Zero-day security flaw leaves Firefox wide open

Security researchers have disclosed a zero-day vulnerability in the latest version of Firefox that gives miscreants complete control of Windows-based computers when the Mozilla browser visits a booby-trapped website. The vulnerability resides in the way Firefox handles uniform resource identifiers, the protocols that allow the …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    No need for NoScript (it's a nice extension though)

    It should be sufficient to set all the network.protocol-handler.warn-external.* variables to true in about:config.

  2. Ed

    Doesn't work

    Couldn't get any of the examples to work on the latest firefox... Seems pretty unreliable.

  3. Don Pedro

    This is a Windows problem

    This URI problem is a result of the OS being unable to handle/sanitize requests properly. Letting any application (bugs and all) register itself as an arbitrary URI handler is kind of wacky at best. It's doubly dangerous because it happens without notifying the user.

    Please make it clear that this "Firefox problem" doesn't happen on any OS other than MS Windows. Then we can correctly judge if the application or the OS is to blame.

  4. Steve Roper

    @ No need for NoScript

    The first poster is correct; I tested the exploit on the site mentioned in the article and it did indeed operate as stated. When I went into about:config and set all of the network.protocol-handler.warn-external values to true (all but the first are false by default) and returned to the test site, Firefox issued a warning after clicking on the test links. Of course, if you ignore the warning and click OK anyway, then you still get attacked, but it does work as stated by the first poster and gives you a chance to abort the process.

    I noticed that these exploits work by launching an application that's already installed on your machine (in the case of the test site, Windows calculator is launched through a command console), so this exploit could only really work if your machine has already been compromised by malware.
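The about:config change the first poster recommends and Steve Roper confirms, as an added example that is not part of any comment in this thread and not Mozilla's code. It writes the settings as a user.js file (which Firefox applies at every start, unlike a one-off edit in about:config) and audits a prefs.js text for schemes that would still launch an external handler silently. The scheme list and the use of the network.protocol-handler.warn-external-default pref are the author's assumptions; the thread only says "all the network.protocol-handler.warn-external.* variables".

```javascript
// Added example, not code from the thread or from Mozilla: generate the
// about:config settings the first poster describes as a user.js file, and
// audit an existing prefs.js text for schemes that would still launch an
// external handler without a warning.

// Assumption: the thread says to set "all" warn-external.* prefs; this is
// the author's list and should be extended to whatever about:config shows
// on the machine being hardened.
const SCHEMES = ["mailto", "news", "nntp", "snews"];

// Lines for user.js (read at startup, overriding prefs.js each time).
function warnExternalUserJs(schemes = SCHEMES) {
  const lines = schemes.map(
    (s) => `user_pref("network.protocol-handler.warn-external.${s}", true);`
  );
  // Assumption: warn-external-default covers schemes with no per-scheme entry.
  lines.push('user_pref("network.protocol-handler.warn-external-default", true);');
  return lines.join("\n") + "\n";
}

const PER_SCHEME_RE =
  /^user_pref\("network\.protocol-handler\.warn-external\.([A-Za-z0-9+.-]+)",\s*(true|false)\);$/;
const DEFAULT_RE =
  /^user_pref\("network\.protocol-handler\.warn-external-default",\s*(true|false)\);$/;

// prefs.js only stores values the user changed. The thread says all but one
// per-scheme pref default to false, so a scheme absent from prefs.js is
// treated here as "silent" (assumption; confirm in about:config).
function auditPrefs(prefsText, schemes = SCHEMES) {
  const explicit = new Map();
  let defaultWarn = null;
  for (const raw of prefsText.split(/\r?\n/)) {
    const line = raw.trim();
    let m = PER_SCHEME_RE.exec(line);
    if (m) {
      explicit.set(m[1].toLowerCase(), m[2] === "true");
      continue;
    }
    m = DEFAULT_RE.exec(line);
    if (m) defaultWarn = m[1] === "true";
  }
  const warned = [];
  const silent = [];
  for (const s of schemes) {
    (explicit.get(s) === true ? warned : silent).push(s);
  }
  return { warned, silent, defaultWarn };
}

// Constructed sample prefs.js fragment, not taken from any real profile.
const SAMPLE_PREFS = [
  'user_pref("network.protocol-handler.warn-external.news", true);',
  'user_pref("network.protocol-handler.warn-external.mailto", false);',
  'user_pref("network.protocol-handler.warn-external-default", true);',
  'user_pref("browser.startup.homepage", "about:blank");',
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log(warnExternalUserJs());
  console.log(auditPrefs(SAMPLE_PREFS));
}
```

Drop the generated text into user.js in the profile directory; auditPrefs run over the profile's prefs.js afterwards should return an empty silent list for every scheme you care about.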

  5. Shadow Systems

    FireFox + NoScript = Safer than IE.

    Running IE is already a security risk akin to driving over the speed limit sans safety belts, your eyes closed, & facing the wrong way in the seat.

    Even if you decide to run IE in a SandBox (a virtual environment designed to stop malware's ability to infect the system it's being run on), the malware is being programmed to figure out it's being run in one & actively defeat said security measures.

    Just do yourself a favour - install FireFox & the NoScript extension.

    99.999% of all the exploits no longer apply to you simply because, if you don't approve the site TO run things like ActiveX, Flash, Java, JavaScript, WindowsScriptingHost, or the URI links, then *they can't harm your system*.

    There's no SandBox for them to defeat, because your system never runs them in the first place.

    So it comes as NO surprise that the Editors had to DISable the NoScript functionality in order to verify that the demo links did as they claimed - NoScript refused to let the exploits run until they turned NoScript off!

    How much more proof of the security & viability of FF+NS do you need?

  6. Dan Goodin (Written by Reg staff)

    Re: @ No need for NoScript

    Steve,

    Although all the PoCs only launch calculator, Billy Rios assured me that an exploit very easily could run ANY code of an attacker's choosing, not just executables already loaded onto a machine's hard drive.

  7. amanfromMars

    A Patch to a Dyke is a WakeUp Call for a New Defence System?

    "Mozilla's security team is aware of the flaw, which was reported on the Billy (BK) Rios blog, and is working on a patch, a spokesman for the open-source organization said."

    Strange that it is not considered as a facility which works on any and all OS? Don Pedro is not right to think that it can be OS specific whenever it is OS agnostic....... for that would be to think that it is limited in what IT can do, rather than Enabled in an Enlightened and Enlightening Space.

    And the added subtlety whenever the URI is both Uniform and Universal ensures that it is so versatile.

    And it is very misleading to assume and state that just because it triggers "interest" in a resource that can compromise systems that it is malware, for an Intelligently Designed packet of Information/Code/MetaData will merely explore exploitation of the malconfigurations which have been stealthily programmed into the OS from its very inception/before even its conception as well as tinkering with the vulnerable elements supplied by third party use and abuse.

    And that makes it much more the Virtual Scenario White Knight galloping 42 Slay the Dragon than a wicked Uncle Ernie delving below the sheets to fiddle about. And those daring Dan Dare MiSISions are always going to be as 42 Rescue the Damsel in Distress......with ITs Total Addiction to her Gratification as AIReward.

    Man has no Defence against such Attacks ....and neither do his Computerised Systems........ but all that they do, is to Prompt Internal Reconfiguration..... Self Healing via Virtual Means/MetaData Flows.

    Per Ardua ad MetaAstra....Een Team, een Taak.

  8. Anonymous Coward

    If....

    If it is the responsibility of the receiving application to validate all incoming data (Microsoft's argument for passing the buck for IE infecting Firefox) then

    (1) Are developers to also assume that Windows XP/Windows Vista et al are alien "applications" that cannot be trusted? No, the developer would not be able to effectively write programs if that were the case. Every call to the OS to obtain a handle of some sort would need to be called in two ways to make sure there's no rootkit issue. OK, now cast your mind back. Didn't Microsoft once say that IE was an integral part of the OS that couldn't be removed? So where does the developer draw the line?

    (2) If Firefox were to pass something dodgy back to the OS, then surely the OS has to also accept a similar responsibility? In other words, shouldn't the OS do similar validation checks?

    The answer really should be that a computer OS should be designed in a hierarchical way. The responsibility for security should lie solely with the OS - the OS cannot expect any app to be 100% legit because these apps are written by third parties who may have unethical intentions. I say "should". Unfortunately it is anything but true, and this is why we are in the mess we are in today.

  9. Anonymous Coward

    noscript is not stopping this

    Running Firefox 2.0.0.5 on XP SP2, with xs-sniper.com set to untrusted, NoScript 1.1.6.08 is not blocking this. Thankfully I always run with about:config configured as above anyway.

  10. Ivan Jones

    A simple solution

    Want a simple, generic solution to this problem?

    NEVER browse the Internet under Windows with anything more than basic user privileges, especially when logged in with Admin privileges. Targeting just the specific processes of high-risk applications such as IE and Firefox so that they run under the security equivalent of a limited user will SIGNIFICANTLY reduce the attack surface for all kinds of (un)known exploits, including this one.

    For more info, see the blog by Michael Howard. http://blogs.msdn.com/michael_howard/archive/2005/01/31/363985.aspx

    The principle applies to any Internet-enabled application including IE, Firefox, Acrobat, Media Player, QuickTime, iTunes etc. The joy is that even with this added level of protection, you can still be logged on as an administrator and perform other tasks as normal.

  11. Anonymous Coward

    Again?

    Or, y'know, just use Opera. It's not perfect, but it seems a tad more robust than everyone's favourite open-sores browser ;)

  12. Anonymous Coward

    Re: @ No need for NoScript

    Strangely enough - I have NoScript installed but the exploit works...

  13. Jon

    Unnecessary superlatives

    A "zero-day flaw" - what exactly do you mean by this, apart from getting a threatening headline?

    A zero-day exploit, fair enough - that's an exploit that's in the wild that is using a previously unknown security flaw.

    This has been discovered by researchers, communicated to the developers and a work-around is available. There's nothing zero day about this.

  14. Morten Ranulf Clausen

    No previous compromise necessary

    cmd /c is all you really need...

  15. Phill Sacre

    NoScript

    Hmmm. I just tried the PoC site, with NoScript installed, and the site was able to launch Calculator.

    Then I updated to the latest version of NoScript, and it seems to block that exploit now. So it's worth checking if your NoScript is the latest version.

  16. Paul Stimpson

    Validation is common sense

    I make no secret of the fact that I dislike IE and consider using it to be a security risk. This is, however, one time when I kind of agree with MS.

    When I was taught to code one of the pearls of wisdom I was given was "Never trust input data you didn't generate yourself, errors happen, always check it." This seems like common sense to me, particularly when external programs can get version upgrades which may change their behaviour from the version you developed against.

    Mozilla was born from a group of people who probably didn't like IE very much and I'm sure would probably tell you how bad it is if you asked. That being true if Mozilla put their code on Windows and chose to accept input from every program under the sun without validating it then, even though those programs should behave better, I consider it Mozilla's fault. Come on guys, you're better than that. Bullet-proof your code.
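Paul Stimpson's point above, that the receiving program should check what it is handed before acting on it, as an added example that is not part of the thread and not Firefox's code. It is a gatekeeper a browser could run on a page-supplied URI before passing it to an externally registered handler: an allow-list of schemes that may leave the browser at all, a check that the rest of the URI uses only RFC 3986 characters, and a check that nothing a handler's command-line parser would treat specially survives percent-decoding. The allow-list, the length cap and the set of rejected decoded characters are the author's choices, not anything the article states about the actual flaw.

```javascript
// Added example, not Firefox's code: validate a URI coming from a web page
// before it is handed to an external protocol handler.

// Schemes this gatekeeper is willing to pass to an external program.
// Assumption (author's choice): anything else, including schemes registered
// by third-party software, is refused until explicitly added here.
const EXTERNAL_SCHEME_ALLOWLIST = new Set(["mailto", "news", "nntp"]);

// RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
const SCHEME_RE = /^[A-Za-z][A-Za-z0-9+.-]*$/;
// Everything after the scheme must be unreserved, reserved or pct-encoded.
// Space, double quote, backslash and control characters are not in the set.
const URI_CHAR_RE = /^(?:[A-Za-z0-9\-._~!$&'()*+,;=:@\/?#\[\]]|%[0-9A-Fa-f]{2})*$/;
// After percent-decoding, refuse bytes a command-line parser could read as
// argument boundaries or quoting (author's assumption about handlers).
const DECODED_FORBIDDEN_RE = /[\x00-\x20\x7f"\\]/;
// Author's choice: a generous cap that still stops absurd inputs.
const MAX_URI_LENGTH = 2048;

function classifyUri(uri) {
  if (typeof uri !== "string" || uri.length > MAX_URI_LENGTH) {
    return { ok: false, reason: "not a string or too long" };
  }
  const colon = uri.indexOf(":");
  if (colon <= 0) return { ok: false, reason: "no scheme" };
  const scheme = uri.slice(0, colon).toLowerCase();
  const rest = uri.slice(colon + 1);
  if (!SCHEME_RE.test(scheme)) return { ok: false, reason: "malformed scheme" };
  if (!EXTERNAL_SCHEME_ALLOWLIST.has(scheme)) {
    return { ok: false, reason: `scheme "${scheme}" not allowed for external handoff` };
  }
  if (!URI_CHAR_RE.test(rest)) {
    return { ok: false, reason: "character outside RFC 3986 set" };
  }
  let decoded;
  try {
    decoded = decodeURIComponent(rest); // throws on bad UTF-8 such as %FF
  } catch (e) {
    return { ok: false, reason: "invalid percent-encoding" };
  }
  if (DECODED_FORBIDDEN_RE.test(decoded)) {
    return { ok: false, reason: "decoded form contains quote, space or control character" };
  }
  return { ok: true, scheme, uri: `${scheme}:${rest}` };
}

// Constructed inputs, not taken from the PoC site.
if (typeof require !== "undefined" && require.main === module) {
  for (const u of ["mailto:alice@example.com", 'mailto:a@b.com" -x', "mailto:a%22b", "calc:1"]) {
    console.log(u, "->", classifyUri(u));
  }
}
```

The order matters: the allow-list check comes before any character check, so an unexpected scheme is refused regardless of how clean its payload looks, and the decoded check catches what the raw check cannot see.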

  17. Nigel R

    Proof of Concept link always succeeds in launching OE even with NoScript installed

    Strange, while a host of blocked JavaScripts show up on The Register's site, landing on xs-sniper.com does not show any scripts active. Can click on the proof of concept link, e.g. the news one, and it gets as far as launching Outlook Express - then maybe it seems to fail due to a "Not Recognized Format" error.

  18. Anonymous Coward

    Administrator Privileges Required?

    Is the exploit still effective if you aren't "running with administrator privileges"?

    A judicious psexec.exe -l "anything that connects to the web" surely is in order?

  19. Anonymous Coward

    Won't get fooled again

    There's not a week goes by without yet another Firefox security chasm being discovered. It's no different to IE at the end of the day.

    Let's see how secure Firefox 1.00 still is on the web in 10 years time. If it was as secure as they said it was, it would just lack new features rather than be unsafe, right?

    Yeah...

  20. Dillon Pyron

    Firefox patches vs. Internet Explorer patches

    So we'll probably see a patch for this vuln by the end of today. When will we see a patch for the next IE vuln? In a month or so?

  21. Anonymous Coward

    Won't get fooled again - really!

    Bit Fiddler:

    You sound like an idiot who has no clue about security or, worse, a Microsoft shill.

    Proper security is an evolving _process_ based on many layers, e.g. NoScript is a security layer which all Firefox users should have; restricted accounts, anti-virus, firewalls and NAT routers are other layers.

    Don't expect applications to be 100% secure on their own, especially complex, interactive, pluggable software like browsers, which can be quite tough to secure, especially fatally insecure crud like IE!

    Mozilla and the authors of security plugins like NoScript and Adblock are doing a far better job overall than Opera and Microsoft, and tend to fix issues very quickly!

    A lot of these new security issues are being aggressively searched for by very smart security professionals, to make honest money and reputation, better they find them and force a fix before criminals find them and wreck your machine!

  22. Anonymous Coward

    Re: None of them received a hero's welcome.

    In response to the person above who unfortunately had to withhold their name, it's all very simple. If it's secure, it's secure. If Firefox 1.00 was as safe as they claimed then it would be perfectly safe to use in 10 years' time. It may lack new features and there may be holes in the underlying operating system that are patched along the way, but there shouldn't be holes in the browser itself that render it unsafe. I say this only because of the great hype generated by Mozilla about security - live by the sword, die by the sword, and all that.

    Firefox 1.00 is, of course, already very unsafe and it was only out a couple of years ago. And Opera and Safari have much better track records in security than Firefox and IE, it's a statistical fact (just browse the stats on the Secunia website) that can only be overcome by the religious fervour of fanbois. Another fact is that Mozilla made fun of the 'patch' system IE uses and released complete versions until of course they rocketed through 1.0.xx releases due to regular security holes being discovered. Then they switched to the patch system which they said was 'an improvement', since which the number of security holes and patches continues to climb through double figures.

    But, them's all just browsers and it's the weekend, so chill. Though understand that when someone stands up and claims to be the world's most intelligent person and then starts to get the pub quiz questions wrong, they're going to get more stick than those who just did their best...
