Mozilla Security Blog
Categories: Firefox Security

Secunia Advisory SA38608

Lucas Adamski

14 responses

Mozilla is aware of the claim of a zero-day in Firefox as posted here: http://secunia.com/advisories/38608/.  We cannot confirm the report as we have received no details regarding the reported vulnerability, such as a proof-of-concept or steps to reproduce.  We’ve attempted to contact the researcher who discovered the issue but have not received a response.

Mozilla takes all reports of security vulnerabilities seriously.  As always, if you have information about security issues, please send details to security@mozilla.org.
Lucas Adamski, Mozilla Security

14 comments on “Secunia Advisory SA38608”

  1. jenett wrote on

    Maybe this would be helpful to you:
    http://www.h-online.com/security/news/item/Zero-day-exploit-for-Firefox-3-6-936124.html

  2. SperlT wrote on

    @jenett: The reported exploit is a hoax, and secunia and several other websites believed it without testing by themselves. They spread the wrong message and helped that blackhat hacker to sell his product (which does NOT contain a firefox exploit).

  3. blog.psi2.de wrote on

    You will find a statement of Secunia CSO Thomas Kristensen at my security-blog:
    http://blog.psi2.de/en/2010/02/20/going-commercial-with-firefox-vulnerabilities/comment-page-1/#comment-666

  4. ran wrote on

    well can someone do something?????

  5. Daniel Veditz wrote on

    One blogger speculated that an apparent extreme peek of crashes on February 12 and 13 might indicate a new exploit being used. It was in fact the report that was buggy, we don’t see order-of-magnitude jumps from day to day. The real crash count was available in other queries on the site, and the buggy report has now been fixed.

    https://bugzilla.mozilla.org/show_bug.cgi?id=547269

  6. Morgoth wrote on

    Hi, are there any new indications, if this is a hoax or a real vulnerability ? Is there anything out in the wild or a proof-of-concept ?

    Its very quiet about that exploit and i wonder what to do ?

    1. Daniel Veditz wrote on

      Haven’t heard anything new. Definitely not seeing any attacks so you can keep browsing with Firefox with confidence. We’re keeping an eye out and if we spot anything we’ll announce it and fix it.

  7. blog.psi2.de wrote on

    Secunia released its Secunia 2009 Report. The Internet Explorer belongs to the “Top 10 most secure products 2009” and it is the wining product with the minimum “2009 average unpatched rate for browsers”:

    http://blog.psi2.de/en/2010/03/01/secunia-2009-report-internet-explorer-as-security-winner/

  8. emv x person wrote on

    This smacks of hoax.

  9. Concerned User wrote on

    Hi there, I’m a long time Firefox user. I’ve been following the Secunia thread for quite some time. The black hatter/hacker has posted a response at his blog here. I got this link from the Secunia Site:

    http://intevydis.blogspot.com/2010/03/firefox-hoax-or-not_04.html

    He claims that this exploit is “real” and that he will not disclose it. In other words “Buy my software and discover this vulnerability for yourself.”:(….What a Nice guy!:)

    The least you guys could do is to issue a statement or something reassuring users (especially the non-tech ones)that there is no need for panic.

    Many non-technical users get easily scared and will not hesitate to switch browsers.

    At the end of the day, it’s just “bad press” which makes or breaks a product:(…

    My question (please correct me if I’m wrong): Why can’t Mozilla buy the VulnDisc software package and check out the vulnerability claims themselves?

    I am aware of the fact that this “Evgeny Legerov”, the Russian blackhatter wants to make money out of his software and that he could be a big liar and worse still, a blackmailer.

    However, as a Windows user, I’m quite concerned since this “flaw” is supposed to affect Windows and I use Firefox as my primary browser.

    Disclaimer: I do not work for Microsoft, Mozilla, Apple or Intevydis for that matter:)…I’m just a web user like the rest of you.

  10. Sarah wrote on

    I’m an ordinary old lady, who uses Firefox, Chrome, the Sea Monkey, and Internet Explorer in the order listed. I am also a passionate advocate of Secunia’s PSI. I feel betrayed. Brace yourselves. I’m going to tell you why.

    Reporting a software vulnerability directly to it’s open-source creator–namely, Mozilla–is commonly accepted as best practice by today’s internet community. This is widely understood to be responsible disclosure, because it minimizes exposure of the end user to malicious attacks while Mozilla is developing, testing, and deploying a patch.

    I dare speculate that most ordinary computer users believe the positive verification of the alleged security flaw in Firefox 3.x means both Secunia and the Russian blackhatter have knowledge of either
    1.) The steps required to reproduce a specific exploit, or
    2.) Specific proof of the concept that supports exploitation. (A convincing demonstration which, in principle, clearly shows how Firefox 3.x can be compromised without constructing a complete, functioning code for that purpose.)

    The publication of a security advisory, assignment of a highly critical vulnerability rating to that advisory, and Secunia’s widely respected reputation–all combine to inform belief that the alleged flaw is real. On the other hand, Mozilla’s own security researchers indicate the nature of the alleged exploitable flaw is unknown to them. They have no facts to act upon–namely, neither the steps required to reproduce the alleged exploit, nor a proof-of-concept pointing to an exploitable coding error. I do not doubt Mozilla’s word, because very few software vendors, if any, can claim to exceed Mozilla’s dedication to writing secure code, and Mozilla’s open record of diligence in fixing security holes in a timely manner.

    For anyone wishing to be well-informed in this matter, the following link will take you to a story reported by Brian Krebs and posted to his blog, 11 January, 2010:

    http://www.krebsonsecurity.com/2010/01/firm-to-release-database-web-server-0days/

    I am shocked by those, who believe the open-source community should pay thousands of dollars in extortion for software that might tell them if the Russian blackhatter with an axe to grind has discovered a zero-day exploit in Firefox, or not.

    Secunia appears to have unwittingly supported a flagrant and unprecedented attack on open-source software, which could do great harm to the free and open internet in the future. Secunia needs to review its corporate intelligence-gathering policies and make adjustments to reduce the probability of another shameful stalemate like this one.

    Anyone–whether he lives in Moscow, Copenhagen, or elsewhere–who seeks recognition as a source of reliable vulnerability intelligence, and who possesses evidence that the Firefox 3.x code contains a security hole defined by the broad brush of SA38608, has an ethical obligation to slip the proof under Mozilla’s doormat, or to withdraw the accusation. To repeat: It is called responsible disclosure. Anything less is unacceptable.

  11. mikey wrote on

    The Firefox3.6 exploit is quite real.
    I got hit by it last night, from a porn site — crashed all Firefox windows/tabs at once and dropped TDSS/Alureon rootkit on my XP-pro.
    Post-mortem Avast detected “HTML:RedirME” & “Prontexi” in the Firefox Cache files; some info is available here: http://blog.avast.com/2010/02/18/ads-poisoning-%E2%80%93-jsprontexi/
    I didn’t have Avast running at the time, and McAfee didn’t see anything. Not a pretty sight.

  12. Daniel Veditz wrote on

    There is no evidence JS:Prontexi is using this particular exploit, and in fact the one avenue specifically mentioned in the blog was out of date PDF readers (but it apparently uses others as well). Please load Adobe Reader and make sure you have version 9.3.1, and if not use their built-in updater. To check the rest of your plugins please visit https://www.mozilla.com/en-US/plugincheck/

  13. Roger wrote on

    Having been blindsided myself with advisories published contrary to Secunia’s own public policy, I can fully understand the frustration. I have to wonder how it is they get away with such an obvious MS bias.