research” on the flaw.

This leads me to conclude that they’ve pretty much succeeded in some ways towards one thing that they apparently urged people to do….

They ardently urged those in attendance to use their knowledge to “ruin things” as much as possible for Internet users.

The story of the boy that cried wolf comes to mind, ultimately crying wolf when there was none left the town defenseless when the wolf REALLY arrived. The same with computer security, we all lead busy lives and it’s important that if there’s a security problem it’s not a “crying wolf” incident. Too many incidents of JUST crying wolf over nothing and people ignore the warnings more and more. In fact, I think one reason many “average” people have such a hard time keeping their computers updated/antivirus up-to-date is the fact that there is just TOO much to keep up with. Windows, Office, Quicktime, Real player, Firefox, OpenOffice.org, AOL, Antivirus software, not to mention all the other add in toolbars and applications that people typically install. ALL these need to be kept up with updates and for many users you’ll find AT LEAST the list above installed on the system. Not to mention third party software that came with printers, digital cameras, etc. MANY times those 3rd party applications will act as a web client of sorts as well (for update notifications or who KNOWS what.) Add in to that the driver layer, like the Intel wireless drivers of recent note.

What they’ve done is muddy the waters and perhaps one more person has tuned out at this point, they found out firefox wasn’t safe and maybe it was a hoax, but many have the attitude they have nothing anyone would want to take anyway so they shouldn’t worry about computer security.

That much said, DoS vulnerabilities should be investigated and fixed, but this wasn’t quite the boogeyman it was built up to be.

   Send article as PDF   

Similar Posts