navigation bar left navigation bar right

navigation left tab Advisories navigation right tab
navigation left tab Research navigation right tab
navigation left tab Forums navigation right tab
navigation left tab Create Profile navigation right tab
navigation left tab Our Commitment navigation right tab
Database
Search
Advisories by Product
Advisories by Vendor
Terminology
Report Vulnerability
Insecure Library Loading
Highly critical

Mozilla Firefox Multiple Vulnerabilities

-

Release Date:  2010-02-18    Last Update:  2010-04-07    Views:  126,650

Secunia Advisory SA38608

Where:

You need to log in to view this

Impact:

You need to log in to view this

Solution Status:

You need to log in to view this

Software:

You need to log in to view this

CVE Reference(s):

You need to log in to view this

Description


Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to manipulate certain data, bypass certain security restrictions, disclose sensitive information, or compromise a user's system


You need to log in to the Secunia Community to view the full description of this advisory

If you are not a member of the Secunia community, you can sign up here for free.

Do you have additional information related to this advisory?

Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this information to vuln@secunia.com

Subject: Mozilla Firefox Multiple Vulnerabilities

User Message
[+]

jasasecunia

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
This reply has been minimised due to a negative Relevancy Score.

RobertMaier

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.
azbob RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 23rd Feb, 2010 03:52
Score: 13
Posts: 2
User Since: 23rd Feb 2010
System Score: N/A
Location: US
Last edited on 23rd Feb, 2010 03:52

From the Mozilla Security Blog:

Mozilla is aware of the claim of a zero-day in Firefox as posted here: http://secunia.com/advisories/38608/. We cannot confirm the report as we have received no details regarding the reported vulnerability, such as a proof-of-concept or steps to reproduce. We’ve attempted to contact the researcher who discovered the issue but have not received a response.

Mozilla takes all reports of security vulnerabilities seriously. As always, if you have information about security issues, please send details to security@mozilla.org.
Lucas Adamski, Mozilla Security
Was this reply relevant?
+5
-1

Dr Zen

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.

drfeedback

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.
Anthony Wells RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Expert Contributor 23rd Feb, 2010 17:45
Score: 2454
Posts: 3,345
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Lack of co-operation on a security matter from whatever site has unpleasant overtones for me/us the common user . I feel fairly secure as I run my browsers in a sandbox ("Sandboxie") ; but I would expect Secunia to comment further on this problem having put out an Advisory on a "muddy" situation , especially if they can confirm the exploit and Mozilla don't seem able .

Take care
Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+3
-1

jeng1111

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.

0puns0r3s

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.

TiMow

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.
0puns0r3s RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 27th Feb, 2010 17:36
Score: -5
Posts: 22
User Since: 27th Feb 2010
System Score: N/A
Location: IN
Last edited on 27th Feb, 2010 18:56
@ TiMow: I've been sandboxing any browser I use for a very long time:). To be very honest, I don't think that anyone should downgrade because:

1. If it's affecting 3.6, it could be affecting 3.5 and earlier versions.
2. A good combination of addons like no script and safe browsing should take care of any threats around
3. Sandboxing the browser is one good step towards securing it.
4. To make things even more safer, I won't be doing stuff like netbanking or paying online bills (guess I'm more paranoid:) using Firefox.

If you can, please let me and others reading this thread on how exactly this vulnerability could affect users. That would be very,very helpful. Thanks!
Was this reply relevant?
+2
-1
TiMow RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Dedicated Contributor 27th Feb, 2010 19:40
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
@0puns0r3s

I am unsure if your last question re. vulnerability was directed specifically at me, or the wider community in general.

As I implicated above,my feelings are to question the authenticity of this vulnerability, and not to prove its existence.

But I try to base my decisions / choices on the available information. If as PSI users we believe in the benefits that it offers in reporting on insecurities, then we should therefore act on the information provided - which is what I have done re. changing from 3.6 back to 3.5.8 - which as of a scan today, still shows as secure (according to Secunia).

But I too have seen reports telling of multiple vulnerabilities in other versions - 3.0, 3.5; and in one case listing 3.5.8.

I think there is a lot of scaremongering going on, and almost to levels of conspiring against Mozilla.

I take on board your other points, and this is the 2nd time that the issue of sandboxing has been brought up. As of yet I dont use one, but this will probably have to change. I also try to avoid add-on overload, but will look into your recommendations.

