Update on Secunia Advisory SA38608

Lucas Adamski


Mozilla was contacted by Evgeny Legerov, the security researcher who discovered the bug referenced in the Secunia report, with sufficient details to reproduce and analyze the issue. The vulnerability was determined to be critical and could result in remote code execution by an attacker. The vulnerability has been patched by developers, and the fix is currently undergoing quality assurance testing. Firefox 3.6.2 is scheduled to be released March 30th and will contain the fix for this issue. As always, we encourage users to apply this update as soon as it is available to ensure a safe browsing experience. Alternatively, users can download Release Candidate builds of Firefox 3.6.2, which contain the fix, from here: https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.6.2-candidates/build3/

Update: To clarify, as originally claimed, this issue affects Firefox 3.6 only and not any earlier versions. Thunderbird and SeaMonkey are based on earlier versions of the browser engine and are not affected. People testing “3.7” development builds should upgrade to 3.7 alpha 3 or the latest nightly build to ensure they have this fix.

40 responses

  1. Concerned User wrote on :

    Wonder why the guy took a sudden “U” turn and released the exploit code! Anyway, it is good that he has released the exploit and Mozilla is releasing the patch along with 3.6.2.

    Just a small concern: how exactly would this work? Does this require user interaction, i.e. someone clicks on some link, a JPEG, something like that?

    I’m currently using 3.6 and don’t want to use the beta. Would love to upgrade directly. Therefore, I’m a little concerned:). Thanks!

  2. emv x man wrote on :

    Are there any known issues with the 3.6.2 candidate that we should consider before going Beta?

  3. Lucas Adamski wrote on :

    This Beta is the Release Candidate build, so it should be identical to the final build of 3.6.2 that we will be shipping shortly. You should feel completely comfortable using it.

    The exploit itself does not require user interaction.

  4. freddy wrote on :

    What about Firefox 3.5.8?

  5. Jesse Ruderman wrote on :

    Firefox 3.5.x is not affected by this security hole.

  6. Julia wrote on :

    I’m sorry, is firefox 3.0.18 affected by this security hole?

  7. Daniel Veditz wrote on :

    Neither is 3.0.x — only Firefox 3.6 is affected.

  8. Cat wrote on :

    Daniel Veditz – thanks heaps for confirming that other versions of FF are safe from this vulnerability. I’m relieved. I had read a report somewhere that said it “may” affect other versions yet The Register and the Mozilla blog here only mentioned 3.6.

    I take it then there will be no update for version 3.5.8 at the end of March, or are some other FF issues being fixed with this particular security patch at the same time that affect other versions too?

  9. Concerned User wrote on :

    @ Mozilla: Maybe, just maybe this could have been handled in a much more professional manner?

    Initially there were denials from Mozilla’s side. Now all of a sudden, they admit it!

  10. devpreview user wrote on :

    What about Firefox 3.7 devpreviews? I have been using alpha2 and now alpha3 for a while.

    -----------------
    about:buildconfig

    Source
    Built from http://hg.mozilla.org/mozilla-central/rev/148b45c740fa

    Build platform
    target: i686-pc-mingw32

    Build tools
    Compiler: cl 14.00.50727.762
    Compiler flags (C): -TC -nologo -W3 -Gy -Fdgenerated.pdb -DNDEBUG -DTRIMMED -Zi -Zi -UDEBUG -DNDEBUG -GL -wd4624 -wd4952 -O1
    Compiler flags (C++): -GR- -TP -nologo -Zc:wchar_t- -W3 -Gy -Fdgenerated.pdb -DNDEBUG -DTRIMMED -Zi -Zi -UDEBUG -DNDEBUG -GL -wd4624 -wd4952 -O1

    Configure arguments
    --enable-application=browser --enable-update-channel=beta --enable-update-packaging --enable-jemalloc --enable-tests --with-branding=browser/branding/unofficial

    -----------------

    Am I affected? Running it on win32. Thanks for hints.

    Does the 3.7 codebase (internals/core?) still contain the bug, as opposed to the 3.6 internals/core?

    Thanks.

  11. XtC4UaLL wrote on :

    @Concerned User: there were no denials.
    Mozilla devs can only fix reported issues, and unless somebody reports the issue, there’s not much the devs can do about it besides saying that they don’t know about the issue, and that is no denial.

    Rather, the persons finding an issue (esp. on security-related issues) should step forward responsibly and report it (without delay!), so that the fixing process can start.

  12. graham wellbone wrote on :

    What about other Mozilla-derived products and subprojects, such as the current Thunderbird 3.x line? Which, if any, are affected there? And what about the Thunderbird 2.0.0.x line?

    Also important to us Mozilla stuff users: what about the SeaMonkey project? Is SeaMonkey 1.x affected? The newer current SeaMonkey 2.0.x? 2.x?

    Also: what about the most current Firefox 3.7 alpha lines? Which alpha is still affected and which is already fixed, if any? Is the 3.7 line in general affected as well?

    Please be more specific.

    Thank you for your cooperation.
    Best regards and hail to the planetary rulers.

  13. Ilja Sekler wrote on :

    At a guess: does setting gfx.downloadable_fonts.enabled to ‘false’ work around the issue before a fixed build is officially shipped?
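
Comment 13 above guesses at a pref-based workaround. As an added example that is not part of the thread (and not Mozilla's code), and that makes no claim about whether this pref actually closes the hole being discussed, here is how one would apply such a pref to a Firefox profile and confirm it took effect. The `user_pref("name", value);` line format is the real prefs.js/user.js syntax; the sample prefs.js text is constructed, and the profile directory passed to `apply_workaround` is an assumption.

```python
import re
from pathlib import Path

# Matches one user_pref line in a Firefox prefs.js / user.js file, e.g.
#   user_pref("gfx.downloadable_fonts.enabled", false);
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\s*\);\s*$'
)


def _decode(raw: str):
    """Turn the JS literal on the right-hand side into a Python value."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return int(raw)


def _encode(value) -> str:
    """Inverse of _decode: Python value -> JS literal for prefs.js."""
    if isinstance(value, bool):  # bool is checked before int on purpose
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def parse_prefs(text: str) -> dict:
    """Return {pref_name: value} for every user_pref line; comments and junk are ignored."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _decode(m.group(2))
    return prefs


def set_pref(text: str, name: str, value) -> str:
    """Return prefs text with `name` set to `value`, replacing an existing line or appending one."""
    out, replaced = [], False
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) == name:
            if not replaced:
                out.append(f'user_pref("{name}", {_encode(value)});')
                replaced = True
            continue  # drop any duplicate lines for the same pref
        out.append(line)
    if not replaced:
        out.append(f'user_pref("{name}", {_encode(value)});')
    return "\n".join(out) + "\n"


def apply_workaround(profile_dir, name="gfx.downloadable_fonts.enabled", value=False) -> bool:
    """Write the pref into <profile>/user.js, which Firefox reads at every startup
    (so the setting survives Firefox rewriting prefs.js on exit), and report
    whether the file now carries the requested value. profile_dir is an assumption."""
    user_js = Path(profile_dir) / "user.js"
    current = user_js.read_text(encoding="utf-8") if user_js.exists() else ""
    user_js.write_text(set_pref(current, name, value), encoding="utf-8")
    return parse_prefs(user_js.read_text(encoding="utf-8")).get(name) == value


# Constructed sample of a prefs.js; not taken from any real profile.
SAMPLE_PREFS = '''# Mozilla User Preferences
/* Do not edit this file. */
user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1269000000);
user_pref("gfx.downloadable_fonts.enabled", true);
user_pref("browser.startup.homepage", "https://www.mozilla.org/");
'''

if __name__ == "__main__":
    before = parse_prefs(SAMPLE_PREFS)["gfx.downloadable_fonts.enabled"]
    after = parse_prefs(set_pref(SAMPLE_PREFS, "gfx.downloadable_fonts.enabled", False))[
        "gfx.downloadable_fonts.enabled"
    ]
    print("downloadable fonts before:", before, "after:", after)
```

The edit goes into user.js rather than prefs.js because Firefox rewrites prefs.js from its in-memory state on exit, so a change made there while the browser is running is lost; user.js is re-applied on top at every startup. The same parser lets you audit a profile afterwards instead of trusting that the edit landed.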

  14. emv x man wrote on :

    @Lucas
    Thank you.

  15. cubefox wrote on :

    Why did it take 4(!) weeks to tackle this zero-day exploit? Why didn’t Mozilla simply buy the exploit software as Secunia did? Too little money?

    I cannot believe this behaviour… :(

  16. Happy Firefox User wrote on :

    @cubefox
    Why should Mozilla buy it? How much should they pay? What if the next person wants twice that much? And then the next wants twice that… I applaud Mozilla for standing their ground and refusing to be extorted.

    Why didn’t you / Secunia / some other kind person buy it for Mozilla instead?

  17. H wrote on :

    @cubefox – paying people to give you details on vulnerabilities leads to people demanding more money over time.

  18. Concerned User wrote on :

    @ XtC4UaLL: Initially there was a huge confusion. A reputed company like Secunia gave a “CAT 4” rating to this vulnerability about 4 weeks ago. Many users like me were confused. Did this vulnerability exist or not?

    Mozilla’s statement was not clear:

    Mozilla is aware of the claim of a zero-day in Firefox as posted here: http://secunia.com/advisories/38608/. We cannot confirm the report as we have received no details regarding the reported vulnerability, such as a proof-of-concept or steps to reproduce.

    The very least they (Mozilla) could have done was to contact Secunia in the first place and ask them on what basis they could have rated this vulnerability.

    Let me ask a simple question: If the hacker had said “I’m not going to release this vulnerability. You’ll have to pay up. End of story”, how would Mozilla have responded?

    Now let us assume that the hacker “sells” this vulnerability to interested parties and they end up with a few banking passwords, e-mail passwords, malware infections etc…..24-25% of the “alleged browser market” is not such a bad target!

    By this time, someone does realize how this flaw works and a patch is released. It would be too late and there goes the years of hard work put in by the Mozilla foundation…. :(

    Don’t get me wrong. Firefox is a great product and I still use it. But the Mozilla team needs to interact a lot more with their users at a time like this.

    “Mozilla Devs can only fix reported issues and unless somebody reports the issue, there’s not much the Devs can do about it besides saying, that they don’t know about the issue. and that is no denial.”

    Hmmmm….One question: If something like this were to happen in the future, would Mozilla be willing to pay to know about the vulnerability? Just asking :)

  19. Marc wrote on :

    @Concerned User: I would hope that – in the scenario you provided – they would NOT pay for it. Once that is proven to work, you’ll give everyone who claims an exploit (real or not) free license to extort money from the Mozilla Foundation.

  20. Anon wrote on :

    Does ProPolice protect against this vulnerability?

  21. Bertrand wrote on :

    Firefox 3.6 sucks anyway: e.g. lots of buggy behavior, new tabs are opened in an unpredictable fashion, and there’s nothing better about 3.6 over 3.5. It doesn’t surprise me that there’s a critical vulnerability that was introduced in the 3.6 branch. I already reverted to the 3.5 branch weeks ago.

  22. Alhazred wrote on :

    I think what you have to do is put yourself in the devs’ shoes. All sorts of people make all sorts of claims about exploits all the time. What do they do, go around buying every ‘exploit’ that Tom, Dick, and Harry claim to have every week? It’s simply not reasonable to expect this and it wouldn’t even make sense. Now, they might be able to pay someone for information sometimes, but it’s going to have to be solidly credible before that happens. Beyond that, no organization can possibly be aware of everything floating around in the world; it still has to come through some channel.

    Thus it seems like what the devs said was exactly what the reality is: they can’t do squat about Internet rumors and claims of vulnerabilities. They can only work on fixing actual documented vulnerabilities that have been verified to exist where they have the information in hand. Period.

    Beyond that there are a lot of reasons why it’s not a great idea to run around buying exploits. Whose hands are you putting this money in and what are they doing with it? It sounds great in theory but in practice it probably isn’t all that great an idea. At best it has to be looked into on a case-by-case basis, and again that means every random guy that claims to have an ‘exploit’ to sell can’t even be looked into and still have time to do any real work.

  23. catilley1092 wrote on :

    Look, at least Mozilla is advancing their browser every couple or so months. Look at the competition (IE8), they have all kinds of problems; where’s IE9 at? It’s fine for a billionaire corporation not to upgrade, but when Mozilla, a corporation that operates largely on donations and is staffed by a lot of volunteers, misses something, people cry bloody murder. I remember when Firefox was an absolute RAM hog, but it has come a long way from that. IE8 was released around a year ago, and it’s still the same piece of crap it was when released. An open door to viruses and malware.

  24. Concerned User wrote on :

    @ all Mozilla guys in this thread:):

    Yes, I do understand that it is very difficult for the devs.

    However, please note that Secunia is a trusted organization and their attitude was worse:(….

    They simply gave a “CAT 4 rating” without any proof and after 4 weeks, the vulnerability was finally released:)….

    Some of us received no proper replies at the Secunia forum and now they’ve tried to justify themselves in a new blog post:):

    http://secunia.com/blog/90

    In the future, if such a situation were to occur, an e-mail to Secunia for Mozilla for further clarifications would not hurt, would it?

    The fact that (any) software company/entity/organization can be taken “hostage” by the words of a professional hacker is a very scary thought!

    best,
    Concerned User

  25. Lawrence wrote on :

    Please, it’s like I am already a victim. My Firefox browser no longer opens; I keep getting the message “Firefox has stopped working.” What do I do?

    1. Daniel Veditz wrote on :

      @Lawrence: Contact the folks at http://support.mozilla.com/ for help — there could be a lot of different reasons for your symptoms. Most likely you have incompatible software installed (which might include malware), and they’ll be able to help you narrow it down and resolve the issue.

  26. whatever wrote on :

    Mozilla could maybe speed up the release of 3.6.2 now?!
    What happened to 3.6.1 by the way?

    1. Daniel Veditz wrote on :

      “3.6.1” corresponded with the release of Firefox Mobile 1.0 (“Fennec”). Because there were no security fixes we skipped a desktop update. Those fixes will be rolled into the 3.6.2 release.

  27. Daniel Veditz wrote on :

    @Concerned User:

    > The very least they (Mozilla) could have done was to contact
    > Secunia in the first place

    Of course we did! They told us the reporter had a good track record (and they were right) but that didn’t help us figure out what needed fixing.

  28. Concerned User wrote on :

    @ Daniel: Many thanks for responding patiently to all my questions!

    Secunia could have posted something like this in their advisory:

    “We’ve also received an e-mail from the Mozilla team. Currently, there is no information available about this exploit.

    We’ll update our users when we have more information available.”

  29. Robert Carnegie wrote on :

    @18 A hypothetical researcher who demands money for supplying the exploit details to the software publisher versus supplying details to the world’s hackers would be, if they took the latter course, guilty in respect of all the hacking subsequently done using the data. And a respectable researcher has a known business or home address. So someone who tries to blackmail with an exploit is taking a considerable risk. Then again, making a deal with established professional Internet criminals is a risk, too.

    If I’m correctly reading http://www.theregister.co.uk/2010/03/12/ie_metasploit_0day_flaw/ (yeah, I know) it’s a case where non-criminal researchers became aware of one defect in Microsoft Internet Explorer because the bad guys found it and used it first. Or maybe one grey-hat researcher somewhere found it and decided to cash in on this one, then the exploits, then other researchers analyzed the exploits…

  30. Norman Burns wrote on :

    Does NoScript close this vulnerability?

    If earlier versions are not affected, could Mozilla offer a rollback feature in a future release so we could return to an unaffected version, if a similar situation should ever arise?

  31. David Dows wrote on :

    When in doubt, the simplest temporary (if not permanent) workaround is to protect yourself via SandBoxie, DropMyRights, or any other method that keeps the potential exploit from gaining Admin access.

    I do that all the time, except when I’m trying to make modifications to FF or TB that require admin access themselves. When I’m done with those changes, I close it and open FF or TB with restrictions in place.

    99% of the time, the limited rights allow me to browse in the same manner as I would with Admin rights. I also use NoScript and only allow whatever is necessary for my browsing.

    What’s the BFD?

  32. Nhs wrote on :

    Does this vulnerability affect only Windows based pcs or also those with linux?

  33. security war wrote on :

    Firefox is the best browser,

    and they fix everything quickly, so no one should worry.

  34. Daniel Veditz wrote on :

    @Norman Burns: yes, NoScript can help:
    http://hackademix.net/2010/03/22/firefox-36s-0-day-and-you/

    @Nhs: The vulnerability (flaw in Firefox) exists on all platforms. We haven’t seen any exploits (attacks) in the wild, but I believe the VulnDisco pack from the reporter contained only a Windows-based exploit.

  35. Natanael L wrote on :

    @32, Norman:
    I’d love a “QuickPatch” addon (or something like it) that would allow instant security fixes for exploits (it would allow rough fixes like disabling a certain feature completely until patched).

  36. Tomawoz wrote on :

    Several posters above have complained that Mozilla did not contact Secunia about this problem. It seems to me that if Secunia discovered and documented a problem with Firefox, that Secunia had an immediate obligation to provide all relevant information to the Firefox developers. To leave it up to Mozilla to take the initiative on this is totally irresponsible.

  37. happf_FF_user wrote on :

    I’ve just found the 3.6.2 update (German FF) and only want to say DANKESCHÖN.
    Andreas

  38. Dave wrote on :

    Does not install for me; it says there are other copies of Firefox running!!