CanSecWest 2009 Pwn2Own Exploit and XSL Transform Vulnerability

Lucas Adamski

16

Issue

The pwn2own bug that Nils discovered at CanSecWest 2009 and the XSLT vulnerability recently made public by Guido Landi (http://www.securityfocus.com/bid/34235) are both critical issues that can result in malicious code execution.

Impact

These issues can be exploited by tricking a user into visiting a malicious web page hosting the exploit code. The pwn2own bug can be mitigated by disabling JavaScript.

Status

Both issues have been investigated and fixes have been developed which are now undergoing quality assurance testing. These fixes will be included in the upcoming Firefox 3.0.8 release, due to be released by April 1. You can follow our work in bugzilla.

Credit

The pwn2own bug was reported to Mozilla by Nils via the Zero Day Initiative (ZDI). The XSLT issue was discovered on http://www.milw0rm.com/exploits/8285, credited to Guido Landi.

16 responses

  1. Ross wrote on :

    See, this is why I want better corporate management of firefox. I want company wide policies regarding which add-ons are installed and configured, so that I can enforce the installation of NoScript across the board.

    NoScript already has central management capability, it’s firefox that’s letting us down.

    Right now, IE is more secure than Firefox purely because we have that ability to secure it, blocking javascript in a way that users can’t disable.

  2. Kurt wrote on :

    Noscript won’t protect you from the XSLT transform vulnerability. But yeah I agree, centralized management capabilities would make Firefox a much easier sell.

  3. Angus Scott-Fleming wrote on ::

    Firefox admin options:

    CCK Wizard :: Firefox Add-ons
    https://addons.mozilla.org/en-US/firefox/addon/2553

    Firefox 1.5/2.0 CCK (Client Customization Kit) Wizard
    http://www.mozilla.org/projects/cck/firefox/

    FirefoxADM project! | FirefoxADM website
    http://firefoxadm.sourceforge.net/

  4. Ross wrote on :

    Thanks for the links Angus, but we’ve been down that road before. None of them compare to IE and Group Policy for the ability to secure the browser, and do so easily:

    CCK Wizard – a firefox add on, so users can remove it. Useless for central management.

    Client Customzation Kit – sounds nice, but only supports Firefox 2 according to that page. We want to be on the latest version for the security fixes. It also appears to be an extension, so I’m not sure if that means users can remove it.

    FirefoxADM – sounds like it’s improved since we last saw it, but this was effectively a beta last time I looked at it, and today the web site has no download links, nor details on the products.

  5. Colin wrote on :

    keep policy’s out of Firefox. If you want control freekery use IE in your cooperate networks. I know IE is more secure on Windows because of policies but it is a compromise between functionality and security.
    Users if these admins do lock down your desktop then use firefox portable.

  6. Evan L wrote on :

    I don’t understand the technical details of this. Why would the solution: “disabling javascript” not be able to be done by using NoScript?

  7. Nikolai wrote on :

    Where to download firefoxADM:
    http://sourceforge.net/project/showfiles.php?group_id=129699

    Installation manual for FirefoxADM:
    http://homepages.ed.ac.uk/mcs/FirefoxADM/ADM_Deploy.pdf

  8. Phil wrote on :

    For the latest info on FirefoxADM, seen the developer’s blog:

    http://ick2.wordpress.com/

  9. Hugo wrote on :

    Is it true, that XSL PoC was provided to FireFox team 6month ago as Guido said in noscript blog?
    If so, why didn’t you fix that mutch earlyer?

  10. RyanVM wrote on :

    Hugo, it was certainly reported at some point prior. It even had a patch that sat around without getting checked in.
    https://bugzilla.mozilla.org/show_bug.cgi?id=460090

    I hope some serious thought goes into figuring out what went wrong, as it’s certainly an embarrassing situation.

  11. Daniel Veditz wrote on :

    The earlier XSL crash was reported as a stability problem. Since it looked like a non-exploitable null dereference on the surface it was not treated as an urgent issue. It was a stability problem in an edge case in a little-used feature and the developers were busy with release-blocking bugs (remember we were supposed to have finished “3.1″ by now).

    Likewise when this was reported by Guido he’s had to defend it against people who think it’s a non-exploitable null deref. I have personally gotten mail from respected security researchers doubting our judgment on whether this is exploitable, and they may be right — we haven’t demonstrated that it’s exploitable. But with the complex paths available to an attacker we can’t prove that all of them result in a null being left on the stack in the right place.

