Free Republic
Browse · Search
General/Chat
Topics · Post Article

Skip to comments.

Attack code for Firefox zero-day goes wild, says researcher
The Register ^ | 18 February 2010 | Dan Goodin

Posted on 02/19/2010 10:40:03 AM PST by ShadowAce

A Russian security researcher on Thursday said he has released attack code that exploits a critical vulnerability in the latest version of Mozilla's Firefox browser.

The exploit - which allows attackers to remotely execute malicious code on end user PCs - triggers a heap corruption vulnerability in the popular open-source browser, said Evgeny Legerov, founder of Moscow-based Intevydis. He recently added it as a module to Vulndisco, an add-on to the Immunity Canvas automated exploitation system sold to security professionals.

"We've played a lot with it in our labs - it was very reliable," Legerov wrote in an email to The Reg. "Works against the default install of Firefox 3.6. We've tested it on XP and Vista."

The report comes as Mozilla pushed out a Firefox update that tackles three critical vulnerabilities in version 3.5.7. One of those bugs is also described as a heap corruption vulnerability, but Legerov said the flaw is different from the one his code exploits.

Mozilla issued a statement that read in part: "Mozilla takes all security vulnerabilities seriously, and have as yet been unable to confirm the claim of an exploit. We value the contributions of all security researchers and encourage them to work within our security process, responsibly disclosing vulnerabilities to ensure the highest level of security and best outcome for users."

Legerov said his firm does not provide advanced notification to software makers under an arrangement often referred to as responsible disclosure.

If Legerov's claim pans out, it would be one of the few times in recent memory that a zero-day vulnerability for Firefox has circulated in the wild. While the exploit is currently available only to those who pay a hefty licensing fee, wider circulation can't be far behind. This story will be updated as more is learned.

More about the bug is here and here. ®


TOPICS: Computers/Internet
KEYWORDS: firefox; security
Navigation: use the links below to view more comments.
first previous 1-2021-4041-48 next last
To: Mr. Jazzy

Absolutely, something major was enhanced. I immediately noticed a speed improvement. Thanks for the link.


21 posted on 02/19/2010 11:21:01 AM PST by foolishboi (Under certain circumstances profanity provides relief denied even to prayer...... Mark Twain)
[ Post Reply | Private Reply | To 20 | View Replies]

To: Mr. Jazzy

Got it.


22 posted on 02/19/2010 11:30:35 AM PST by John W
[ Post Reply | Private Reply | To 8 | View Replies]

To: ShadowAce

OK, thanks. The article reads like he is selling something illegal or illegally, and I appreciate the clarification.


23 posted on 02/19/2010 11:31:12 AM PST by Bean Counter (I keeps mah feathers numbered, for just such an emergency...)
[ Post Reply | Private Reply | To 19 | View Replies]

To: ShadowAce
"We've played a lot with it in our labs - it was very reliable," Legerov wrote in an email to The Reg. "Works against the default install of Firefox 3.6. We've tested it on XP and Vista."

My question would be, does it work on real operating systems?

Linux and OSX come to mind.

24 posted on 02/19/2010 11:31:30 AM PST by zeugma (Proofread a page a day: http://www.pgdp.net/)
[ Post Reply | Private Reply | To 1 | View Replies]

To: zeugma

I tried Linux and gave it a fair chance. For the serious user Linux is more trouble than it’s worth. You need to have a lot of tinker time set aside.


25 posted on 02/19/2010 11:34:38 AM PST by foolishboi (Under certain circumstances profanity provides relief denied even to prayer...... Mark Twain)
[ Post Reply | Private Reply | To 24 | View Replies]

To: ShadowAce

Yes, altho I just assumed anyone in the know would know and people like me....well, we are just dumb!


26 posted on 02/19/2010 11:35:57 AM PST by brytlea (Jesus loves me, this I know.)
[ Post Reply | Private Reply | To 17 | View Replies]

To: foolishboi

Interesting viewpoint. When did you try it? I find it to be more useful than Windows in my work.


27 posted on 02/19/2010 11:36:31 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 25 | View Replies]

To: ShadowAce

I recently gave it a whirl in the last 2 months on one of my machines. Ubuntu and Mint didn’t do it for me. The biggest negative is that the hard drive can’t be imaged and reinstalled with both OS side by side.(unless I’m missing something) I found that if you don’t put them side by side all your windows drivers that are already there can’t be converted into Linux easily. So far anyway.


