Firefox zero-day under attack at Nobel Prize site

Discussion in 'other security issues & news' started by Eice, Oct 26, 2010.

Thread Status:
Not open for further replies.
  1. prius04

    prius04 Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    1,248
    Location:
    USA
  2. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    How is asking you a question being defensive? People generally broadcast defensiveness as statements.

    So that automatically means they are not? Does it explicitly state they are not? Nope.

    Maybe they are not towards the exploits but are towards the malware? Again, guesses ;)

    If it's one thing great about Mozilla, it's their patching speed.
     
  3. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    It is when you ask people whether they're trying to start arguments.

    Do the articles explicitly state that a default-deny policy does not mitigate this threat? Nope. Looks like it's anyone's guess whether default-deny works, then.
     
  4. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    You mean the act of asking a question now becomes being defensive? :D

    Yup, sure is buddy :thumb:
     
  5. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    I'm not sure why you're trying to oversimplify it and set up a straw man. It depends on the question being asked, of course.
     
  6. brosephjames

    brosephjames Registered Member

    Joined:
    Sep 5, 2010
    Posts:
    9
    It could be a JavaScript privilege escalation exploit. Firefox does have a history of letting code from untrusted domains run willy-nilly with chrome privileges.

    All the more reason Firefox should sandbox like Google Chrome.
     
  7. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
  8. brosephjames

    brosephjames Registered Member

    Joined:
    Sep 5, 2010
    Posts:
    9
    Yeah it's not fair to compare that exploit with IE9.

    IE9 only runs on a modern protected OS. The very same modern protected OS that (would have) prevented this exploit from running on Firefox.
     
  9. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    According to Mozilla's advisory, this security issue affected Firefox 3.5 and 3.6 on all operating systems and was addressed in the newly released Firefox 3.5.15 and 3.6.12.
    http://news.softpedia.com/news/Extr...ased-for-Firefox-and-Thunderbird-163323.shtml
     
  10. brosephjames

    brosephjames Registered Member

    Joined:
    Sep 5, 2010
    Posts:
    9
    That's because they go for the lowest common denominator. DEP, SEHOP, and ASLR rely on various registry enables and hardware support, so it's very possible to not have any protection from them on Windows 7.
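    The post above says these mitigations depend on registry settings and hardware support; the script below is an added example (not from the thread) that inventories the DEP policy, NX hardware support, ASLR and SEHOP state on a Windows 7 or later box so you can see which of them are actually on. It assumes an elevated Windows PowerShell session and reads only the documented WMI properties and registry values named in the comments.

```powershell
# Added example: report which memory-corruption mitigations are active.
# Assumes Windows 7+ and an elevated Windows PowerShell session.
function Get-MitigationStatus {
    $status = @{}

    # DEP: system-wide policy and hardware NX support, as reported by WMI.
    # SupportPolicy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $depPolicy = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $status['DEP policy']  = $depPolicy[[int]$os.DataExecutionPrevention_SupportPolicy]
    $status['NX hardware'] = [bool]$os.DataExecutionPrevention_Available

    # ASLR: MoveImages under Memory Management.
    # absent or 1 = default (images built with /DYNAMICBASE are randomized),
    # 0 = ASLR disabled, 0xFFFFFFFF (-1) = randomize all relocatable images.
    $mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $moveImages = (Get-ItemProperty -Path $mm -ErrorAction SilentlyContinue).MoveImages
    if ($null -eq $moveImages -or $moveImages -eq 1) {
        $status['ASLR'] = 'default (opt-in images randomized)'
    } elseif ($moveImages -eq 0) {
        $status['ASLR'] = 'DISABLED'
    } elseif ($moveImages -eq -1 -or $moveImages -eq 4294967295) {
        $status['ASLR'] = 'forced for all images'
    } else {
        $status['ASLR'] = "unrecognised value $moveImages"
    }

    # SEHOP: DisableExceptionChainValidation under Session Manager\kernel.
    # 0 = SEHOP enabled, 1 = disabled. On Windows 7 client the value is
    # normally absent, which means disabled unless EMET or policy turns it on.
    $kernel = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
    $decv = (Get-ItemProperty -Path $kernel -ErrorAction SilentlyContinue).DisableExceptionChainValidation
    if ($decv -eq 0) {
        $status['SEHOP'] = 'enabled'
    } elseif ($null -eq $decv) {
        $status['SEHOP'] = 'not set (client default: DISABLED)'
    } else {
        $status['SEHOP'] = 'DISABLED'
    }

    return $status
}

$report = Get-MitigationStatus
$report.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
```

    Anything reported as DISABLED or "not set" is a mitigation the thread argues about but which this machine is not actually getting.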
     
  11. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Oh, come on.

    Give it up already. Those mechanisms kick in only on very specific types of intrusions, they're not some kind of magic cure-all for every exploit or trojan out there.
     
  12. brosephjames

    brosephjames Registered Member

    Joined:
    Sep 5, 2010
    Posts:
    9
    There is no known reliable way to overflow and execute code on an EMET protected system. There is no known way to escalate to admin privileges without a UAC prompt.

    People get viruses because they do stupid things like disabling UAC, not forcing DEP, not using EMET, or worse yet, still using XP which btw is the only OS this exploit actually affected in the wild.

    There are theoretical papers on bypassing all the above, but actually doing it is another thing. Find me a Win 7 rootkit/system-level trojan that doesn't need a UAC prompt and bypasses EMET and can run from a drive-by, confirmed in the wild. You can't, so don't bother.
     
  13. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Yes, because we know that every exploit in the world uses overflows, and every trojan needs admin privileges.

    You're right, I shouldn't bother wasting my time.
     
  14. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    I love Safari :D
     
  15. brosephjames

    brosephjames Registered Member

    Joined:
    Sep 5, 2010
    Posts:
    9
    I didn't mean to derail the thread, but I just think security reporting is very, very poor. How can people expect to take precautions against exploits when it's constantly, generically reported that every new minor stack overflow is a complete break in the system?

    It's just that it isn't particularly surprising when there's a memory mismatch in a hundred thousand lines of C code. I would be surprised if there wasn't. I don't even think it's possible for there not to be in that much code. The real question should be which security protections are being broken and what security protections could stop it from being broken in the future. This is never reported.

    There's a new Adobe Reader zero-day today. Does it bypass EMET-protected machines? Would Adobe or the press bother to do a simple test and possibly save thousands of infections? No. They never do. Ignorance breeds insecurity.
     
  16. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    Is there a reference for this?
     
  17. brosephjames

    brosephjames Registered Member

    Joined:
    Sep 5, 2010
    Posts:
    9
    The version spotted in the wild did a UA check and didn't execute itself unless the user was on XP.

    The exploit code itself apparently runs on windows 7 too but I guess nobody bothered to exploit in the wild (yet)
     
  18. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Except that the reports did tell people how to take precautions: disable JavaScript, or install NoScript. Your whole argument is moot.

    You seem to be assuming that this exploit was a stack overflow (evidence?). You also seem to be assuming that just because your favorite protection mechanism wasn't mentioned, automatically means it worked, just that nobody bothered to test it.
     
  19. brosephjames

    brosephjames Registered Member

    Joined:
    Sep 5, 2010
    Posts:
    9
    All I'm saying is there's way too much emphasis on helplessness and anti-virus software. Which is all junk and useless for security.

    Anti-virus software isn't security software, it's just a check to see if your security precautions have been working.

    Yes, the Firefox blog posted a fix, but that's rare. And it's beside the point. How many memory safety bugs are still out there in Firefox, Adobe, everything else? Tons. Tons and tons. I don't know how many times I can say it but I'll say it again: it is impossible to write memory-safe code. It cannot be done.

    And yet all security is built around the fix and solution to problems being memory-safe code. No wonder practically half the world's computers are part of a botnet.
     
  20. katio

    katio Guest

    Now you can see all the gory details. Surprise, surprise, it was an overflow. A heap-based buffer overflow to be precise. Anyone care to test against a hardened system or is this thread just full of empty talk?
     
  21. katio

    katio Guest

    o rly?
    I think you missed it by a few hundred percent but whatever.
     
  22. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    http://www.symantec.com/connect/blogs/using-browser-cache-bypass-security

    But you got your argument out of my guess (which was correct) already so I guess you won in that perspective, or at least I think that's why you browse these forums, I could be wrong.
     
  23. katio

    katio Guest

    Sorry but whom are you addressing, elapsed? (I see it's not me :p)

    At any rate, good to see ASLR did its job.
     
  24. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Sorry, I was addressing Eice. You weren't trying to crucify me for taking a guess.
     
  25. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Classical HIPS FTW! :thumb:
     