Summary:
- This vulnerability affects: Firefox 3.6.x and 3.5.x for Windows, Linux, and Macintosh
- How an attacker exploits it: By enticing one of your users to visit a malicious web page
- Impact: An attacker executes code on your user’s computer, potentially gaining complete control of it
- What to do: Upgrade to Firefox 3.6.12 (or 3.5.15), or let Firefox’s automatic update do it for you
Exposure:
In a WatchGuard Wire post yesterday, we warned you of a new zero day Firefox exploit that attackers had planted onto the Nobel Peace Prize web site. If you visited the infected site with Firefox 3.5 or 3.6 running on an XP computer, the exploit would silently download and install the Belmoo trojan onto your computer. At the time of the Wire post, Mozilla was aware of the zero day flaw but had not yet had time to fix it.
Luckily, Mozilla works fast. In an impressive display of development speed, Mozilla has already released Firefox 3.6.12 to fix this critical zero day vulnerability. According to their Known Vulnerabilities page, the zero day vulnerability was due to a heap buffer overflow flaw within Firefox’s DOM component. By enticing one of your users to a specially crafted web page, or by sneaking malicious code onto a legitimate web page that your user visits, an attacker can leverage this vulnerability to execute malicious code on that user’s machine, with that user’s privileges. If the user happens to be a local administrator or have root privileges, the attacker gains total control of the victim’s computer.
This is a very critical update for Firefox users. The bad guys found this serious vulnerability first, and are already exploiting it in the wild (like with the Nobel Peace Prize web site). As such, we consider it a very serious risk. If you use Firefox, we highly recommend you install the latest update immediately.
Solution Path:
Mozilla has released Firefox 3.6.12 and 3.5.15, to correct this zero day flaw. If you use Firefox in your network, we recommend that you download and deploy version 3.6.12 immediately, or let Firefox’s automatic updater do it for you. If, for some reason, you must remain with Firefox 3.5.x, make sure to upgrade to 3.5.15.
Note: The latest version of Firefox 3.6.x automatically informs you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify that you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that “Firefox” is checked under “Automatically check for updates.” In this menu, you can configure Firefox to always download and install any update, or if you prefer, only to inform the user that an update exists.
As an aside, attackers cannot leverage this vulnerability, nor many other web-based flaws, without JavaScript. Disabling JavaScript by default is a good way to prevent many web-based attacks in general. If you use Firefox, we highly recommend you also install the NoScript extension, which will disable JavaScript (and other active scripts) by default.
For All Users:
This attack arrives as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.
Status:
The Mozilla Foundation has released Firefox 3.6.12 to fix these vulnerabilities.
References:
This alert was researched and written by Corey Nachreiner, CISSP.