    Incidentally, the patch languishing in bug 460090 matched our initial fix from bug 485217, which stopped the published crashes but did not in fact fix the vulnerability if you looked a little closer. Our shipping release contains a different patch from bug 485286 which fixes the vulnerability properly, not just the PoC crash.

  12. Giorgio Maone wrote on ::

    @Kurt:

    NoScript did protect against exploitation of this vulnerability (even though could not prevent the crash itself from happening): http://hackademix.net/2009/03/26/lock-down-firefox-for-the-weekend/

    Now (since 1.9.1.5, http://noscript.net/getit#devel ), it protects also against any XSLT issue triggered by malicious sites, because it regards XSLT as active content and blocks it if comes from untrusted sources:
    http://hackademix.net/2009/03/27/firefox-light-speed-update-and-noscript-xslt-protection/

  13. Eddie Johnson wrote on :

    I too am looking for better corporate deployment of NoScript. Back in a prior version I’d done some hacking around with installing the extensions globally but because I switch versions often as I roam from machine to machine with a roaming profile I found a bunch of crazy conflicts with global settings versus user profile stuff, it seemed like Firefox would drop your user settings when they coincided with the globals (for that particular version), then when I roamed to another machine with slightly different globals I didn’t have the user settings needed. I gave up without a resolution and just backed away from global customization.

    So that’s my long way of saying, “yes, please give us better control of global settings.”

  14. Michael Tero wrote on ::

    This last week I’ve been noticing a change in the way Google search is reacting. When I make my usual searches on Google and click on the links I’ve click on many times before, am being redirected or hijacked to some other site, usually advertising or spam like.
    I click the back arrow, click again on the same link and it usually takes me to the correct site, but it some times takes a couple more tries.

    First though was to check my extensions and I noticed a Java Quick Starter which I disabled, I’ll see if that works.

    Any suggestion let me know.
    And by the way I have the latest Firefox update 3.0.8

  15. Lori Coffman wrote on ::

    I have had 27 count them 27viruses since i started using firefox and not one in 5 years of using IE and anytime i try to research a patch or fix or anything for this problem at firefox i find wordy useless articles that basically say yeah we can’t do anything about that but only after offering every suggestion most of them ridiculous and the interesting thing is that the ads popups what ever you want to call them that are giving me the viruses, trojans , malware, spyware AND worms are all the ones that i have filters set for in the useless friggin’ ad blocker plus i have all the firefox updatesz and patches and fixes and blah blah blah i have had to close thre windows in the 2 minutes since i started typing this and found 7 mal spy troj virwomrs in 2 frigging minutes!!!! and anytime i do your alsop useless reports i get nadda except more viruses i have 5 virus programs on my pc now and after cleaning the hundreds of objects off that mozilla and ad blocker let through within five minutes of signing through firefox 3.0.8 i haver at least25 more

    so bye firefox i will be telling everyone i know how much you suck and care nothing about your users,,and hey i would stop myself but there’s just nothing i can do about that…………

    lcoffbaby@hotmail

    [Lucas]: Lori, I have two suggestions. a) there are lots of fake virus scanning sites, that claim to find viruses to trick users into downloading… a virus posing as a virus scanner. If you get “scanned” by a website, its a scam b) most people get viruses from downloading random programs off the web that are infected. In the 15+ years of using various browsers (mostly Mozilla & Firefox) I’ve never gotten a virus.

  16. PC.Tech wrote on :

    This is the usual scenario, although I’m sure there are others:

    - http://en.wikipedia.org/wiki/Rogue_software
    “…Most of the time, they will display a message such as “WARNING! Your computer is infected with Spyware/Adware/Viruses! Buy [software name] to remove it!”, a variant of which will say “Click OK to scan your system” instead of asking the user to outright buy the software. Another variant on this method involves telling the user their “Computer/Internet Connection/OS is not optimized and to Click Here to scan now”. Usually, when the dialog box’s OK button is clicked, this will (re)direct the user to a malicious website, which will install the program. Sometimes, even clicking the upper right hand X button to close the dialog box will produce the same effect. (Pressing Alt+F4 or using Task Manager with Ctrl-Alt-Delete can circumvent that trick)…”

    “Using Task Manager” for some variants is the only way to get out of this situation, by terminating the BROWSER session entirely. Any other course of action may lead to a redirect and install of the malware, since the code for the redirect is already in the browser’s cache. ‘Problem is that the user has to recognize exactly what’s happening, and invoke Task Manager to quit the browser session – if they don’t, they’re hosed. This isn’t just a Firefox problem.

    .