Mozilla First To Patch Pwn2Own Browser Vulnerability
Posted by
Soulskill
on Sat Mar 28, 2009 10:46 AM
from the comparatively-quick dept.
Constantine the Less writes "Mozilla has released Firefox 3.0.8 to fix a pair of code execution holes that put users of the browser at risk of drive-by download attacks. It includes a fix for one of the flaws exploited during this year's CanSecWest Pwn2Own hacker contest. The update also fixes a separate zero-day flaw disclosed earlier this week on a public exploit site. Both issues are rated 'critical,' Mozilla's highest severity rating."
Related Stories
First Pwn2Own 2009 Contest Winners Emerge 98 comments
mellowdonkey writes "Last year's CanSecWest hacking contest winner, Charlie Miller, does it again this year in the 2009 Pwn2Own contest. Charlie was the first to compromise Safari this year to win a brand spankin new Macbook. Nils, the other winner, was able to use three separate zero day exploits to whack IE8, Firefox, and Safari as well. Full detail and pictures are available from the sponsor, TippingPoint, who acquired all of the exploits through their Zero Day Initiative program."
Seen how insecure web browsers are... (Score:4, Interesting)
Seen how insecure web browsers are, what would be a good way to surf under Linux?
I have an account that I use only for GMail and my bank's website (the latter using a physical device answering cryptographic challenge so nobody is abusing that [when wiring money to a new account number, the account number of the recipient itself is part of the cryptographic challenge, there's no MITM, no nothing that can work against that]).
Then I have an account only for browsing. The user owning this account on my machine has user ID 1007.
This user is not even allowed to connect to localhost. I don't want to know. All he can do is surf the web, using iptables like this:
iptables -I OUTPUT -m owner --uid-owner 1007 -j REJECT
iptables -I OUTPUT -m owner --uid-owner 1007 -p tcp --dport 80 -j ACCEPT
iptables -I OUTPUT -m owner --uid-owner 1007 -p tcp --dport 443 -j ACCEPT
iptables -I OUTPUT -m owner --uid-owner 1007 -p udp --dport 53 -j ACCEPT
Are there other simple things I could do to deal with the security hazard that these browsers are?
Things I could do about this user's home directory permissions? Disable his SSH? etc.
Basically I think I'd like to have an account that can "do nothing but run Firefox".
Or is there an easy, lightweight (lightweight as in "I don't necessarily want to virtualize a full OS just to run a browser") way to sandbox a browser?
In other words, I consider the "security" of all the browsers to be a bad joke and I regard running a browser basically the same as executing "omgWindozeServer2012Crack.exe" on my machine and I'd like any hint from people who are surfing in a "safer" way.
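An added example, not part of the original comment: a simplified first-match model of the IPv4 OUTPUT chain that shows which traffic the four posted rules accept for UID 1007, and the effect of one extra loopback rule. The packet samples and the extra `-o lo` rule are constructed assumptions.

```python
# Added example: simplified first-match model of the IPv4 OUTPUT chain.
import shlex

FIELDS = {"--uid-owner": 0, "-p": 1, "--dport": 2, "-o": 3}  # flag -> packet tuple index
POSTED = [
    "iptables -I OUTPUT -m owner --uid-owner 1007 -j REJECT",
    "iptables -I OUTPUT -m owner --uid-owner 1007 -p tcp --dport 80 -j ACCEPT",
    "iptables -I OUTPUT -m owner --uid-owner 1007 -p tcp --dport 443 -j ACCEPT",
    "iptables -I OUTPUT -m owner --uid-owner 1007 -p udp --dport 53 -j ACCEPT",
]
# Assumed extra rule (not in the post): reject loopback ahead of the ACCEPT rules.
HARDENED = POSTED + ["iptables -I OUTPUT -m owner --uid-owner 1007 -o lo -j REJECT"]
# Constructed packets: (uid, protocol, destination port, output interface)
SAMPLES = {
    "web https":  ("1007", "tcp", "443", "eth0"),
    "smtp out":   ("1007", "tcp", "25", "eth0"),
    "local ssh":  ("1007", "tcp", "22", "lo"),
    "local http": ("1007", "tcp", "80", "lo"),
    "other user": ("1000", "tcp", "25", "eth0"),
}

def build_chain(commands):
    """Apply the commands in order; -I without an index inserts at position 1."""
    chain = []
    for cmd in commands:
        args = shlex.split(cmd)[1:]              # drop the leading 'iptables'
        rule, insert = {}, False
        for flag, value in zip(args[0::2], args[1::2]):
            if flag in ("-I", "-A"):
                insert = flag == "-I"
            elif flag != "-m":                   # skip the module name itself
                rule[flag] = value
        chain.insert(0 if insert else len(chain), rule)
    return chain

def verdict(chain, packet, policy="ACCEPT"):
    """Return the target of the first matching rule, else the chain policy."""
    for rule in chain:
        if all(packet[FIELDS[f]] == v for f, v in rule.items() if f in FIELDS):
            return rule["-j"]
    return policy

def report(commands):
    chain = build_chain(commands)
    return {name: verdict(chain, p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    print("posted:  ", report(POSTED))
    print("hardened:", report(HARDENED))
```

iptables filters IPv4 only, so the same rules would have to be loaded with ip6tables to cover IPv6. The loopback rule also blocks a DNS resolver listening on 127.0.0.1.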
Re:Seen how insecure web browsers are... (Score:5, Interesting)
You could try not freaking the fuck out about browser security, unless you plan on visiting Russian spam sites and whatnot. I use Firefox on Linux and I've never had an issue. I use Flashblock, Adblock and occasionally Noscript. Just exercise reasonable caution and you should be fine. Heck, even under Windows I never got viruses or spyware, and I used IE!
Re:Seen how insecure web browsers are... (Score:4, Interesting)
Not exactly true. You never got viruses, that you knew of.
Under Windows, with IE, this is no hard thing to achieve. Think of the Sony rootkit. Or about the tons of trash that average people get on their systems, despite having an anti-virus and a firewall software running.
I know of many people who completely turn them both off, when they play games. For performance reasons. Even when the games allow the usage of browsers while running.
Re:Seen how insecure web browsers are... (Score:4, Interesting)
Re: (Score:3, Interesting)
Or is there an easy, lightweight (lightweight as in "I don't necessarily want to virtualize a full OS just to run a browser") way to sandbox a browser?
Have a look at the Linux extensions like SELinux or AppArmor. At least the latter one can be set up comparatively easily, and is useful to protect a few selected processes such as FF from doing harm. Certainly not perfect, but it should be able to stop an exploit from taking over the whole account.
However, the weak link will then probably be X and your window environment (KDE/gnome), so full virtualization is still much better. Of course, even that doesn't offer perfect protection.
Re:Seen how insecure web browsers are... (Score:4, Interesting)
How is X the weak link? The weak link is whatever you let on the internet and whatever network-aware daemons you have running. Once on your system X MAY be the weak link, but the pwn2own vulnerabilities don't need root, so X doesn't even matter (much like it matters little in modern security) where attackers don't need root. While SELinux & AppArmor MAY protect against use of these attacks, e.g. killing Firefox when it executes malicious code, a phishing scam doesn't need to do anything malicious to your system (and Firefox has already been 'pwned' in the context of this competition).
Full virtualization is useless, if the attack is advanced enough that it is keylogging a separate user (has root), modifying your Firefox binaries (has root and then some) or modifying what you see (one hell of an exploit somewhere in your xorg stack), then the chances are the attacker can modify your virtualized OS when it's mounted (there's nothing you can do that a kernel recompile can't beat, and as the attacker has root, he can do that).
you have 2 choices:
1) stop being paranoid
2) run a livecd and update it regularly enough (from your livecd using toram) that there are no known exploits for it. OFC this HAS to be done on multiple cd-rs as a cd-rw could be patched if it's exploited. But wait, they could actually exploit you and modify the iso before you managed to get it to the disk, so I refer you to point 1.
Now, assuming that you've stopped being paranoid and just want a bit of extra security, the GP post is about as good as you can get; it protects against all user-level exploits.
Re: (Score:3, Interesting)
On Windows, I sandbox my browsers using Sandboxie, such a fantastic little program.
The newer versions are much better, more control over what a program can access, file-permissions, network, etc.
Not sure of any similar sandboxing programs for Linux, sadly.
I second this request.
MS already patched in IE8 final build (Score:4, Informative)
MS patched this on IE8 on Vista already before it published Mar 19. http://blogs.iss.net/archive/chicksdigIE8.html
XP hasn't been patched yet. Doesn't support DEP, so will be a bit more work.
Re:MS already patched in IE8 final build (Score:5, Informative)
Doesn't support DEP, so will be a bit more work.
DEP is supported on Windows XP since SP2.
BAH! (Score:5, Insightful)
The contestants already have next year's winning exploit waiting in the wings. Maybe we should have these contests every month instead of once a year.
Not only that (Score:3, Interesting)
Re:First post. (Score:5, Funny)
Yeah, but internet browsing just doesn't feel as exciting without the risk. Back to unpatched XP with IE6 for me...
Re:First post. (Score:5, Funny)
Re:First post. (Score:5, Funny)
Untrusted extensions are the way of the future. They let YOU choose how much you get pwned.
Only want a mild risk? Install a few 3rd party extensions,
Fancy taking your chances? Look for ones with spelling mistakes in the descriptions,
Unprotected sex with the internet? Well, start installing them from 3rd party sites
Fuck it, pwn me already? Install greasemonkeys and look for scripts that have the description written in 1337 sp3/\k
Re: (Score:3, Interesting)
That's because they're bootlegs, and updating will just install WGA.
Re:that's quick (Score:4, Informative)
Could you get such fast service? Certainly.
With such minimal vetting? I doubt it. Only if you're a trusted submitter to the Mozilla tree. And if you were, you'd only get to pull a stunt like that once.
Re:And this is a surprise? (Score:5, Insightful)
I also thought that open source had a built in Plan B that if a hole was found, anyone could submit a patch and it would get folded in as soon as it was reviewed and approved.
That's funny, this is a story about the Open Source browser being patched before every other browser, and you're not seeing a benefit?
OSX 10.3 blues (Score:3, Informative)
That's funny, this is a story about the Open Source browser being patched before every other browser, and you're not seeing a benefit?
I'm not. I can't download the upgrade. I'm running OSX 10.3.9, and Firefox 2.0.0.1. Firefox 3.x requires 10.4.
OSS developers should think about those of us that are still happy with their older software! (or can't upgrade) I'm only 1 major version behind the current Firefox.
I'm not sure if I'm in danger of a drive-by download though. I do remember getting a few "exe" programs downloaded to my HD while visiting some shadier sites. I just laugh, delete it, and move on.
Re: (Score:3, Informative)
If you're worried about security at all, why are you running a browser 19 security patches out of date [mozilla.com]?
Mac OS X != OSS (Score:5, Informative)
I can't download the upgrade. I'm running OSX 10.3.9, and Firefox 2.0.0.1. Firefox 3.x requires 10.4.
OSS developers should think about those of us that are still happy with their older software! (or can't upgrade)
Mac OS X is not open-source software. If you can't install Leopard or even Tiger on your PowerPC Mac, try installing a Linux distribution that supports your Mac model. I'm sure they still exist.
Re:And this is a surprise? (Score:5, Informative)
There is a second benefit (Score:3, Insightful)
Of having discrete components, and of modular operating systems.
Mozilla isn't integrated into the OS, so they can just fix bugs. IE is "integrated into the OS" which means they can't simply fix bugs, they've got to make sure the rest of the big ball of mud OS continues to work as well.
Re:And this is a surprise? (Score:4, Informative)
And did closed source help MS to make a more secure browser?
Umm, yes.
The person who cracked Safari on OSX said that IE8 on Vista was the toughest to exploit.
Re:And this is a surprise? (Score:5, Informative)
On the other hand, Firefox on Linux wasn't exploited at all.
Re: (Score:3, Funny)
Who?