Firefox zero-day under attack at Nobel Prize site

http://www.zdnet.com/blog/security/firefox-zero-day-under-attack-at-nobel-prize-site/7550

 

Another FF 0 day lolz

 

I luv IE9.

 

but what about their offer giving away 10 grands for anyone can find a 0day exploit in FF

 

lol, payable through here I hope.

 

10 grand? You're kidding. It's $2-3k at most.

Good malware writers with sufficient resources at their disposal can easily earn that amount in a day or less by maliciously exploiting the bug in the wild instead of reporting it to Mozilla.

 

http://blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/

 

Does it come with a spelling checker?

 

Who has managed to hack the Nobel Site ??
I'm not going there to check, but what servers are they on, what OS and what other pages hosted ??

There is little doubt if I had visited I would have likely allowed scripts to run.
Nasty.

Any detection for this mal ??
Anyone know if the usual tools would have blocked this ?

Heh

 

Me luv NoScript.

 

You mean you "luv" to cripple your Internet experience, and allow Javascript only on supposedly safe sites - only to get pwned?

 

Yep, but I don't cripple anything. Default deny, that's it.

 

It'd be nice if mozilla (and others when this happens) would say which OS-native security protections their various memory mismanagement exploits bypass.

Does this just affect people too dumb to enable DEP?

Or is it bypassing every EMET trick in the book from SEHOP to ASLR? Doesn't seem likely.

A buffer overflow in 500,000 lines of C code isn't news. Nobody expects a programming language designed in the 1970s to not be a horrible pile of crap.

Breaking 21st century security mitigations is however, news.

 

You can achieve fine grain script control in IE just fine, even without installing an extension, without requiring to cripple your browsing experience.

Not yet, a big !!

Fingers crossed for beta 2.... or maybe the spellcheck plugin will be updated.

 

http://blog.trendmicro.com/firefox-zero-day-found-in-compromised-nobel-peace-prize-website/

 

Seems like that's only because the exploit deliberately skips non-XP systems after checking the UA string. I wonder why...

 

A default-deny policy should stop this cold.

 

Efficient coding. You're better off checking the OS in the script rather than downloading the malware and performing the check, assuming the malware doesn't run properly on later systems.

Educated guess...

 

That's rather unlikely. If anything, Windows has GREAT backward compatibility. Simply change the paths that the trojan writes to on the filesystem and registry to bypass UAC, and chances are you're good to go.

 

I don't see what backwards compatability has to do with new technologies in Windows 7 that prevent such attacks.

 

Which technologies, exactly?

 

My signature elaborates.

 

There's no evidence that either the exploit or trojan uses buffer overflows, so DEP and SEH are irrelevant. An antivirus and firewall is irrelevant as these can easily be present on XP as well. The only thing that might matter is UAC, but even then you can redirect the paths to user locations, and there's no harm trying anyway given the number of idiots out there.

So, as I was asking, which technologies, exactly?

 

Err, what? There is no evidence that the trojan doesn't use them, so what point are you trying to make? Are you seriously trying to make an argument out of my guess? With 0 factual information from either of us?

My signature elaborates.

 

Apart from the fact that anti-buffer overflow solutions weren't mentioned at all as mitigation methods?

No, I was just trying to get you to clarify what you based your guess on. If it was based on - as you say - 0 factual information, then that's that. We're all grown men, there's hardly a need to be so defensive about it.