Forgot your password?
typodupeerror
Security Bug Mozilla The Internet

Mozilla First To Patch Pwn2Own Browser Vulnerability 141

Posted by Soulskill
from the comparatively-quick dept.
Constantine the Less writes "Mozilla has released Firefox 3.0.8 to fix a pair of code execution holes that put users of the browser at risk of drive-by download attacks. It includes a fix for one of the flaws exploited during this year's CanSecWest Pwn2Own hacker contest. The update also fixes a separate zero-day flaw disclosed earlier this week on a public exploit site. Both issues are rated 'critical,' Mozilla's highest severity rating."
This discussion has been archived. No new comments can be posted.

Mozilla First To Patch Pwn2Own Browser Vulnerability

Comments Filter:
  • And good to see Mozilla patching things this quickly.

    • by MightyYar (622222) on Saturday March 28, 2009 @10:53AM (#27370069)

      Yeah, but internet browsing just doesn't feel as exciting without the risk. Back to unpatched XP with IE6 for me...

      • by purpledinoz (573045) on Saturday March 28, 2009 @11:56AM (#27370415)
        You finish installing Windows XP. You connect to the internet and fire up your browser. 4 minutes later, additional processes start appearing in your task manager. You've been pwnd! You frantically try to close the security holes by going to the Windows Update website, but all you get are ads for penis enlargement and free porn. As your PC slows to a crawl, the excitement fades...
        • Re: (Score:2, Interesting)

          by Anonymous Coward

          That is nothing. Once, during the second stage of a Windows XP installation, as soon as Windows brought up the network interface to configure the DHCP it got slammed by the blaster worm right in the middle of the installation! (The box was connected to a DOCSIS cable network.) I had to power off the modem, reformat, and restart the install. That is why I no longer use windows.

          • by asdfx (446164)

            You restarted the install, but you don't use windows anymore? So, is there a computer sitting somewhere with windows on it that you don't need? I could use a new server....

        • Re: (Score:1, Funny)

          by PNutts (199112)

          all you get are ads for penis enlargement and free porn

          For the love of Gods folks, cite your fracking references. So say we all!

          • by DavoMan (759653)

            all you get are ads for penis enlargement and free porn

            For the love of Gods folks, cite your fracking references. So say we all!

            Hook me up on that too. I can't for the life of me find anything about 'girls' or 'penis enlargement' on google.

            wouldnt mind a cheap rolex watch too.

      • Re: (Score:2, Interesting)

        by Vu1turEMaN (1270774)

        It would have been funny son, but the sad fact of the matter is that probably half of the XP systems out there are unpatched and use IE6...

        • Re: (Score:3, Interesting)

          by iminplaya (723125)

          That's because they're bootlegs, and updating will just install WGA

        • by maxume (22995)

          Putting 'son' in your posts makes you come off as a dildo. Just sayin'.

      • by RiotingPacifist (1228016) on Saturday March 28, 2009 @01:07PM (#27370785)

        untrusted extentions are the way of the future. they let YOU choose how much you get pwned.
        Only want a mild risk? install a few 3rd party extentions,
        Fancy taking your chances? look for ones with spelling mistakes in the discriptions,
        Unprotected sex with the internet? well start installing them from 3rd party sites
        Fuck it, pwn me already? install greasemonkeys and look for scripts that have the discription written in 1337 sp3/\k

      • by asdfx (446164)

        It's like unprotected sex! How do you know you're alive if you're certain she doesn't have herpes! Or something...

    • If I want to have Firefox download my exploit, umm, contribution to thousands of users worldwide, could I get such fast service and minimal vetting if I called it a security patch?

    • by 0xygen (595606)

      Although I do notice the Firefox 3.1 Beta 3 has no update yet - I just tried the PoC, it is definitely vulnerable.

      Maybe it's time to start using nightlies if you are a 3.1 beta user?

      • Re: (Score:3, Insightful)

        by Thinboy00 (1190815)

        The whole point of Betas is that they have bugs etc. and haven't been tested. If you care about security, you shouldn't use a Beta. If you don't care, why are you asking?

        • by 0xygen (595606)

          The officially released point betas actually have had testing.

          Security and stability are two very different things.

          Betas do not have deliberate mistakes - once an issue is known, it would seem sensible to fix it in active branches with an update mechanism, which notably includes the official beta.