TiMow

--
Computing is not yet a perfect science - it still requires humans.
Was this reply relevant?
+2
-1

0puns0r3s

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.
mAkree RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 28th Feb, 2010 10:40
Score: 1
Posts: 1
User Since: 28th Feb 2010
System Score: N/A
Location: UK
Last edited on 28th Feb, 2010 10:40
I appreciate that Secunia flags the unconfirmed threat. A discussion is triggered which I find beneficial . For example now I will look into the option of instaling a sandbox sw although I am concerned of its effect on my already overloaded system.

Regarding the "fuss" about issueing alarms for unconfirmed threats or not, both sides of the question are right, In my view - and wish list - would be that Secunia inserts a further column in the Unsecure Overview Screen entitled "Confirmed/Unconfirmed Status" and that the concept of "confirmed" be explicitely stated eg, tested by Secunia or tested by other reliable organisation.

I want to know of possible security threats AND if they are confirmed or unconfirmed.

@0puns0r3s, thanks for the practical advice you put in your comment.
Was this reply relevant?
+2
-1
Anthony Wells RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Expert Contributor 28th Feb, 2010 12:12
Score: 2454
Posts: 3,345
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 28th Feb, 2010 12:19
I fell into a sandbox at the start of my PC ownership thanks to Ian "Gizmo" Richards and his late (much lamented) newsletter . He now has a very well (volunteer) run website where you can find "unbiased" advice on as much FREE software as you need to bring your system to a grinding halt :))

Following his advice , my security is based aruond an Internet Security suite , a sandbox and a "vulnerability" checker ; with back up "on demand" A/V , A/S and rootkit scanners - enough overkill to satiate my paranoia ,which does not preclude crossing fingers , smiling at the PC Wizard , etc. - you can read his ideas for yourself , if you have time :-

http://www.techsupportalert.com/how-to-secure-your...

Hope this helps .

Take care
Anthony

PS: I have Ff as default , but also run Chrome in my sandbox - even though it has it's own sandbox system - with no noticeable slowdown , apart from the initial sandbox start up ; I can live and surf "happily" with that .

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+1
-1
0puns0r3s RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 28th Feb, 2010 19:30
Score: -5
Posts: 22
User Since: 27th Feb 2010
System Score: N/A
Location: IN
Last edited on 28th Feb, 2010 19:38
(unknown source)
I fell into a sandbox at the start of my PC ownership thanks to Ian "Gizmo" Richards and his late (much lamented) newsletter . He now has a very well (volunteer) run website where you can find "unbiased" advice on as much FREE software as you need to bring your system to a grinding halt :))

Following his advice , my security is based aruond an Internet Security suite , a sandbox and a "vulnerability" checker ; with back up "on demand" A/V , A/S and rootkit scanners - enough overkill to satiate my paranoia ,which does not preclude crossing fingers , smiling at the PC Wizard , etc. - you can read his ideas for yourself , if you have time :-

http://www.techsupportalert.com/how-to-secure-your...

Hope this helps .

Take care
Anthony

PS: I have Ff as default , but also run Chrome in my sandbox - even though it has it's own sandbox system - with no noticeable slowdown , apart from the initial sandbox start up ; I can live and surf "happily" with that .


@ Anthony: You sound even more "paranoid" than me:)....But yes, it's each man for himself and each of us will have a different definition of what "computer security" is . I use a combination of Comodo Internet Security (just the firewall and Defense +) with Microsoft Security Essentials and gmer.

If I do have to run any unknown programs which I think could be a security risk, I use sandboxie.

I also do not store passwords relating to online banking. I simply store those in my pendrive.

This addon is best when it comes to auto login in Firefox (this is similar to Opera Wand):

https://addons.mozilla.org/en-US/firefox/addon/442...

best
0puns0r3s
Was this reply relevant?
+2
-2

Anthony Wells

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.

0puns0r3s

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.

bjm__

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.

gtatler

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.

gtatler

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.
0puns0r3s RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 4th Mar, 2010 10:41
Score: -5
Posts: 22
User Since: 27th Feb 2010
System Score: N/A
Location: IN
The Inquirer has a slightly better article than most news sites about the vulnerability:

http://www.theinquirer.net/inquirer/news/1593564/f...


I seriously hope that Mozilla issues some kind of public statement or something of that sort to all users of Firefox.

