*extremely critical* notices about Firefox 1.x

Discussion in 'Computer Security' started by DJ Code, May 8, 2005.

  1. DJ Code

    DJ Code Guest

    http://secunia.com/advisories/15292/

    I signed up to get these for all systems at Secunia, and
    I get a bunch of these notices every day. Mostly for
    variations of linux and linux software.

    But Secunia never issues security flaw findings until they've
    given the software producer time to fix it so that the user
    can apply a patch or upgrade to a more sucure product,
    and so that the use of exploits might be minimized.

    I don't know where to turn now for functionality! Apparently
    the open source people haven't been able to find a fix for this.
    DJ Code, May 8, 2005
    #1
    1. Advertising

  2. DJ Code

    xsr Guest

    DJ Code Wrote:
    > http://secunia.com/advisories/15292/
    >
    > But Secunia never issues security flaw findings until they've
    > given the software producer time to fix it so that the user
    > can apply a patch or upgrade to a more sucure product,
    > and so that the use of exploits might be minimized.
    >
    > I don't know where to turn now for functionality! Apparently
    > the open source people haven't been able to find a fix for this.


    Have you even tested it to work like it should? As it failed even with
    the official PoC's here.... I beleive, since the poc links back to the
    mozilla site, that mozilla has at least disabled the public pocs from
    working, but thats just speculation for now.

    anyway the best explanation to date which i have found about this is
    http://greyhatsecurity.org/firefox.htm


    --
    xsr
    896c e197 a881 7af3 a9ca bad5 b83d 0ae9 4de6 00fa
    usenet [at] http://www.research-labs.net
    xsr, May 9, 2005
    #2
    1. Advertising

  3. DJ Code

    DJ Code Guest

    xsr wrote:
    > DJ Code Wrote:
    >
    >>http://secunia.com/advisories/15292/
    >>
    >>But Secunia never issues security flaw findings until they've
    >>given the software producer time to fix it so that the user
    >>can apply a patch or upgrade to a more sucure product,
    >>and so that the use of exploits might be minimized.
    >>
    >>I don't know where to turn now for functionality! Apparently
    >>the open source people haven't been able to find a fix for this.

    >
    >
    > Have you even tested it to work like it should? As it failed even with
    > the official PoC's here.... I beleive, since the poc links back to the
    > mozilla site, that mozilla has at least disabled the public pocs from
    > working, but thats just speculation for now.
    >
    > anyway the best explanation to date which i have found about this is
    > http://greyhatsecurity.org/firefox.htm
    >
    >
    > --
    > xsr
    > 896c e197 a881 7af3 a9ca bad5 b83d 0ae9 4de6 00fa
    > usenet [at] http://www.research-labs.net
    >


    I followed your link, then their link to see if i'm vulnerable. It
    says to click anywhere inside the page and a harmless batch file will
    run, but it doesn't say what the result should be in either case. The
    page reloaded, but looked the same.
    DJ Code, May 9, 2005
    #3
  4. DJ Code

    xsr Guest

    DJ Code Wrote:
    > I followed your link, then their link to see if i'm vulnerable. It
    > says to click anywhere inside the page and a harmless batch file will
    > run, but it doesn't say what the result should be in either case. The
    > page reloaded, but looked the same.


    From what i could read in the code, it shoud write c:\booom.bat with
    the following contents:
    --------------------------
    @ECHO off
    cls
    ECHO If I wasnt so nice, this could have been a virus...
    PAUSE
    --------------------------
    But i didn't find this file either being executed or being written on
    my system.


    Secunia also claims that there is a temporary fix,
    ---------------------
    NOTE: A temporary solution has been added to the sites
    "update.mozilla.org" and "addons.mozilla.org" where requests are
    redirected to "do-not-add.mozilla.org". This will stop the publicly
    available exploit code using a combination of vulnerability 1 and 2 to
    execute arbitrary code in the default settings of Firefox.
    ---------------------

    Anyway, non public exploits can probally circumvent this temporary
    fix. As it can be as simple as changing the dns in the PoC and upload
    the required files on that new site.
    Lets hope the update is almost done...


