Page 1 of 2 12 LastLast
Results 1 to 16 of 19

Thread: Firefox suffers first 'extremely critical' security hole

  1. #1
    Senior Member
    Join Date
    Aug 2004
    Location
    W Yorkshire
    Posts
    5,691
    Thanks
    85
    Thanked
    15 times in 13 posts
    • XA04's system
      • Motherboard:
      • MSI X570-A Pro
      • CPU:
      • AMD Ryzen 5 3600
      • Memory:
      • Corsair 2x 8gb DDR 4 3200
      • Storage:
      • 1TB Serpent M.2 SSD & 4TB HDD
      • Graphics card(s):
      • Palit RTX 2060
      • PSU:
      • Antec Truepower 650W
      • Case:
      • Fractcal Meshify C
      • Operating System:
      • Windows 10
      • Monitor(s):
      • iiyama 34" Curved UWQHD
      • Internet:
      • Virgin 100mb Fibre

    Firefox suffers first 'extremely critical' security hole


    Firefox has unpatched "extremely critical" security holes and exploit code is already circulating on the Net, security researchers have warned.

    The two unpatched flaws in the Mozilla browser could allow an attacker to take control of your system.

    A patch is expected shortly, but in the meantime users can protect themselves by switching off JavaScript. In addition, the Mozilla Foundation has now made the flaws effectively impossible to exploit by changes to the server-side download mechanism on the update.mozilla.org and addons.mozilla.org sites, according to security experts.

    The flaws were confidentially reported to the Foundation on 2 May, but by Saturday details had been leaked and were reported by several security organisations, including the French Security Incident Response Team (FrSIRT). Danish security firm Secunia marked the exploit as "extremely critical", its most serious rating, the first time it has given a Firefox flaw this rating.

    In recent months Firefox has gained significant market share from Microsoft's Internet Explorer, partly because it is considered less vulnerable to attacks. However, industry observers have long warned that the browser is more secure partly because of its relatively small user base. As Firefox's profile grows, attackers will increasingly target the browser.

    The exploit, discovered by Paul of Greyhats Security Group and Michael "mikx" Krax, makes use of two separate vulnerabilities. An attacker could create a malicious page using frames and a JavaScript history flaw to make software installations appear to be coming from a "trusted" site. By default, Firefox allows software installations from update.mozilla.org and addons.mozilla.org, but users can add their own sites to this whitelist.

    The second part of the exploit triggers software installation using an input verification bug in the "IconURL" parameter in the install mechanism. The effect is that a user could click on an icon and trigger the execution of malicious JavaScript code. Because the code is executed from the browser's user interface, it has the same privileges as the user running Firefox, according to researchers.

    Mozilla Foundation said it has protected most users from the exploit by altering the software installation mechanism on its two whitelisted sites. However, users may be vulnerable if they have added other sites to the whitelist, it warned.

    "We believe this means that users who have not added any additional sites to their software installation whitelist are no longer at risk," Mozilla Foundation said in a statement published on Mozillazine.org.
    Source: http://www.techworld.com/security/ne...e=1&pagePos=16
    More info: http://www.mozillazine.org/talkback.html?article=6590




    , oh well, it was bound to happen sometime!

  2. #2
    Civilian Nick F's Avatar
    Join Date
    May 2004
    Location
    London
    Posts
    4,668
    Thanks
    9
    Thanked
    18 times in 10 posts
    • Nick F's system
      • CPU:
      • 2.4Ghz C2D
      • Memory:
      • 4GB
      • Storage:
      • 320Gb internal / 750Gb external
      • Case:
      • Apple iMac
      • Operating System:
      • Mac OSx
      • Monitor(s):
      • 24inch
      • Internet:
      • 8mb BE connection
    Yeah it was bound to happen, at least they will release a fix in the next day or so I am sure.

  3. #3
    Senior Member
    Join Date
    Aug 2004
    Location
    W Yorkshire
    Posts
    5,691
    Thanks
    85
    Thanked
    15 times in 13 posts
    • XA04's system
      • Motherboard:
      • MSI X570-A Pro
      • CPU:
      • AMD Ryzen 5 3600
      • Memory:
      • Corsair 2x 8gb DDR 4 3200
      • Storage:
      • 1TB Serpent M.2 SSD & 4TB HDD
      • Graphics card(s):
      • Palit RTX 2060
      • PSU:
      • Antec Truepower 650W
      • Case:
      • Fractcal Meshify C
      • Operating System:
      • Windows 10
      • Monitor(s):
      • iiyama 34" Curved UWQHD
      • Internet:
      • Virgin 100mb Fibre
    Quote Originally Posted by Famished
    Yeah it was bound to happen, at least they will release a fix in the next day or so I am sure.
    yeah. faster than m$

  4. #4
    Senior Member Kezzer's Avatar
    Join Date
    Sep 2003
    Posts
    4,863
    Thanks
    12
    Thanked
    5 times in 5 posts
    and i've had about 10 people saying to me "hah, not so good now is it?". It was quite funny when they shut up when i asked them "have you seen the IE flaw list?"

