Secplicity - Security Simplified

Powered by WatchGuard Technologies

Mozilla Plugs Zero Day Hole With Firefox 3.6.12

October 28, 2010 By The Editor

Summary:

  • This vulnerability affects: Firefox 3.6.x and 3.5.x for Windows, Linux, and Macintosh
  • How an attacker exploits it: By enticing one of your users to visit a malicious web page
  • Impact: An attacker executes code on your user’s computer, potentially gaining complete control of it
  • What to do: Upgrade to Firefox 3.6.12 (or 3.5.15), or let Firefox’s automatic update do it for you

Exposure:

In a WatchGuard Wire post yesterday, we warned you of a new zero day Firefox exploit that attackers had planted on the Nobel Peace Prize web site. If you visited the compromised site with Firefox 3.5 or 3.6 running on a Windows XP computer, the exploit silently downloaded and installed the Belmoo trojan onto your computer. At the time of the Wire post, Mozilla was aware of the zero day flaw but had not yet had time to fix it.

Luckily, Mozilla works fast. In an impressive display of development speed, Mozilla has already released Firefox 3.6.12 to fix this critical zero day vulnerability. According to their Known Vulnerabilities page, the zero day vulnerability was due to a heap buffer overflow in Firefox’s DOM component. By enticing one of your users to a specially crafted web page, or by sneaking malicious code onto a legitimate web page that your user visits (as happened with the Nobel Peace Prize site), an attacker can leverage this vulnerability to execute malicious code on that user’s machine, with that user’s privileges. If the user happens to be a local administrator or has root privileges, the attacker gains total control of the victim’s computer; running Firefox as a standard, unprivileged user limits the damage but does not prevent the compromise.

This is a very critical update for Firefox users. The bad guys found this serious vulnerability first, and are already exploiting it in the wild (as with the Nobel Peace Prize web site). As such, we consider it a very serious risk. If you use Firefox, we highly recommend you install the latest update immediately.

Solution Path:

Mozilla has released Firefox 3.6.12 and 3.5.15 to correct this zero day flaw. If you use Firefox in your network, we recommend that you download and deploy version 3.6.12 immediately, or let Firefox’s automatic updater do it for you. If, for some reason, you must remain on Firefox 3.5.x, make sure to upgrade to 3.5.15. Note that the fixed version differs per branch: a 3.5.x install is only patched at 3.5.15 or later, and a 3.6.x install only at 3.6.12 or later.
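When rolling the update out across a network, it helps to have a script that tells you which hosts still run a vulnerable build. The following is an added example, not part of the original alert or of any Mozilla or WatchGuard tooling. It parses the version string that `firefox --version` prints (for example `Mozilla Firefox 3.6.11`) and classifies it against the fixed releases named above. Its branch logic goes slightly beyond the alert, and those rules are assumptions: builds older than 3.5 are treated as end-of-life and therefore vulnerable, and builds newer than 3.6 (such as a 4.0 beta) are reported as out of scope rather than guessed at.

```python
"""Audit check for the Firefox zero day fixed in 3.6.12 / 3.5.15.

Added example, not code from the original Secplicity alert.  It classifies
the output of `firefox --version` (e.g. "Mozilla Firefox 3.6.11") against the
fixed releases the alert names.  Assumptions not taken from the alert:
branches older than 3.5 are end-of-life and counted as vulnerable, and
branches newer than 3.6 are reported as out of scope.
"""
import re
import subprocess

# Minimum patched release per supported branch, as stated in the alert.
FIXED = {
    (3, 5): (3, 5, 15),
    (3, 6): (3, 6, 12),
}

# Matches "3.6.12", "3.6" or the numeric prefix of "4.0b7".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from a version line, or None if absent.

    A missing patch component (e.g. "3.6") is treated as patch level 0, which
    correctly sorts it below every 3.6.x maintenance release.
    """
    match = _VERSION_RE.search(text)
    if not match:
        return None
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def assess(text):
    """Classify one version line.

    Returns "patched", "vulnerable", "out-of-scope" (newer than the 3.6
    branch, which the alert does not cover) or "unknown" (no version found).
    """
    version = parse_version(text)
    if version is None:
        return "unknown"
    branch = version[:2]
    if branch in FIXED:
        # Tuple comparison orders (3, 6, 9) below (3, 6, 12) correctly,
        # unlike a naive string comparison of "3.6.9" and "3.6.12".
        return "patched" if version >= FIXED[branch] else "vulnerable"
    if branch < (3, 5):
        # Assumption: end-of-life branch with no fix available.
        return "vulnerable"
    return "out-of-scope"


def check_local_firefox(binary="firefox"):
    """Run the local Firefox binary and classify it; "unknown" if it cannot run."""
    try:
        result = subprocess.run(
            [binary, "--version"],
            stdout=subprocess.PIPE,
            stderr=subprocess.DEVNULL,
            universal_newlines=True,
            timeout=30,
        )
    except (OSError, subprocess.SubprocessError):
        return "unknown"
    return assess(result.stdout)


if __name__ == "__main__":
    # Constructed sample inventory lines (hostname, `firefox --version` output);
    # these are made-up hosts, not real data.
    inventory = [
        ("ws-101", "Mozilla Firefox 3.6.11"),
        ("ws-102", "Mozilla Firefox 3.6.12"),
        ("ws-103", "Mozilla Firefox 3.5.14"),
        ("ws-104", "Mozilla Firefox 3.5.15"),
        ("ws-105", "Mozilla Firefox 3.0.19"),
        ("ws-106", "Mozilla Firefox 4.0b7"),
        ("ws-107", "command not found"),
    ]
    for host, line in inventory:
        print(f"{host:8s} {assess(line):13s} {line}")
```

Feed it the version lines your inventory tool already collects, or call `check_local_firefox()` from a login script; anything reported as `vulnerable` needs the update, and `out-of-scope` builds should be checked against Mozilla’s own advisory for their branch.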

Note: Firefox 3.6.x automatically informs you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify that you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that “Firefox” is checked under “Automatically check for updates.” In this menu, you can configure Firefox either to always download and install any update or, if you prefer, only to inform the user that an update exists. The first setting closes the window between Mozilla’s release and the user actually restarting into the fixed build, which matters when, as here, the flaw is already being exploited.

As an aside, attackers cannot leverage this vulnerability, nor many other web-based flaws, without JavaScript. Disabling JavaScript by default is a good way to prevent many web-based attacks in general. If you use Firefox, we highly recommend you also install the NoScript extension, which disables JavaScript (and other active content) by default. Keep in mind that NoScript only protects you on sites you have not whitelisted: this attack was served from a legitimate, trusted web site that had been compromised, and a user who has allowed scripts on such a site is exposed again. Treat script blocking as a complement to patching, not a substitute for it.

For All Users:

This attack arrives as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

The Mozilla Foundation has released Firefox 3.6.12 and 3.5.15 to fix this vulnerability.

References:

  • Firefox 3.6.12 Release Notes
  • Vulnerabilities Fixed in Firefox 3.6.12

This alert was researched and written by Corey Nachreiner, CISSP.

Filed Under: Security Bytes Tagged With: firefox, mozilla, nobel peace prize, trojan