    --
    xsr
    896c e197 a881 7af3 a9ca bad5 b83d 0ae9 4de6 00fa
    usenet [at] http://www.research-labs.net
    xsr, May 9, 2005
    #4
  5. DJ Code wrote:

    > xsr wrote:
    >> DJ Code Wrote:
    >>
    >>>http://secunia.com/advisories/15292/
    >>>
    >>>But Secunia never issues security flaw findings until they've
    >>>given the software producer time to fix it so that the user
    >>>can apply a patch or upgrade to a more sucure product,
    >>>and so that the use of exploits might be minimized.
    >>>
    >>>I don't know where to turn now for functionality! Apparently
    >>>the open source people haven't been able to find a fix for this.

    >>
    >>
    >> Have you even tested it to work like it should? As it failed even with
    >> the official PoC's here.... I beleive, since the poc links back to the
    >> mozilla site, that mozilla has at least disabled the public pocs from
    >> working, but thats just speculation for now.
    >>
    >> anyway the best explanation to date which i have found about this is
    >> http://greyhatsecurity.org/firefox.htm
    >>
    >>
    >> --
    >> xsr
    >> 896c e197 a881 7af3 a9ca bad5 b83d 0ae9 4de6 00fa
    >> usenet [at] http://www.research-labs.net
    >>

    >
    > I followed your link, then their link to see if i'm vulnerable. It
    > says to click anywhere inside the page and a harmless batch file will
    > run, but it doesn't say what the result should be in either case. The
    > page reloaded, but looked the same.


    You need to look to see if the file was downloaded.

    It DOES NOT work on 1.0.3 on FreeBSD...I noticed a message on secunia that
    says:

    NOTE: A temporary solution has been added to the sites "update.mozilla.org"
    and "addons.mozilla.org" where requests are redirected to
    "do-not-add.mozilla.org". This will stop the publicly available exploit
    code using a combination of vulnerability 1 and 2 to execute arbitrary code
    in the default settings of Firefox.

    ....so it seems that firefox put a temp solution to stop the hack...unitl a
    patch is released...

    Michael
    --
    "Trusted Computing" is a SCAM
    http://www.gnu.org/philosophy/can-you-trust.html

    Protect your rights
    http://www.eff.org/
    http://www.publicknowledge.org/
    Michael Pelletier, May 10, 2005
    #5
  6. DJ Code

    DJ Code Guest

    Michael Pelletier wrote:
    > DJ Code wrote:
    >
    >
    >>xsr wrote:
    >>
    >>>DJ Code Wrote:
    >>>
    >>>
    >>>>http://secunia.com/advisories/15292/
    >>>>
    >>>>But Secunia never issues security flaw findings until they've
    >>>>given the software producer time to fix it so that the user
    >>>>can apply a patch or upgrade to a more sucure product,
    >>>>and so that the use of exploits might be minimized.
    >>>>
    >>>>I don't know where to turn now for functionality! Apparently
    >>>>the open source people haven't been able to find a fix for this.
    >>>
    >>>
    >>>Have you even tested it to work like it should? As it failed even with
    >>>the official PoC's here.... I beleive, since the poc links back to the
    >>>mozilla site, that mozilla has at least disabled the public pocs from
    >>>working, but thats just speculation for now.
    >>>
    >>>anyway the best explanation to date which i have found about this is
    >>>http://greyhatsecurity.org/firefox.htm
    >>>
    >>>
    >>>--
    >>>xsr
    >>>896c e197 a881 7af3 a9ca bad5 b83d 0ae9 4de6 00fa
    >>>usenet [at] http://www.research-labs.net
    >>>

    >>
    >>I followed your link, then their link to see if i'm vulnerable. It
    >>says to click anywhere inside the page and a harmless batch file will
    >>run, but it doesn't say what the result should be in either case. The
    >>page reloaded, but looked the same.

    >
    >
    > You need to look to see if the file was downloaded.
    >
    > It DOES NOT work on 1.0.3 on FreeBSD...I noticed a message on secunia that
    > says:
    >
    > NOTE: A temporary solution has been added to the sites "update.mozilla.org"
    > and "addons.mozilla.org" where requests are redirected to
    > "do-not-add.mozilla.org". This will stop the publicly available exploit
    > code using a combination of vulnerability 1 and 2 to execute arbitrary code
    > in the default settings of Firefox.
    >
    > ...so it seems that firefox put a temp solution to stop the hack...unitl a
    > patch is released...
    >
    > Michael


    If we're talking about the batch file, no it didn't download.
    thanks you guys
    DJ Code, May 10, 2005
    #6
  7. DJ Code

