Posted on 02/19/2010 10:40:03 AM PST by ShadowAce
A Russian security researcher on Thursday said he has released attack code that exploits a critical vulnerability in the latest version of Mozilla's Firefox browser.
The exploit - which allows attackers to remotely execute malicious code on end user PCs - triggers a heap corruption vulnerability in the popular open-source browser, said Evgeny Legerov, founder of Moscow-based Intevydis. He recently added it as a module to Vulndisco, an add-on to the Immunity Canvas automated exploitation system sold to security professionals.
"We've played a lot with it in our labs - it was very reliable," Legerov wrote in an email to The Reg. "Works against the default install of Firefox 3.6. We've tested it on XP and Vista."
The report comes as Mozilla pushed out a Firefox update that tackles three critical vulnerabilities in version 3.5.7. One of those bugs is also described as a heap corruption vulnerability, but Legerov said the flaw is different from the one his code exploits.
Mozilla issued a statement that read in part: "Mozilla takes all security vulnerabilities seriously, and have as yet been unable to confirm the claim of an exploit. We value the contributions of all security researchers and encourage them to work within our security process, responsibly disclosing vulnerabilities to ensure the highest level of security and best outcome for users."
Legerov said his firm does not provide advanced notification to software makers under an arrangement often referred to as responsible disclosure.
If Legerov's claim pans out, it would be one of the few times in recent memory that a zero-day vulnerability for Firefox has circulated in the wild. While the exploit is currently available only to those who pay a hefty licensing fee, wider circulation can't be far behind. This story will be updated as more is learned.
More about the bug is here and here. ®
Thank you. It did update this morning, I just didn’t know that covered this.
I just wish there was a downloadable version. It could be fun.
LOL...
I misspell a lot...I wouldn’t last long.
How much time do you spend keeping up with anti-virus, anti-malware, registry cleaners, defragging, and all the other things that soak up your time if you're going to run Windows successfully?
I'll admit, I tinker more than is necessary, but then I also live right on the bleeding edge with Fedora builds. For my work desktop though, where it's important to have it fully functional and working for me rather than the other way around, I spend a heck of a lot less time than I'm sure the vast majority of folks do on Windows. Additionally, it truly works for me. I keep more stuff open all the time than most people can probably deal with, yet everything has its place. With 8 desktops, my browsers are always in the same place so I can get my work done quickly. My 80+ terminal windows can be opened with a single command, and I always know where my dev, test, and production boxes are. It is remarkably stable, and goes months without a reboot or even an X restart. I also have VMware sessions for testing particular environments safely and efficiently.
I could easily do the same thing at home, and in some ways I do. If I decide to upgrade my box, I can simply back up my /home partition, and when I restore it, everything about my desktop is exactly the way it was before I did anything to it, right down to my background and the way my file manager displays and deals with my viewing preferences for different directories. The last time I had to rebuild someone's Windows box it was a nightmare getting things even close to the way they preferred it.
My time is valuable, so I prefer to spend it where I want to, rather than where Redmond dictates.
3.6 Crashed on me already.
That was funny. Of course, if you're not root, even the "rm -rf /" won't hurt as bad as it sounds.
Try Opera.
Decent browser, and if you have the same issues with this one as with Firefox, the problem might be with the computer.
Actually, Windows is not much of a challenge for me. Anti-virus installed and running automatically. Disk imaging running automatically, making incremental backups daily. Disk defrag running automatically once a month. Everything is on autopilot. I have no Windows worries. If my hard drive goes out, it will take me 18 min to re-image a new 300 gig to the exact way I left it, or to an earlier point in time all the way back to a fresh install.
As far as a Linux machine is concerned in a workplace, it ALL depends on what you need the machines for and what type of software needs to be run on them. If you can get around using professional software, well, God bless, but in my line of work the Linux software availability is virtually non-existent.
I have time to tinker because my Windows machines need no attention whatsoever. I wanted to see for myself why some people were plugging Linux. For the most part I'm giving it an honest chance. So far I've concluded that it's great to play with at home, but has not a chance of ever getting anywhere soon in a professional atmosphere. If all one needs is a browsing machine or something to run simple software repeatedly, Linux is well suited. If one needs a variety of software that, in an ever-changing environment, needs updating... well, there is really no alternative to being on the Windows train. Linux is far from entering the big league any time soon.