Secunia, maybe you can change the status of the vulnerability to "less severe" or perhaps something like "unconfirmed"?
Was this reply relevant?
+1
-0
bjm__ RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 4th Mar, 2010 17:24
Score: 64
Posts: 374
User Since: 9th Mar 2009
System Score: 100%
Location: US
How can or why should Secunia change their reporting....
as per this Secunia post below...Secunia has verified the threat....
as the threat has been verified by Secunia ....Secunia reported it and has no reason to modify their assessment. I hope Mozilla has reached out to Secunia.
Mozilla has been unable to verify the threat....Since Secunia has verified the threat...logically Mozilla would be reaching out to Secunia.
Question to Secunia: Has Mozilla asked for your help?
__________________________________________________ ___
E.Petersen Firefox patch
forgetaboutit45 24th Feb, 2010 08:42
Posts: 171
User Since: 1st Jul 2009
System Score: N/A
Location: Copenhagen, DK
Hi,
The Secunia researchers verify all exploits before issuing advisories.

Please refer too:
http://secunia.com/research/about/
http://secunia.com/products/corporate/VIF/

--

Kind regards,

Emil R. Petersen
Secunia PSI Support

Secunia PSI
http://secunia.com/vulnerability_scanning/personal
__________________________________________________ _______
Respectfully submitted
bjm-
Was this reply relevant?
+1
-0
RichardD RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 4th Mar, 2010 19:20
Score: 7
Posts: 5
User Since: 4th Mar 2010
System Score: N/A
Location: UK
Last edited on 4th Mar, 2010 19:20
"Verified" in this context doesn't mean what you think it means. Look at the title of the "Report Reliability" element:

"Secunia always verify the reports and the majority of reports are also tested by Secunia staff."

The fact that the report has been verified does not mean that Secunia have tested the vulnerability, or been able to reproduce it.
Was this reply relevant?
+1
-0

dmtj4125

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.
bjm__ RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 5th Mar, 2010 18:27
Score: 64
Posts: 374
User Since: 9th Mar 2009
System Score: 100%
Location: US
Hello Richard D

Thanks for your feedback...I apologize I am unable to locate the info you post..
I do locate the following
Secunia Research Team

The Secunia Research team is comprised of a number of Secunia security specialists, who besides testing, verifying, and validating public vulnerability reports, also conduct their own vulnerability research in various products.

Since the inauguration of Secunia it has been our goal to be the most accurate and reliable source of Vulnerability Intelligence. We have achieved just that!

Being the world's best Vulnerability Intelligence source requires skilled and dedicated staff with a passion for vulnerabilities.

To reward our staff for their persistent efforts in verifying vulnerability reports and to ensure that they possess and hone their skills necessary to find vulnerabilities, we have awarded certain Secunia staff dedicated time to conduct vulnerability research.

The Secunia Research Team members spend some of their time researching various high-profile closed source and open source software using a variety of approaches, but focusing mainly on thorough code audits and Binary Analysis.

This allows them to sometimes discover hard-to-find vulnerabilities that are not normally found via e.g. fuzzing techniques and the approach has definitely paid off! Members of the Secunia Research Team have discovered critical vulnerabilities in many popular products from various vendors including: Microsoft, Symantec, IBM, Adobe, RealNetworks, Trend Micro, HP, Blue Coat, Samba, CA, Mozilla, and Apple.
__________________________________________________ ______
I read no Secunia text to indicate that "verified" does not mean "verified"
I read no Secunia text to indicate that... The fact that the report has been verified does not mean that Secunia have tested the vulnerability, or been able to reproduce it.
__________________________________________________ __________
How might Secunia verify a report absent testing to reproduce it.
Why would Secunia issue an insecure that has not been tested , verified and reproduced.
Secunia clearly states their mission:
The Secunia Research team is comprised of a number of Secunia security specialists, who besides testing, verifying, and validating public vulnerability reports, also conduct their own vulnerability research in various products.
Testing, Verifying, and Validating ~ As per Secunia the FF3.6 vulnerability has been tested , verified and validated.
My point is ~ How can / Why should Secunia change the insecure status of FF3.6 after all that testing, verifying and validating.
If Secunia processes are as diligently accurate as claimed then FF3.6 is insecure. Do you expect Secunia to rescind the insecure based on user complaints.
If I were Mozilla ... I would be reaching out to Secunia for help. Mozilla claims they are unable to gather any info from the person that reported the threat.
If Secunia has not reproduced this vulnerability then how can Secunia assign it a category level.
Mozilla is quiet and Secunia is sure they have a valid insecure Cat4 and reported as such.
Regards
bjm-
anytime Secunia official would care to chime in and correct / clarify this issue ...please !
Was this reply relevant?
+0
-0
RichardD RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 5th Mar, 2010 21:01
Score: 7
Posts: 5
User Since: 4th Mar 2010
System Score: N/A
Location: UK
Last edited on 5th Mar, 2010 21:01
"I am unable to locate the info you post.."