          Fair enough, nightlies and stuff don't have such an update mechanism and I would not expect one.

  • by Anonymous Coward on Saturday March 28, 2009 @11:11AM (#27370153)

    Seen how insecure web browsers are, what would be a good way to surf under Linux?

    I have an account that I use only for GMail and my bank's website (the latter using a physical device answering cryptographic challenge so nobody is abusing that [when wiring money to a new account number, the account number of the recipient itself is part of the cryptographic challenge, there's no MITM, no nothing that can work against that]).

    Then I have an account only for browsing. The user owning this account on my machine has user ID 1007.

    This user is not even allowed to connect to localhost. I don't want to know. All he can do is surf the web, using iptables like this:

    iptables -I OUTPUT -m owner --uid-owner 1007 -j REJECT
    iptables -I OUTPUT -m owner --uid-owner 1007 -p tcp --dport 80 -j ACCEPT
    iptables -I OUTPUT -m owner --uid-owner 1007 -p tcp --dport 443 -j ACCEPT
    iptables -I OUTPUT -m owner --uid-owner 1007 -p udp --dport 53 -j ACCEPT

    Are there others simple things I could do to deal with security hazard that these browsers are?

    Things I could do about this user's home directory permissions? Disable his SSH? etc.

    Basically I think I'd like to have an account that can "do nothing but run Firefox".

    Or is there an easy, lightweight (lightweight as in "I don't necessarily want to virtualize a full OS just to run a browser", way to sandbox a browser?

    In other words, I consider the "security" of all the browsers to be a bad joke and I regard running a browser basically the same as executing "omgWindozeServer2012Crack.exe" on my machine and I'd like any hint from people who are surfing in a "safer" way.

    • by iminplaya (723125)

      when wiring money to a new account number, the account number of the recipient itself is part of the cryptographic challenge, there's no MITM, no nothing that can work against that

      Very confident you are.

      I'd like any hint from people who are surfing in a "safer" way.

      Use somebody else's computer.

    • by siride (974284) on Saturday March 28, 2009 @11:39AM (#27370325)

      You could try not freaking the fuck out about browser security, unless you plan on visiting Russian spam sites and whatnot. I use Firefox on Linux and I've never had an issue. I use Flashblock, Adblock and occasionally Noscript. Just exercise reasonable caution and you should be fine. Heck, even under Windows I never got viruses or spyware, and I used IE!

      • by Hurricane78 (562437) <deleted @ s l a s h d ot.org> on Saturday March 28, 2009 @02:41PM (#27371731)

        Not exactly true. You never got viruses, that you knew of.

        Under Windows, with IE, this is no hard thing to achieve. Think of the Sony rootkit. Or about the tons of trash that average people get on their systems, despite having a anti-virus and a firewall software running.
        I know of many people who completely turn them both off, when they play games. For performance reasons. Even when the games allow the usage of browsers while running.

        • by siride (974284) on Saturday March 28, 2009 @03:01PM (#27371973)
          I didn't get viruses. I had no slowdowns, nothing showing up in process explorer, no weird behavior, nothing from ZoneAlarm (worthless though it otherwise be). Of course, if you go the route of "you can't ever truly be sure of xyz", then I suppose you are right. I probably did get viruses. And even though I think I'm running Linux, it's probably actually just a rootkit that's infected my Windows XP installation to make it look like some other OS. How can I really know?
          • by AmiMoJo (196126)

            This is a bit like asking how you can ever know if you are living the the Matrix or not (or being fooled by evil demons for those who prefer the Descartes version).

            In the end it's really just a distraction from far more real and more likely assaults on your private data, like the random guy in India who gets to see all your bank records, or the government agency who looses a CD full of your unencrypted details in the post.

          • You can't. And that is why you should state something like "I did not notice any virus-like behavior. And I do/run X, Y and Z." and never "I did not get viruses."

            Same thing as the difference between "This program has no bugs." (impossible to prove) and "There are no known bugs in this program." (Suffices, if you or your users actually searched for them for some time.)

            • by siride (974284)
              I kind of assumed that was implicit, since the alternative is impossible. There's no need to explicitly state that I can't know 100% for sure. People who complain about that are just annoying pedants.
    • Re: (Score:3, Interesting)

      by 0xFCE2 (859134)

      Or is there an easy, lightweight (lightweight as in "I don't necessarily want to virtualize a full OS just to run a browser", way to sandbox a browser?

