A Russian security researcher on Thursday said he has released attack code that exploits a critical vulnerability in the latest version of Mozilla's Firefox browser. The exploit - which allows attackers to remotely execute malicious code on end user PCs - triggers a heap corruption vulnerability in the popular open-source …
A good point...
But let's not be complacent - it's not impossible to chain this exploit with a local root exploit. Given the size of the Linux market right now, I'd say it's highly unlikely this would ever get done. If Linux does get a large enough market share for all these kinds of exploits to become profitable I shall be installing a *BSD...
rm -rf ~
"...they may be able to empty my home directory..."
And you would be OK with that?
Re : rm -rf ~
I may be paranoid but I don't run FF or other browsers on my own account - the slight inconvenience of using a password to start the browser is more than compensated by the security of running in an empty account.
Assuming I ran the browser on my own account, the daily backup of the home directories would provide a safety net.
Problem is with the OS
If the OS sandboxed programs in a reasonable way, i.e., by not allowing them to install/run other programs, or to modify themselves, or to read/write files that aren't their own, then all of these security problems would vanish immediately.
The iPhone OS does this for apps and notice that so far no iPhone app has been able to compromise the rest of the system. All of the iPhone security issues have been with jailbroken phones or Apple's weak data encryption.
Extortion by another name?
It's interesting to note that you can only buy access to the exploit after requesting a quote from Intevydis.
Also interesting to note that they're Russian.
You have to wonder if there IS an exploit, and if there is and no-one coughs up who the exploit will be passed on to ...
re: Extortion by another name
Exactly. CANVAS/Vuldisco etc. cost silly money, even more if they don't "approve" of your organisation. They are extremely dodgy people.
On the upside, while it has probably already been used in corporate espionage, various Eastern European organised crime gangs will get careless as it goes further down the food chain, using it to rip off all and sundry via shoddy malware. It's only a matter of time until security researchers who aren't massive f*cking c*ntbags get it, who will tell both Mozilla and the rest of the world, so it can be fixed.
(Sarah, apologies for the outburst. It makes me a little cross, and possibly needs to be said.)
I was thinking the same thing. This Legerov might not want to travel overseas as I can't see how what he is doing is legal anywhere that complies with the rule of law. Apparently Russia is not such a place.
Lack of responsible disclosure procedures should be equated with blackhattery and prosecuted. What an asshat.
Currently the Firefox folk haven't decided there -is- a problem.
Microsoft paid SCO to sue Linux over UNIX properties and hamper its adoption for business for years, maybe they paid this guy, whether there's something there or not... then again, I'm still not quite sure why Bill Gates doesn't just have all these competitors murdered. He's got the money.
Get with the program!
Mozilla have learned from MS
The MS method has always been to deny there is a vulnerability whenever possible until the fix has been released. Of late Mozilla have been following exactly the same protocol.
Quite how anybody goes from "we haven't seen any evidence of this vulnerability" to a fix with no intervening period to develop and test said fix is beyond me.
Started reading the article - looked at my version of Firefox - 3.5.7. Updated it and got 3.5.8 which opened with a web page saying that for security reasons I should upgrade to the latest and greatest version. Did so and now have Firefox 3.6. Changed to Chrome to type this.
Does anyone know of an effective way of communicating my displeasure to dear comrade Evgeny Legerov?
Noticed everyone who gives an honest opinion about FF but negative gets the thumbs down. The Firefox sheep really are a sad and pathetic bunch.
... an honest, negative comment, borne out with evidence. If I saw one, I'd vote it up!
... in an ironic fashion.
...the saddest thing about the FF fanbois is that they always assume that anybody who criticizes FF must be an MS shill. Have they tried all the alternatives and made an informed choice? Or have they just jumped on a bandwagon?
The really strange thing is that most FF fanbois apparently hate MS but run their jesus browser on a MS OS, presumably because they're too dumb to get to grips with an alternative.
Are you reading the same forums?
I kinda thought all the Firefox criticism came from Opera fanbois!
I guess this explains why numerous Firefox fanbois use Windows - we just want the damn browser to work, pretty much out of the box, with minimal time overheads and as little administration as is possible...
Whiners complaining about thumbs down votes
get an automatic down vote from me. Reviewing the down tallies at the time of this post, the one with the most down votes at 22, contained the provably false statement: "Mozilla made millions distributing a crappy insecure browser,..." followed closely by the post with the equally provable statement "Mozilla is free to use but its not open source."
One of the reasons I read the comments on El Reg
is to laugh at the fucktards that post! You have to piss yourself laughing at people claiming to be programmers and vilifying languages, platforms, etc. going on about things like overflows when they can't even spell simple words like "failure".
I mean, come on people! These flaws and vulnerabilities are often caused by circumventing the design process. Proper testing, validation and verification should mitigate most problems with software. However, there will never be the perfect piece of software. Apple fanboi's and Linux guru's - stay down!
I'm not Bill's love child, nevertheless, I do use Windows for certain things like most do. I also use Linux for a lot of things too. In the past I've used AIX and OS/400 where appropriate. This is the entire point. Platforms and languages suited to the task at hand. Testing and verification also suited to the task at hand. I mean there's no point in running Tetris on a super secure OpenBSD box is there?!?!
I don't use Windows myself - I'm a Mac user - that's my choice and if someone else goes the other way, then that's their choice.
I do feel that Duncan's phrase "However, there will never be the perfect piece of software." should be tattooed on the genitals of most of the "one or t'other exclusively" zealots, just to concentrate their minds on pragmatic reality.
Proper testing etc. will as Duncan says, mitigate most problems with software.
That's MOST problems. It's not ALL problems.
No one person, or team will ever have the experience, imagination and time to test modern software for absolutely every contingency - unless we want software's gestation period to go out to several decades. Way back in the '80's, when I installed mini's & micro's for Burroughs Machines, I was often asked to "make this system idiot-proof". I rapidly gained a healthy respect for just how ingenious and inventive idiots could be - and I don't suppose I ever quite achieved the Holy Grail.
Just think how much more involved & complex things are 25 years later!
A pox & a plague on all the blackhat villains and associated ungodly who give us these problems. May all their capacitors bulge, their r/w heads crash and their RAM sockets fail!
except just for the fun of it and if more people took a little interest in computers/computing and actually learned something the Internet might be a little safer.
@ One of the reasons I read the comments on El Reg
' they can't even spell simple words like "failure" '
Hey - could be worse, Duncan, they might not know where to put their apostrophes - as in non-possessive ` guru's `.
"Open source" only means
that the source code is supplied to suitably qualified customers. If Microsoft released all the Windows source code to be read by any customer spending more than $1,000,000, they'd be open source. But the product would not be any better than it is now. You couldn't do anything to improve it. Well... they might accept comments about some spelling mistakes.
You can, however, improve Firefox. But you can't call your version anything that makes it sound like you're directly involved with the Firefox people.
I don't know how many people are currently rolling-their-own from the source code. It can be an interesting hobby.
Your example of Open Source is about as good as saying Windows 7 is free - provided you buy a two hundred euro box to take it home in.
Or were you not aware that "open source" as a phrase has a number of little conditions above and beyond the literal interpretation of those two words?
Try reading http://www.opensource.org/docs/definition.php
Had me confused for a second
"wild", not wild
open source and patch tuesday
"Open source" only means that the source code is supplied to suitably qualified customers.
No it doesn't! Microsoft *does* allow Windows source (at least that source for 2000 that was already leaked) to be read by their few largest customers. It's not open source. Open source includes the right to examine the code, right to modify the code, and right to distribute the code. There have been a few products that have an open source license, that the company will only give the source to their own paying customers -- and that is their right. But, as the products were open source, these customers were free to give that source to ANYONE else they wanted. There've been a few other instances where these companies dual-license (so you could buy the software open-source, or buy it, probably less expensively, under a more restrictive license. This is also their right.) Microsoft was trying to pretend their "shared source" crap was open source for a while, it is not.
@grumpy "Lack of responsible disclosure procedures should be equated with blackhattery and prosecuted. What an asshat."
Mozilla Foundation's been good about it, but I've seen enough groups just sit on security flaws that I think I'd take the discoverer's approach too. Note he hasn't released exploit code, he's not selling or giving it to blackhats. I think "responsible disclosure" is a crock -- if a company has it together they get a patch out within days, if they pull a Microsoft they are stupid and wait until "patch Tuesday".
Notice, he used the phrase...
"responsible disclosure". This would seem to indicate that a company was informed of the exploit but that those who discovered it would be releasing the exploit to the public after a reasonable time. The question is what is a reasonable amount of time?
Fixed it for you...
automated exploitation system sold to security professionals
automated exploitation system sold to anyone willing to pay us money, including black hats, dodgy Russians/Chinese hacking groups, etc.
The Russian Business Network is just that - in it for the money - and they're probably smart enough to invest a bit now and then in new technology. They might even get a rebate from Legerov and perhaps even a hint or two on what's really going on inside the tool, being as he's of the Russian persuasion too and probably quite fond of his kids.
Would it be safe to assume that you would need to visit a website that contained malicious code for this to be effective?
Paris, because she knows malicious sites can get you in to a whole lot of trouble......
Surfing using a live CD...
I've been surfing the net mostly booted from a live CD. In my case using OpenSolaris. Seems like that might be a fairly safe option for people, like me, who just browse some sites and read articles they are interested in. It may be a bit limiting but it's all I need most of the time.
Ubuntu would seem to have a convenient feature for this sort of thing: the Guest Session. The idea is that each session starts with a clean slate (the home directory of user guest is restored to a default state). [This can be activated from the upper right corner menu of the default gnome setup.]
Wibbly wobbly safety
I know it's not easily used by the billions of web users out there but Sandboxie has proved to be a wonderful program for me. It can easily be used to sandbox a browser, including firefox, and as far as I humbly know, prevents the siege of nasties. Is this an exploit that circumvents my primary guardian, NoScript? Or is this a dodgy enterprise intending to pimp half-baked exploits?
Decided to run Firefox in Sandboxie - which is now 64-bit OS compatible - until this is all over. Might just continue to do that anyway; there's always something on the horizon.
"If the OS sandboxed programs in a reasonable way, i.e., by not allowing them to install/run other programs, or to modify themselves, or to read/write files that aren't their own, then all of these security problems would vanish immediately."
Even though I agree that OS-based sandboxing is a very good idea it does not fix all kinds of problems. SE Linux and AppArmor are indeed a good idea. So is the sandbox of the new IE.
Yet... it is not a panacea.
Imagine first visiting www.evil.com and then www.barclays.com. Evil.com will install nastyware into your running browser instance and from that point on transmit your banking details to www.evil.com. The OS sandbox cannot do anything against that threat.
The nastyware might even be able to install itself persistently by means of a buffer overflow in something like the browser's caching, cookie or bookmarking system.
Maybe a well-designed sandbox especially for browsers could work around this (by setting up sandboxes for each www server), but the general problem persists, that a sandbox can only contain, but not avoid risks.
Imagine the malware completely re-rendering the browser window - displaying "I am www.rbs.com, please enter banking credentials now". This certainly requires the cooperation of the user, but we know that inexperienced people often fall for this kind of trick.
So, OS sandboxes are indispensable in a defense-in-depth strategy, but a safe programming language is absolutely useful as a second layer of defense. Not allowing a buffer overflow in the first place is definitely better than just containing malware.
Forts have deep ditches, high and thick walls, special geometry and big guns. Just relying on high walls is not sufficient.
And no, checking array bounds and using smart pointers is not really a significant performance-penalty, while GC languages like Java and .Net are indeed performance hogs.
Pascal/Delphi demonstrated that to a large degree. It is a sign of widespread unprofessionalism that well-trained software engineers still use C/C++, while knowing about these issues very well.
Despite the fact that one can still screw up with a safe language, it definitely would be good practice to use them, because low-level issues like buffer overflows are responsible for more than 50% of all security issues.
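The post above argues that refusing the overflow in the first place beats containing it afterwards, and that a bounds check costs almost nothing. As an added illustration, not code from the article, from Mozilla or from any commenter, here is the shape of the bug on a heap-allocated record next to the bounds-checked version. The struct layout, the field names, the `session_*` function names and the sample strings are all assumptions made for this example; nothing here is drawn from the Firefox bug the article describes.

```c
/* Added example (not from the article or the thread): a fixed-size field on
 * a heap object written without a length check, beside the checked version
 * that refuses oversized input. Layout, names and inputs are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 16

/* A heap-allocated record. The name field sits immediately before a privilege
 * flag, so overrunning name silently rewrites admin; a longer overrun walks off
 * the end of the allocation into heap metadata or a neighbouring chunk. */
struct session {
    char name[NAME_LEN];
    int  admin;           /* 0 = ordinary user, nonzero = admin */
};

struct session *session_new(void) {
    struct session *s = calloc(1, sizeof *s);
    if (s == NULL) abort();
    return s;
}

/* Vulnerable: strcpy copies until it finds a NUL and never consults NAME_LEN.
 * Input of 16 bytes or more overflows name. Calling this with oversized input
 * is undefined behaviour; it is kept only to show the bug's shape. */
void session_set_name_unchecked(struct session *s, const char *src) {
    strcpy(s->name, src);
}

/* Hardened: measure first (without reading past NAME_LEN bytes of src),
 * reject anything that does not fit together with its terminator, and only
 * then copy with an explicit bound. Returns 0 on success, -1 on oversized
 * input, and leaves the record untouched in the failure case. Rejecting
 * rather than truncating avoids silently storing a different name. */
int session_set_name_checked(struct session *s, const char *src) {
    size_t n = 0;
    while (n < NAME_LEN && src[n] != '\0')
        n++;
    if (n >= NAME_LEN)          /* no room left for the NUL: refuse */
        return -1;
    memcpy(s->name, src, n);
    s->name[n] = '\0';
    return 0;
}

int main(void) {
    /* 19 bytes plus NUL fill the whole 20-byte struct: name gets 16 'A's and
     * admin gets the bytes "AAA\0", i.e. a nonzero value. (Constructed input.) */
    const char *too_long = "AAAAAAAAAAAAAAAAAAA";
    struct session *s = session_new();

    session_set_name_unchecked(s, too_long);
    printf("unchecked: admin flag is now %d (expected 0)\n", s->admin);
    free(s);

    s = session_new();
    int rc = session_set_name_checked(s, too_long);
    printf("checked:   rc=%d, admin flag still %d\n", rc, s->admin);
    rc = session_set_name_checked(s, "alice");
    printf("checked:   rc=%d, name=\"%s\"\n", rc, s->name);
    free(s);
    return 0;
}
```

The checked variant is what a "safe language" gives you for free on every array access; in C it has to be written by hand at every copy, which is exactly where the thread's 50% figure comes from.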
"Would it be safe to assume that you would need to visit a website that contained malicious code for this to be effective?"
My lord, I am afraid it would probably be effective for whatever malicious piece of html you viewed with firefox. I suggest you do not visit any websites except theregister.co.uk and that you do not view any html Email, except those of Colonel Waitlove, Countess Mildmanner and Baroness Mudslinger.
Opera users get to have a huge gloat at all the morons that jumped on Firefox because Mozilla told them it was more secure than Internet Explorer...
Just a bunch of Russian asswipes
Deliberately releasing trouble to show how clever they are?
Sounds like another pre-pubescent Russian asswipe script jockey kid.
Bring back Stalin
the definition of open source
open source means whatever the person damn well wants it to mean. some people mean it's got an OSI-appoved license, some people have wider or narrower or totally different criteria
the MS-PL (OSI approved) has no stipulations on the availability of source code, for example (and is more about protection from patent comeback and preserving attribution) and is only an open source license by the OSI definition if it's attached to source code
In general, malicious code can be planted on many innocent web sites - unless their own security is state-of-the-art. For instance, even some browsers' handling of picture files such as JPEG has been a route of attack in older versions. So a web site that lets people upload JPEGs could unintentionally distribute malicious code to other visitors. And then too there's actual hacking of innocent sites to make them dangerous. And interference with the domain name service, to make malicious servers be the ones that your own computer communicates with instead of genuine safe sites.
But are we still waiting to hear whether this particular story is true or false?
Does this mean the German Government will recommend not using Firefox like they did with IE?
I think not...
No, hang on, Secunia
If Secunia records a problem, is it real? Or just an alert, without verification of a real problem?
(Firefox on 3.6 still, why izzit reported for "3.6.*" ? Perhaps including next development edition.)