Firefox zero-day under attack at Nobel Prize site

Discussion in 'other security issues & news' started by Eice, Oct 26, 2010.

Thread Status:
Not open for further replies.
  1. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
  2. fsr

    fsr Registered Member

    Joined:
    Jul 26, 2010
    Posts:
    190
    Another FF 0 day lolz
     
  3. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    I luv IE9. :D
     
  4. SUPERIOR

    SUPERIOR Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    161
    Location:
    Syria
    But what about their offer giving away 10 grand to anyone who can find a 0-day exploit in FF?
     
  5. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    lol, payable through here I hope.;)
     
  6. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    10 grand? You're kidding. It's $2-3k at most.

    Good malware writers with sufficient resources at their disposal can easily earn that amount in a day or less by maliciously exploiting the bug in the wild instead of reporting it to Mozilla.
     
  7. fsr

    fsr Registered Member

    Joined:
    Jul 26, 2010
    Posts:
    190
    http://blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/
     
  8. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Does it come with a spelling checker? ;)
     
  9. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Who has managed to hack the Nobel Site ??
    I'm not going there to check, but what servers are they on, what OS and what other pages hosted ??

    There is little doubt if I had visited I would have likely allowed scripts to run.
    Nasty.

    Any detection for this mal ??
    Anyone know if the usual tools would have blocked this ?

    Heh
     
    Last edited: Oct 27, 2010
  10. burebista

    burebista Registered Member

    Joined:
    Mar 4, 2010
    Posts:
    208
    Location:
    Romania
    Me luv NoScript. :argh:
     
  11. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    You mean you "luv" to cripple your Internet experience, and allow Javascript only on supposedly safe sites - only to get pwned?
     
  12. burebista

    burebista Registered Member

    Joined:
    Mar 4, 2010
    Posts:
    208
    Location:
    Romania
    Yep, but I don't cripple anything. Default deny, that's it.
     
  13. brosephjames

    brosephjames Registered Member

    Joined:
    Sep 5, 2010
    Posts:
    9
    It'd be nice if Mozilla (and others when this happens) would say which OS-native security protections their various memory mismanagement exploits bypass.

    Does this just affect people too dumb to enable DEP?

    Or is it bypassing every EMET trick in the book from SEHOP to ASLR? Doesn't seem likely.

    A buffer overflow in 500,000 lines of C code isn't news. Nobody expects a programming language designed in the 1970s to not be a horrible pile of crap.

    Breaking 21st-century security mitigations is, however, news.
     
  14. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    You can achieve fine-grained script control in IE just fine, even without installing an extension, without needing to cripple your browsing experience.

    Not yet, a big :thumbd: !! :mad:

    Fingers crossed for beta 2.... or maybe the spellcheck plugin will be updated.
     
  15. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
  16. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Seems like that's only because the exploit deliberately skips non-XP systems after checking the UA string. I wonder why...
     
  17. wat0114

    wat0114 Guest

    A default-deny policy should stop this cold.
     
  18. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    Efficient coding. You're better off checking the OS in the script rather than downloading the malware and performing the check, assuming the malware doesn't run properly on later systems.

    Educated guess...
     
  19. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    That's rather unlikely. If anything, Windows has GREAT backward compatibility. Simply change the paths that the trojan writes to on the filesystem and registry to bypass UAC, and chances are you're good to go.
     
  20. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    I don't see what backwards compatibility has to do with new technologies in Windows 7 that prevent such attacks.
     
  21. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Which technologies, exactly?
     
  22. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    My signature elaborates.
     
  23. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    There's no evidence that either the exploit or trojan uses buffer overflows, so DEP and SEH are irrelevant. An antivirus and firewall are irrelevant as these can easily be present on XP as well. The only thing that might matter is UAC, but even then you can redirect the paths to user locations, and there's no harm trying anyway given the number of idiots out there.

    So, as I was asking, which technologies, exactly?
     
  24. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    Err, what? There is no evidence that the trojan doesn't use them, so what point are you trying to make? Are you seriously trying to make an argument out of my guess? With 0 factual information from either of us?


    My signature elaborates.
     
  25. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Apart from the fact that anti-buffer overflow solutions weren't mentioned at all as mitigation methods?

    No, I was just trying to get you to clarify what you based your guess on. If it was based on - as you say - 0 factual information, then that's that. We're all grown men, there's hardly a need to be so defensive about it.
     