      Have a look at the Linux extensions like SELinux or AppArmor. At least the latter one can be set up comparatively easy, and is useful to protect a few selected processes such as FF from doing harm. Certainly not perfect, but it should be able to stop an exploit from taking over the whole account.

      However, the weak link will then probably be X and your window environment (KDE/gnome), so full virtualization is still much better. Of course, even that doesn't offer perfect protection.

      • by RiotingPacifist (1228016) on Saturday March 28, 2009 @01:53PM (#27371199)

        how is X the weak link? the weak link is whatever you let on the internet and whatever network aware daemons you have running. once on your system X MAY be the weak link but the pwm2own vulnerabilities dont need root, so X doesn't even matter (much like it matters little in modern security) where attackers don't need root. while SElinux & AppArmor MAY protect against use of these attacks, e.g killing firefox when it executes malicious code, but a fishing scam doesn't need to do anything malicious to your system (and Firefox has already been 'pwned' in the context of this competition).

        Full virtulization is useless, if the attack is advanced enough that it can is keylogging a separate user (has root), modifying your Firefox binaries (has root and then some) or modifying what you see (one hell of an exploit somewhere in your xorg stack), then the chances are the attacker can modify your virtualized os when its mounted,( there's nothing you can do that a kernel recompile cant beat and as the attacker has root, he can do that).

        you have 2 choices:
        1) stop being paranoid
        2) run a livecd and update it regularly enough (from your livecd using toram) that there are no known exploits for it. OFC this HAS to be done on multiple cd-rs as a cd-rw could be patched if its exploited. But wait they could actually exploit you and modify the iso before you managed to get it to the disk, so i refer you to point 1.

        Now assuming you that you've stopped being paranoid and just want a bit of extra security the GP post is about as good as you can get it protects against all user level exploits.

        • Re: (Score:2, Interesting)

          by 0xFCE2 (859134)

          how is X the weak link?

          Even if SELinux/AA are able to confine the actions of a pwned firefox or it is running as a different user, firefox can get access to keyboard and mouse actions and possible more via X (try xev).

          Full virtulization is useless, if the attack is advanced enough that it can is keylogging a separate user (has root), modifying your Firefox binaries (has root and then some) or modifying what you see (one hell of an exploit somewhere in your xorg stack), then the chances are the attacker can modify your virtualized os when its mounted,

          If the virtualization is good, the attacker still cannot break out of the VM. In practice there will be exploits allowing to break out, but at least now there are many barriers: the attacker has to exploit firefox, then possibly break out of SELinux/Apparmor and get root, after that it has to modify the kernel and b

    • I'd consider running the web browsing session inside a virtual machine. That's both more secure and more practical. :)

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      On Windows, i sandbox my browsers using Sandboxie, such a fantastic little program.
      The newer versions are much better, more control over what a program can access, file-permissions, network, etc

      Not sure of any similar sandboxing programs for Linux, sadly.
      I second this request.

    • Seen how insecure web browsers are, what would be a good way to surf under Linux?

      I have an account that I use only for GMail and my bank's website (the latter using a physical device answering cryptographic challenge so nobody is abusing that [when wiring money to a new account number, the account number of the recipient itself is part of the cryptographic challenge, there's no MITM, no nothing that can work against that]).

      Then I have an account only for browsing. The user owning this account on my machine has user ID 1007.

      This user is not even allowed to connect to localhost. I don't want to know. All he can do is surf the web, using iptables like this:

      iptables -I OUTPUT -m owner --uid-owner 1007 -j REJECT iptables -I OUTPUT -m owner --uid-owner 1007 -p tcp --dport 80 -j ACCEPT iptables -I OUTPUT -m owner --uid-owner 1007 -p tcp --dport 443 -j ACCEPT iptables -I OUTPUT -m owner --uid-owner 1007 -p udp --dport 53 -j ACCEPT

      Are there others simple things I could do to deal with security hazard that these browsers are?

      Things I could do about this user's home directory permissions? Disable his SSH? etc.

      Basically I think I'd like to have an account that can "do nothing but run Firefox".

      Or is there an easy, lightweight (lightweight as in "I don't necessarily want to virtualize a full OS just to run a browser", way to sandbox a browser?

      In other words, I consider the "security" of all the browsers to be a bad joke and I regard running a browser basically the same as executing "omgWindozeServer2012Crack.exe" on my machine and I'd like any hint from people who are surfing in a "safer" way.

