Zero-day Firefox vulnerability by Peter

Slashdot has the story that Mischa Spiegelmock and Andrew Wbeelsoi revealed at the ToorCon hacker conference a vulnerability in Firefox that allows someone to take over a computer.

The vulnerability is so-called ‘zero day’ because no patch for the exploit is currently available and malicious hackers are using this in the wild.

Apparently, the exploit abuses the way Firefox handles JavaScript: malicious JavaScript code can let an attacker gain control of the computer, regardless of whether it’s running Windows, Linux or Mac OS X.

You can mitigate this attack by switching off JavaScript: go to Tools > Options (Win) / Edit > Preferences (Linux) / Firefox > Preferences (Mac), choose Content and untick the relevant JavaScript option.

This is a bit limiting in that no website will be able to use legitimate JavaScript (for example, all Ajax applications will use it). Alternatively, you could use the NoScript extension for Firefox to only allow JavaScript on sites that you specify. This is what I do all the time, and although it is slightly irritating on some sites, it’s fairly quick and easy to add a site to your ‘whitelist’. Note that this would prevent the attack, but not if the malicious code got onto a site that you had trusted.

What is interesting about this is that it proves Firefox isn’t invulnerable to this type of exploit. However, we are very likely to see a patch and new Firefox version from Mozilla in the next few days. Compare that to how long Microsoft usually takes to patch Internet Explorer: with a few notable exceptions recently for the worst exploits, it usually takes at least the rest of the month for MS to get round to it in its patching schedule.

Firefox is, generally, secured pretty quickly (provided that users upgrade to the latest version).

In the meantime, I’d recommend you use NoScript and upgrade to Firefox 1.5.0.8 as soon as it’s released.

UPDATE: Apparently this was a hoax and the vulnerability isn’t nearly as bad as it was first reported (it seems it can crash your browser, but nothing more).

Posted in Browsers. October 1, 2006

3 Comments »

  1. For the sake of balance, IE7 has a really bad vulnerability which will allow the execution of arbitrary code (installing spyware, trojan, whatever) through some vector displaying thing. This is also unpatched at the moment, although there is a simple command line fix for it.

    I would be prepared to put money on Firefox patching the vulnerability before Microsoft patches theirs - even though the MS one was discovered about a week ago.

    Comment by Huw — October 1, 2006 @ 7:53 pm
  2. Huw: Microsoft released a patch for that vulnerability two days ago. See:
    http://blogs.msdn.com/ie/archive/2006/09/29/777193.aspx
    for details.

    Comment by Nick Fitzsimons — October 1, 2006 @ 8:57 pm
  3. I stand corrected! It appears that MS really is making the effort to give IE7 a great reputation of being secure.

    Fortunately, I didn’t actually put any money on it, so my mistake didn’t cost me anything!

    Comment by Huw — October 3, 2006 @ 7:43 pm
