Firefox 3.5 new exploit - confirmed

Published: 2009-07-14
Last Updated: 2009-07-16 17:54:23 UTC
by Swa Frantzen (Version: 4)
8 comment(s)

Updated story, thanks to for helping figure it out!

The mozilla security blog confirms an exploit against an unpatched vulnerability Firefox 3.5 exists and has been made public.

Do note that Heisse tried to confirm the vulnerability and only managed a crash on Vista and can't seem to make it work on Windows 7 RC1
http://www.h-online.com/security/First-Zero-Day-Exploit-for-Firefox-3-5--/news/113761

The mozilla blog above has a workaround by temporary disabling the javascript.options.jit.content setting in about:config

Alternatively one could install and use NoSCript to disable all javascript by default.

--
Swa Frantzen -- Section 66

UPDATE

Dean wrote in to say that this exploit has been spotted in the wild. The attacked just used Metasploit to create it and put a PoisonIvy client as the payload. Unfortunately, the payload has been packed with a packer that prevented some AV vendors so the detection isn't all that great.

Good news is that NoScript will protect you against it, but also that it takes some time for the exploit to execute (in a lot of cases the user is prompted by Firefox that a script on the page is running too long); it also does not appear to be 100% reliable.

--
Bojan
 

Keywords: Firefox
8 comment(s)

Comments

how about the mozilla blog?
http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/
@drew: Thanks! That hit the spot and I updated the entry completely.
no problem! i actually received an alert from watchguard before it even hit sans. :)
Note, Heisse and others are incorrectly reporting this as a 0-day. I haven't been able to find any references to active exploits (although code exists). Not a true 0-day unless the vulnerability is discovered as the result of a compromise (ie - you got hacked via a previously undisclosed vuln).
@Halibut it all depends on the definition of 0-day you use
It's in MSF trunk and has been for a couple of days people.
The sample I provided to the handlers used the milw0rm code and was it was provided before msf released the module for the exploit. I've also not seen it used in any other malware sites or kits yet. I'm sure this will (or has) changed. @cyberpix, we realise it's in the trunk, we're simply notifying people that it's being actively exploited.
After I have followed some of the links given in one of the yesterday's post, I was abble to access to many javascripts files exploiting FF 3.5 ... So, be careful, exploits are really in the wild and ready to compromise !

Diary Archives