back to article Attack code for Firefox zero-day goes wild, says researcher

A Russian security researcher on Thursday said he has released attack code that exploits a critical vulnerability in the latest version of Mozilla's Firefox browser. The exploit - which allows attackers to remotely execute malicious code on end user PCs - triggers a heap corruption vulnerability in the popular open-source …

COMMENTS

This topic is closed for new posts.

Page:

This post has been deleted by its author

Badgers

WOW

Longer explanation: Mozilla made millions distributing a crappy insecure browser, we might as well cash in and screw their users too. Adequate road sign, as this is Mozilla, not Toyota.

3
34
Linux

@jmesse

"Longer explanation: Mozilla made millions distributing a crappy insecure browser"

Sorry, for a moment I thought you said "Mozilla" instead of "Microsoft"...

"We've tested it on XP and Vista"

...but does it work on Ubuntu (or any other Linux for that matter)? What about OSX? If not then we know where the problem *really* lies...

3
4
FAIL

@AC (12:10)

"...but does it work on Ubuntu (or any other Linux for that matter)? What about OSX? If not then we know where the problem *really* lies..."

Does the code work if the program (firefox) is not running, or better yet if it's not installed? Probably not, so we REALLY know where it lies.

When a company says it's product is 'the most secure', and spends more than half its annual income on marketing, I'd guess it talks about 'secure' in the anti-terrorism sense. (IE keep claiming safety, and hope people are stupid enough to believe the line of crap)

2
1
Badgers

Wanna bet they reach out...

to companies that can afford to pay before they release an exploit!

Open-source, non-profit organizations would be perfect targets to show proprietary, for profit companies that this company can find and will release exploits.

Perhaps, there should be an International law on disclosing exploits. Should the time frame be two weeks, a month from the time the exploit is handed to the company which owns (created) the code until it is release?

badjers, because this has got me fighting mad - I'm not big on police states and increasing policing powers but if this is not illegal it probably should be.

1
0

This post has been deleted by its author

WTF?

Paid to Shill Much?

*cough* "As efficient as C++ - as safe as Java or .Net" *cough*

Oh dear oh dear oh dear.

6
0
Silver badge

There's a big problem to that.

Safe languages take up resources and time with garbage collection and sanity checking. Thing is, even now with modern multicore CPUs, speed is still an issue (one of Mozilla's criticisms is that it's a bit slow--particularly with ECMAScript). Optimizing coding means eschewing some of the checks and balances.

Think of the safe vs. fast programming problem like the airport security checkpoint problem. They're very much alike in that being too lenient or quick means things get through while being too strict or thorough reduces throughput to a crawl.

0
0

It's not the language

It's the programmer.

17
0
Silver badge
Boffin

Re: There's a big problem to that.

"Safe languages take up resources and time with garbage collection and sanity checking. "

Not necessarily. Garbage collection is not required, just the checking (Pascal and its relatives do not have garbage collection). And it was demonstrated already in the 1970's by some researchers that the cost of runtime checks can be reduced to just a few % when an optimizing compiler is made to take them into account. This requires the checks are integral to the language and compiler, not a bolted-on feature.

In respect to safety, the field took a nosedive when C and its descendants took over from Pascal and its descendants (like Modula and Ada).

11
1
Boffin

Deal ?

I for one would be all for trading some of the rather plentiful hardware horsepower we have today for easier to write, more reliable software; Brinch Hansen, Hoare & al. were pushing this in the 1970s already, apparently convinced that this would be a good deal.

0
0
Thumb Up

@MacroRodent

"And it was demonstrated already in the 1970's by some researchers that the cost of runtime checks can be reduced to just a few % when an optimizing compiler is made to take them into account. This requires the checks are integral to the language and compiler, not a bolted-on feature"

This is just a variant of the Assembler Vs HLL problem. You'd have thought it had died a *long* time ago.

One of Pascal's original aims was to make it run as fast as badly structured languages like FORTRAN (this is early 1970's FORTRAN). It succeded. In the commercial world Ferranti released an ALGOL compiler with substantial error checking. When they asked customers did they want runtime error checking removed to improve speed for 2.0 the customers said no. This was in the 60's, when assembler was pretty much the norm and performance was a real premium.

For the daddy of these contests look at the Space Shuttle systems. Real time control system with *hard* response limits on a processor which flat out managed 400KIPS (that's not a typo).

