Exploit Released for Firefox, Netscape Flaw

Computer code that could let attackers take complete control over computers cruising the Web with unpatched versions of the Firefox Internet browser has been released, so if you're using Firefox and haven't upgraded to the latest version, do it now.  The exploit also applies to the latest version of Netscape, but Netscape has not yet released a fix for this problem.

This is not your run-of-the-mill proof-of-concept exploit code. It appears to be quite comprehensive, and any attacker could use it with only slight modifications. According to the advisory, the code is designed to be embedded in a Web site so that any computer visiting the evil site with Firefox or Netscape would open up a line of communication with another Internet address of the attacker's choice, effectively letting the bad guys control the victim computer from afar.

Dave Kennedy over at Cybertrust had roughly the same impression that I did about the severity of this exploit and flaw.

"If this were [Microsoft's Internet Explorer], I'd expect to see [the exploit] in spyware," Kennedy said. "With Firefox it's possible someone could try to make a point by doing something big."

Kennedy was referring to the heated debate in the security community over whether Firefox is any more secure than IE, a debate fanned by the release last week of a report pointing out that Firefox has fixed twice as many security flaws as IE so far this year.

If you haven't upgraded to the latest version of Firefox, you can get it here.

By Brian Krebs  |  September 22, 2005; 10:39 AM ET
Categories:  Latest Warnings  

Comments

Why is it that the simple solution is to just upgrade to the latest version, rather than an expose on why software was released in a vulnerable form?

Posted by: outfoxed | September 22, 2005 11:38 AM | Report abuse

If this was IE, all the geeks/MS haters/media would be having a field day.

Posted by: Wanax | September 22, 2005 12:01 PM | Report abuse

I have firefox 1.5 beta. Do I need a patch? Is there even one available?

Posted by: boz | September 22, 2005 12:12 PM | Report abuse

There is no such thing as invulnerable software. Our only protection is vigilance, or else disengagement.

Posted by: infoxed | September 22, 2005 1:21 PM | Report abuse

Does this Firefox warning apply to Mac users as well? Or just PCs? I'm not clear and it seems things don't always apply to both.

Posted by: shrlckhlms | September 22, 2005 2:04 PM | Report abuse


This potential exploit was fixed about 2 weeks ago with a patch or manually with a few mouse clicks.

It is very important to note that this is a theoretical vulnerability since no one has ever created a successful exploit.

Posted by: TechMason | September 22, 2005 2:12 PM | Report abuse

The vulnerability itself I believe applies on Mac versions of the browser. The exploit however does not.

Posted by: Brian Krebs | September 22, 2005 2:23 PM | Report abuse

Could you distinguish the risk of using "Mozilla 1.7.1" VS. "Firefox 1.0.7" as recommended here? They both appear to be Mozilla products, and my Mozilla 1.7.1 carries a 2004 copyright date. Is the bug that threatens older versions of Firefox also a risk for my Mozilla 1.7.1?

Posted by: Randy | September 22, 2005 3:55 PM | Report abuse

I'm very glad to hear that the Firefox team has fixed more bugs this year than the IE team. This reassures me that I am truly correct in my decision to use Firefox exclusively.

So, Brian, what is the flaws reported vs flaws fixed ratio for both Firefox and IE? That would be an insightful comparison whereas the statements made here are simply, in your own words, fanning the debate.

Posted by: perplexedInCA | September 22, 2005 4:03 PM | Report abuse

"an expose' on why software was released in a vulnerable form" wouldn't be very interesting, since all complex software written by humans contains security vulnerabilities.

Posted by: theo | September 22, 2005 4:05 PM | Report abuse

I just had a most disconcerting experience. I just installed the updated Firefox (as recommended), even though I already have Mozilla 1.7.1 and have generally been satisfied. I now have both, plus IE (6.0.2900.2180.xpsp_sp2_gdr...) installed.

HOWEVER, I was only running Firefox and Mozilla, when I suddenly got an unprompted opening of IE "spam site" (some junk called NationalIssuePanel offering gifts of $500 IF I give my e-mail).

What's up with that?

Posted by: Randy | September 22, 2005 4:14 PM | Report abuse

To Boz: According to this thread (http://forums.mozillazine.org/viewtopic.php?t=320898&sid=64964a027c356db5023c78252ec1809b) over at Mozillazine.org, the 1.5 beta of Firefox is also vulnerable to this. Apparently, the latest branch builds for the beta can fix this problem. See the thread for links.

Posted by: Brian Krebs | September 22, 2005 4:15 PM | Report abuse

Is FireFox more secure than IE? That's like comparing Washington Apples with Fuji apples. Both are the same but different. The answer is NO, FireFox is NOT more secure than IE. Why? There are two inherent reasons:

1) The software development process as a whole is flawed. When there are people involved, things break. And software is written by people. Software development is so complicated, it's unimaginable that people won't make mistakes. So, comparing security of browsers is like asking: are the people behind Mozilla better coders than the people at Microsoft? And of course, I'd say NO. Where Microsoft has an advantage is they have much more financial resources than these "open source" developers. If they really wanted to (and they have been pretty serious about it), they'll throw money at it and that helps.

2) Security of a software is inversely proportional to the popularity and AVAILABILITY of that software. This is probably otherwise known as security by obscurity in the security community. Why is Windows the most often hacked platform? Simply because there are hundreds of millions of PCs with Windows on it. When hackers can easily get their hands on software, they have access to finding out its weakness. If software is proprietary and unavailable, no hacker can even begin to find its weaknesses. Also, as a hacker, you'd want to make a big bang. Who wants to hack a platform being used by 10 people? It's just not worth the effort because there's just no reward. Well, unless those 10 people (or 10 banks) control the world. So, asking if FireFox is more secure than IE depends on FireFox's popularity. As its popularity increases and its installed base increases, the less FireFox becomes secure because it becomes the target by a larger number of hackers.