Hover your mouse over the "Available in Customer Area" text next to the "Report Reliability" label, and read the tool-tip:

"Vulnerability reports may vary in reliability depending on the sources. Secunia always verify the reports and the majority of reports are also tested by Secunia staff. Based on the findings during the verification and testing we also determine a reliability rating. E.g. reports from Microsoft are considered trusted and will be used directly in a Secunia advisory, however, Secunia may still choose to conduct further technical analysis and enhance / update the advisory based on this analysis."

Pay particular attention to the second sentence:
"Secunia always verify the reports and the majority of reports are also tested ..."

In other words, they have verified that the report looks genuine, but have not necessarily tested or reproduced the alleged vulnerability.

I don't expect Secunia to remove a vulnerability report based on user complaints, but I would expect them to make it clear whether they have reproduced the vulnerability, or even seen a believable demonstration of it.

At the moment, FF3.6 is listed as insecure because one person has claimed to have a working exploit. No details or demonstration has been made available, so nobody has any way of knowing whether this is genuine or a hoax. Given that Firefox is open-source, I find it hard to believe that there is only one person devious enough to find this supposed bug!
Was this reply relevant?
+0
-0

0puns0r3s

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.

monsignor

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.
0puns0r3s RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 6th Mar, 2010 15:09
Score: -5
Posts: 22
User Since: 27th Feb 2010
System Score: N/A
Location: IN
Last edited on 7th Mar, 2010 10:42
To all those who have been following this thread:

Secunia has updated the links to include a blog post by the black hatter (who claimed to have discovered the vulnerability).

He says that the vulnerability does "exist" and furthermore he says "I've ignored emails from Nick Farrell and from Mozilla, please do not waste my and your time anymore".


In plain English, "I (may have ) found a vulnerability, however, since I'm a greedy guy:), I will not share this with Mozilla or the rest of the world. So if you want to know about it, pay up or shut up!"

However, he has also said "There are exists dozens of 0days in every browser, you can continue to use firefox as usual - I am writing this post using firefox.".

How nice:)....Bless you, sir!:)....So much for the open web.


Updated on March 7 2010: Looks like Evgeny Legerov has removed his blog about the Firefox Vulnerability. However, I've retrieved it through Google cache:)...For those interested here you go:

http://74.125.153.132/search?q=cache:4FlHH1qimvMJ:...


I think this is a Windows only flaw (correct me if I'm wrong:). These would be our options for now until Mozilla responds:

1. Sandbox the browser.
2. Do not visit unknown sites (already mentioned by Secunia)
3. Use addons like noscript to block out javascript, flash and silverlight

One more thing: Why can't a company like Secunia or Mozilla simply buy the Vulndisc software package and check out the vulnerability themselves?
Was this reply relevant?
+1
-0

bjm__

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.

0puns0r3s

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.

bjm__

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.
0puns0r3s RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 9th Mar, 2010 10:08
Score: -5
Posts: 22
User Since: 27th Feb 2010
System Score: N/A
Location: IN
Last edited on 9th Mar, 2010 10:14
@ bjm- I've sent an e-mail to Mozilla (security@mozilla.org).

Here is what I sent them:

I'm writing this e-mail in the hope that I could get some answers regarding the Firefox 3.6 vulnerability.

For the past two weeks, I've been reading that there is supposed to be a "zero-day" flaw in Firefox 3.6, reported by Evgeny Legerov(source: http://www.theregister.co.uk/2010/02/18/firefox_ze...)

I've seen many sites taking this "vulnerability" stuff and create unnecessary mud slinging:(.....

It would be great if the Firefox team or rather the Firefox Security team would issue a statement of some kind reassuring their users. At the end of the day, it's bad press that kills a product.

