Overclock.net banner

1 - 9 of 9 Posts

·
Banned
Joined
·
15,763 Posts
Discussion Starter #1
Quote:
The first major security flaw in the release branch of Firefox 3.5 may have been fixed, but the fun isn't over yet: another serious flaw has been discovered in the browser.

Despite being recently updated to version 3.5.1, SecurityFocus is reporting on a stack buffer overflow vulnerability which affects both the original 3.5 release of Firefox as well as the latest 3.5.1 release.

The vulnerability, which comes about from the software's Unicode text handling system, allows a remote attacker to execute arbitrary code simply by embedding it into a web site: as soon as the visitor hits the affected page, the software crashes â€" leading to a denial of service attack â€" and under certain conditions the code will be executed by Windows.

With a simple exploit already available, it's fair to say that if the ne'er-do-wells aren't already using this as an attack vector it won't take them long to wise up.

The vulnerability is the second in the last week to target the latest release branch of the popular open-source browser, and again there is no patch yet available from the Mozilla Foundation. Worse still, there appears to be no easy workaround for the issue this time â€" although once again something like the NoScript plugin would protect you from attack by untrusted pages, as the exploit relies on Javascript in order to execute.

Are you starting to question just how much work was done checking the security of this latest Firefox branch or is the Mozilla Foundation just having a bad week? Share your thoughts over in the forums
http://www.bit-tech.net/news/bits/20...ty-confirmed/1
 

·
Registered
Joined
·
3,102 Posts
Quote:


Originally Posted by jinja_ninja
View Post

Oh no, not again! Now I might get exploited by this totally unimportant vulnerability which never effects anyone ever.

So true. How many of these vulnerabilities are actually exploited?
 

·
Registered
Joined
·
471 Posts
Quote:


Originally Posted by timw4mail
View Post

So true. How many of these vulnerabilities are actually exploited?

Well this one is getting used a fair bit:
2009-07-13 Mozilla Firefox 3.5 (Font tags) Remote Buffer Overflow Exploit 53569

53k downloads is from milw0rm in a few days means its doing pretty well.

http://milw0rm.com/exploits/9137

Code:
Code:
Firefox 3.5 Vulnerability
Firefox 3.5 Heap Spray Vulnerabilty

Author: SBerry aka Simon Berry-Byrne

Thanks to HD Moore for the insight and Metasploit for the payload

Loremipsumdoloregkuw

Loremipsumdoloregkuwiert

Loremikdkw

# milw0rm.com [2009-07-13]
I'll try testing it in a sec, need install forfox 3.5 first
(3.0 ftw)
 

·
Premium Member
Joined
·
4,687 Posts
Quote:


Originally Posted by hokage
View Post

Slightly off-subject one might claim but, does anyone not even have an antivirus installed?

I don't have any on the three computers I use.
 

·
Registered
Joined
·
3,102 Posts
Quote:

Originally Posted by Dockery View Post
How many vulnerabilities does IE8 have? No, seriously, how many does it have?

P.S. I use IE8.
How many of them are serious in comparison? It's not a 1:1 comparison.
 
1 - 9 of 9 Posts
Top