Benchmarked assembler Vs the HLL gave IIRC at most a 15% performance hit. Despite hardware failures the system has *never* failed in flight. No 178b standard. No TCP/IP stack.. Just an awareness that failure means people will die and a pretty effective compiler for a HLL which fitted the problem domain quite well.

And BTW Microsoft whine about putting a JVM on Windows but what is the "Common Language Environment"? How much of Windows already is running on a VM?

IMHO writing secure, reliable code consistantly (anyone can get lucky once) is *never* an accident. The whole system is only as secure as its weakest link (human, software or hardware). A first rate team with a good understanding of security issues running solid tools and following a painstaking process could still (and my gut tells me probably has) been undermined because a bought in library was actually written by some clueless bong chugging Summer intern.*

However for this to happen it has to be a *management* priority. Someone somewhere has to be responsible for it and get it in the neck if it does not happen.

Anon for the line at the bottom.

*or in one case getting to a Star Trek convention on time.

6
0
WTF?

@joeuro

Sappeur:

"Which platforms are supported at this time ?SAPPEUR currently is available for Intel(R) 32bit 80X86 Processors running Windows VISTA or Ubuntu"

So none then. Clicking on the tab for "Buying" gives a blank screen which tells me that this product isn't finished yet anyway.

The *real* solution is rigorous testing and not falling for any of the traps (as listed yesterday in El Reg's article on 25 potential problems you might accidentally code into your software...)

1
0
Boffin

sappeur?

Isn't that a bit of a giveaway. Sappers traditionally undermine the opposition's position.

1
0
FAIL

Its not that simple

If you think fixing security bugs is as simple as using a different language, I'm afraid you are mistaken. Its perfectly possible, easy in fact, to write insecure programs that leak memory in C#/Java/whatever.

The only way to fix the problem is to write secure code in whatever language you are using.

Incidentally, garbage collection is possible in C++...

3
0
Black Helicopters

C Must Die!!!

Here here! well said. C and C++ are the main cause of this kind of issue. With a proper language you simply can not over run a buffer etc.

Modula 2, now thats and OO language and its good for saftey critical work. Ok, so it didn't have a large take up once windows came along but you'd never have exploited it.

Still, C is the most popular language, so your manager isn't going to be blamed for failier if he choses a less common language.

C as a language suffers primarily from a design floor. It was only ment to port the unix kernal, so its the only language that was designed to make the compiler easier to write. Now since when was that import to an application developer?

C should be buried at Sea!

0
1
WTF?

Speed?

Hahaha, now that just silly and wrong.

Its been proven, look it up. C is not quicker to develope because it takes much longer to debug.

Plus, execution speed will not change much as your not executing the code.

Your thinking Java, and that slow because it not native execution.

As an Ex-Delphi developer I know 100% that if I coded some thing in delphi it would be as fast as if it was coded in C++. This speed argument has been going on for 20 years and its no more true now then 20 years ago.

Good, well writen code is what matters. You honestly think that with multiple giga, multi core machines a little bit of pointer checking matters? For a start, now Mozilla will have to write code to stop the problem.... so shockingly, they will be just a touch slower then not checking. Just more secure.

2
0
Linux

The problem with C / C++

The issue with C and C++ is that they are NOT safe and require programmer and expirience to add the code to cover for this.

Safer languages are not always slower. The solution is a language that is safe by DEFAULT and if required the checks and balances can be disable were required.

You dont spend time optimising the full source tree, that would be an expensive waste you only optimise were the bottle necks are.

Why use a language that is always unsafe just because occasionally it is an advantage?

2
0
Linux

Safty first ? Only after the lawers!

The only time its going to become a *management* priority is when software HAS to be fit for purpose and can not hide behind the "Not fit for any particular purpose" which is the get out of Gail free card.

Once users can sue providers for crap software then and only then will market forces make software reliable and safe.

3
0
Alert

Just to clarify...

I don't mean to say that we shouldn't be looking at higher level languages for these kind of applications, but doing so in the belief that this will solve all, or even many of our security problems is to bury our heads in the sand.

0
0
Anonymous Coward

It's not the programmer... it's the QA process

It's not the language... it's not the programmer... it's the QA process

With the best will in the world, even the best programmer will make a mistake sooner or later. That's why every organisation that develops software should have a QA process that ensures all code is reviewed against a checklist of good and bad development practices (amongst other things).

0
0
Heart

C is a harsh mistress

>If you think fixing security bugs is as simple as using a different language ...

