Posted on 02/09/2006 9:50:40 AM PST by ShadowAce
Computer code that could be used in cyberattacks on Firefox users has been released, increasing the urgency for people to upgrade to the latest version of the Web browser.
The two pieces of exploit code, posted online earlier this week, take advantage of a security vulnerability in Firefox that Mozilla patched in an update Thursday. In response to the exploit release, the browser maker on Tuesday upgraded the severity rating of the flaw from "moderate" to "critical," its most serious rating.
"This exploit was published after we released the 1.5.0.1 update," said Mike Schroepfer, vice president of engineering at Mozilla. "Most of our users had already been upgraded by the time this exploit was published."
The code could be used to commandeer computers running a vulnerable version of the open-source Web browser on Linux or Mac OS X systems. It has been published as part of the Metasploit Framework, a widely used hacking tool.
The specific flaw exists only in Firefox 1.5 and was fixed in Firefox 1.5.0.1. The problem could cause a memory corruption an outsider could use to run code on a vulnerable PC, according to a Mozilla advisory. The corruption would come from calling the "QueryInterface" method of the Location and Navigator objects in the browser.
Firefox users have already been urged to install the patched version of the browser. Security monitoring company Secunia last week rated the Firefox update "highly critical," and Mozilla has pushed out updates.
If for some reason users have not upgraded, they should definitely do so, Schroepfer said.
1.5 was a piece of crap.
I installed it on all my machines and it would hog CPU time like nobody's business. Had to uninstall and go back to 1.07.
My love affair with Firefox is badly damaged. I don't trust what they're putting out anymore.
Can't say I see the reason in that. If software offers its own update service, I say use it.
Of course, I have qualms with using Linux in the first place, so I'll be quiet.
That makes two of us. Every single time Mozilla breaks wind it breaks extensions and themes, one of the features they beat their chest about. They've screwed up the themes and extensions site so that it's a pain to keep going back and finding and reloading it all. (Used to be you could select 50 items on a page, now it's at 10 only. Yawn....)
>>>"Probably is, but why keep using 1.0.7?"<<<
I don't anymore, just spent 5 minutes updating and everything still works fine.
I'm also confused as to whether this is a remote-site issue like we had this January with the Microsoft WMF defect? By that, I mean, can you execute arbitrary code via a link from FR? I'm sure you could post a link to an external site and sucker people into clicking it by saying it was a poll or something though, so I guess the distinction really doesn't matter much.
It's time for Microsoft and Firefox to fund a new class of users - internet bounty hunters.
http://www.freerepublic.com/focus/f-chat/1572512/posts?page=131#131
I don't care to keep track of Firefox, OpenOffice, Gimp, and the dozens of other apps I run, so I let the update agent for Fedora take care of it. Until there is a seriously compelling feature, performance enhancement, or security threat to software I'm running, I'll leave it that way.
Thanks. See post #10 -- If option is turned on (by default it should be) Firefox will notify automatically if an update is available.
And just who designed it that way? Who designed it for third party stuff? It makes absolutely no sense to have to find another extension because 1.5.0 changed to 1.5.0.1
If I'd been an extension writer, I'd have long ago given up on trying to keep up with the changes, and some have.
Actually, the version number for the 1.5.0 series is 1.5.0.*. There's a reason why most extensions haven't broken after 1.5.0.1 was released.
Windows allows third-party programs to run: does that mean I should be angry with Microsoft when Photoshop screws up? If not, why should I be angry with Mozilla when Adblock screws up?
Redirect your anger. Or just install the Nightly Tester Tools extension, use its Force Extension Compatibility feature, and be at ease.
Don't give me any lectures, fanboi. I can get that garbage at the MoZine forum.
Facts are now lectures? Huh.
I'll give some facts to an adolescent "Mozilla can do no wrong" fanboi.
Mozilla is not ready for Prime Time and never will be. It's only a curiosity for geeks. For close to a year there was a major flaw, where uninstalling Firefox took out the whole frickin' Program Files folder with it. Mozilla should have dropped everything right then and there to address it, but they didn't, and that spoke volumes to me.
To this day there are still RAM problems. The MoZine forum is loaded with threads about lost bookmarks and posts from peckerheads who say it's always the fault of the user. There were some good themes and extensions from the 0.8 days that you can't find any longer because the writers got tired of the crap about having to break it all down whenever Mozilla changed a decimal point.
Why should I sing the praises of something like that? You get Firefox set up the way you like it, and in no time you'll have to raise the hood and tinker tinker tinker, and if you need help you'll damn sure not get it from a forum run over with know-it-all zit farmers.
I gave them their chance. Adblock and Flashblock are all they have left in their favor.
BTW: I have been using Firefox since version .3 (when it was still called Phoenix, I believe), yet somehow I managed to still have the same bookmark file that I've been using for more than 10 years now, though it gets larger every year. I don't know of any IE users who can say the same.
Show me where I said I never had a choice.