Wilders Security Forums  

  #1  
Old October 26th, 2010, 03:07 PM
Eice's Avatar
Eice Eice is offline
Very Frequent Poster
 
Join Date: Jan 2009
Posts: 1,413
Default Firefox zero-day under attack at Nobel Prize site

Quote:
Malicious hackers are exploiting a zero-day vulnerability in Mozilla’s Firefox browser to launch drive-by download attacks against visitors to the Nobel Prize website.
http://www.zdnet.com/blog/security/f...rize-site/7550
  #2  
Old October 26th, 2010, 05:05 PM
fsr fsr is offline
Regular Poster
 
Join Date: Jul 2010
Posts: 190
Default Re: Firefox zero-day under attack at Nobel Prize site

Another FF 0 day lolz
  #3  
Old October 26th, 2010, 05:06 PM
trjam's Avatar
trjam trjam is offline
Incredibly Massive Poster
 
Join Date: Aug 2006
Location: North Carolina
Posts: 8,620
Default Re: Firefox zero-day under attack at Nobel Prize site

I luv IE9.
__________________
Webroot SecureAnywhere
  #4  
Old October 26th, 2010, 05:25 PM
SUPERIOR's Avatar
SUPERIOR SUPERIOR is offline
Regular Poster
 
Join Date: Dec 2007
Location: Syria
Posts: 161
Default Re: Firefox zero-day under attack at Nobel Prize site

Quote:
Originally Posted by fsr
Another FF 0 day lolz

but what about their offer giving away 10 grand to anyone who can find a 0day exploit in FF
  #5  
Old October 26th, 2010, 05:29 PM
trjam's Avatar
trjam trjam is offline
Incredibly Massive Poster
 
Join Date: Aug 2006
Location: North Carolina
Posts: 8,620
Default Re: Firefox zero-day under attack at Nobel Prize site

Quote:
Originally Posted by SUPERIOR
but what about their offer giving away 10 grand to anyone who can find a 0day exploit in FF

lol, payable through here I hope.
__________________
Webroot SecureAnywhere
  #6  
Old October 27th, 2010, 06:59 AM
Eice's Avatar
Eice Eice is offline
Very Frequent Poster
 
Join Date: Jan 2009
Posts: 1,413
Default Re: Firefox zero-day under attack at Nobel Prize site

Quote:
Originally Posted by SUPERIOR
but what about their offer giving away 10 grand to anyone who can find a 0day exploit in FF
10 grand? You're kidding. It's $2-3k at most.

Good malware writers with sufficient resources at their disposal can easily earn that amount in a day or less by maliciously exploiting the bug in the wild instead of reporting it to Mozilla.
  #7  
Old October 27th, 2010, 07:04 AM
fsr fsr is offline
Regular Poster
 
Join Date: Jul 2010
Posts: 190
Default Re: Firefox zero-day under attack at Nobel Prize site

Quote:
Issue:
Mozilla is aware of a critical vulnerability affecting Firefox 3.5 and Firefox 3.6 users. We have received reports from several security research firms that exploit code leveraging this vulnerability has been detected in the wild.

Impact to users:

Users who visited an infected site could have been affected by the malware through the vulnerability. The trojan was initially reported as live on the Nobel Peace Prize site, and that specific site is now being blocked by Firefox’s built-in malware protection. However, the exploit code could still be live on other websites.

Status:
We have diagnosed the issue and are currently developing a fix, which will be pushed out to Firefox users as soon as the fix has been properly tested.

In the meantime, users can protect themselves by doing either of the following:

* Disabling JavaScript in Firefox
* Using the NoScript Add-on

Credit:
Morten Kråkvik of Telenor SOC


Brandon Sterne
Man-in-the-middle

http://blog.mozilla.com/security/201...d-firefox-3-6/
  #8  
Old October 27th, 2010, 07:31 AM
vasa1's Avatar
vasa1 vasa1 is offline
Massive Poster
 
Join Date: May 2010
Posts: 3,988
Default Re: Firefox zero-day under attack at Nobel Prize site

Quote:
Originally Posted by trjam
I luv IE9.

Does it come with a spelling checker?
  #9  
Old October 27th, 2010, 07:46 AM
Longboard's Avatar
Longboard Longboard is offline
Massive Poster
 
Join Date: Oct 2004
Location: Sydney, Australia
Posts: 3,097
Default Re: Firefox zero-day under attack at Nobel Prize site

Who has managed to hack the Nobel Site ??
I'm not going there to check, but what servers are they on, what OS and what other pages hosted ??

There is little doubt if I had visited I would have likely allowed scripts to run.
Nasty.

Any detection for this mal ??
Anyone know if the usual tools would have blocked this ?

Quote:
According to researcher, the trojan installer was created on Sunday and drops a file called symantec.exe in the %WINDOWS%\temp folder. The file name was clearly chosen to mislead users, and so is the “Microsoft Windows Update” name used for the start-up registry entries created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
Heh
__________________
Don't confuse me with someone who actually knows what they are talking about.
Linux Registered user 469135
Please, support Medecins Sans Frontieres

Last edited by Longboard : October 27th, 2010 at 07:56 AM.
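A check for the persistence indicators quoted in post #9, added here as an example and not part of any post in the thread. It assumes the input is the text output of `reg query` run against the two Run keys named in the quote; the function name `scan_run_keys` is hypothetical and the sample output is constructed.

```python
import re

# Indicators quoted in the post above.
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
LURE_VALUE_NAME = "microsoft windows update"
DROPPED_FILE = re.compile(r"\\symantec\.exe\b")

# A value line of `reg query` output: 4-space indent, name, type, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

# Constructed sample output, not captured from a real machine.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Microsoft Windows Update    REG_SZ    C:\WINDOWS\temp\symantec.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Updater    REG_SZ    "C:\Program Files\Vendor\updater.exe" /silent
    Microsoft Windows Update    REG_SZ    C:\WINDOWS\temp\symantec.exe
"""


def scan_run_keys(reg_query_output):
    """Return (key, value name, data, reasons) for each matching Run entry."""
    findings, key = [], None
    for line in reg_query_output.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()  # header line naming the key that follows
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or not key.lower().endswith(RUN_KEY_SUFFIX):
            continue
        name, data = m.group("name"), m.group("data").strip()
        reasons = []
        if name.strip().lower() == LURE_VALUE_NAME:
            reasons.append("value name matches the quoted start-up entry")
        if "\\temp\\" in data.lower():
            reasons.append("autostart target sits in a temp folder")
        if DROPPED_FILE.search(data.lower()):
            reasons.append("target file name matches the quoted dropped file")
        if reasons:
            findings.append((key, name, data, reasons))
    return findings


if __name__ == "__main__":
    for key, name, data, reasons in scan_run_keys(SAMPLE):
        print(f"{key}: {name!r} -> {data} ({'; '.join(reasons)})")
```

An autostart entry that points into a temp folder is flagged on its own, so a renamed copy of the dropped file would still be reported.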
  #10  
Old October 27th, 2010, 07:57 AM
burebista's Avatar
burebista burebista is online now
Regular Poster
 
Join Date: Mar 2010
Location: Romania
Posts: 193
Default Re: Firefox zero-day under attack at Nobel Prize site

Quote:
Originally Posted by trjam
I luv IE9.
Me luv NoScript.
__________________
If it ain't broke... fix it until it is.
CIS 5 user...
  #11  
Old October 27th, 2010, 08:08 AM
Eice's Avatar
Eice Eice is offline
Very Frequent Poster
 
Join Date: Jan 2009
Posts: 1,413
Default Re: Firefox zero-day under attack at Nobel Prize site

Quote:
Originally Posted by burebista
Me luv NoScript.
You mean you "luv" to cripple your Internet experience, and allow Javascript only on supposedly safe sites - only to get pwned?
  #12  
Old October 27th, 2010, 08:44 AM
burebista's Avatar
burebista burebista is online now
Regular Poster
 
Join Date: Mar 2010
Location: Romania
Posts: 193
Default Re: Firefox zero-day under attack at Nobel Prize site

Yep, but I don't cripple anything. Default deny, that's it.
__________________
If it ain't broke... fix it until it is.
CIS 5 user...
  #13  
Old October 27th, 2010, 09:04 AM
brosephjames brosephjames is offline
Infrequent Poster
 
Join Date: Sep 2010
Posts: 9
Default Re: Firefox zero-day under attack at Nobel Prize site

It'd be nice if mozilla (and others when this happens) would say which OS-native security protections their various memory mismanagement exploits bypass.

Does this just affect people too dumb to enable DEP?

Or is it bypassing every EMET trick in the book from SEHOP to ASLR? Doesn't seem likely.

A buffer overflow in 500,000 lines of C code isn't news. Nobody expects a programming language designed in the 1970s to not be a horrible pile of crap.

Breaking 21st century security mitigations is, however, news.
  #14  
Old October 27th, 2010, 11:03 AM
funkydude's Avatar
funkydude funkydude is offline
Massive Poster
 
Join Date: Apr 2004
Posts: 5,998
Default Re: Firefox zero-day under attack at Nobel Prize site

Quote:
Originally Posted by burebista
Me luv NoScript.

You can achieve fine grain script control in IE just fine, even without installing an extension, without requiring to cripple your browsing experience.

Quote:
Originally Posted by vasa1
Does it come with a spelling checker?

Not yet, a big !!

Fingers crossed for beta 2.... or maybe the spellcheck plugin will be updated.
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
  #15  
Old October 27th, 2010, 11:42 AM
Ocky's Avatar
Ocky Ocky is offline
Very Frequent Poster
 
Join Date: May 2006
Location: George, S.Africa
Posts: 2,537
Default Re: Firefox zero-day under attack at Nobel Prize site

Quote:
According to Mozilla, the underlying flaw is present in both Firefox 3.5 and 3.6, but only recent versions of 3.6 were targeted by JS_NINDYA.A. In addition, if the user is running newer versions of Windows (such as Vista, Windows 7, Server 2008, and Server 2008 R2), the exploit will not be triggered either.
http://blog.trendmicro.com/firefox-z...prize-website/
__________________
Ubuntu Kubuntu Xubuntu Scientific Linux
  #16  
Old October 27th, 2010, 11:50 AM
Eice's Avatar
Eice Eice is offline
Very Frequent Poster
 
Join Date: Jan 2009
Posts: 1,413
Default Re: Firefox zero-day under attack at Nobel Prize site

Quote:
Originally Posted by Ocky
Quote:
According to Mozilla, the underlying flaw is present in both Firefox 3.5 and 3.6, but only recent versions of 3.6 were targeted by JS_NINDYA.A. In addition, if the user is running newer versions of Windows (such as Vista, Windows 7, Server 2008, and Server 2008 R2), the exploit will not be triggered either.
http://blog.trendmicro.com/firefox-z...prize-website/
Seems like that's only because the exploit deliberately skips non-XP systems after checking the UA string. I wonder why...
  #17  
Old October 27th, 2010, 12:01 PM
wat0114
 
Posts: n/a
Default Re: Firefox zero-day under attack at Nobel Prize site

A default-deny policy should stop this cold.
  #18  
Old October 27th, 2010, 12:18 PM
funkydude's Avatar
funkydude funkydude is offline
Massive Poster
 
Join Date: Apr 2004
Posts: 5,998
Default Re: Firefox zero-day under attack at Nobel Prize site

Quote:
Originally Posted by Eice
Seems like that's only because the exploit deliberately skips non-XP systems after checking the UA string. I wonder why...

Efficient coding. You're better off checking the OS in the script rather than downloading the malware and performing the check, assuming the malware doesn't run properly on later systems.

Educated guess...
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
  #19  
Old October 27th, 2010, 12:20 PM
Eice's Avatar
Eice Eice is offline
Very Frequent Poster
 
Join Date: Jan 2009
Posts: 1,413
Default Re: Firefox zero-day under attack at Nobel Prize site

Quote:
Originally Posted by funkydude
Efficient coding. You're better off checking the OS in the script rather than downloading the malware and performing the check, assuming the malware doesn't run properly on later systems.

Educated guess...
That's rather unlikely. If anything, Windows has GREAT backward compatibility. Simply change the paths that the trojan writes to on the filesystem and registry to bypass UAC, and chances are you're good to go.
  #20  
Old October 27th, 2010, 12:23 PM
funkydude's Avatar
funkydude funkydude is offline
Massive Poster
 
Join Date: Apr 2004
Posts: 5,998
Default Re: Firefox zero-day under attack at Nobel Prize site

Quote:
Originally Posted by Eice
That's rather unlikely. If anything, Windows has GREAT backward compatibility. Simply change the paths that the trojan writes to on the filesystem and registry to bypass UAC, and chances are you're good to go.

I don't see what backwards compatibility has to do with new technologies in Windows 7 that prevent such attacks.
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
  #21  
Old October 27th, 2010, 12:26 PM
Eice's Avatar
Eice Eice is offline
Very Frequent Poster
 
Join Date: Jan 2009
Posts: 1,413
Default Re: Firefox zero-day under attack at Nobel Prize site

Quote:
Originally Posted by funkydude
I don't see what backwards compatibility has to do with new technologies in Windows 7 that prevent such attacks.
Which technologies, exactly?
  #22  
Old October 27th, 2010, 12:26 PM
funkydude's Avatar
funkydude funkydude is offline
Massive Poster
 
Join Date: Apr 2004
Posts: 5,998
Default Re: Firefox zero-day under attack at Nobel Prize site

Quote:
Originally Posted by Eice
Which technologies, exactly?

My signature elaborates.
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
  #23  
Old October 27th, 2010, 12:37 PM
Eice's Avatar
Eice Eice is offline
Very Frequent Poster
 
Join Date: Jan 2009
Posts: 1,413
Default Re: Firefox zero-day under attack at Nobel Prize site

Quote:
Originally Posted by funkydude
My signature elaborates.
There's no evidence that either the exploit or trojan uses buffer overflows, so DEP and SEH are irrelevant. An antivirus and firewall is irrelevant as these can easily be present on XP as well. The only thing that might matter is UAC, but even then you can redirect the paths to user locations, and there's no harm trying anyway given the number of idiots out there.

So, as I was asking, which technologies, exactly?
  #24  
Old October 27th, 2010, 12:45 PM
funkydude's Avatar
funkydude funkydude is offline
Massive Poster
 
Join Date: Apr 2004
Posts: 5,998
Default Re: Firefox zero-day under attack at Nobel Prize site

Quote:
Originally Posted by Eice
There's no evidence that either the exploit or trojan uses buffer overflows, so DEP and SEH are irrelevant. An antivirus and firewall is irrelevant as these can easily be present on XP as well. The only thing that might matter is UAC, but even then you can redirect the paths to user locations, and there's no harm trying anyway given the number of idiots out there.

Err, what? There is no evidence that the trojan doesn't use them, so what point are you trying to make? Are you seriously trying to make an argument out of my guess? With 0 factual information from either of us?

Quote:
Originally Posted by Eice
So, as I was asking, which technologies, exactly?


My signature elaborates.
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
  #25  
Old October 27th, 2010, 12:48 PM
Eice's Avatar
Eice Eice is offline
Very Frequent Poster
 
Join Date: Jan 2009
Posts: 1,413
Default Re: Firefox zero-day under attack at Nobel Prize site

Quote:
Originally Posted by funkydude
Err, what? There is no evidence that the trojan doesn't use them, so what point are you trying to make?
Apart from the fact that anti-buffer overflow solutions weren't mentioned at all as mitigation methods?

Quote:
Originally Posted by funkydude
Are you seriously trying to make an argument out of my guess? With 0 factual information from either of us?
No, I was just trying to get you to clarify what you based your guess on. If it was based on - as you say - 0 factual information, then that's that. We're all grown men, there's hardly a need to be so defensive about it.
 

All times are GMT -4. The time now is 02:21 AM.

