
July 14th, 2009

Attack code posted for unpatched Firefox 3.5 flaw

Posted by Ryan Naraine @ 1:41 pm

Categories: Arbitrary Code Execution, Browsers, Data theft, Exploit code, Firefox, Hackers, Locally Running Web Servers, Malware, Mozilla, Open source, Patch Watch, Pen testing, Responsible disclosure, Viruses and Worms, Vulnerability research, Zero-day attacks

Tags: Mozilla Firefox, Flaw, Vulnerability, Web Browser, Attack, US-CERT, Web Browsers, Security, Internet, Ryan Naraine

Mozilla’s security response team is scrambling to respond to the release of exploit code for a gaping hole in the latest version of its flagship Firefox browser.

The flaw, rated “highly critical” by Secunia, puts millions of Firefox users at risk of remote code execution attacks.

The vulnerability is caused by an error when processing JavaScript code handling, e.g., “font” HTML tags, and can be exploited to cause memory corruption.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in version 3.5. Other versions may also be affected.

Exploit code has been published at Milw0rm.

In the absence of a fix, Firefox users and administrators should immediately disable JavaScript. The US-CERT has a valuable document (Securing Your Web Browser) with instructions to help mitigate the risks associated with browser vulnerabilities.
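For administrators who need to confirm that the mitigation was actually applied, the following added example (not part of the original post) audits Firefox profile directories and reports whether the `javascript.enabled` preference is effectively false. It assumes preferences are stored as `user_pref()` lines in each profile's `prefs.js` and `user.js`; the profile names and sample files are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Matches lines such as: user_pref("javascript.enabled", false);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def read_prefs(path):
    """Return {name: raw_value} for each user_pref() line in one file."""
    prefs = {}
    if path.is_file():
        for line in path.read_text(encoding="utf-8", errors="replace").splitlines():
            m = PREF_RE.match(line)
            if m:
                prefs[m.group(1)] = m.group(2)  # last value in the file wins
    return prefs

def javascript_disabled(profile_dir):
    """True only if the effective javascript.enabled value is false."""
    profile_dir = Path(profile_dir)
    effective = read_prefs(profile_dir / "prefs.js")
    # user.js is applied on top of prefs.js at startup, so it wins.
    effective.update(read_prefs(profile_dir / "user.js"))
    # An absent pref means the built-in default, which leaves JavaScript on.
    return effective.get("javascript.enabled", "true") == "false"

def audit(profiles_root):
    """Map each profile directory name to whether JavaScript is disabled."""
    dirs = sorted(p for p in Path(profiles_root).iterdir() if p.is_dir())
    return {p.name: javascript_disabled(p) for p in dirs}

def build_sample_profiles(root):
    """Constructed sample data: three hypothetical profile directories."""
    samples = {
        "a.default": {"prefs.js": 'user_pref("javascript.enabled", false);\n'},
        "b.work": {"prefs.js": 'user_pref("browser.startup.page", 3);\n'},
        "c.kiosk": {"prefs.js": 'user_pref("javascript.enabled", false);\n',
                    "user.js": 'user_pref("javascript.enabled", true);\n'},
    }
    for name, files in samples.items():
        (Path(root) / name).mkdir()
        for fname, body in files.items():
            (Path(root) / name / fname).write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profiles(tmp)
        for name, ok in audit(tmp).items():
            print(f"{name}: {'JavaScript disabled' if ok else 'JavaScript still enabled'}")
```

The third sample profile shows the case worth checking for: a `user.js` that re-enables JavaScript on every startup even though `prefs.js` has it turned off.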

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.



  • Talkback
  • Most Recent of 33 Talkback(s)
RE: Attack code posted for unpatched Firefox 3.5 flaw
Preferable install an antivirus, for example my antivirus Bitdefender; even after I selected to trusted zone the browser when I got the alert the browser is connecting automatically to diverse zone that ...
Posted by: j0nnysmith Posted on: 07/29/09