July 14th, 2009
Remote code execution exploit for Firefox 3.5 in the wild
A zero day exploit (Firefox 3.5 Heap Spray Vulnerability) affecting Mozilla’s latest Firefox release has been published in the wild. Through an error in the processing of JavaScript code in ‘font tags’ malicious attackers could achieve arbitrary code execution and install malware on the affected hosts.
There’s no indication of its use on a global scale just yet, however due to the fact that the PoC is now public, it shouldn’t take long before cybercriminals embed it within the diverse exploits set of their web malware exploitation kits, allowing it to scale.
More details on the mitigation and the exploit itself:
“Mozilla Firefox is prone to a remote code-execution vulnerability. Successful exploits may allow an attacker to execute arbitrary code in the context of the user running the affected application. Failed attempts will likely result in denial-of-service conditions. The issue affects Firefox 3.5; other versions may also be vulnerable.
NOTE: Remote code execution was confirmed in Firefox 3.5 running on Microsoft Windows XP SP2. A crash was observed in Firefox 3.5 on Windows XP SP3.”
Additional testing courtesy of heise Security indicates the exploit crashed Firefox under Vista, and that when tested under Windows 7 RC1 a dialog abortion script appeared.
In terms of mitigation, NoScript works like charm, successfully detecting the PoC’s attempt to access file://.
Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.
Subscribe to Zero Day via Email alerts or RSS.
