Critical javascript security flaw in firefox

[Matt Kruse]

http://news.zdnet.com/2100-1009_22-6121608.html

Hackers claim zero-day flaw in Firefox
09 / 30 / 06 | By Joris Evers

SAN DIEGO--The open-source Firefox Web browser is critically flawed in the
way it handles JavaScript, two hackers said Saturday afternoon.
An attacker could commandeer a computer running the browser simply by
crafting a Web page that contains some malicious JavaScript code, Mischa
Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker
conference here. The flaw affects Firefox on Windows, Apple Computer's Mac
OS X and Linux, they said.

"Internet Explorer, everybody knows, is not very secure. But Firefox is also
fairly insecure," said Spiegelmock, who in everyday life works at blog
company SixApart. He detailed the flaw, showing a slide that displayed key
parts of the attack code needed to exploit it.

The flaw is specific to Firefox's implementation of JavaScript, a
10-year-old scripting language widely used on the Web. In particular,
various programming tricks can cause a stack overflow error, Spiegelmock
said. The implementation is a "complete mess," he said. "It is impossible to
patch."

The JavaScript issue appears to be a real vulnerability, Window Snyder,
Mozilla's security chief, said after watching a video of the presentation
Saturday night. "What they are describing might be a variation on an old
attack," she said. "We're going to do some investigating."

Snyder said she isn't happy with the disclosure and release of an apparent
exploit during the presentation. "It looks like they had enough information
in their slide for an attacker to reproduce it," she said. "I think it is
unfortunate because it puts users at risk, but that seems to be their goal."

At the same time, the presentation probably gives Mozilla enough data to fix
the apparent flaw, Snyder said. However, because the possible flaw appears
to be in the part of the browser that deals with JavaScript, addressing it
might be tougher than the average patch, she added. "If it is in the
JavaScript virtual machine, it is not going to be a quick fix," Snyder said.

The hackers claim they know of about 30 unpatched Firefox flaws. They don't
plan to disclose them, instead holding on to the bugs.

Jesse Ruderman, a Mozilla security staffer, attended the presentation and
was called up on the stage with the two hackers. He attempted to persuade
the presenters to responsibly disclose flaws via Mozilla's bug bounty
program instead of using them for malicious purposes such as creating
networks of hijacked PCs, called botnets.

"I do hope you guys change your minds and decide to report the holes to us
and take away $500 per vulnerability instead of using them for botnets,"
Ruderman said.

The two hackers laughed off the comment. "It is a double-edged sword, but
what we're doing is really for the greater good of the Internet, we're
setting up communication networks for black hats," Wbeelsoi said.

 

[VK]

http://news.zdnet.com/2100-1009_22-6121608.html

Hackers claim zero-day flaw in Firefox
09 / 30 / 06 | By Joris Evers

SAN DIEGO--The open-source Firefox Web browser is critically flawed in the
way it handles JavaScript, two hackers said Saturday afternoon.
An attacker could commandeer a computer running the browser simply by
crafting a Web page that contains some malicious JavaScript code, Mischa
Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker
conference here. The flaw affects Firefox on Windows, Apple Computer's Mac
OS X and Linux, they said.

Firefox gets stable over 10% market share (not 20% this area / 2% this
area, but 10% guaranteed any market area you take). That's the next
important milestone (the first important one is 1%: "the level of
asknowledgment" is passed way ago). The Empire strikes back to the most
important promo of the competitor: to the security. Totally normal,
nothing outside of the regular Big Business fights.

10.02.06
C.L.J. - someone called VK claims the possibility to do whatever he
wants with any computer with IE installed. No JScript support is
required: the fact itself that you are viewing my page using IE is
self-sufficient. Hackers around the world are benefiting of the wide
spread of this environment for many years in the row.


P.S. Is Firefox made by Gods? Sure not, by the same humans. It means
that the axiom of "Super Hacker limit" works for it as well. It will
never be able to become an *absolutely* safe environment. It can only
resolve the equation with more and more better results up to (ideally
but fantastically) a totally unbreakable system and an only person in
the world able to break it (lim->1, never 0).

