October 28th, 2009

Firefox hit by multiple drive-by download flaws

Posted by Ryan Naraine @ 7:34 am

Categories: Arbitrary Code Execution, Botnets, Browsers, Data theft, Denial of Service (DoS), Exploit code, Firefox, Malware, Mozilla, Open source, Passwords, Patch Watch, Privacy, Responsible disclosure, Vulnerability research

Tags: Mozilla Firefox, Attacker, Flaw, Vulnerability, Web Browser, Mozilla Corp., Web Browsers, Security, Internet, Ryan Naraine

Mozilla’s flagship Firefox browser contains at least 11 “critical” vulnerabilities that expose users to drive-by download attacks requiring no user interaction beyond normal browsing.

The open-source group shipped Firefox 3.5.4 with patches for the vulnerabilities, which range from arbitrary code execution to theft of information from the browser’s form history.

One of the critical issues affects media libraries introduced in Firefox 3.5 when audio and video capabilities were added.

Here’s the skinny on the high-risk issues in this Mozilla Firefox patch batch:

  • MFSA 2009-64 (Critical) — Crashes with evidence of memory corruption. Four different vulnerabilities were documented. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
  • MFSA 2009-63 (Critical) — Mozilla upgraded several third party libraries used in media rendering to address multiple memory safety and stability bugs identified by members of the Mozilla community. Some of the bugs discovered could potentially be used by an attacker to crash a victim’s browser and execute arbitrary code on their computer. liboggz, libvorbis, and liboggplay were all upgraded to address these issues. Three different vulnerabilities were documented.
  • MFSA 2009-59 (Critical) — A heap-based buffer overflow in Mozilla’s string to floating point number conversion routines allows an attacker to craft some malicious JavaScript code containing a very long string to be converted to a floating point number which would result in improper memory allocation and the execution of an arbitrary memory location. This vulnerability could thus be leveraged by the attacker to run arbitrary code on a victim’s computer.
  • MFSA 2009-57 (Critical) — The XPCOM utility XPCVariant::VariantDataToJS unwrapped doubly-wrapped objects before returning them to chrome callers. This could result in chrome privileged code calling methods on an object which had previously been created or modified by web content, potentially executing malicious JavaScript code with chrome privileges.
  • MFSA 2009-56 (Critical) — A heap-based buffer overflow in Mozilla’s GIF image parser. This vulnerability could potentially be used by an attacker to crash a victim’s browser and run arbitrary code on their computer. This flaw does not affect products built on the Gecko 1.8 browser engine such as Thunderbird 2.
  • MFSA 2009-54 (Critical) — Recursive creation of JavaScript web-workers can be used to create a set of objects whose memory could be freed prior to their use. These conditions often result in a crash which could potentially be used by an attacker to run arbitrary code on a victim’s computer. Web Workers were introduced in Firefox 3.5 so this vulnerability did not affect earlier releases such as Firefox 3.
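The MFSA 2009-59 entry above describes a bug class rather than a specific line of code: a numeric string is staged in a heap block whose size does not follow from the input length. The following C program is an added illustration written for this page, not Mozilla code and not the actual Firefox conversion routine. It places a deliberately unchecked converter beside a hardened one; the scratch-buffer size, the length bound and all sample inputs are constructed assumptions. The hardened version shows the three checks a reviewer would ask for: bound the input length before touching the heap, size the allocation from the measured length, and require the conversion to consume the whole string and produce a finite value.

```c
#include <math.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical sizes for this illustration; MFSA 2009-59 states neither. */
#define SCRATCH_LEN     64      /* fixed scratch block of the vulnerable version */
#define MAX_NUMERIC_LEN 4096    /* upper bound accepted by the hardened version */

/* Vulnerable pattern: digits are copied into a fixed-size heap block before
 * conversion, and nothing ties the block size to the input length. Any input
 * longer than SCRATCH_LEN - 1 bytes writes past the allocation, i.e. a
 * heap-based buffer overflow. Kept only for comparison; never feed it
 * untrusted input. */
int convert_unchecked(const char *s, double *out) {
    char *scratch = malloc(SCRATCH_LEN);
    if (scratch == NULL) return -1;
    strcpy(scratch, s);                     /* BUG: unbounded copy into 64 bytes */
    *out = strtod(scratch, NULL);
    free(scratch);
    return 0;
}

/* Hardened form: an explicit length bound rejects absurd inputs up front, the
 * scratch block is sized from the measured input, the copy is bounded, and
 * the conversion must consume the whole string and yield a finite value.
 * Returns 0 and writes *out on success, -1 otherwise (*out untouched). */
int convert_checked(const char *s, double *out) {
    const char *nul = memchr(s, '\0', MAX_NUMERIC_LEN + 1);
    if (nul == NULL) return -1;             /* no terminator within the bound: too long */
    size_t len = (size_t)(nul - s);

    char *scratch = malloc(len + 1);        /* sized from the input, not a constant */
    if (scratch == NULL) return -1;
    memcpy(scratch, s, len);
    scratch[len] = '\0';

    char *end = NULL;
    double v = strtod(scratch, &end);
    int ok = end != scratch && *end == '\0' && isfinite(v);
    free(scratch);
    if (!ok) return -1;
    *out = v;
    return 0;
}

/* Wrappers that return the value directly, or NAN when the input is rejected. */
double checked_value(const char *s) {
    double v;
    return convert_checked(s, &v) == 0 ? v : NAN;
}

double unchecked_value(const char *s) {     /* short, trusted input only */
    double v;
    return convert_unchecked(s, &v) == 0 ? v : NAN;
}

/* Constructed input for the demo: "1" followed by n-1 zeros, i.e. 10^(n-1),
 * built in memory so no file or network input is involved. */
double power_of_ten_value(size_t n) {
    if (n == 0) return NAN;
    char *s = malloc(n + 1);
    if (s == NULL) return NAN;
    memset(s, '0', n);
    s[0] = '1';
    s[n] = '\0';
    double v = checked_value(s);
    free(s);
    return v;
}

int main(void) {
    printf("\"3.5\"        -> %g\n", checked_value("3.5"));
    printf("\"12abc\"      -> %g (trailing junk, rejected)\n", checked_value("12abc"));
    printf("300 digits   -> %g\n", power_of_ten_value(300));
    printf("1000 digits  -> %g (overflows double, rejected)\n", power_of_ten_value(1000));
    printf("5000 digits  -> %g (over length bound, rejected)\n", power_of_ten_value(5000));
    return 0;
}
```

The length bound is the check that matters most for this bug class: it is evaluated before any allocation, so an over-long string never reaches the copy. Sizing the block from the measured length is the second line of defence, and it is the one that is easy to lose when a constant-size scratch buffer is reused for performance.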

The Firefox 3.5.4 update will be distributed via the browser’s automatic update mechanism. It should be deployed within the next 24 to 48 hours. Alternatively, users can use the “Check for Updates” tool to manually apply the update.
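Anyone verifying the rollout across more than a handful of machines needs a version check that is numeric rather than lexical, since a string comparison ranks “3.5.10” below “3.5.4”. The following C program is an added example for this page, not Mozilla tooling. It assumes the banner format that `firefox --version` prints (“Mozilla Firefox X.Y.Z”) and treats only the 3.5 branch, the one this article names, as covered: any other branch, or an unparseable banner, is reported as needing its own advisory lookup rather than guessed at.

```c
#include <stdio.h>
#include <string.h>

/* The release this page names as carrying the fixes. */
static const int FIXED_MAJOR = 3, FIXED_MINOR = 5, FIXED_PATCH = 4;

/* Result codes returned by firefox_354_status(). */
#define FX_PATCHED       1   /* 3.5.4 or later on the 3.5 branch */
#define FX_VULNERABLE    0   /* 3.5.0 through 3.5.3 */
#define FX_OTHER_BRANCH -1   /* not 3.5.x, or unparseable: check that branch's advisory */

/* Parse a banner such as "Mozilla Firefox 3.5.3" (assumed `firefox --version`
 * output) or a bare "3.5.3" into numeric components. Returns 1 on success,
 * 0 if no major.minor pair is present. A missing third component reads as 0. */
int parse_firefox_version(const char *banner, int *major, int *minor, int *patch) {
    const char *p = banner;
    while (*p != '\0' && (*p < '0' || *p > '9')) p++;   /* skip the product name */
    *patch = 0;
    int n = sscanf(p, "%d.%d.%d", major, minor, patch);
    return n >= 2;
}

int firefox_354_status(const char *banner) {
    int major, minor, patch;
    if (!parse_firefox_version(banner, &major, &minor, &patch)) return FX_OTHER_BRANCH;
    if (major != FIXED_MAJOR || minor != FIXED_MINOR) return FX_OTHER_BRANCH;
    /* Compare the patch level as an integer: "3.5.10" is newer than "3.5.4"
     * even though a byte-wise string comparison would rank it lower. */
    return patch >= FIXED_PATCH ? FX_PATCHED : FX_VULNERABLE;
}

int main(void) {
    /* Constructed sample banners, not real inventory data. */
    const char *samples[] = { "Mozilla Firefox 3.5.3", "Mozilla Firefox 3.5.4",
                              "3.5.10", "Mozilla Firefox 3.0.14", "not a version" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %2d\n", samples[i], firefox_354_status(samples[i]));
    return 0;
}
```

Feeding the function a banner from each host (for example, collected by the fleet's existing inventory agent) gives a three-way answer, and the -1 case is deliberately not folded into “vulnerable” or “patched”: a 3.0.x install is outside what this article covers, so the script should make that visible instead of deciding for the reader.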

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.



Talkback: most recent of 284 comments
Thank god I am still using 3.0.xxx  jacarter3 | 10/28/09
Bigger is always better...  Fark | 10/28/09
Sadly, that really is the attitude of most software makers nowadays.  AzuMao | 10/28/09
Ummmm....except that Microsoft permits this stuff!  No More Microsoft Software Ever! | 10/28/09
Put down the Apple Kool-Aid fanboi  Cayble | 10/28/09
Ya.  AzuMao | 10/29/09
Drive by downloads?  joe.smetona@... | 10/29/09
No ISP Oversight  smitheo1@... | 10/29/09
What OS are you using?  joe.smetona@... | 10/29/09
What happens with Linux and viruses.  joe.smetona@... | 10/30/09
"A complex system that doesn't work...  914four | 10/29/09
Not always..  AzuMao | 10/29/09
Snow Leopard, Windows 7  smitheo1@... | 10/29/09
3.5.X versions are safe too  AzuMao | 10/28/09
False...  Ceridan | 10/28/09
I agree  ArnoldZiffle | 10/28/09
Not quite  wombatlove | 10/28/09
That would only be so if..  AzuMao | 10/28/09
Windows libraries  honeymonster | 10/29/09
Ugh  AzuMao | 10/29/09
He's right...  Ceridan | 10/29/09
It'll be magic...once you Purchase a Mac! (NT)  No More Microsoft Software Ever! | 10/28/09
I can prove  akulkis | 10/28/09
Prove away  honeymonster | 10/29/09
"But what about reading/modifying user files - you know the most valuable"  AzuMao | 10/29/09
... fanbot?????  Ceridan | 10/29/09
Yes, FANBOT!!  AzuMao | 10/29/09
Is Mozilla Itself Not Open Source? And SAFE?????  PMC-CON | 10/29/09
Neither way  AzuMao | 10/29/09
Current user  martian@... | 10/30/09
Three words  Ceridan | 11/02/09
No comparison  AzuMao | 11/02/09
Where did you get that information?  DevGuy_z | 10/28/09
That's weird  AzuMao | 10/29/09
Vulnerabilities and exploits  honeymonster | 10/29/09
There is in this case;  AzuMao | 10/29/09
Ummm...  Ceridan | 10/29/09
Okay..  AzuMao | 10/29/09
Definitely not true  DevGuy_z | 10/28/09
Not safe at 3.0.xx  PeterBoyles | 10/29/09
3.0.xx  btljooz | 10/29/09
IE still more secure than FF 3.5.4  Johnny Vegas | 10/28/09
Links?  James T. Kirk | 10/28/09
Does IE have "NoScript"?  jacarter3 | 10/28/09
Yes they do...  Ceridan | 10/28/09
IE with Protected Mode is the default.  ye | 10/28/09
What about the browser?  AzuMao | 10/28/09
I'm not following your question.  ye | 10/28/09
I think...  Ceridan | 10/28/09
@Ceridan: You are mistaken.  ye | 10/28/09
It was a pretty simple (and redundant) question.  AzuMao | 10/28/09
@ye  Ceridan | 10/28/09
@AzuMao: You already answered the question.  ye | 10/28/09
@Ceridan: Glad I could help you out. nt  ye | 10/28/09
@ye Why don't you just get a dictionary already and look up "rhetorical  AzuMao | 10/28/09
@AzuMao: Why don't you just write more clear?  ye | 10/29/09
@ye I write at a level anyone who knows English as a first language,  AzuMao | 10/29/09
@AzuMao: Look up the word "context" and...  ye | 10/29/09
The context was..  AzuMao | 10/29/09
@AzuMao: Wrong context.  ye | 10/29/09
I'm sorry, I didn't know you really had such big problems with English.  AzuMao | 10/29/09
@AzuMao: I see you're still having problems with the word...  ye | 10/29/09
@AzuMao: Any facts to back this up?  ye | 10/29/09
@ye  AzuMao | 10/29/09
@AzuMao: I know that feeling.  ye | 10/29/09
@ye You're the one who keeps asking for clarification of simple things.  AzuMao | 10/29/09
@AzuMao: Still trying to figure out that word context eh?  ye | 10/29/09
Stop randomly changing the subject for no reason.  AzuMao | 10/29/09
@AzuMao: It seems you're incapable of understanding...  ye | 10/29/09
Okay, looks like an explanation on the proper use of pronouns is in order.  AzuMao | 10/29/09
@ye and @AzuMao: grow up, please.  Earthling2 | 10/30/09
@Earthling2  AzuMao | 10/30/09
Not on XP... [nt]  jacarter3 | 10/28/09
XP is two generation old.  ye | 10/28/09
Who's arguing? I was stating a fact.  jacarter3 | 10/28/09
@jacarter3: So if I use an eight year old version of...  ye | 10/28/09
But an eight year old version of Trusted Solaris 8...  914four | 10/29/09
@914four: The only one's being silly are those who insist...  ye | 10/29/09
@Ye - the MS fanboy  jacarter3 | 10/29/09
"eight year old OS when discussing the state of today's operating systems"  jacarter3 | 10/29/09
@jacarter3: I don't care what OS you use.  ye | 10/29/09
@jacarter3: I was discussing a feature of IE which...  ye | 10/29/09
@ye  AzuMao | 10/29/09
@AzuMao: Which OSes are you referring to?  ye | 10/29/09
@jacarter3  Ceridan | 10/29/09
@ye  AzuMao | 10/29/09
@AzuMao: No, that would not be a better comparison.  ye | 10/29/09
Were that actually the case..  AzuMao | 10/29/09
@Ceridan  jacarter3 | 10/29/09
@jacarter3  AzuMao | 10/29/09
@AzuMao: And some would argue that it is.  ye | 10/29/09
I guess we'll just have to agree to disagree, then.  AzuMao | 10/29/09
@jacarter3  Ceridan | 10/29/09
@ Ceridan  AzuMao | 10/29/09
@AzuMao  Ceridan | 10/29/09
@Ceridan  AzuMao | 10/29/09
Congratulations...  akulkis | 10/28/09
Shh!  AzuMao | 10/29/09
Wrong.  ye | 10/29/09
Maybe not since its absolute inception..  AzuMao | 10/29/09
@AzuMao: MAC was added to Linux in 2003.  ye | 10/29/09
I meant Linux has had it for a long time, not Windows.  AzuMao | 10/29/09
@AzuMao: I don't consider three years a long time given..  ye | 10/29/09
That is a long time..  AzuMao | 10/29/09
@AzuMao: The reference point is not to the previous...  ye | 10/29/09
@ye  AzuMao | 10/29/09
@What part of:  ye | 10/29/09
@ye  AzuMao | 10/29/09
@AzuMao: So the part giving you trouble is...  ye | 10/29/09
@ye  AzuMao | 10/29/09
@AzuMao: Not from my point of view.  ye | 10/29/09
@ye  AzuMao | 10/29/09
@AzuMao: What part of:  ye | 10/29/09
@ye What part are you stuck on now? Just tell me.  AzuMao | 10/29/09
@AzuMao: It seems my attempts to help you on this have failed too.  ye | 10/29/09
Okay..  AzuMao | 10/29/09
Gee, that's sounds a lot more  jacarter3 | 10/28/09
That's why I use firefox  voska1 | 10/28/09
Sad when you have to say that  cmkconsulting | 10/28/09
Basically it works like this..  AzuMao | 10/29/09
Some interesting math...  jasonp@... | 10/28/09
You are right, that math IS interesting  honeymonster | 10/28/09
Yes but..  afawcett@... | 10/28/09
Speculation, deflection and apologies  honeymonster | 10/29/09
Ah, the good old "but.. maybe the exploits in other software were known for  AzuMao | 10/29/09
Yes, that is exactly  honeymonster | 10/29/09
Nice double non sequitur there, honeymonster.  AzuMao | 10/29/09
insane lunatics still on the loose  ljenux-23043766007667558234416105604265 | 10/29/09
Nope, IE still exploitable  PeterBoyles | 10/29/09
RE: Firefox hit by multiple drive-by download flaws  Loverock Davidson | 10/28/09
only affected on windoze  Linux Geek | 10/28/09
Why bother posting? You are as bad as Loverock on a Linux post!...  DevJonny | 10/28/09
"Windoze"...never heard that before.  ye | 10/28/09
You're so right  akulkis | 10/28/09
As yes, the 50's  rtk | 10/28/09
Ya so basically  AzuMao | 10/29/09
wha huh?  rtk | 10/29/09
Which one?  AzuMao | 10/29/09
As I said, yours.  rtk | 10/29/09
You're the only one buying that.  AzuMao | 10/29/09
errrm... uh?  Ceridan | 10/28/09
Stupidity or outright lie  honeymonster | 10/28/09
History says the 1st one...nt  ItsTheBottomLine | 10/28/09
They aren't mutually exclusive. I vote "both". (nt)  James T. Kirk | 10/28/09
Some degree of cognition is implicitly required to believe something is  AzuMao | 10/29/09
Post a link that demonstrates that.  DevGuy_z | 10/28/09
You want a link? Here:  btljooz | 10/29/09
Get used to it. :P They'll never change.  AzuMao | 10/29/09
Aah, never say never... devil  btljooz | 10/30/09
of course it's safe  ljenux-23043766007667558234416105604265 | 10/29/09
Actually  btljooz | 10/29/09
Windows' way has some huge advantages though, for example;  AzuMao | 10/30/09
In Windows  Earthling2 | 10/30/09
BitLocker is useless in this regard, it has no deniable encryption, and  AzuMao | 10/30/09
But,  Ceridan | 11/02/09
RE: See this and this.  btljooz | 10/30/09
Not at all an answer  Narr vi | 10/28/09
This belongs under 'Yes they do'  Narr vi | 10/28/09
I noticed... NT  Ceridan | 10/28/09
Actually...  Ceridan | 10/28/09
MS should Block Foxfire!  Stan57 | 10/28/09
Oh, those flammable ZDNet titles...  Earthling2 | 10/28/09
So had Microsoft  honeymonster | 10/28/09
Mozilla was justified  eMJayy | 10/28/09
If Mz was justified  rtk | 10/28/09
There's no comparison whatsoever.  AzuMao | 10/28/09
You missed this line I guess.  Erroneous | 10/28/09
Um...It IS available!  eMJayy | 10/28/09
FF tried to update few days ago  rdcont95@... | 10/28/09
This fix is here as of 5pm, 10-29-09  btljooz | 10/29/09
Take a few minutes and read this...  Tshawn | 10/28/09
But...  Ceridan | 10/29/09
Yeh, RIGHT!!!  btljooz | 10/29/09
How do I download fixes to a Live CD?  Earthling2 | 10/28/09
Ask Adrian Kingsley Hughes  honeymonster | 10/28/09
Not a problem. You obviously already know how  frgough | 10/28/09
How do I download fixes to a Live CD  mrdt | 10/28/09
USE LIVE USB  calanor | 10/29/09
You can just run  prikkebeen | 10/28/09
Boot and run updates or make a custom Live CD  balaknair | 10/28/09
Puppy Linux Updates DVD-R, DVD RW, etc.  RandSec | 10/28/09
You dont...  Ceridan | 10/29/09
RE: Firefox hit by multiple drive-by download flaws  cjbacon@... | 10/28/09
RE: Firefox hit by multiple drive-by download flaws  NCWeber | 10/28/09
LOL !!  aktazdevil | 10/28/09
Give me more anti-MS stuff!  drobinow | 10/28/09
Probably because MS has major problems way more often.  AzuMao | 10/29/09
Probably because Windows is more usable by more people more often happy  jgwinner | 10/29/09
More usable by worms, I'll give it that much wink  AzuMao | 10/29/09
Is Seamonkey 1.1.18 at similar risk?  Regats | 10/28/09
No  akulkis | 10/28/09
Wow! Linux users, start using Epiphany or Konquerer  djchandler | 10/28/09
Firefox is becoming crap!!!!  monolithm | 10/28/09
SeaMonkey uses the Gecko engine too, genius.  AzuMao | 10/28/09
Opera is having its own issues.  Erroneous | 10/28/09
Opera has a fix  Agnostic_OS | 10/28/09
My 64-bit Linux says: LOL @ 32-bit Windows attacks!  cryptikonline | 10/28/09
Keep on laughing  jgwinner | 10/28/09
LOL x2  cryptikonline | 10/28/09
No but...  Ceridan | 10/29/09
The thing is..  AzuMao | 10/29/09
Wait....  Ceridan | 10/29/09
Actually we can.  AzuMao | 10/29/09
@AzuMao  Ceridan | 10/29/09
@Ceridan  AzuMao | 10/29/09
Exactly. Linux fanboi's might choke on that lol  jgwinner | 10/29/09
MFSA 2009-57 was patched in FF v3.0.15 & v3.5.4  ~doolittle~ | 10/29/09
Exactamundo!  btljooz | 10/30/09
To human is err.  phatkat | 10/28/09
What the hell is Mozilla doing with themselves?  JoeMama_z | 10/28/09
Becoming bigger.  CobraA1 | 10/28/09
Exactly.  AzuMao | 10/29/09
apparently they are implementing security patches to their products  ~doolittle~ | 10/29/09
BLASPHEMY! TREASON!!  AzuMao | 10/29/09
And one more thing you forgot...  cryptikonline | 10/28/09
RE: Firefox hit by multiple drive-by download flaws  Rdewey | 10/28/09
The myths of open source  tonymcs@... | 10/28/09
let's compare an open source browser to a proprietary one  ~doolittle~ | 10/29/09
Fail  AzuMao | 10/29/09
Blah,,,blah.....um....who uses IE today anyway?  No More Microsoft Software Ever! | 10/28/09
Parent post is a troll. Please ignore it. (nt)  honeymonster | 10/29/09
Apple sucks  AzuMao | 10/29/09
Actually...  Ceridan | 11/02/09
Have you even SEEN the new ads from MS?  AzuMao | 11/02/09
I already got 3.5.4 in Windows, even though I'm using Google Chrome.  Grayson Peddie | 10/28/09
I guess it's just any non-microsoft product  frgough | 10/28/09
Achilles' Heels and Gaping Worm Holes  Earthling2 | 10/28/09
or..  Ceridan | 10/29/09
So How Do We Do It?  Earthling2 | 10/28/09
LOL, yes that is *exactly* how they do it  honeymonster | 10/29/09
vulnerability count != insecurity  ~doolittle~ | 10/29/09
LOL! It used to be when the ABMers thought...  ye | 10/29/09
Nice logic.  AzuMao | 10/29/09
You're not nearly as good with the english language as...  ye | 10/29/09
Simple; you obviously weren't laughing WITH him, since you like Windows.  AzuMao | 10/29/09
@AzuMao: IOW I never said what you claimed.  ye | 10/29/09
@ye  AzuMao | 10/29/09
@AzuMao: What I was doing was pointing out the...  ye | 10/29/09
@ye  AzuMao | 10/29/09
@AzuMao: No, it is not.  ye | 10/29/09
@ye  AzuMao | 10/29/09
@AzuMao: Winners don't have to try again.  ye | 10/29/09
@ye  AzuMao | 10/29/09
@AzuMao:Trying again I see.  ye | 10/29/09
Are you like this in real life, too?  AzuMao | 10/29/09
@AzuMao: Try not to be such a sore loser.  ye | 10/29/09
I guess that's a yes.  AzuMao | 10/29/09
@AzuMa: One would have thought you'd...  ye | 10/29/09
@y  AzuMao | 10/29/09
prudence vs gullibility  ~doolittle~ | 11/03/09
Also keep in mind..  AzuMao | 10/29/09
title is a dirty lie  ljenux-23043766007667558234416105604265 | 10/29/09
So every machine running a vulnerable Firefox is fixed?  PMC-CON | 10/29/09
Not dumb  Greenknight_z | 10/29/09
Well Firefox wasn't made by Microsoft..  AzuMao | 10/29/09
firefox is fixed  ljenux-23043766007667558234416105604265 | 10/29/09
Was hit by?  AzuMao | 10/29/09
RE: Firefox hit by multiple drive-by download flaws  smattix@... | 10/29/09
RE: Firefox hit by multiple drive-by download flaws  woomera | 10/29/09
welcome to children club  ljenux-23043766007667558234416105604265 | 10/29/09
Arguing on the internet suits us. If you don't like it stay out of it.  AzuMao | 10/29/09
MEH  woomera | 10/29/09
BLA  AzuMao | 10/29/09
I have noticed a LOT OF HITS  lynne1462@... | 10/29/09
RE: Firefox hit by multiple drive-by download flaws  sheevalazar | 10/29/09
Why is it...  sfrvn@... | 10/29/09
Why is it..  AzuMao | 10/29/09
Ryan - thanks for alerting us to the upgrade  WiredGuy | 10/29/09
RE: Firefox hit by multiple drive-by download flaws  mstevens@... | 10/29/09
RE: Firefox hit by multiple drive-by download flaws  raykaville@... | 10/29/09
RE: Firefox hit by multiple drive-by download flaws  Chorizotarian | 10/29/09
RE: Firefox hit by multiple drive-by download flaws  sfrvn@... | 10/29/09
May One Assume...  QueenMama | 10/29/09
Related to code execution - yes  Earthling2 | 10/29/09
Definitely easier in Windows 7  AzuMao | 10/29/09
Not as bad as you say it is  Earthling2 | 10/29/09
Not sure  AzuMao | 10/30/09
About configuring  Earthling2 | 10/30/09
Many ways  AzuMao | 10/30/09
@AzuMao  Earthling2 | 10/30/09
Already FIXED folks, No substance to this article  btljooz | 10/29/09
Agree, but then it's going to be boring.  Earthling2 | 10/29/09
And... how they actually did it.  Earthling2 | 10/30/09
Message has been deleted by user.  joe.smetona@... | 11/12/09