      Wow, if you're that paranoid, here's something you might want to try.
      Install PCLinuxOS 2007 onto a hard drive. Now update it, install your your favorite programs, tune your personal settings, add your bookmarks, email accounts, software updates, and such. When you get it to where you like it, then ( in PCLinuxOS ) do a remaster onto a CD or DVD. ( sudo, remasterme )
      When finished, remove your remastered CD/DVD and shut your machine down.

      You now have a live cd version of your operating system, WITH all

  • by Anonymous Coward on Saturday March 28, 2009 @11:19AM (#27370209)

    MS patched this on IE8 on Vista already before it published Mar 19. http://blogs.iss.net/archive/chicksdigIE8.html

    XP hasn't been patched yet. Doesn't support DEP, so will be a bit more work.

  • by Anonymous Coward

    Is Seamonkey affected by the same bugs? Are the updates ready?

    • by dryeo (100693)

      MFSA 2009-13: Security researcher Nils reported via TippingPointâ(TM)s Zero Day Initiative that the XUL tree method _moveToEdgeShift was in some cases triggering garbage collection routines on objects which were still in use. In such cases, the browser would crash when attempting to access a previously destroyed object and this crash could be used by an attacker to run arbitrary code on a victimâ(TM)s computer. This vulnerability does not affect Firefox 2, Thunderbird 2, or released versions of SeaMonkey.

      Don't know about the dailies though.

  • BAH! (Score:5, Insightful)

    by iminplaya (723125) <iminplaya.gmail@com> on Saturday March 28, 2009 @11:27AM (#27370247) Journal

    The contestants already have next year's winning exploit waiting in the wings. Maybe we should have these contests every month instead of once a year.

    • by v1 (525388)

      That's what I was thinking too. It'd be a bit like that Month of Bugs, quite a lot of progress was made in those 30 days.

      Though they'd start running out quick I bet. But for us, that's a good thing.

      • by iminplaya (723125)

        Unfortunately, it's the market that will decide how to deal with exploits. They will always go to the highest bidder. White hat, black hat, it doesn't mattah.

    • by kwabbles (259554)

      I dunno, I think there are enough script kiddie contests. I want to see more real hacker contests - like where the winner actually finds a new exploit, or even one where the winner fixes an exploit and provides a patch.

  • Not only that (Score:3, Interesting)

    by Idiot with a gun (1081749) on Saturday March 28, 2009 @11:47AM (#27370385)
    But Ubuntu has already reviewed it, and pushed it out through the repositories, marking it as critical. I love open source.
    • yes intrepid updated firefox earlier today for me, Hardy is downloading the updated version as I type this, my fault for not allowing it to update till now.

    • by rHBa (976986)
      Ubuntu had this update before the article appeared on /.
  • I'm surprised that nobody has mentioned that the XSL issue was reported 5 months ago [mozilla.org], and it had a patch ready to go [mozilla.org] 4 months ago. Why was a critical issue with a two-line patch not fixed immediately? A better question - if the "bad guys" searched bugzilla for unfixed critical issues, how long would it take them to strike gold?
    • by BZ (40346)

      Thing is, that patch fixes the particular crash but not the vulnerability. And no one at the time recognized that this was a security issue (unlike the numerous non-exploitable crashes)....

      It's still a problem, of course. I don't think anyone's happy that that patch didn't land. :(

    • by dryeo (100693)

      Bugzilla won't show certain critical bugs unless you have the right privileges. Hopefully the bad guys aren't developers with those privelages.

      • by maxume (22995)

        The linked bug was not hidden, it wasn't identified as a security issue (it was eventually identified as a duplicate of the bug that was fixed this week, but it was open for months; if you dig in, you will see that Mozilla is examining their processes a bit because of this).

        • by dryeo (100693)

          I guess I should of looked at the bug :) Usually security bugs are hidden from most of us.
          I've also seen the opposite, where a bug was hidden even though it was not a security risk.

  • by Cyanara (708075)
    Bah. My dodgy dial-up connection is so painfully slow that I find it amusing to install trojans and watch "hackers" try and control my computer.
  • "Both issues are rated 'critical,' Mozilla's highest severity rating."

    So that's above "ludicrous" then?

"Our reruns are better than theirs." -- Nick at Nite

Working...