RSSFirst TraceMonkey vulnerability poses new priorities for Firefox 3.5.1
By Scott M. Fulton, III | Published July 15, 2009, 11:27 AM
Developers on the "Shiretoko" track for Mozilla's new open source Firefox 3.5 Web browser now have very good reason to expect a ship date for the first round of bug fixes and vulnerabilities. A very big vulnerability has turned up in just the wrong place: a public site for posting exploits.
The problem is a new permutation of an old exploit technique that, ironically, was first brought to prominence in 2006 by a package called "Internet Exploiter." It's called a heap spray, comprised of shellcode that's set to be distributed into an area in blocks, a bit like spraying bricks into a wall. The resulting pattern may contain executable code that can be triggered through an overflow; and in this case, it's version 3.5's embedded font support, using the <FONT> tag, that's the trigger.
A check of the Bugzilla database this morning does not indicate the issue as an active security bug among Mozilla testers. However, security firm Secunia rates the vuln "Extremely Critical," as the published exploit is believed to be in use in the wild.
In its proof-of-concept distribution, the exploit triggers CALC.EXE in Windows, though it's an academic matter for someone to make that trigger run other code, perhaps an arbitrary payload. Though this exploit is not a "virus" per se, despite how some local TV newscasts may portray it, certainly the arbitrary payload this trigger may enable could be infectious.
Though a general planning meeting for next-stage Firefox development was scheduled for yesterday morning, and security problems were scheduled to be on the agenda, apparently this latest exploit had not yet cropped up at the time developers met. Meeting notes published yesterday concerning the bug fix schedule for 3.5.1 read, "Contrary to some reports on the Internet, this is the usual process for Firefox and software releases; the 3.5 release was strong, stable and solid, and feedback has been extremely positive. Near the end of the release we become extremely conservative about patches to accept; the 3.5.1 release is a quick update to fold in some patches that came up late in the 3.5 release cycle."
Candidate builds of 3.5.1 were scheduled for next week, though today's discovery may accelerate the release process.
Yea well, I called this patch a week ago. I said that Mozilla would have to patch 3.5 within a month of it's release. Any code written today will be hacked tomorrow, so what's all the hub bub about? I'll bet anyone that by Dec 31st of this year Mozilla will be up to 3.5.12. Any takers?
Score: 0
|The Mozilla team already were working on 3.5.1 before they released 3.5, so why are you taking credit?
Maybe, they'll have to shove back their current work to fix this and 3.5.2 will contain the current fixes. Of course, had they realised that they had opened up to a 2 year old exploit, they might have avoided some embarrassment.
Score: 0
|Computer get owned when while viewing online video (IE), Surfing a site can execute something on the computer (FF 3.5). My poor Linux computer is insensitive to this kind of madness, better yet I don't need to do anything special to get the protection.
Score: -2
|The Firefox 3.5 meeting happens on Wednesdays and today's meeting certainly had a discussion of the issue and the retooled 3.5.1 release followed by a 3.5.2 release: https://wiki.mozilla.org...#Firefox_3.0.x_Releases.
Score: 0
|"However, security firm Secunia rates the vuln "Extremely Critical," as the published exploit is believed to be in use in the wild."
Actually, Secunia rates this "Highly Critical" (one step below "Extremely Critical," their most critical rating). This also means there are no known exploits at this time. Perhaps this changed since the article was written.
Also, this is the bug in question: https://bugzilla.mozilla.../show_bug.cgi?id=503286
Looks pretty active to me.
Score: 0
|I should also note that the developers were, indeed, aware of this problem at their last meeting. It's even in the meeting notes BetaNews linked to--click on the link of bugs that are blockers for Fx 3.5.1, and you'll see this one listed. They just didn't make a big deal of it, and there was really no need to: it is just one of several bugs on their plate that need to or have been fixed for the next release (many of them also considered critical, though not all security-related).
Plus, it's already been fixed!
Score: 0
|No worries, I use Firefox 3.5 on a Mac.
Score: -2
|"Though this exploit is not a "virus" per se, despite how some local TV newscasts may portray it"
Wow, you don't get this type of non biased reporting on IE exploits!
Score: 1
|It's not "bias" to point out where popular reports are inaccurate: There's no self-duplicating capability to this exploit. That doesn't mean it's not a severe hole.
-SF3
Score: 0
|believe it or not IE8 is a very difficult browser to exploit, oddly leaving Firefox and Safari behind in this situation lol
just use noscript and only visit your trusted sites until patch is released, or use IE if on Windows
Score: -3
|This would be the time for one of those annoying Opera fans to post some supercilious comment here. But as it looks like I'm the first to arrive, I'd just like to say Opera rocks !
Score: -3
|Thanks! The comments section of this topic was in dire need of a completely pointless post...
...and now we have 2!
Score: 0
|Well number 3....Glad Firefox is sooooo much safer and better than IE...
Score: 1
|