  5. #5
    Shunned from CS:S Trippledence's Avatar
    Join Date
    Feb 2005
    Location
    Exeter Uni/Truro Cornwall
    Posts
    1,848
    Thanks
    0
    Thanked
    1 time in 1 post
    Quote Originally Posted by KeZZeR
    and i've had about 10 people saying to me "hah, not so good now is it?". It was quite funny when they shut up when i asked them "have you seen the IE flaw list?"

    A very good point before people start haveing a go. Ive never got around to firefox personaly. Opera does me fine.

  6. #6
    Photographer; for hire!! shiato storm's Avatar
    Join Date
    Aug 2003
    Location
    next door
    Posts
    6,977
    Thanks
    4
    Thanked
    6 times in 5 posts
    well either way peopel are out there looking for flaws, search hard enough and you'll find one. and as stated before the list at m$ is significant!
    Powered by Marmite and Wet Dog
    Light Over Water Photography

  7. #7
    Senior Member
    Join Date
    Dec 2004
    Location
    Bracknell, Berks/University of Kent, Canterbury
    Posts
    205
    Thanks
    0
    Thanked
    0 times in 0 posts
    Stop telling people to use firefox and we'll all stay safe
    Athlon 64 3800+, 6800GT, 2GB GSkill RAM, 120GB + 320GB HDDs, Logitech Z-680 5.1 etc

  8. #8
    Flak Monkey! Dorza's Avatar
    Join Date
    Jul 2003
    Location
    UK - South Wales
    Posts
    1,762
    Thanks
    34
    Thanked
    17 times in 15 posts
    • Dorza's system
      • Motherboard:
      • Asus P5B Deluxe - WiFi
      • CPU:
      • Q6600 @ 3.06Ghz
      • Memory:
      • 2GB Crucial
      • Storage:
      • 500GB Samsung SpinPoint
      • Graphics card(s):
      • Geforce 9600GT
      • PSU:
      • Cosair HX520W
      • Case:
      • LianLi something something or other
      • Monitor(s):
      • Eizo FlexScan S1910 (1280*1024)
      • Internet:
      • 2mb Virgin (when they want to give me that: else 1mb)
    Source BBC Tech news:
    The Mozilla Foundation has said it is "working aggressively" to fix two flaws in its open source Firefox browser.
    Against Microsofts 6 month wait for a fix for IEs "critical Flaws". Thats the simple but huge difference between mozilla and MS. Thats all ill say about the matter.

  9. #9
    TiG
    TiG is offline
    Walk a mile in other peoples shoes...
    Join Date
    Jul 2003
    Location
    Questioning it all
    Posts
    6,213
    Thanks
    43
    Thanked
    47 times in 42 posts
    Heh you miss the other vital point, this was spotted before it was exploited, if it was an IE flaw, you would know it because the internet would have gone slow with all the rogue machines out there being overrun...

    Nimda, code red are two obvious examples of this....

    TiG
    -- Hexus Meets Rock! --

  10. #10
    Ex-MSFT Paul Adams's Avatar
    Join Date
    Jul 2003
    Location
    %systemroot%
    Posts
    1,926
    Thanks
    29
    Thanked
    77 times in 59 posts
    • Paul Adams's system
      • Motherboard:
      • Asus Maximus VIII
      • CPU:
      • Intel Core i7-6700K
      • Memory:
      • 16GB
      • Storage:
      • 2x250GB SSD / 500GB SSD / 2TB HDD
      • Graphics card(s):
      • nVidia GeForce GTX1080
      • Operating System:
      • Windows 10 x64 Pro
      • Monitor(s):
      • Philips 40" 4K
      • Internet:
      • 500Mbps fiber
    Quote Originally Posted by TiG
    Heh you miss the other vital point, this was spotted before it was exploited, if it was an IE flaw, you would know it because the internet would have gone slow with all the rogue machines out there being overrun...

    Nimda, code red are two obvious examples of this....
    Actually, Nimda and Code Red used a blend of vulnerabilities in IIS and IE which had been identified and fixed months before.