Security begins with the software community and ends with the end user. If you want a secure platform, don't do anything you shouldn't do. And keep yourself informed and up to date. But then again, who has time?

Posted by: Ben | September 22, 2005 4:16 PM | Report abuse

To PerplexedInCA: I couldn't agree more with you on that point. The hard part would be getting MS to acknowledge all of the outstanding (reported but unfixed) flaws with the browser. Yes, we can go to places like eEye and see their list, but that's hardly comprehensive. Thanks for the pointer. I will follow up.

Posted by: Brian Krebs | September 22, 2005 4:17 PM | Report abuse

You might want to fix the "get it here" link at the end of the story so that it doesn't hard link to the Windows version of Firefox.

Posted by: JH | September 22, 2005 4:18 PM | Report abuse


JH - Thanks for that. I thought I had sent it to the generic page, but I will fix now.

Posted by: BK | September 22, 2005 4:23 PM | Report abuse

Wanax: "if this was IE..." - the thing is, people are finding IE exploits all the time, just search the web. If it was ever funny it stopped being so a long time ago.

The thing about open source is that typically the community fixes vulnerabilities as soon as they're discovered which is why I can go and download a fixed version of FireFox now. We don't believe in security through obscurity like Microsoft and our code is public and open to scrutiny by everyone (well intentioned or not). People who program as a hobby take more pride in their work than people who do it 9 to 5 and cut corners to meet deadlines.

Posted by: nick | September 22, 2005 4:24 PM | Report abuse

One of the points not picked up by the piece was that Microsoft tends to sit (and not fix) some vulnerabilities. Added to this is that Firefox vulnerabilities so far have tended to be minor. Also the recent (more major) vulnerability has some controversy around it. The reporter somehow decided to announce it after giving the Firefox team 2 days to try to fix it - this is unheard of (most announcements are after a patch has been made and tested) and seriously questions the professionality of said 'researcher'. From all this recent news I have to say that there is a suspicion of some foul play going on.

Posted by: johnadams | September 22, 2005 4:43 PM | Report abuse

Brian, do you think you could drop in just a sentence about the Mac-related impact of these vulnerabilities? Just say 'this applies to Mac users too' or 'this doesn't apply to Mac users' or even 'I don't really know yet if this applies to Mac users.'

I'm grateful that my iBook is less vulnerable than your average IE-running PC, but I'm trying to keep an eye out for threats. I realize that there are only a dozen or so Mac users in the whole world, but we'd appreciate the heads-up.

Posted by: bob | September 22, 2005 4:44 PM | Report abuse

It's easier to find holes in firefox, their code being open source. Firefox goes through the scrutiny of the entire developer community, which no amount of "money thrown by microsoft" can ever emulate. And so in the end we will be able to use a safer, better QAed web browser.

Posted by: techvik | September 22, 2005 4:53 PM | Report abuse

Good stuff - the FireFox guys released their new version of the browser before the first exploit was written. How long does Microsoft usually take?

Posted by: AC | September 22, 2005 5:02 PM | Report abuse

The flaw also affects the Mozilla series of browsers. Anyone running the Mozilla suite should upgrade to 1.7.12. *All* platforms, though I would agree with the poster above -- the public exploit only targets Windows, but all platforms are vulnerable.

http://www.mozilla.org/releases/#1.7.12

Posted by: millibits | September 22, 2005 5:15 PM | Report abuse

Many other critical vulnerabilities were discovered in firefox 1.0.7 and Mozilla 1.7.12 :-(

http://www.frsirt.com/english/advisories/2005/1824

Posted by: Victor | September 22, 2005 11:06 PM | Report abuse

Sorry for the error in the previous post, replace "were discovered in" by "were patched in".

Posted by: Victor | September 22, 2005 11:08 PM | Report abuse

thanks for the firefox warning. when i clicked on the title of your article in my email 'Exploit Released etc.' it opened up your article and then the page quickly turned all white and an error message followed. it did this twice before letting me read your article. so now I'm afraid to click on the link to the firefox patch. do you think it's safe? thanks very much. jean murray

Posted by: Hi Brian | September 23, 2005 1:27 PM | Report abuse

I had a working version of this exploit about a MONTH AGO. just because something shows up on the web doesn't mean that it is new and recently discovered. you can thank your local exploit developer for keeping this low key until a fix could be made.

Posted by: 0day | September 24, 2005 4:37 PM | Report abuse

Like another poster, I wonder about the fixed to reported ratio. I seem to recall an SSL certificate bug that affected both KHTML and IE (shared code from a certificating authority?). The KHTML group announced a patch within 2 weeks, while IE took 18 months or so.

As to the idea of twice as many bug fixes for Moz/Ff as IE, how many should IE have? It's 5 years old with not even minor feature upgrades, shouldn't it be pretty much fixed by now?

Further, another poster suggested that exploits were related to the ubiquity of the target app. An FBI/CERT report (sorry, don't have the ref handy) laid the blame at the feet of vulnerability, stating that there was a high Correlation Coefficient between attacks and vulnerabilities, but not between attacks and number of opportunities (ubiquity). That would explain why Apache is seldom attacked while IIS is constantly bombarded, even though Apache has, what, 2 or 3 times the market share of IIS?

The open source philosophy of 'release early, release often' suits me just fine. Any non-trivial application will have bugs. It's just that open source brings to me a constant evolution toward better and safer apps.

cheers,

gary

Posted by: gturner | September 24, 2005 7:19 PM | Report abuse

Thanks for the information and making the download available for me.

Posted by: Washeat | September 26, 2005 9:21 PM | Report abuse

The comments to this entry are closed.

 
 
© 2010 The Washington Post Company