It is not that simple, but using a language/environment where it is not plain possible to e.g. inject code trough causing a piece of code overwrite the machine stack should help. Somehow e.g. insisting on using C for everything smacks of an attitude where the only honourable way of writing software by operating console switches. Silly, that, when we can use the machine itself to do such mundane stuff and save our attention for more important things, such as security.

Mind you, C in itself is an object of my deepest admiration [hence icon] as the language is clean and simple, yet strikes a pretty much optimal balance between portability and low-level access to the machine. The latter, unfortunately, opens the door for a class of nasty bugs. Fortunately, low-level access (and absolute efficiency) is not needed for most work and/or all code.

1
0
Anonymous Coward

RE: C Must Die!!!

Do you possibly do you mean "Design flaw" rather than "Design Floor" (which is just wrong).

1
0
Anonymous Coward

I studied C++ ...

fifteen years ago, and I wasn't that young then, and not only is garbage collection in C++ possible it wasn't very hard to implement.

I only worked/studied in the programming environment for one year and I must say that I'm sorry my opportunities took in other employment directions, but if C++ programmers can't implement proper garbage collection in C++ perhaps there are in the field.

0
0
Stop

All browsers have vulnerabilities!

Will the French and German goverments now be advising their citizens to stay clear of Firefox as well?

2
9
Silver badge

The rate they're going...

...they'll be advising their citizens to cut their Ethernet cords and WiFi antennae and go back to the pre-Net days when the most reliable method of content delivery was the Sneakernet.

1
1

nope

they won't do that at all.

1
0
Silver badge
Happy

Too late!

Thought they were already doing that by cutting off anyone that so much as downloads a gif/jpg they have no copyright on!

1
0
Silver badge

Stands to reason Firefox is getting flack

as it is getting an ever-larger piece of the action, so nefarious people will turn their attentions to it. Safety is valued in terms of what you trust, and how much trust you have.

Would I be safe? ABP&NoScript and I don't "allow" sites at random. If a site fails with NoScript, I usually just find another. I hope the morons that require scripting to follow a clicky-link are paying attention.

Please let's NOT have any references to Opera, Chrome, Safari, or other browsers. Trust me, if said browser(s) had a sufficiently large share, it would be compromised.

14
2
Terminator

about getting flack...

"I hope the morons that require scripting to follow a clicky-link are paying attention."

Perhaps they are, and far too closely.

1
0
Anonymous Coward

So?

You've just pointed out the only reason you need to move away from Firefox. There are of course other reasons, but the only one you actually NEED is that minority browsers don't attract the attention of the black hats.

As for Noscript it's a nice addon but far too intrusive for ordinary Josephines.

0
2
Silver badge
Grenade

Move away from Firefox? (and a security rant)

Why? It works for me. And maybe one day it will be the IE replacer and Opera will have a 33% market share and it will be subject to attacks. So what, all the Opera lovers will ditch it for some other minority browser?

As for the ordinary Josephines, there are countless examples of stupid things ordinary people do that backfire on them. Just last year a girl in her Clio went around a bunch of cars (about seven of us) on a blind bend. 70kph (in a 50 zone) straight into the front of a corn harvester. It would have been epic wreckage had the driver not been up high, seen the car, and stopped. As it was, pieces of Clio and body parts. People are expected to have a clue when hurting around at high speed in soft metal containers. There's fairly rote but nonetheless complex things to remember like starting and stopping, braqking distance, reaction times, changing track on the CD player instead of putting the wipers on, the scary gearstick (which while R is usually opposite 5, the car really would sulk expensively at going from one to the other). Yet everybody does this regularly. Some even know how to indicate correctly on the roundabout. Some <gasp> even pay attention to the Give Way signs.

Why is it, then, that our portal to the online world is "too complicated" and "difficult"? Sure, there's a lot to remember as the Internet provides a lot of different services, and it is further compounded by subtle differences in browsers (but no less annoying than the control sticks by the steering wheel having no standardisation, the one on the left - indicators or headlights? and God help you if your car has more than two!).

Given the level of loss possible (to your wallet, not just trashing your computer), perhaps it is time Josie educated herself and understood why these precautions are necessary. You don't walk in a city alone at night. You don't leave your front door wide open. You don't run scripting from sites you don't know...

[on my mother's profile, I am installing NoScript... ought to be a barrel of laughs, given her previous level of tech was opening the typewriter to change the inky ribbon! but, hell, if she's going to Google crochet and Amish recipes (!?) on my computer, she's going to have to take security seriously and not cop out with "oh, it's complicated" like so many people seem to want to do... after all, getting scammed to hell and back happens to other people, right?]

