Updated: Using firefox v1.0.3? Time to disable javascript.
- Thread starter n0cmonkey
- Start date
The holes being exploited exist in both Firefox and Mozilla. However, remote code execution (the most critical issue) requires that the attacker can get you to load a trusted page. Mozilla, by default, ships with an empty whitelist (i.e. it trusts nothing); Firefox ships with a whitelist that trusts Mozilla Update. On Saturday, we made changes to the Mozilla Update website which stopped all published exploits we could find. The published exploits depended on certain Mozilla Update functionality which we changed. On Sunday, we made more drastic changes to move Mozilla Update to an untrusted domain; when an attacker now attempts to use the security hole to run code with Mozilla Update's permissions, it runs as an untrusted page, and thus is blocked.
Long story short:
1. published exploits no longer work
2. simple modifications to published exploits will no longer work (as far as I know, remote code execution shouldn't be possible any more on a default Firefox install)
3. remote code execution requires that you have sites in your whitelist, and have software install enabled (it is enabled by default). Our modifications to Mozilla Update mean it is effectively not on your whitelist, so a default Firefox install now effectively has an empty whitelist.
4. there is still a way to exploit the security hole to steal cookies; disabling javascript may be the only way to prevent this (however, I consider cookie-stealing signficantly less severe).
Long story short:
1. published exploits no longer work
2. simple modifications to published exploits will no longer work (as far as I know, remote code execution shouldn't be possible any more on a default Firefox install)
3. remote code execution requires that you have sites in your whitelist, and have software install enabled (it is enabled by default). Our modifications to Mozilla Update mean it is effectively not on your whitelist, so a default Firefox install now effectively has an empty whitelist.
4. there is still a way to exploit the security hole to steal cookies; disabling javascript may be the only way to prevent this (however, I consider cookie-stealing signficantly less severe).
lol yeah I found it odd that I was being asked to patch to 1.03 again when I already patched to 1.03 yesterday. Oh well at least I'm patched
Not yet. However, this morning, we (some Mozilla Update & Mozilla developers) realized there may be a way to completely prevent the hole from being exploitable, and have been working on it for most of the day.
Originally posted by: rh71
Fix ? Where ? I still see it labeled as 1.0.3 on mozilla.org still...Originally posted by: CTho9305
New fix is live
We mitigated the exploit by making changes to Mozilla Update. The exploit depended on the elevated privileges of whitelisted sites (Mozilla Update is whitelisted by default), so we did some work to stop that. The exploit now runs only with normal privileges, so Firefox blocks it. See also Mozilla Update.
rh71
No Lifer
- Aug 28, 2001
- 52,844
- 1,049
- 126
Thanks, but in plain English, what do I need to do to patch up ? Don't see anything I can use on that site either. This is a client-side problem, still, no ?Originally posted by: CTho9305
Originally posted by: rh71
Fix ? Where ? I still see it labeled as 1.0.3 on mozilla.org still...Originally posted by: CTho9305
New fix is live
We mitigated the exploit by making changes to Mozilla Update. The exploit depended on the elevated privileges of whitelisted sites (Mozilla Update is whitelisted by default), so we did some work to stop that. The exploit now runs only with normal privileges, so Firefox blocks it. See also Mozilla Update.
how is that owned? I really don't give two sh|ts about all this security mumbo jumbo. A good number of sites are programmed towards IE compatibility, and until that changes, neither will I. i've never once had any sort of spyware on my computer, and i don't plan on getting any in the future. I stick to legitimate websites, hell i don't even get popups on most places I visit. You can call pwned on all the idiots with spyware infested computers, not me.
Originally posted by: rh71
Thanks, but in plain English, what do I need to do to patch up ? Don't see anything I can use on that site either. This is a client-side problem, still, no ?Originally posted by: CTho9305
Originally posted by: rh71
Fix ? Where ? I still see it labeled as 1.0.3 on mozilla.org still...Originally posted by: CTho9305
New fix is live
We mitigated the exploit by making changes to Mozilla Update. The exploit depended on the elevated privileges of whitelisted sites (Mozilla Update is whitelisted by default), so we did some work to stop that. The exploit now runs only with normal privileges, so Firefox blocks it. See also Mozilla Update.
The hole is client-side. Fully exploiting the hole requires that the attacker can get you to load a trusted page - what the published exploits do is load Mozilla Update in an <iframe>. By moving Mozilla Update to an untrusted domain, we effectively nullified the default whitelist (which only contains Mozilla Update) - now no trusted pages exist. If you still have a popular site like extensionsmirror.nl whitelisted, you should remove that.
Note that apparently there is also a way to steal cookies, which can only be stopped by disabling javascript.
TRENDING THREADS
-
Discussion Zen 5 Speculation (EPYC Turin and Strix Point/Granite Ridge - Ryzen 9000)- Started by DisEnchantment
- Replies: 25K
-
Discussion Intel Meteor, Arrow, Lunar & Panther Lakes Discussion Threads
- Started by Tigerick
- Replies: 22K
-
Discussion Intel current and future Lakes & Rapids thread- Started by TheF34RChannel
- Replies: 23K
-
Facebook
Twitter