Author Topic: Firefox now vulnerable by default...  (Read 5491 times)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Firefox now vulnerable by default...
« on: February 09, 2008, 01:36:25 PM »
Hi malware fighters,

We saw the time coming, that Firefox was to become vulnerable by default:
http://www.0x000000.com/index.php?i=515
Just shortly after a major upgrade and 10 patches, a new, even more serious information hole has been found that could be abused without vulnerable plug-ins.
I would advise not to use Firefox any longer without the NoScript add-on installed.
Patches take too long, code is brought in too early. Mozilla developers should step up.
I would rather use Flock because it is a smaller platform, and that was the advantage of Firefox in the past.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Firefox now vulnerable by default...
« Reply #1 on: February 09, 2008, 04:50:42 PM »
Hi Polonus,

Your post seems to refer to this one:

http://blog.mozilla.com/security/2008/01/29/status-update-for-chrome-protocol-directory-traversal-issue/#comment-17143

Doesn't seem to be any comment on the exploit yet - please keep us abreast of the latest news as and when.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline polonus

Re: Firefox now vulnerable by default...
« Reply #2 on: February 09, 2008, 07:39:55 PM »
Hi FwF,

This was the previous one, which was fixed with the latest update to version 2.0.0.12. This one, which is of a much more general nature, goes beyond plug-ins and extensions or jar or flat plug-ins right into the heart of Firefox, much more dangerous and attacking Firefox by default, so the browser is vulnerable. The leak was published just a couple of hours after the latest version had been launched, which patched the less serious hole you mentioned. The new hole makes it possible for attackers to steal confidential information. The standard open source browser Firefox is now vulnerable, extensions installed or not.

An attacker can open local files inside the Mozilla directory and read out all browser settings. "Funny but rather sad really, because Firefox 2.0.0.12 has just been launched, to find itself broken again."

The Dutch security researcher R. Van den Heetkamp accuses Mozilla of not doing a full job. "I accused Mozilla before, not half of all the holes are being patched, they should take the time to really go to the core of the problem." The researcher advises Firefox users to use another browser or install the NoScript plugin as I mentioned in the previous posting.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline FreewheelinFrank

Re: Firefox now vulnerable by default...
« Reply #3 on: February 09, 2008, 07:48:05 PM »
The quote "Firefox is not vulnerable by default" comes from the page I linked to: I noticed this was a new problem.  ;)
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

rdmaloyjr

  • Guest
Re: Firefox now vulnerable by default...
« Reply #4 on: February 09, 2008, 11:28:09 PM »
Opera is safer, faster, better & more fun. ;D

Opera isn't perfect, Firefox & IE just make it seem that way. ;D

Offline polonus

Re: Firefox now vulnerable by default...
« Reply #5 on: February 10, 2008, 12:39:02 AM »
Hi rdmaloyjr,

Starting to believe you there.
Firefox has some underlying problems waiting to be dug up, and they started to find things for prefs/all.js back in May last year:
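Code:
<script>
// The prefs files loaded below are lists of pref(name, value) calls,
// so a page-defined pref() is invoked once per default setting.
function pref(param,value){
document.write ("<b>"+param+"</b> = "+value+"")
};
</script>
<!-- Firefox's shipped default-preference files, included as scripts -->
<script src="resource://gre/greprefs/security-prefs.js"></script>
<script src="resource://gre/greprefs/all.js"></script>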

See then what this code reveals, "Master Reconnaissance Tool", and yep, only NoScript protects you here; they can even establish with this script whether you have Tor running: http://ha.ckers.org/mr-t/
This script is not malicious, checked it with DrWeb's av-hyperlink plug-in, but mr-t's script reveals loads of browser information.

Back to the pref function. Another useful piece of info is the real User Agent/Current FF version:
Code:
<script>
// Called for each pref(...) entry in firefox.js; picks out the version string.
function pref(param,value){
if (param=="general.useragent.extra.firefox") {
alert("Your real FF version is: "+value)
}
};
</script>
<script src="resource://gre/defaults/pref/firefox.js"></script>

This will bypass the “User Agent Switcher” add-on.

And then there are problems with xpinstall.js & browserconfig.properties.

But some PoCs were patched, such as the "5%c" resource URL traversal, but as you see the prefs/all.js has a lot of potential, and it will certainly take some time to make FF more secure in this respect.

polonus


« Last Edit: February 10, 2008, 01:50:14 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
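
A defender-side check for the include pattern shown in the post above, as an added example that is not part of the thread: it flags markup that loads a browser-internal URL as a script and also defines the pref/user_pref callback those files call. The function name scanPage, the verdict labels and the sample pages are constructed for illustration.

```javascript
// Added example (not from the thread): static check for the include pattern above.
// scanPage and the sample pages are constructed for illustration.
const INTERNAL_SCHEMES = ["resource:", "chrome:"];
// Default prefs files are a list of pref(name, value) calls (user_pref in a
// profile's prefs.js), so a page defining these names receives each value.
const CALLBACKS = ["pref", "user_pref"];

function scanPage(html) {
  // Normalise typographic quotes so pasted markup is parsed like real markup.
  const text = html.replace(/[\u201C\u201D]/g, '"').replace(/[\u2018\u2019]/g, "'");
  const findings = { internalIncludes: [], callbacks: [], verdict: "clean" };

  // 1. <script src=...> pointing at a browser-internal URL scheme.
  const srcRe = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  for (const m of text.matchAll(srcRe)) {
    const url = (m[1] ?? m[2] ?? m[3]).trim();
    if (INTERNAL_SCHEMES.some((s) => url.toLowerCase().startsWith(s))) {
      findings.internalIncludes.push(url);
    }
  }

  // 2. Page-level definitions of the callback names (declaration or assignment).
  for (const name of CALLBACKS) {
    const defRe = new RegExp(
      `function\\s+${name}\\s*\\(|(?:^|[^\\w.$])(?:window\\.)?${name}\\s*=\\s*(?:function|\\()`,
      "m"
    );
    if (defRe.test(text)) findings.callbacks.push(name);
  }

  if (findings.internalIncludes.length && findings.callbacks.length) {
    findings.verdict = "pref-harvest";       // include + callback: values reach the page
  } else if (findings.internalIncludes.length) {
    findings.verdict = "internal-include";   // include alone: still worth review
  }
  return findings;
}

// Constructed sample pages.
const SAMPLE_HARVEST = `<script>function pref(param, value) { log(param, value) }</script>
<script src=\u201Dresource://gre/defaults/pref/firefox.js\u201D></script>`;
const SAMPLE_INCLUDE_ONLY = "<script SRC='RESOURCE://gre/greprefs/all.js'></script>";
const SAMPLE_BENIGN = `<script src="https://example.com/app.js"></script>
<script>function prefetch(u) {} var user_prefs = {};</script>`;

for (const page of [SAMPLE_HARVEST, SAMPLE_INCLUDE_ONLY, SAMPLE_BENIGN]) {
  console.log(scanPage(page).verdict);
}
```

The check is a regex heuristic over static markup, so script elements created at runtime are outside what it sees.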

rdmaloyjr

  • Guest
Re: Firefox now vulnerable by default...
« Reply #6 on: February 10, 2008, 03:21:59 AM »
Polonus,

I was a big fan of Firefox, I used it since it was a pre-release.

I didn't like Opera.  I first tried Opera when it was ad supported.  I didn't like it after it went totally free in version 8 either.  Every time I would try Opera, I would soon uninstall it, except on my laptop.  I got a laptop so I can take it with me.  I have a free dial-up ISP on my laptop for when I can't hook up to WIFI or any other broadband ISP.  Opera made a big difference on dial-up.  Opera is the only way to go with dial-up.

I got tired of the memory "leakage" in FF, its slow start-up & other issues.  I was just going to use Opera till FF got its act together.

After a while Opera grew on me.  Now I don't want to use any other browser. :)

Offline FreewheelinFrank

Re: Firefox now vulnerable by default...
« Reply #7 on: February 10, 2008, 10:32:44 AM »
Some comments from Slashdot:

Quote
Doesn't look like a vulnerability to me. So it can read files in /usr/lib/firefox, but those are just the standard files from the firefox package. User configuration and stored passwords etc are not stored there... It still can't get to $HOME/.mozilla...

Quote
gre is constant data. This report is FUD.

Firefox is open source; anyone who wants to view view-source:resource:///greprefs/all.js can just as easily load http://mxr.mozilla.org/mozilla1.8/source/modules/libpref/src/init/all.js?raw=1 [mozilla.org] it has the same content.

all.js is *not* user data, it's *public* app data. Your preferences are stored in prefs.js which are not exposed by greprefs.

Quote
Seriously, this title should be changed now (get rid of "Serious"), and a "!serious" tag added. The author of the article is an asshole who just waited for this release to fear monger and gain some attention. This bug exists in previous versions, this is not a new issue. The fact is, 2.0.0.12 fixes issues from previous issues, and does NOT introduce this "new" bug.

"Vulnerable by default" seems to be sexing up the story on WMD scale.  ::)
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline polonus

Re: Firefox now vulnerable by default...
« Reply #8 on: February 10, 2008, 05:58:48 PM »
Hi FwF,

Missed the link which is well worth reading:
http://it.slashdot.org/article.pl?sid=08/02/09/2215205
Conclusion all centers again around Mr. Maone's NoScript, an awesome add-on!

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Re: Firefox now vulnerable by default...
« Reply #9 on: February 10, 2008, 08:17:22 PM »
Hi malware fighters,

It is being downplayed now as "false alarm, go to bed..":
http://robert.accettura.com/archives/2008/02/10/false-alarm-go-back-to-bed/

polonus

P.S. I leave NoScript on, just to be secure...

Damian
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!