0
0
Silver badge
FAIL

We've tested it on XP and Vista.

Good work, it's not like there are any other OS's out there.

Oh wait . . .

4
2

That makes 75% of computers (says W3counter)

I'm sure that as far as he's concerned, that's a success.

0
0
Linux

Need more input

It would be nice to know a little more about the mechanics of the exploit.

3
0
Happy

So they charge for it

Open Source has had the benfit of people debugging the code for free for quite a while now, it stands to reason people are starting to go "this is not our product, and no one is paying us to fix what we've discovered. we can either report it and hope someone fixes it (whenever they feel like it), or come up with POC code that exploits it, and if the company whose product is flawed wants to fix it, they can buy a license for the POC code"

Sound fair, to be honest. If you spend time to work out an exploit bug and the people whose program it is don't feel that's worth rewarding, charge them. No one's stopping Mozilla from forking over the same amount of money they charge for anyone else to get their hands on the exploit code. Just because it's open source doesn't mean everyone's an altruist through thick and thin - a little economic dip and anyone who can come up with a good way to generate cash will do so.

To borrow a phrase, the real wtf is that they're the first to figure out that if they sell licenses to exploit code, either the owning company can pay that license in order to stop the exploit, or their product gets blasted. Pretty effective business model really.

5
7
Unhappy

Business models

"pay that license in order to stop the exploit, or their product gets blasted. Pretty effective business model really."

Yes, I think it is called blackmail.

8
1
Flame

You sir are a Knob!

You really think this is responsible, justifiable behaviour? Guys like this make the net *less* secure. What kind of d*ckhead releases details of a remote execution exploit to make a quick buck rather than notifying the software maker. Doesn't matter whether it's mozilla, Microsoft, Apple. That's why there's a responsible in 'responsible disclosure'

Frankly, I hope that the exploit does get exploited by some black hats, then hopefully the marks will sue this shithole of a company into oblivion for negligently releasing details of an attack vector without taking steps to help the developers mitigate the risks.

This guy is scum, and if you think his stance sounds fair, then you can join the ranks of people not worthy of internet access!

5
1

Isn't Firefox 3.6 the current release?

That's what I'm running.

2
2
Silver badge
Stop

Have a look and find out

http://www.mozilla.com/en-US/firefox/upgrade.html

0
0
Thumb Down

Bottoms

"Legerov said his firm does not provide advanced notification to software makers under an arrangement often referred to as responsible disclosure."

So he just flogs the info to whoever wants to pay for it? Black or white hat?

Dear Sarah,

Can we have bullshit icon?

Ta!

5
0
Gates Halo

@Mike Kamermans

Open source?

Mozilla is free to use but its not open source.

0
26
FAIL

@AC 2010-02-19-05:17

you can download the source here.

http://releases.mozilla.org/firefox/releases/latest/source/

you can refer to the open source information here:

http://www.mozilla.org/foundation/licensing.html

"All Mozilla software is open source. This means that it is not only available for download free of charge, but you have access to the source code and may modify and redistribute our software subject to certain restrictions as detailed in our license agreements."

16
0
Anonymous Coward

But...

...they get very arsey if they don't like the modifications. Hence Iceweasel.

0
0
Bronze badge

Firefox is open source, but not Free

Because, yes, they do get upset if you change things and still call it Firefox.

0
0
Anonymous Coward

No they don't

They get arsey if you distribute your modified version with Firefox branding because of the 'defend it or lose it' part of US trademark law. It's an aspect of law with some unfortunate effects for free software, much like patent law. Hence Iceweasel, because it's preferable to Monopoly Firefox, now with added vendor lockin, or AdBroker Firefox with extra spying.

2
0
Silver badge

Not quite

Not quite.

The version that Mozilla distribute in binary form contains proprietary components that are not present in the version that you can build for yourself from Source Code.

1
0
Bronze badge
WTF?

Really?

[citation needed]

0
1
Linux

Linux, linux and more linux

Should be safe on Linux.

And I don't follow dodgy links.

1
2
Grenade

But WINDOWS still remains the target!

Despite the cross platform nature of Firefox, this hole is still a more significant issue for Windows users than anyone else. Last time I checked I was not starting Firefox as root :-) if someone went to the trouble to use the exploit with Linux & Mac they may be able to empty my home directory, but that would pretty much be the limit of it :-)

7
1

Page:

This topic is closed for new posts.

Forums