Author Topic: Firefox now vulnerable by default...  (Read 4974 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33374
  • malware fighter
Firefox now vulnerable by default...
« on: February 09, 2008, 01:36:25 PM »
Hi malware fighters,

We saw the time coming, that Firefox was to become vulnerable by default:
http://www.0x000000.com/index.php?i=515
Just shortly after a major upgrade and 10 patches, a new even more serious information hole has been found up, that could be abused without vulnerable plug-ins.
I would advice not to use Firefox any longer without the NoScript add-on installed.
Patches take too long, code is brought in too early. Mozilla developers should step up.
I rather use Flock because it is a smaller platform, and that was 'the advantage of Firefox in the past.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Firefox now vulnerable by default...
« Reply #1 on: February 09, 2008, 04:50:42 PM »
Hi Polonus,

Your post seems to refer to this one:

http://blog.mozilla.com/security/2008/01/29/status-update-for-chrome-protocol-directory-traversal-issue/#comment-17143

Doesn't seem to be any comment on the exploit yet- please keep us abreast with the latest news as and when.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33374
  • malware fighter
Re: Firefox now vulnerable by default...
« Reply #2 on: February 09, 2008, 07:39:55 PM »
Hi FwF,

This was the previous one, that was fixed with the latest update to version 2.0.0.12. This one that is of a much more general nature, goes beyond plug-ins and extensions or jar or flat plug-ins right into the heart of Firefox, much more dangerous and attacking Firefox by default, so the browser is vulnerable. The leak was published just a couple of  hours after the latest version had been launched, that patched the less serious hole you mentioned. The new hole makes it possible for attackers to steal confidential information. The standard open source browser Firefox is now vulnerable, extensions installed or not.

An attacker can open local files inside the Mozilla directory and read out all browser settings. "Funny but rather sad really, because Firefox 2.0.0.12 has just been launched, to find itself broken again.

The Dutch security researcher R. Van den Heetkamp accuses Mozilla not doing a full job. "I accused Mozilla before, not half of all the holes are being patched, they should take the time to really go to the core of the problem." The researcher advises Firefox users to use another browser or install the NoScript plugin as I mentioned in the previous posting.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Firefox now vulnerable by default...
« Reply #3 on: February 09, 2008, 07:48:05 PM »
The quote "Firefox is not vulnerable by default" comes from the page I linked to: I noticed this was a new problem.  ;)
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline rdmaloyjr

  • Super Poster
  • ***
  • Posts: 1864
  • The beatings will continue until morale improves!
    • The Cross
Re: Firefox now vulnerable by default...
« Reply #4 on: February 09, 2008, 11:28:09 PM »
Opera is safer, faster, better & more fun. ;D

Opera isn't perfect, Firefox & IE just make it seem that way. ;D
"If you want to make a Conservative angry, tell him a lie. If you want to make a Liberal angry, tell him the truth." - Rush Limbaugh

avast! Free    Mbam Pro   Privatefirewll  WinPatrol Plus               Pentium Dual-Core  Windows 7 64bit SP1  8 gigs of RAM

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33374
  • malware fighter
Re: Firefox now vulnerable by default...
« Reply #5 on: February 10, 2008, 12:39:02 AM »
Hi rdmaloyjr,

Starting to believe you there.
Firefox has some underlying problems waiting to be dug up, and they started to find things for prefs/all.js. back in May last year:
Code: [Select]
<script>
function pref(param,value){
document.write ("<b>"+param+"</b> = "+value+"")
};
</script>
<script src="resource://gre/greprefs/security-prefs.js"></script>
<script src="resource://gre/greprefs/all.js"></script>

See then what this code reveals "Master Reconnaissance Tool", and yep only NoScript protects you here, they even can establish with this script whether you have tor running: http://ha.ckers.org/mr-t/
This script is not malicious, checked it with DrWeb's av-hyperlink plug-in but mr-t's script reveals loads
of browser information.

Back to the pref function. Another useful info is the real User Agent/Current FF version:
Code: [Select]
<script>
function pref(param,value){
if (param==”general.useragent.extra.firefox”) {
alert(”Your real FF version is: “+value)
}
};
</script>
<script src=”resource://gre/defaults/pref/firefox.js”></script>

This will bypass the “User Agent Switcher” add-on.

And then there are problems with xpinstall.js & browserconfig.properties

But some POC's were patched as the "5%c"resource URL traversal, but as you see the prefs/all.js has a lot of potentiality, and it will certainly take some time to make FF more secure in this respect,

polonus


« Last Edit: February 10, 2008, 01:50:14 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline rdmaloyjr

  • Super Poster
  • ***
  • Posts: 1864
  • The beatings will continue until morale improves!
    • The Cross
Re: Firefox now vulnerable by default...
« Reply #6 on: February 10, 2008, 03:21:59 AM »
Polonus,

I was a big fan of Firefox, I used it since it was a pre-release.

I didn't like Opera.  I first tried Opera when it was ad suported.  I didn't like it after it went totally free in version 8 either.  Everytime I would try Opera, I would soon uninstall it, except on my laptop.  I got a laptop so I can take it with me.  I have a free dial-up ISP on my laptop for when I can't hook up to WIFI or any other broadband ISP.  Opera made a big difference on dial-up.  Opera is the only way to go with dial-up.

I got tired of the memory "leakage" in FF, it's slow start-up & other issues.  I was just going to use Opera till FF got it's act together.

After a while Opera grew on me.  Now I don't want to use any other browser. :)
"If you want to make a Conservative angry, tell him a lie. If you want to make a Liberal angry, tell him the truth." - Rush Limbaugh

avast! Free    Mbam Pro   Privatefirewll  WinPatrol Plus               Pentium Dual-Core  Windows 7 64bit SP1  8 gigs of RAM

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Firefox now vulnerable by default...
« Reply #7 on: February 10, 2008, 10:32:44 AM »
Some comments from Slashdot:

Quote
Doesn't look like a vulerability to me. So it can read files in /usr/lib/firefox, but those are just the standard files from the firefox package. User configuration and stored passwords etc are not stored there... It still can't get to $HOME/.mozilla...

Quote
gre is constant data. This report is FUD.

Firefox is open source; anyone who wants to view view-source:resource:///greprefs/all.js can just as easily load http://mxr.mozilla.org/mozilla1.8/source/modules/libpref/src/init/all.js?raw=1 [mozilla.org] it has the same content.

all.js is *not* user data, it's *public* app data. Your preferences are stored in prefs.js which are not exposed by greprefs.

Quote
Seriously, this title should be changed now (get rid of "Serious"), and a "!serious" tag added. The author of the article is an asshole who just waited for this release to fear monger and gain some attention. This bug exists in previous versions, this is not a new issue. The fact is, 2.0.0.12 fixes issues from previous issues, and does NOT introduce this "new" bug.

"Vulnerable by default" seems to be sexing up the story on WMD scale.  ::)
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33374
  • malware fighter
Re: Firefox now vulnerable by default...
« Reply #8 on: February 10, 2008, 05:58:48 PM »
Hi FwF,

Missed the link which is well worth reading:
http://it.slashdot.org/article.pl?sid=08/02/09/2215205
Conclusion all centers again around Mr. Maone's NoScript, an awesome add-on!

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33374
  • malware fighter
Re: Firefox now vulnerable by default...
« Reply #9 on: February 10, 2008, 08:17:22 PM »
Hi malware fighters,

It is being downplayed now as "false alarm, go to bed..":
http://robert.accettura.com/archives/2008/02/10/false-alarm-go-back-to-bed/

polonus

P.S. I leave NoScript on, just to be secure...

Damian
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!