Topic: Hackers claim zero-day flaw in Firefox

Marc57
Hackers claim zero-day flaw in Firefox
« on: October 01, 2006, 08:59:40 AM »
http://news.com.com/Hackers+claim+zero-day+flaw+in+Firefox/2100-1002_3-6121608.html?tag=html.alert

"An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said."


Be careful out there everyone.
« Last Edit: October 01, 2006, 09:01:14 AM by marc57 »
You Wanted the Best You Got the Best the Hottest Band in the World KISS!!!

polonus
Re: Hackers claim zero-day flaw in Firefox
« Reply #1 on: October 01, 2006, 04:21:36 PM »
Hi marc57,

Yes, this is an oldie actualized again, and again it is malicious JavaScript code: the use of JavaScript "OnKeyDown" events to capture and duplicate keystrokes from users. Cybercrooks then filter keystrokes entered into a form to an invisible cloaked filter upload. The full disclosure info can be found here:
http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046610.html
Conclusion: when you do not use JavaScript as a rule (NoScript extension activated in Firefox or Flock), you do not run any risks. The 10 year old JavaScript is ready to be overhauled, because it becomes insecure to use it. Updating your Sun Java is advisable, but in the light of 0-day exploits, use it as sparsely as possible. Weak websites can be hacked, online games where you give a lot of keystrokes can be maliciously fiddled with. Scan your sites, so search through www.scandoo.com, and better still actually scan the unknown link with DrWeb's anti virus link scanner extension or plug-in on IE, FF, Flock or manually installed into Opera.
Remember, maliciously invaded websites are the main malware vector today, take your measures and let Avast protect your browser as well, instructions on the Avast homesite: http://www.avast.com/files/tutorials/ws_ffproxy.htm

polonus
« Last Edit: October 01, 2006, 06:36:32 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

dk70

  • Guest
Re: Hackers claim zero-day flaw in Firefox
« Reply #2 on: October 01, 2006, 09:11:40 PM »
Hyper-paranoia is one solution  8) A more practical type of paranoia is to use Branch builds of Firefox 2.0. Only way to get the latest fixes, which sometimes include security patches.

Strange that just today there are some secret entries...

#353249 [Core:JavaScript Engine]-(undisclosed security fix) [All]
#354750 [Core:JavaScript Engine]-(undisclosed security fix) [All]
#354924 [Core:JavaScript Engine]-(undisclosed security fix) [All]

Hard to test, at best these are probably alpha-patches, and the Mozilla dude did not encourage them to take the 500$ in return for full disclosure because of curiosity. However, keep an eye on Bugzilla and update Firefox daily.

http://forums.mozillazine.org/viewforum.php?f=23

The reason you know about this is bugs were presented on a stage with cameras and microphones! Mozilla security dudes sitting right next to "hackers". I'm guessing the same people who have tried to do some quick alpha fixes  8) When bugs are out in the open, more or less, they also get fixed, worry more about those not born on a stage - though I still think turning off JavaScript is a big inconvenience, as is NoScript. No reason to assume the worst for normal user but of course flaws should not be neglected, not the case here either. Most security bugs you see fixed on for example Bugzilla do not end up there because security of 100000 people has been violated but because in theory it is possible.

If every single theoretical security flaw is a major security risk for browsing outside test-pages only solution is to turn off javascript, java, flash etc. - only way no matter browser. Safe today does not mean safe tomorrow or assume the worst.

polonus
Re: Hackers claim zero-day flaw in Firefox
« Reply #3 on: October 02, 2006, 12:50:57 AM »
Hi dk70.

I am not doubting for a second the coding abilities of the FF or Flock coding geeks, and how they try to make these browsers safer. But it cannot be denied that the functionality of JavaScript can be used maliciously as a vector for malware, as are i-frames, as will be almost certainly Ajax etc. As a member of the Flock security community I know what this is about.

I am not paranoid when I scan my searchlinks before clicking them. I am not paranoid when I scan a link with DrWeb av link checker before downloading something or saving something from a website that I do not know. I am not paranoid having the Avast Webshield inside the browser running.

Web browsers are a main vector of malware, and secure procedures are a way of avoiding loading malware onto your machine, it is an attitude, and it has paid out for me, as it will pay out for a lot of surfers on the Internet when they learn how they have to adapt to in-browser security. Solely relying on the secure coding of browser security folks and programmers is forgetting about one's responsibility. Paranoia is not part of this.

polonus

dk70

  • Guest
Re: Hackers claim zero-day flaw in Firefox
« Reply #4 on: October 02, 2006, 02:52:50 AM »
Some say the more popular Firefox gets the more exploits. Let's see... Why assume Mozilla will patch in MS tempo? Why assume they might even lose interest for product, like MS. Why assume these exploits will be much more than see what I can do? Exploits need to be taken advantage of - no direct line between a hole and actual damage due to using Firefox or any other browser. I take it easy  8) There are a gazillion of pages which will never use malicious JavaScript code, don't forget that. If sites are hacked I believe we talk about server security. Browser is only top of the cake.

If you really believe computer/browser will be compromised if you turn off NoScript then you either visit some exotic sites or are overprotective.

You are right of course, barricading yourself will always work. How can it not? IE has also been pretty much 100% safe for years - with the right setup. Just don't expect that many to pick up same attitude, not how people use computer/browser. Even if you have tiptop security there seems to be little difference to giving up - or having no trust. Web is not that bad. Also don't forget with IE7 and Microsoft's increased interest for security products you have 3 companies with claimed focus on safe browsing. MS can now start bragging, a little. Not one of them can relax. Exploits hitting worldwide I would like to see before I believe it.

You can also hear some Mozilla fanboys saying there is no way they will use IE7 because of IE6 and general not trusting Microsoft - even though running their OS! Maybe they have forgotten IE7 eventually will be mandatory update. Anyway, nobody knows history of IE7, wait 6-12 months time. Nothing hints it won't look good, same as nothing hints Firefox has not been practically without risks since forever. I don't know how much protection a little browser is supposed to deliver. I think phishing control is stretching it.

Smith

  • Guest
Re: Hackers claim zero-day flaw in Firefox
« Reply #5 on: October 02, 2006, 07:29:31 AM »
I switch to any browser that satisfies my purpose depending on what I am doing.

For me, one of the problems with IE and OE is that they are historically heavily integral to Windows, which is part of the reason I wouldn't like them to communicate with "strangers." If they are exploited, it can also mean the exploitation of the OS itself. This is why IE and OE are not allowed to access the net by my personal firewall. Of course, I use a browser with IE-engine, which can be replaced by IE7 if it becomes a part of Windows Update. However, till that time, I'd like to have some options of IE7-based browsers. For I like to have customizable tools fit my needs.

The world is filled with the probability and we are not certain of which option turns out to be "successful."  So, sometimes, it is better for us to choose different ways.  In fact, keeping varieties is what we have been doing even at DNA level.

dk70

  • Guest
Re: Hackers claim zero-day flaw in Firefox
« Reply #6 on: October 02, 2006, 11:46:31 AM »
Well yes but the idea behind making Firefox in the first place is certainly not to make it harder to browse safely. More like the opposite. Which is also why there is every reason to believe problem will be dealt with - they don't have history of zzzzzz I think. If exploit is severe and relevant and they go "in due time" they have big problem - for now it is just business as usual. There will be more.

If those 2 clowns today say "oh did we forget to tell you it works even better on IE7?" there is yet another headline. I don't think they are suited for frontpage on popular websites.
« Last Edit: October 02, 2006, 11:49:12 AM by dk70 »

Smith

  • Guest
Re: Hackers claim zero-day flaw in Firefox
« Reply #7 on: October 02, 2006, 01:34:15 PM »
Quote
If those 2 clowns today say "oh did we forget to tell you it works even better on IE7?" there is yet another headline. I dont think they are suited for frontpage on popular websites.

No, I see four clowns here, repeating the same old farce till the moderators close the thread but, at least, one of the clowns will leave the stage now. ;)

polonus
Re: Hackers claim zero-day flaw in Firefox
« Reply #8 on: October 02, 2006, 04:20:47 PM »
Hi dk70,

I value your point of view. It is clear and has quite some substance. What in your opinion then is the best way to steer away from this?  How to make the browsers and the Internet substantially more secure? Lies the answer in coding with security at heart? Is the answer making spyware go away (making it less attractive for legit money to invest in it?), but without ad-money the whole structure is changing. Or does the browser owner have to come up with measures to make his browser into a bastion? Questions, questions, where I cannot give a pre-cooked answer.

I at one point like to believe in in-browser security, because I can apply that myself, because I realize that some factors that create the malware vectors cannot be influenced and won't go away, just like spam is not likely to go away if some keep on tolerating it. Interested to hear what you say,

polonus


FreewheelinFrank
Re: Hackers claim zero-day flaw in Firefox
« Reply #9 on: October 02, 2006, 06:54:01 PM »
Quote
An overflow of stories concerning an alleged Firefox 1.5 exploit hit the Web over the weekend, emerging from an underground users' conference in San Diego. But after the dust has begun settling, evidence of the exploit's severity and even existence has yet to materialize from official sources, including the Mozilla organization responsible for Firefox's development.

Quote
In any event, characterizations of the apparently uniquely prepared exploit as "unpatchable" have spread faster than the average zero-day, without the aid of a professional security advisory to push it along.

http://www.betanews.com/article/Alleged_Unfixable_Exploit_in_Firefox/1159803553
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

polonus
Re: Hackers claim zero-day flaw in Firefox
« Reply #10 on: October 02, 2006, 07:55:17 PM »
Hi FwF,

This is to demonstrate we live in the days of Web 2.0, and that is exactly what it means, hype and twists, information and dis-information. Apart from the fear-mongering some facts are standing up-right. Not that I would not like to use the browser without NoScript active or fear every yellow search result on a scandoo.search result page. But whenever in-browser security is available, and it works for ye, why don't use it sensibly? I cannot see if in-browser security is there, it is not good to have it just a fingertip away? Same with in-browser scanning?
If you have not heard about it, surfing taking risks on a default as it comes browser, unpatched one even, then you are "slightly" more at risk. Or am I wrong here?

polonus
« Last Edit: October 02, 2006, 07:57:24 PM by polonus »

dk70

  • Guest
Re: Hackers claim zero-day flaw in Firefox
« Reply #11 on: October 02, 2006, 08:36:34 PM »
Update software polonus then you are safe - or are using wrong software. Use software from companies you trust - open source is not so bad when it comes to security. Can act quickly and not hide. And don't visit crack/warez/porn sites of course. Probably the most effective advice ever.

You are already skeptical and check every link, I'm not sure it is possible to infect your computer. Not even if you dumped NoScript and what else you got. No reason to assume the worst. Which is what NoScript does. In the end not a solution except for the individual. Btw, Firefox has a hidden feature, almost the same as NoScript or IE's zone policy - check this http://piro.sakura.ne.jp/xul/_policymanager.html.en Not updated since long but maybe it will work.

Also Adblock Plus can do wonders. You don't like being tracked on half of internet sites then take out urchin.js used by Google Analytics. There are more like it.

Remember internet is still used for home banking, PayPal, Visa etc. It is not the underworld you describe or at least expect will grow for each exploit discovered. The reason so many get spyware etc. has more to do with their way of handling computer than crap security anyone must learn to live with. All those people who get infected at Myspace could have avoided by using XP SP2, simple as that. I'm as skeptical towards spyware victims' use of computer as you are of internet safety level.

Look on the bright side, exploits keep developers awake and sharp.

FreewheelinFrank
Re: Hackers claim zero-day flaw in Firefox
« Reply #12 on: October 02, 2006, 10:06:55 PM »
Pictures of the two hackers at ToorCon:

http://news.com.com/2300-1002_3-6121772-1.html

dk70

  • Guest
Re: Hackers claim zero-day flaw in Firefox
« Reply #13 on: October 03, 2006, 03:19:31 AM »
I'm surprised one of them should work for well known company - or perhaps used to  8) Internet police needed. If I had been coding for Firefox for years I think I would have had to leave that room with those 2.

Anyway http://developer.mozilla.org/devnews/index.php/2006/10/02/update-possible-vulnerability-reported-at-toorcon/ so yet another internet event ;)

The guy getting cold feet is the guy working for mentioned company, hehe.


FreewheelinFrank
Re: Hackers claim zero-day flaw in Firefox
« Reply #14 on: October 03, 2006, 04:52:05 PM »
Update from the source above:

Quote
The main purpose of our talk was to be humorous.

As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.

I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code.

I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.

I apologize to everyone involved, and I hope I have made everything as clear as possible.

Sincerely,

Mischa Spiegelmock

Judging from the pictures here, I wouldn't trust either of these two further than I could spit a dead rat.

What a farce!

I think a caption competition might be a good idea.

http://news.com.com/2300-1002_3-6121772-1.html