    Winged Guest

    DJ Code wrote:
    > http://secunia.com/advisories/15292/
    >
    > I signed up to get these for all systems at Secunia, and
    > I get a bunch of these notices every day. Mostly for
    > variations of linux and linux software.
    >
    > But Secunia never issues security flaw findings until they've
    > given the software producer time to fix it so that the user
    > can apply a patch or upgrade to a more sucure product,
    > and so that the use of exploits might be minimized.
    >
    > I don't know where to turn now for functionality! Apparently
    > the open source people haven't been able to find a fix for this.

    well the Mozilla site recommends turning off Javascript and don't allow
    sites to update pluggins until they get problem fixed. Todays build
    appear to have problem fixed and I haven't found issues yet. If this
    holds through testing, I would expect 1.04 to be released in next couple
    days.

    Mozillas recommendations are here for problem mitigation:
    http://www.mozilla.org/security/

    Winged
    Winged, May 10, 2005
    #7
  8. DJ Code wrote:

    > Michael Pelletier wrote:
    >> DJ Code wrote:
    >>
    >>
    >>>xsr wrote:
    >>>
    >>>>DJ Code Wrote:
    >>>>
    >>>>
    >>>>>http://secunia.com/advisories/15292/
    >>>>>
    >>>>>But Secunia never issues security flaw findings until they've
    >>>>>given the software producer time to fix it so that the user
    >>>>>can apply a patch or upgrade to a more sucure product,
    >>>>>and so that the use of exploits might be minimized.
    >>>>>
    >>>>>I don't know where to turn now for functionality! Apparently
    >>>>>the open source people haven't been able to find a fix for this.
    >>>>
    >>>>
    >>>>Have you even tested it to work like it should? As it failed even with
    >>>>the official PoC's here.... I beleive, since the poc links back to the
    >>>>mozilla site, that mozilla has at least disabled the public pocs from
    >>>>working, but thats just speculation for now.
    >>>>
    >>>>anyway the best explanation to date which i have found about this is
    >>>>http://greyhatsecurity.org/firefox.htm
    >>>>
    >>>>
    >>>>--
    >>>>xsr
    >>>>896c e197 a881 7af3 a9ca bad5 b83d 0ae9 4de6 00fa
    >>>>usenet [at] http://www.research-labs.net
    >>>>
    >>>
    >>>I followed your link, then their link to see if i'm vulnerable. It
    >>>says to click anywhere inside the page and a harmless batch file will
    >>>run, but it doesn't say what the result should be in either case. The
    >>>page reloaded, but looked the same.

    >>
    >>
    >> You need to look to see if the file was downloaded.
    >>
    >> It DOES NOT work on 1.0.3 on FreeBSD...I noticed a message on secunia
    >> that says:
    >>
    >> NOTE: A temporary solution has been added to the sites
    >> "update.mozilla.org" and "addons.mozilla.org" where requests are
    >> redirected to "do-not-add.mozilla.org". This will stop the publicly
    >> available exploit code using a combination of vulnerability 1 and 2 to
    >> execute arbitrary code in the default settings of Firefox.
    >>
    >> ...so it seems that firefox put a temp solution to stop the hack...unitl
    >> a patch is released...
    >>
    >> Michael

    >
    > If we're talking about the batch file, no it didn't download.
    > thanks you guys


    ....yup it seems the work around by mozilla prevents the exploit from
    working...

    Michael
    --
    "Trusted Computing" is a SCAM
    http://www.gnu.org/philosophy/can-you-trust.html

    Protect your rights
    http://www.eff.org/
    http://www.publicknowledge.org/
    Michael Pelletier, May 10, 2005
    #8
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Ron
    Replies:
    29
    Views:
    862
    Ed Mullen
    Nov 15, 2005
  2. TechNews

    Extremely Critical IE Vulnerability!!!

    TechNews, Jun 8, 2004, in forum: Computer Support
    Replies:
    3
    Views:
    492
    Duane Arnold
    Jun 9, 2004
  3. NIST.org
    Replies:
    38
    Views:
    1,440
  4. Au79
    Replies:
    5
    Views:
    437
    NotMe
    May 22, 2006
  5. Au79
    Replies:
    2
    Views:
    405
    Fuzzy Logic
    Nov 7, 2006
Loading...

Share This Page