    The last place I worked at it was my responsibility to keep the web servers patched and SuS used to keep IE clients patched - I was on holiday when Nimda struck and we weren't affected... I really should have received a bonus for that
    ~ I have CDO. It's like OCD except the letters are in alphabetical order, as they should be. ~
    PC: Win10 x64 | Asus Maximus VIII | Core i7-6700K | 16GB DDR3 | 2x250GB SSD | 500GB SSD | 2TB SATA-300 | GeForce GTX1080
    Camera: Canon 60D | Sigma 10-20/4.0-5.6 | Canon 100/2.8 | Tamron 18-270/3.5-6.3

  11. #11
    Pixel Abuser Spunkey's Avatar
    Join Date
    Nov 2003
    Location
    Milton Keynes
    Posts
    1,523
    Thanks
    0
    Thanked
    0 times in 0 posts
    the end is nigh!! abandon the intarweb!

    The thing is FireFox is unlikely to ever have a really malicious virus spread through it as its seen as a competitor to MS and therefore a friend of the hacking community. The most significant part of that report to me, is that the flaw was found by two grey hat coders. Not real 'f-you-up-good' hackers.

  12. #12
    Administrator Moby-Dick's Avatar
    Join Date
    Jul 2003
    Location
    There's no place like ::1 (IPv6 version)
    Posts
    10,665
    Thanks
    53
    Thanked
    384 times in 313 posts
    SuS used to keep IE clients patched
    We found Sus pretty unreliable as it only seems to work if clients have local admin

    GFI Languard Security Scanner was better for brute forcing patches out
    my Virtualisation Blog http://jfvi.co.uk Virtualisation Podcast http://vsoup.net

  13. #13
    Ex-MSFT Paul Adams's Avatar
    Join Date
    Jul 2003
    Location
    %systemroot%
    Posts
    1,926
    Thanks
    29
    Thanked
    77 times in 59 posts
    • Paul Adams's system
      • Motherboard:
      • Asus Maximus VIII
      • CPU:
      • Intel Core i7-6700K
      • Memory:
      • 16GB
      • Storage:
      • 2x250GB SSD / 500GB SSD / 2TB HDD
      • Graphics card(s):
      • nVidia GeForce GTX1080
      • Operating System:
      • Windows 10 x64 Pro
      • Monitor(s):
      • Philips 40" 4K
      • Internet:
      • 500Mbps fiber
    Quote Originally Posted by Moby-Dick
    We found Sus pretty unreliable as it only seems to work if clients have local admin
    Really?
    I thought it was set to run as a service so didn't run in the user context?
    After setting it up the once I've never had to do it since so I don't know.

    Quote Originally Posted by Moby-Dick
    GFI Languard Security Scanner was better for brute forcing patches out
    Ah, they the guys that produced that network faxing software?
    The name "GFI" rings a distant bell (or klaxon, not sure ).
    ~ I have CDO. It's like OCD except the letters are in alphabetical order, as they should be. ~
    PC: Win10 x64 | Asus Maximus VIII | Core i7-6700K | 16GB DDR3 | 2x250GB SSD | 500GB SSD | 2TB SATA-300 | GeForce GTX1080
    Camera: Canon 60D | Sigma 10-20/4.0-5.6 | Canon 100/2.8 | Tamron 18-270/3.5-6.3

  14. #14
    www.5lab.co.uk
    Join Date
    Sep 2003
    Posts
    6,406
    Thanks
    1
    Thanked
    0 times in 0 posts
    the word 'zelot' springs to mind..

    ms are pretty quick at fixing security holes (and cirtainly dont take 6 months), granted they have had more in the past, but i've not seen a critical one in quite a while now. and as it has been said, f/f has had too small a userbase to be worth attacking up till now (similar to apple).

    and to state that ff is more 'hacker friendly' so won't get hacked, is unfortunately, complete b*llox. utter trite.
    hughlunnon@yahoo.com | I have sigs turned off..

  15. #15
    smtkr
    Guest
    My guess is that this is a windows only vulnerability. As far as I can tell, you have to log in as root to do serioius damage to a linux system

  16. #16
    Resident abit mourner BUFF's Avatar
    Join Date
    Jul 2003
    Location
    Sunny Glasgow
    Posts
    8,067
    Thanks
    7
    Thanked
    181 times in 171 posts
    Quote Originally Posted by 5lab
    ms are pretty quick at fixing security holes (and cirtainly dont take 6 months),
    iirc they actually had some that took nearly a year to be patched,

    MSI P55-GD80, i5 750
    abit A-S78H, Phenom 9750,

    My HEXUS.trust abit forums

Page 1 of 2 12 LastLast

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. Nothing is secure
    By nvening in forum Software
    Replies: 5
    Last Post: 09-05-2005, 11:58 PM
  2. Firefox extensions? And a few questions...
    By SilentDeath in forum Software
    Replies: 8
    Last Post: 08-03-2005, 10:01 AM
  3. Have you done all of your windows updates ?
    By Moby-Dick in forum General Discussion
    Replies: 33
    Last Post: 05-05-2004, 01:23 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •