TippingPoint Digital Vaccine Laboratories

Mozilla Firefox 3.0 Vulnerability

A number of people who monitor our Zero Day Initiative's Upcoming Advisories page noticed yesterday that we reported a vulnerability to Mozilla (ZDI-CAN-349).  Taking into account the coincidental timing of the Firefox 3.0 release, many are asking us if this is the first reported critical vulnerability in the latest version of the popular open source browser.

What we can confirm is that about five hours after the official release of Firefox 3.0 on June 17th, our Zero Day Initiative program received a report of a critical vulnerability affecting Firefox 3.0 as well as prior versions of Firefox 2.0.x. We verified the vulnerability in our lab, acquired it from the researcher, then reported it to the Mozilla security team shortly after. Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code. Like most browser-based vulnerabilities that we see these days, exploitation requires user interaction, such as clicking on a link in email or visiting a malicious web page.

While Mozilla is working on a fix, we won't be divulging anything else until a patch is available, in keeping with our vulnerability disclosure policy. Once the issue is patched, we'll be publishing an advisory here. Working with Mozilla on past security issues, we've found them to have a good track record and expect a reasonable turnaround on this issue as well.

For more information on the Zero Day Initiative, you can read an intro.



Published On: 2008-06-18 14:58:14

Comments

  1. Anonymous commented on 2008-06-18 @ 18:07

    Why did you not find it in the Release Candidates?

  2. Zero Day Initiative commented on 2008-06-18 @ 18:52

    @Anonymous
    The vulnerability was submitted to us by a researcher that prefers to remain anonymous. Even though the issue affects older 2.0.x versions, as to why he didn't find the vulnerability earlier is something we don't presume to know.

  3. Anonymous commented on 2008-06-19 @ 03:40

    Easy to change Opera 9.5, has no bugs ;).

    Opera 9.5
    Opera 9.5
    Opera 9.5

  4. Anonymous commented on 2008-06-19 @ 05:28

    Yea, why didn't research for it during the Release Candidate stage?
    This is a plain conspiracy!

  5. Harry commented on 2008-06-19 @ 05:36

    Would using the NoScript add-on provide protection in the interim?

  6. NK commented on 2008-06-19 @ 06:15

    "Why did you not find it in the Release Candidates"

    Probably they did find it but kept it secret until now... Everyone likes publicity.

    I find the fact that the vulnerability was discovered only 5 hours after the release VERY hard to believe... Especially considering that the latest RCs are almost identical to the final version...

  7. NK commented on 2008-06-19 @ 06:22

    "Probably they did find it but kept it secret until now... Everyone likes publicity."

    I'd like to correct myself... probably it was the anonymous researcher who kept it secret on purpose, and not TippingPoint's Zero Day Initiative, since they seem to be a serious organization.

    [Conspiracy mode]
    Regarding that researcher... since he is anonymous... maybe a Microsoft agent?
    [\Conspiracy mode]
    Hey, I'm kidding! Still hard to swallow though.

  8. Anonymous commented on 2008-06-19 @ 06:28

    I expect the researcher sat on this bug for a few weeks to get maximum publicity when FF3 was finally released.

  9. Anonymous commented on 2008-06-19 @ 07:31

    IF, and only IF, this was a new flaw that had not affected prior versions, I would buy the 5 hours history...

    Most probably the researcher who found the error, decided to wait until the final version to be released in order to get more attention.

    If he had deployed the information before, the FF team would be able to fix it prior to launch, and the researcher's name would, most probably, be kept anonymous. Now he is "the guy who first found a flaw in FF3", good punch line to apply for a tech job.

  10. Anonymous commented on 2008-06-19 @ 08:02

    Can you at least confirm whether the vulnerability affects both MSWindows and Mac O/S or just one?

  11. I agree with NK commented on 2008-06-19 @ 08:12

    I agree with NK... thanks Mr or Mrs/Miss Anonymous Researcher [who works for Opera, Microsoft, or Apple] for stepping up to the plate to make the world a safer place while Firefox 3 was still in Alpha, Beta, and Release Candidate status. Oh, that's right. You didn't step up to the plate until Firefox 3 was Final so you could be popular, like a teenager in High School. Good job.

  12. Anonymous commented on 2008-06-19 @ 08:17

    "I expect the researcher sat on this bug for a few weeks to get maximum publicity when FF3 was finally released."

    I don't know... the researcher wanted to remain anonymous, so I don't think that publicity was an issue.

  13. Dearon commented on 2008-06-19 @ 08:21

    Wow, do you guys sound like a group of ungrateful bastards.
    Here this guy can make a nice lump of cash by selling his discovery to shady people but instead decides to do the right thing and you people talk crap like this?
    I'm sorry but maybe it is possible that he has only come across a way to reliably exploit the hole now, or maybe he does it for the glory (while wanting to remain anonymous :/), what does it matter?
    He gave the information to the right group and made life better for all of us Firefox users and that is all that matters.

  14. Anonymous commented on 2008-06-19 @ 12:26

    Oh silly FF fans getting all up in arms over this one, sad thing is Firefox still has vulnerabilities from 2006 they still have yet to address (don't believe me, check Secunia or any of your favorite Vuln Reporting Site).

    Firefox security over the last 2 years has historically been poor. To prove my point, how many people using firefox have to use 'noscript' and similar plugins just to navigate the minefield known as the internet on a day to day basis.

    I don't blame them, if I ran Firefox daily I'd use that too. Hopefully the vulnerability will be related to HTML rendering or Image processing, I'd really like to see those NoScript people be even more paranoid than they currently are.

    Why are you blaming the researcher for finding the vulnerability? Sounds like poor code auditing and recycling of legacy code on the developers part to me.

    As for the RC vs Final release debate...there were a few publicly released exploits and vulnerabilities for FF3 betas back in 2007 in case you didn't remember...(because it was RC and no one cared)


    Point is, good job to the researcher for responsibly disclosing it. FF Fans you're lucky he's not selling this to 's hackers so they could SQL Inject it into 100,000 poorly designed sites to host it as a zer0-day present for you.

    I bet that using that method they could probably beat FF3's world record attempt, since rootkits downloaded by shellcode counts as software too, right Guinness?

  15. Neo@NHNG commented on 2008-06-19 @ 13:44

    I personally don't use NoScript because it makes me more safe (it's more like a positive side effect) I use it because it protects me against misguided web designers, layer ads and other crap you have to look at if you're browsing the web nowadays (where the crime weapon is in most cases JavaScript), while allowing me to access those places where JavaScript is used in a reasonable way (youtube, etc.).

    What browser do you use?
    - Opera? It's free but not open source and it doesn't have a big user base, so there probably are quite a few vulnerabilities but they haven't been discovered yet because it's not worth the effort (too few victims) and blackbox testing is much more ineffective.
    - Konqueror? The too few victims rule does also apply here.
    - Safari? Uses the same engine as Konqueror but the browser itself is AFAIK also closed source so again the blackbox.
    - IE? You're joking right?

    Why I use Firefox:
    Because it's open (so the code can be reviewed), it has a big developer and user base (so the code is actually reviewed quite a few times and well-tested), it's extendible and it has been ported to the most popular platforms (so I don't need to switch my behaviour if I have to work on Windows for some reason).
    There are some valid points against using Firefox (e.g. Mozilla's relation to Google) but I don't think the points you mentioned are.

    I also don't think the Firefox devs did a bad job in code auditing, every software complex enough does have bugs and reinventing the wheel every time is just plain stupid (you would probably introduce more bugs with the new code than the old one had and you do the same thing twice).

    I also don't blame the researcher for revealing the vulnerability although I have to admit that it is somewhat mistimed with regards to bad publicity. So if he really discovered it the day he claims he has, it's just bad luck for us Firefox people, if he has discovered it earlier and delayed the disclosure for some reason (e.g. more publicity or to harm the Firefox community) then he has done something wrong (that he could have done it wronger by selling it to some people is no excuse).
    Yes, you can benefit from publicity although staying anonymous, although not in a financial way. You can get much pleasure out of it.

    But in dubio pro reo (innocent until proven otherwise).

  16. Anonymous commented on 2008-06-19 @ 14:38

    It is quite clear he waited for the final release to send the advisory. As vulnerabilities in beta versions are not really considered by security databases, and you know it. You do not help anybody by doing this.

  17. Anonymous commented on 2008-06-19 @ 16:22

    You conspiracy people need to chill out.

    Maybe, just maybe, the researcher didn't finish his research until 5 hours after the official release. If he really just wanted to make a name for himself he would have notified someone within 5 minutes instead of 5 hours.

  18. Anonymous commented on 2008-06-19 @ 18:47

    Conspiracy? Who says the "researcher" who found the issue didn't already sell this to all sorts of hackers and has remained anonymous to collect the cash AFTER the hackers count how many computers they can get into through this? If he was smart enough he would remain anonymous forever and collect on each and every computer affected. If YOU did this would You give out your name or would You remain anonymous and collect all sorts of cash (possibly millions)?
    If it was an IE vulnerability wouldn't there be hundreds of "techs" selling the info??? Just kidding, but we are talking IE now.....LOL.....so there would be thousands??

    OK, it was me! I am the anonymous researcher who did it. Where's all my glory? Where's my pay? Now anyone applying for a tech job can say, "it was me, I found it first". I should have just sold it to hackers worldwide.......LOL.

    Firefox might not be perfect......yet....but it's still the BEST and SAFEST choice we have!

  19. Some1 commented on 2008-06-20 @ 10:51

    This security issue can't do nothing on Linux. Well, it can't if you are running Firefox as ordinary user as most users do. So, Linux users, it can't harm us. :)

  20. hexjesus commented on 2008-06-20 @ 11:56

    @Some1: Nice double negative, so technically you are correct at first. Last statement == epic fail.

  21. Anonymous commented on 2008-06-23 @ 09:10

    I don't understand how you people are seeing "publicity" and "attention" as reason for releasing that bug after 5 hours of firefox release. Since reporter is kept as anonymous, what "publicity" does happen in this case??

  22. Anonymous commented on 2008-06-23 @ 14:32

    Kudos to everyone badmouthing the researcher.

    I'm sure this mindless flak being thrown around is one of the reasons he decided to remain anonymous.

  23. Anonymous commented on 2008-06-24 @ 07:37

    Why do people always get their panties in a bunch because of something like this. So what, it was found 5 hours after release. As if that would help them, or help the researcher.
    Fact is a bug causes people to not trust software, why this would be a conspiracy makes no sense and if it is the people who thought up this conspiracy are below grade 3 for intelligence.

    I don't think it is a conspiracy, merely, a bug found after the fact and I can see why people remain anonymous, all people do is berate others anyways because behind their screen they are virtual gods....grow up people.

  24. Para commented on 2008-07-02 @ 05:52

    Glad to know that there are others out there that care to help keep Firefox safe. As for Opera... it will always be #3, never #2 for choice of browsers. Even when FF becomes #1, Opera will still be #3!!!

  25. Emphyrio commented on 2008-07-02 @ 06:25

    So, it's been 14 days now.
    Is the problem solved yet?

  26. Carlton Stedman commented on 2008-07-22 @ 07:25

    I believe this is handled in the new security/stability update, Firefox 3.0.1. Little over a month, not too bad.

  27. Grey Harris commented on 2009-01-08 @ 17:12

    Even the best applications have bugs, anyway Mozilla fixed it reasonably quickly compared to most software producers.

  28. NJ Web Design commented on 2009-03-29 @ 11:05

    This trend will always continue. Are they ever going to learn to test it properly before releasing it to the public?

  29. the darkfall gold commented on 2009-04-10 @ 02:49

    I believe this is handled in the new security,
    I don't think it is a conspiracy, merely, a bug found after the fact and I can see why people remain anonymous, all people do is berate others anyways because behind their screen they are virtual gods....grow up people. how understand it?


Links To This Post

  1. Code execution vulnerability found in Firefox 3.0 | Zero Day | ZDNet.com
    linked on 2008-06-18 @ 18:00

    According to ZDI’s alert, it should be considered a high-severity risk: Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code, permitting the attacker to completely take over the vulnerable process, potentially allowing the machine running the process to be completely controlled by the attacker. TippingPoint researchers continue to see these types of “user-interaction required” browser-based vulnerabilities - such as clicking on a link in email or inadvertently visiting a malicious web page.

  2. Security news roundup: New vulnerability affects Firefox 3 | IT Security | TechRepublic.com
    linked on 2008-06-23 @ 04:42

    According to the Tipping Point blog: “Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code. Not unlike most browser based vulnerabilities that we see these days, user interaction is required such as clicking on a link in email or visiting a malicious web page.”

  3. Slashdot | A Few Firefox 3 Followups
    linked on 2008-06-19 @ 12:23

    "That didn't take long. In a blog posting from the TippingPoint DVLabs security team (of Kraken and CanSecWest hacking contest fame), they confirmed that they reported a vulnerability in Firefox 3.0 to Mozilla a mere five hours after it was released.

  4. TippingPoint reports Firefox 3.0 flaw — Security Bytes
    linked on 2008-06-20 @ 07:56

    In a blog post Wednesday, TippingPoint said its researchers verified the vulnerability in its lab and quickly reported the flaw to Mozilla’s security team. The flaw could allow an attacker to execute arbitrary code, but a user would need to click on a link in an email or visit a malicious web page, according to TippingPoint. The vulnerability also affects prior versions of Firefox 2.0.x.

  5. Holding off on Firefox 3
    linked on 2008-06-21 @ 13:22

    And there’s a vulnerability report from Tipping Point about an arbitrary code execution weakness which affects you if you visit a malicious webpage. This problem however, is long overdue, just like other persistent security flaws with Firefox stemming back from Firefox 2. That said, these insecurities are easily sidestepped if you employ healthy surfing habits, and should not be an issue for most people.

  6. MacSlush » Blog Archive » First security bug on Firefox 3
    linked on 2008-06-20 @ 17:48

    Firefox 3 is has been published with record testing on this Tuesday. However, first security bug just came on the scene. Tipping Point announcing to confirm the Firefox 3’s first security bug after published 5 hours.  Bug is notified to Mozilla too. Window Snyder (Mozilla’s Security Manager) made a declaration about situation. Snyder told that bug details keeping private between ...

  7. Information Technology News, Reviews, and Previews » Firefox 3 Bugs Reported
    linked on 2008-06-20 @ 10:43

    The bug was reported to Mozilla, and no other details were released, in order to give the organization time to develop a patch. “Working with Mozilla on past security issues, we’ve found them to have a good track record and expect a reasonable turnaround on this issue as well,” TippingPoint said in a statement.

  8. F-Secure | Firefox 3 Vulnerability Discovered
    linked on 2008-06-19 @ 12:44

    About five hours after its release, TippingPoint's Zero Day Initiative received a critical vulnerability affecting Firefox 3.0. Earlier versions of Firefox are also affected.

  9. Mozilla Security Blog » Blog Archives » New Security Issue Under Investigation
    linked on 2008-06-19 @ 10:28

    TippingPoint will also keep the details closed to protect Firefox users.  From their blog post: While Mozilla is working on a fix, we wont be divulging anything else until a patch is available, adhering to our vulnerability disclosure policy.  Once the issue is patched, we’ll be publishing an advisory here. Working with Mozilla on past security issues, we’ve found them to have a good track record and expect a reasonable turnaround on this issue as well.

  10. Web Trends Report on WBAL Radio « Web Trends Blog
    linked on 2008-06-19 @ 07:14

    Mozilla Firefox breaks world record for software downloads in one day, and a security flaw is already discovered.

  11. Firefox 3 Vulnerability Reported
    linked on 2008-06-19 @ 07:47

    Quote from Tipping point