 

[Erwin Moller]

Firefox gets stable over 10% market share (not 20% this area / 2% this
area, but 10% guaranteed any market area you take). That's the next
important milestone (the first important one is 1%: "the level of
asknowledgment" is passed way ago). The Empire strikes back to the most
important promo of the competitor: to the security. Totally normal,
nothing outside of the regular Big Business fights.

10.02.06
C.L.J. - someone called VK claims the possibility to do whatever he
wants with any computer with IE installed. No JScript support is
required: the fact itself that you are viewing my page using IE is
self-sufficient. Hackers around the world are benefiting of the wide
spread of this environment for many years in the row.


P.S. Is Firefox made by Gods? Sure not, by the same humans. It means
that the axiom of "Super Hacker limit" works for it as well. It will
never be able to become an *absolutely* safe environment. It can only
resolve the equation with more and more better results up to (ideally
but fantastically) a totally unbreakable system and an only person in
the world able to break it (lim->1, never 0).

Well, don't take it so lightly.
I am NOT happy with 20 securityholes in FF.
Not at all.
The fact that one of the hackers called the JS implentation in FF 'a total
mess so don't expect a patch soon' or something along that lines, didn't
help either...

You can say 'the empire strikes back' and calling it 'business as usual' and
be done with it, but that is just putting your head in the sand.
FF is insecure in its current state. Period.
Yes, that sucks.
Of course I hope they'll patch it anyway soon because I love that browser.

Regards,
Erwin Moller

 

[Dag Sunde]

http://news.zdnet.com/2100-1009_22-6121608.html

Hackers claim zero-day flaw in Firefox
09 / 30 / 06 | By Joris Evers

SAN DIEGO--The open-source Firefox Web browser is critically flawed
in the way it handles JavaScript, two hackers said Saturday afternoon.
An attacker could commandeer a computer running the browser simply by
crafting a Web page that contains some malicious JavaScript code,
Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the
ToorCon hacker conference here. The flaw affects Firefox on Windows,
Apple Computer's Mac OS X and Linux, they said.

"Internet Explorer, everybody knows, is not very secure. But Firefox
is also fairly insecure," said Spiegelmock, who in everyday life
works at blog company SixApart. He detailed the flaw, showing a slide
that displayed key parts of the attack code needed to exploit it.

The flaw is specific to Firefox's implementation of JavaScript, a
10-year-old scripting language widely used on the Web. In particular,
various programming tricks can cause a stack overflow error,
Spiegelmock said. The implementation is a "complete mess," he said.
"It is impossible to patch."

The JavaScript issue appears to be a real vulnerability, Window
Snyder, Mozilla's security chief, said after watching a video of the
presentation Saturday night. "What they are describing might be a
variation on an old attack," she said. "We're going to do some
investigating."
Snyder said she isn't happy with the disclosure and release of an
apparent exploit during the presentation. "It looks like they had
enough information in their slide for an attacker to reproduce it,"
she said. "I think it is unfortunate because it puts users at risk,
but that seems to be their goal."
At the same time, the presentation probably gives Mozilla enough data
to fix the apparent flaw, Snyder said. However, because the possible
flaw appears to be in the part of the browser that deals with
JavaScript, addressing it might be tougher than the average patch,
she added. "If it is in the JavaScript virtual machine, it is not
going to be a quick fix," Snyder said.
The hackers claim they know of about 30 unpatched Firefox flaws. They
don't plan to disclose them, instead holding on to the bugs.

Jesse Ruderman, a Mozilla security staffer, attended the presentation
and was called up on the stage with the two hackers. He attempted to
persuade the presenters to responsibly disclose flaws via Mozilla's
bug bounty program instead of using them for malicious purposes such
as creating networks of hijacked PCs, called botnets.

"I do hope you guys change your minds and decide to report the holes
to us and take away $500 per vulnerability instead of using them for
botnets," Ruderman said.

The two hackers laughed off the comment. "It is a double-edged sword,
but what we're doing is really for the greater good of the Internet,
we're setting up communication networks for black hats," Wbeelsoi
said.