28 posted on 02/19/2010 11:43:04 AM PST by foolishboi (Under certain circumstances profanity provides relief denied even to prayer...... Mark Twain)
[ Post Reply | Private Reply | To 27 | View Replies]

To: foolishboi

That was last year...try Mint.


29 posted on 02/19/2010 11:47:33 AM PST by Ernest_at_the_Beach ( Support Geert Wilders)
[ Post Reply | Private Reply | To 25 | View Replies]

To: foolishboi

What is the requirement to convert the Windows drivers?


30 posted on 02/19/2010 11:49:02 AM PST by Ernest_at_the_Beach ( Support Geert Wilders)
[ Post Reply | Private Reply | To 28 | View Replies]

To: foolishboi
It is possible to install both Windows and linux on the same hard drive, but I've always found it easier to use separate drives, and run GRUB to choose either Linux or Windows.
31 posted on 02/19/2010 11:50:19 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 28 | View Replies]

To: Ernest_at_the_Beach

Mint is much more of a user friendly critter compared to Ubuntu, but still has it’s challenges.


32 posted on 02/19/2010 11:50:36 AM PST by foolishboi (Under certain circumstances profanity provides relief denied even to prayer...... Mark Twain)
[ Post Reply | Private Reply | To 29 | View Replies]

To: Ernest_at_the_Beach

Lots of intestinal fortitude and lots of patience. lol
Linux will convert drivers to a certain extent. BUT if it doesn’t you will need to learn a whole new language used in Linux. I’m taking it on as a challenge and with some free time I will plug along.


33 posted on 02/19/2010 11:55:03 AM PST by foolishboi (Under certain circumstances profanity provides relief denied even to prayer...... Mark Twain)
[ Post Reply | Private Reply | To 30 | View Replies]

To: foolishboi
Why not split the work load that does require Windows from a Machine that is used only for browsing....

You can control both from one terminal and keyboard with a KVM switch....

There might still be occasions where you would need to browse with the Windows machine...but over time perhaps those occasions could be reduced.

Dual booting is a pain.

34 posted on 02/19/2010 11:56:26 AM PST by Ernest_at_the_Beach ( Support Geert Wilders)
[ Post Reply | Private Reply | To 32 | View Replies]

To: ShadowAce

That is my next move. I will format my drive into separate partitions and see how that works for me.


35 posted on 02/19/2010 11:56:55 AM PST by foolishboi (Under certain circumstances profanity provides relief denied even to prayer...... Mark Twain)
[ Post Reply | Private Reply | To 31 | View Replies]

To: foolishboi
How to get started with Linux
36 posted on 02/19/2010 11:58:14 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 28 | View Replies]

To: foolishboi

That’s a lot of work...


37 posted on 02/19/2010 11:58:15 AM PST by Ernest_at_the_Beach ( Support Geert Wilders)
[ Post Reply | Private Reply | To 35 | View Replies]

To: Ernest_at_the_Beach

Yes it is, but my main concern is to be able to image my drives for quick fixes rather than complete re-installs should something go haywire. Better to re-image my drive after a mishap rather than spend days getting things back to the way I had them.


38 posted on 02/19/2010 12:05:13 PM PST by foolishboi (Under certain circumstances profanity provides relief denied even to prayer...... Mark Twain)
[ Post Reply | Private Reply | To 37 | View Replies]

To: ShadowAce

Thanks for the link. “Linux for Dummies” LOL

I will go over it this weekend.


39 posted on 02/19/2010 12:08:49 PM PST by foolishboi (Under certain circumstances profanity provides relief denied even to prayer...... Mark Twain)
[ Post Reply | Private Reply | To 36 | View Replies]

To: brytlea; Ron C.
re: No, you don’t need to do anything. Your copy of Firefox will automatically download and install (probably already has) all security updates. A major update was sent out two or three days ago.

Only if Firefox is set to download updates automatically. That option can be turned off. Please don't give advice like that unless you know how the person's computer is set up.

brytlea -- in Firefox, go to Help -> Check for Updates, and see what it tells you. If it says no new updates are available, you're up-to-date. Otherwise, you might need to download an update.

40 posted on 02/19/2010 12:11:57 PM PST by ken in texas
[ Post Reply | Private Reply | To 9 | View Replies]


Navigation: use the links below to view more comments.
first previous 1-2021-4041-48 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
General/Chat
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson