Services Products About us Partners Investment Training & Internship Recruitment Contacts Tiếng việt
0-Day Exploit for Critical Firefox Vulnerability Released (28/03/2009 - 0:00:49 AM)

[Softpedia] The release of proof-of-concept exploit code for an unresolved critical bug that allows for remote arbitrary code execution on the latest stable version of Mozilla Firefox has put developers on alert. A fix will be included in the 3.0.8 version of the browser, which is scheduled for release in a few days.

The vulnerability is described on SecurityFocus as a "Boundary Condition Error" and allows an attacker to execute potentially malicious code by calling a malformed XML file from a Web page. Parsing a specially crafted "root" XML tag in an XSL file results in a memory-corruption error.

These drive-by types of attacks have become the weapon of choice for many of today's malware distributors. Cross-site scripting (XSS) weaknesses are used to inject rogue exploit-serving IFrames into legitimate pages. These exploits target vulnerabilities in popular software such as Adobe Reader, Flash Player, or the browsers themselves.

This particular vulnerability affects multiple versions of Firefox running on all operating systems and exploitation failure results in a denial of service condition. Guido Landi is credited with publishing the PoC exploit code on March 25, 2009, however it looks like the bug is much older.

A user identified only as "andre" reported the same flaw on Ubuntu's Launchpad on July 31, 2008. It was then subsequently picked up and reported to Mozilla by Michael Rooney on October 15, 2008, and a patch for it was even coded by a developer named "Martin," but for some reason it was never deployed. "This bug seems to have fallen through the cracks, not sure what bugzilla incantation is the right one to get it noticed again, so asking for review of changed patch," Martin wrote on February 14, 2009.

"The past few months have been extremely hectic at Mozilla as we've tried to push Firefox 3.5 out the door and there has been a conscious effort to focus on bugs that directly block the release (i.e. blocking1.9.1+). Unfortunately, nobody noticed the severity of your bug and in the heat of the moment when the 0-day vulnerability hit the waves, that same nobody (of which I'm a part, not ducking responsibility) looked for a duplicate bug that might already contain a patch," Blake Kaplan wrote to Martin after a new bug report and patch had been created.

The fix for the issue will finally be shipped out to users as part of Firefox 3.0.8, which is described on Mozilla Wiki as "a high-priority firedrill security update to Firefox 3.0.x." According to the Wiki article, Firefox 3.0.8 will be released between March 30 and April 1.

The execution of arbitrary code can be prevented until 3.0.8 is out by using the NoScript Firefox extension, which blocks JavaScript code on Web pages by default. "[...] Reliable exploitation requires scripting to 'spray the heap,' i.e. to inject the malicious payload at the right places of your memory for execution," Giorgio Maone, the creator of NoScript, explains. However, disabling JavaScript will not prevent Firefox from crashing.


Canonical Announces Ubuntu Server Training Course (24/03/2009 - 21:21:45 PM)
Viet Nam government to use open source stuff (06/01/2009 - 12:12:58 PM)
Nhan Corp to actively join the GNOME.Asia Summit 2009. (08/10/2009 - 19:19:43 PM)
SystemRescueCD 1.3.0 Has Linux Kernel 2.6.31 (15/09/2009 - 21:21:55 PM)
Windows 7 Sins: The case against Microsoft and proprietary software (30/08/2009 - 16:16:07 PM)
Windows Loses Money, Linux Nears the $1 Billion Mark (26/08/2009 - 16:16:08 PM)
40 Years of Unix (22/08/2009 - 23:23:05 PM)
Computex 2009: Ubuntu Moblin Remix Announced (05/06/2009 - 16:16:25 PM)
Windows 7 putting users at risk (08/05/2009 - 17:17:03 PM)
Linux Kernel 2.6.29 Includes the Btrfs Filesystem (28/03/2009 - 0:00:54 AM)
0-Day Exploit for Critical Firefox Vulnerability Released (28/03/2009 - 0:00:49 AM)
Nhan Corp completed Heineken Green Planet website for Heineken (24/08/2010 - 13:13:52 PM)
Nhan Corp has done Dam Me Ghi Ban website for Tiger Beer (24/08/2010 - 13:13:42 PM)
National holiday notice (22/04/2010 - 14:14:58 PM)
Holidays notice (28/12/2009 - 22:22:31 PM)
Nhan Corp welcomes new staff (08/10/2009 - 19:19:40 PM)
Nhan Corp welcome new employees (22/08/2009 - 23:23:08 PM)
Nhan Corp to join "Earth Hour" (27/03/2009 - 23:23:35 PM)
Off for Vietnamese Tet Holidays (06/01/2009 - 12:12:49 PM)
© 2007 - 2015 Nhan Communications Corporation Services | Products | Abouts | Partners | Investment | Training & Internship | Recruitment | Contacts