Looks like we been had...

http://developer.mozilla.org/devnew...e-possible-vulnerability-reported-at-toorcon/

 

[Erwin Moller]

Looks like we been had...

http://developer.mozilla.org/devnew...e-possible-vulnerability-reported-at-toorcon/

LOL, some humor...
/me goes off shooting the 'black hats'.

Regards,
Erwin Moller

 

[VK]

Well, don't take it so lightly.

I am NOT happy with 20 security holes in FF.
Not at all.

I'm not taking it lightly, I'm taking it philosophically An
absolutely secure web-browsing can be only via command-line telnet app.
At least it was such so far. If this kind of "browsing" becomes popular
enough a hack will be found even for this

Any attempt to prove that "Firefox is not Absolutely Secure" is mute
because it is a proof of obvious (see my prev post), so let's us put it
more reality-bound: the amount of situations where your security is
compromised is dramatically lower for FF in comparison with IE.

Also Mozilla and the success of their Firefox goes against of the "Big
Pacification" plan. They've made Jobs to finish the "fight with Big
Brother" epoch which started with the famous "be different!" slogan.
Year earlier they forced McNealy to stop fighting with Windows using
Java. It is interesting that in both cases the "ending" was set as a
public conference with nearly theatrical scenario.
A war is expensive for owners: different standards to support (and
which one will win?), extra sets of egg-heads and hairy guys on the
payroll (for different directions), this and that... As one guy on a
business meeting said (by memory quote): "I don't give a damn what
browser is used, as long as it's the only one to deal with. Internet
Explorer is the most used one, so let it be only Internet Explorer. We
had enough of fight in the past to start it over".

The fact that one of the hackers called the JS implementation in FF 'a total
mess so don't expect a patch soon' or something along that lines, didn't
help either...

I'm not a professional C++ programmer neither hacker to comment on
Gecko source codes. But taking into account that all top level
interface of Firefox is written in JavaScript: maybe it should be said
instead "because of a high level of integration of the application
interface with JavaScript engine some exploits are not so easy to fix
because a quick'n'durty option's lock is often is not an option". So
far nearly every second attack on Gecko was going by the same
scenario: at attempt to penetrate into the program execution context
using stack overflow. So far it lead only to the browser crash.

You can say 'the empire strikes back' and calling it 'business as usual' and
be done with it, but that is just putting your head in the sand.

see the beginning of this post.

FF is insecure in its current state. Period.

to be fixed... and new found... to be fixed... Ellipsis

Yes, that sucks.

Yep.
Actually I strongly believe that a 100,000 - million bucks fine and a
year or two of public works (each time announced in news) do much much
more for the Internet security than any sophisticated programming
protection. IMHO.

Of course I hope they'll patch it

You can count on it.

I love that browser.

I don't really love Firefox neither I hate IE. I like a competition and
I hate monopoly (== stagnation).


P.S.

... Spiegelmock and Andrew Wbeelsoi said in a presentation
at the ToorCon hacker conference ...

<http://www.toorcon.org/2006/sponsors.html>
Platinum: Microsoft, ...
That means nothing of course, Microsoft sincerly helps to many
organizations and funds. Just came into my eyesight.

 

[RobG]

Erwin Moller wrote:
[...]

Well, don't take it so lightly.
I am NOT happy with 20 securityholes in FF.
Not at all.
The fact that one of the hackers called the JS implentation in FF 'a total
mess so don't expect a patch soon' or something along that lines, didn't
help either...

Then you'll be happy to know that the claim of being able to take over
a PC was completely bogus, and the claim of 30 undisclosed security
holes us utterly unsubstantiated (and therefore probaby bogus too).

<URL: http://news.zdnet.com/2100-1009-6122317.html >

 

[Ivan Marsh]

Well, don't take it so lightly.
I am NOT happy with 20 securityholes in FF.
Not at all.
The fact that one of the hackers called the JS implentation in FF 'a total
mess so don't expect a patch soon' or something along that lines, didn't
help either...

Turns out that was a hoax. You shouldn't be so gullible.

 

[Erwin Moller]

Ivan Marsh wrote:

Turns out that was a hoax. You shouldn't be so gullible.

Wise words afterwards.

And yes, I knew that 12 hours ago.
(See this very thread)

Regards,
Erwin Moller