Critical vulnerability in Firefox 3.5 and Firefox 3.6

Brandon Sterne


Update (Oct 27, 2010 @ 20:12):
A fix for this vulnerability has been released for Firefox and Thunderbird users.

Firefox 3.6.12 and 3.5.15 security updates now available
Thunderbird 3.1.6 and 3.0.10 security updates now available

Issue:
Mozilla is aware of a critical vulnerability affecting Firefox 3.5 and Firefox 3.6 users. We have received reports from several security research firms that exploit code leveraging this vulnerability has been detected in the wild.

Impact to users:
Users who visited a compromised site could have been infected with the malware through this vulnerability. The trojan was initially reported as live on the Nobel Peace Prize site, and that specific site is now being blocked by Firefox’s built-in malware protection. However, the exploit code could still be live on other websites.

Status:
We have diagnosed the issue and are currently developing a fix, which will be pushed out to Firefox users as soon as the fix has been properly tested.

In the meantime, users can protect themselves by doing either of the following:

Credit:
Morten Kråkvik of Telenor SOC
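For an administrator who has to find the unpatched installs across a fleet (the situation comment 23 below raises), here is an added example, not part of the original post and not Mozilla code, that triages Firefox User-Agent strings as a proxy log would record them against what this page states: 3.6.12 and 3.5.15 are the first fixed releases, anything earlier on those branches is vulnerable, the 3.0 branch is unsupported and never fixed (comment 18), 4.0 betas appear safe but were not proven so (comment 4), and the exploit seen in the wild targeted recent 3.6 releases on Windows XP only (comment 19). The sample log lines are constructed, and using the "Windows NT 5.1" token as the Windows XP marker and the status labels are the example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample User-Agent strings, as a proxy log might record them.
# Illustrative only; none of these come from the original post.
SAMPLE_UAS = [
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11",
    "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12",
    "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.14) Gecko/20100914 Firefox/3.5.14",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.15) Gecko/20101026 Firefox/3.5.15",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.19) Gecko/2010031422 Firefox/3.0.19",
    "Mozilla/5.0 (Windows NT 6.1; rv:2.0b7) Gecko/20100101 Firefox/4.0b7",
    "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1)",
]

# First fixed release on each supported branch (from the post's Oct 27 update).
FIXED = {(3, 6): (3, 6, 12), (3, 5): (3, 5, 15)}

# Matches "Firefox/3.6.11", "Firefox/3.5.14" and "Firefox/4.0b7" (beta suffix ignored).
FIREFOX_RE = re.compile(r"Firefox/(\d+)\.(\d+)(?:\.(\d+))?")


def parse_firefox_version(ua):
    """Return (major, minor, patch) from a UA string, or None if it is not Firefox."""
    m = FIREFOX_RE.search(ua)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(ua):
    """Return (status, targeted_in_wild) for one UA string.

    status:
      'patched'         3.6.x / 3.5.x at or above the fixed release
      'vulnerable'      3.6.x / 3.5.x below the fixed release
      'eol-vulnerable'  3.0.x and older: unsupported, never fixed (comment 18)
      'other-branch'    anything newer, e.g. 4.0 betas (comment 4: appear safe, unproven)
      'not-firefox'     no Firefox token in the UA
    targeted_in_wild is True only for an unpatched 3.6 on Windows XP, the combination
    the in-the-wild exploit went after (comment 19). Treating the "Windows NT 5.1"
    token as the XP marker is this example's assumption.
    """
    v = parse_firefox_version(ua)
    if v is None:
        return ("not-firefox", False)
    branch = v[:2]
    if branch in FIXED:
        status = "patched" if v >= FIXED[branch] else "vulnerable"
    elif v < (3, 5, 0):
        status = "eol-vulnerable"
    else:
        status = "other-branch"
    targeted = status == "vulnerable" and branch == (3, 6) and "Windows NT 5.1" in ua
    return (status, targeted)


def triage(uas):
    """Count each status across a list of UA strings; return (counts, targeted_uas)."""
    counts = Counter()
    targeted = []
    for ua in uas:
        status, hit = classify(ua)
        counts[status] += 1
        if hit:
            targeted.append(ua)
    return counts, targeted


if __name__ == "__main__":
    counts, targeted = triage(SAMPLE_UAS)
    for status, n in sorted(counts.items()):
        print(f"{status:15s} {n}")
    print("match the in-the-wild exploit profile:", len(targeted))
```

The "targeted" flag only says which machines match the profile of the attack that was actually observed; every 'vulnerable' and 'eol-vulnerable' install needs the update regardless of platform, since comment 19 notes the bug itself exists on all of them.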



33 responses

  1. Holly wrote on :

    Have you assigned a CVE yet?

  2. CNN Newsroom wrote on :

    http://www.norman.com/about_norman/press_center/news_archive/2010/129223/en-us
    http://www.norman.com/security_center/virus_description_archive/129146/

  3. mvario wrote on :

    Does that mean Minefield/FF4 is unaffected?

  4. Daniel Veditz wrote on :

    @Holly: CVE-2010-3765

    @mvario: Firefox 4 beta users appear safe for the moment. The underlying problematic code does exist, but other code changes since Firefox 3.6 seem to be shielding us from the vulnerability. It is more effective–now that we’ve identified the problem–to simply patch it and be sure than to spend hours trying to prove FF4 is safe.

  5. dave wrote on :

    Eta on a fix ? Is there a patch we can apply now?

  6. Sean Kerner wrote on :

    by Firefox built-in malware protection – do you mean the Google SafeBrowsing API?

  7. Daniel Veditz wrote on :

    @Sean: yes, we got the site blocked by Google’s SafeBrowsing within a couple of hours of learning about the exploit.

  8. dave wrote on :

    Is this the fix … http://hg.mozilla.org/mozilla-central/rev/85fb4bc01a71

  9. Jason wrote on :

    Here are some articles about this:

    http://www.theregister.co.uk/2010/10/26/firefox_0day_report/
    http://blog.trendmicro.com/firefox-zero-day-found-in-compromised-nobel-peace-prize-website/

  10. pal-moz wrote on :

    @dave

    no, bug is #607222
    http://isc.sans.edu/diary.html?storyid=9817

  11. Arthur Norton wrote on :

    “that exploit code leveraging this vulnerability” – what does that mean in English?

  12. Lonyl wrote on :

    Is this a windows only exploit?

  13. Sug wrote on :

    I have been using Microsoft EMET 2.0, with all the “mitigation techniques” on, is this a good measure until the patch comes out?

  14. Lloyd Budd wrote on :

    It would be great if you would include the most recent version #s for affected major versions in the post for reference. They appear to be
    Firefox 3.6.11
    Firefox 3.5.14

  15. Sreedharan wrote on :

    Is Mozilla 3.0 version safe then?

  16. Mark wrote on :

    @Sug only if it’s a buffer overflow exploit. It could be a privilege escalation exploit in which case UAC will offer some protection but you’ll need some sort of sandbox like sandboxie for full protection since this will prevent firefox from touching anything outside the sandbox.

  17. DADSGETNDOWN wrote on :

    If you disable javascript you can not access hotmail.

  18. Daniel Veditz wrote on :

    Is Mozilla 3.0 version safe then?

    Absolutely not! In addition to this problem 3.0.19 is vulnerable to most of the advisories issued since March 2010 when Mozilla ended support for it. See http://www.mozilla.org/security/announce/

  19. Daniel Veditz wrote on :

    @dave: no, the patch is
    http://hg.mozilla.org/mozilla-central/rev/cfb2ad811457

    @Lonyl: The exploit “in the wild” affects only users of recent 3.6 versions running Windows XP (not Vista or Win7). The vulnerability (bug) in Firefox also exists on older versions and on other platforms but this particular group of criminals chose not to bother with the effort of making the exploit there.

  20. John wrote on :

    @Arthur Norton: in the phrase “exploit code”, “exploit” is an adjective, not a verb.

  21. Brian wrote on :

    How does this manifest itself? My computer was attacked yesterday when I tried to view the Lesner fight, but Norton appeared to block it. However, when I booted up this morning, Firefox wouldn’t work; something about a proxy server. Using my son’s laptop, I got on line and found a fix that involved adjusting my internet settings regarding proxy servers. Could this be related? Thanks.

  22. James Roper wrote on :

    Why is this exploit being called a “trojan”? Trojan horse malware is a piece of software that an attacker tricks a user into installing. The user knows they are installing it, but they think it is something else. It requires no vulnerability in the browser to exploit. It sounds like this particular exploit however requires no user interaction, it exploits a vulnerability in the browser to install itself without the user knowing, so it should not be called a trojan.

  23. Nicolas wrote on :

    While I appreciate very much the warning, the blog itself is really not serious.

    If this is a blog targeted to a security audience, less information than this is needed.
    But if is meant for end-users, you do need more information.

    Namely, which platforms *could* be affected. I don’t care for instance if the vulnerability can only cause privilege escalation on Win98. I need to know the extent of the problem on Unix. If we’re talking of LFI, cross scripting, etc… Know how severe the vulnerability can be.
    As others pointed out, the latest affected version is useful, as well as an estimate of the next release fixing this bug, and of how long it could take.

    The blog recommends turning off Javascript. But let’s say there’s this sysadmin, that needs to know what to do of 500 users under 3.6 and [your favorite Unix distro]. Should he worry because all his users will get compromised due to privilege escalation? Should he ask everyone to use Chromium until a security release for Firefox comes up?

    I mean, come on, this blog is scary but does not give any useful information. I love Firefox: please, allow me to stay on your boat.

  24. Brian wrote on :

    Forgot to mention: At the same time I was having the “proxy server” issue with Firefox, I got an error message when I booted up about not being able to find C:Documents . . . mwd.exe
    Related?
    Thanks again.
    BAB

  25. Daniel Veditz wrote on :

    @James Roper: we called it a “trojan” because Norman ASA called it one in the “Belmoo” description (see comment 2 above). You’re right, though: this thing isn’t the Trojan Horse, it’s the Greek Soldiers hiding inside. Is there a term for that? The only other terms commonly used for malware are Virus, Worm, and Rootkit. It’s not really any of those either.

  26. Daniel Veditz wrote on :

    @Brian: Norton wasn’t detecting this yesterday so I think that was an unrelated attack. Taking comment 21 and 23 together you may have been hit by the Graps worm, which installs a mwd.exe and messes with proxy settings. It’s been around a long time, when first identified it was spreading through network shares. It may have mutated since the following descriptions were written.

    http://www.f-secure.com/v-descs/graps.shtml
    http://vil.nai.com/vil/content/v_100467.htm

  27. Odysseus wrote on :

    Was this _again_ only a windows version problem?

  28. sam45623 wrote on :

    @Odysseus

    it affects all platforms
    http://www.theregister.co.uk/2010/10/28/firefox_zeroday_patched/

    and obviously it’s not patched = D

  29. Skolko Mozhno Tyanut wrote on :

    SANDBOX SECURITY in FIREFOX?

    Where is it??? Where is it already?! It is year 2010 already…

    Not only chrome, but even IE already implemented it. If it was present in FF, exploiting 0-day vulnerabilities in JS engine would be way harder.

    Does the World Cup Of Most Popular Browser come with Poison Of Least Secure Browser inside?

    When will firefox devs finally understand the need to secure users’ computers from the browser, a program that will always have a lot of security flaws, unless no new features are being implemented in it?

    Does anyone hear me? Anyone at all?

  30. Daniel Veditz wrote on :

    @Skolko: We have been working on a sandbox for quite a while, see
    https://wiki.mozilla.org/Electrolysis

    It’s easier to build in a sandbox from the ground up than to retrofit–re-architecting the browser can’t safely be done all at once. Firefox 3.6.4 took the first steps with Out of Process Plugins (OOPP). The Firefox 4 codebase has support for electrolysis, but for now it’s only used in the Mobile version with its much simpler user-interface. Slow steps, but we should be there by the next major version (after 4).

  31. Sam45632 wrote on :

    Sorry, I meant to say it is now patched.

  32. Spintos wrote on :

    Is Mozilla 3.0 version safe then?

  33. Daniel Veditz wrote on :

    @Spintos: No, see comment 18.