My questions (please note that I'm not a software developer or anything like that:)..I'm just a web user):

1. Why can't Mozilla purchase the Vulndisco software package? I'm aware of the fact that the black hatter guy (Evgeny Legerov) could be using "blackmail" tactics to force everyone to buy his software.

2. Is this a "Windows-only" vulnerability or does it affect the Macintosh and Linux platforms also? I'm a Windows user who is pretty tech savvy:), but I would still like to know how this vulnerability would affect Windows.

3. I've been following up on this issue at this secunia thread:
http://secunia.com/advisories/38608/

Secunia gives it a "Highly Critical" rating. The Firefox Team could approach Secunia and ask them on what basis they have rated this as a "Highly Critical" rating.

I don't expect them to reply to me, but heck it's better than nothing:)...If they do send me a response, I'll post it here.

0puns0r3s
Was this reply relevant?
+3
-0
coopa RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 9th Mar, 2010 16:09
Score: 2
Posts: 7
User Since: 9th Mar 2010
System Score: N/A
Location: US
Last edited on 9th Mar, 2010 16:09
0puns0r3s,

The Mozilla Team already put out a note they were trying to get in touch with the alleged exploit finder with no success.

The problem with buying Vulndisco is that you set a precedent- if Mozilla did it, they would essentially be paying for exploit info. After caving once, how many people do you think would somehow package exploits for sale to Mozilla?

The first source link says XP SP3 and Vista, but there's no way to tell as no one has PoC code.
Was this reply relevant?
+2
-0
bjm__ RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 9th Mar, 2010 19:01
Score: 64
Posts: 374
User Since: 9th Mar 2009
System Score: 100%
Location: US
@ coopa
coopa makes a valid point re > they would essentially be paying for exploit info. Open Source is supposed to allow the free flow of info.
Unfortunate that Mozilla is silent... I have search'd all over Mozilla for just a faint reference to Secunia. IDK Mozilla appears to have acknowledged the reported threat and has no other plans for now?.
Secunia has acknowledged the reported vulnerability and extends the reported vulnerability both credibility and severity.
Kudos to Opera for stepping up and reaching out to Secunia.
thanks to all for keeping this thread active...
No benefit to giving the hatter more press time....but, Secunia users (this user) need to better understand the process. How does a reported issue go from A to B and B with a Cat4. Is it all subjective ? How does any claimed threat get acknowledged and validated and reported and rated by Secunia.
Recall, Opera denied their threat at first and now Opera appears to be taking it seriously. Secunia has a big soapbox. When Secunia speaks ....it does carry weight. Why Mozilla is not hearing....unknown?
Regards to all @ Secunia,
bjm-
Was this reply relevant?
+2
-0
Dr Zen RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 9th Mar, 2010 19:33
Score: 1
Posts: 8
User Since: 2nd Nov 2009
System Score: N/A
Location: US
(unknown source)
See my thread under http://secunia.com/community/forum/thread/show/359...

OK in addition just found the below on Qualysis FYI


(1) CRITICAL: Multiple Mozilla Products Multiple Vulnerabilities
Affected:
Firefox versions prior to 3.6
Firefox versions prior to 3.5.8
Firefox versions prior to 3.0.18
Thunderbird versions prior to 3.0.2
SeaMonkey versions prior to 2.0.3

Description: Several products from the Mozilla Foundation such as its
popular web browser Firefox, internet suite SeaMonkey, and email client
Thunderbird, contain multiple vulnerabilities. The first issue is caused
by a memory corruption error in the browser engine and this might result
in arbitrary code execution. The second issue is a heap corruption error
in the Mozilla's Web Workers implementation caused by improper handling
of array data types while processing posted messages. The third issue
is a use-after-free error in HTML parser caused by incorrect freeing of
already used memory. The fourth issue is a same origin policy violation
caused by inadequate restriction of read access to object passed to
showModalDialog and can be triggered by a specially crafted
dialogArguments values. The fifth issue is caused by an error in the way
SVG documents, that are served with Content-Type:
application/octet-stream, are processed and eventually leading to
bypassing the same-origin policy. Full technical details for the
vulnerabilities are publicly available via source code analysis.

Status: Vendor confirmed, updates available.

References:
Mozilla Security Advisories
http://www.mozilla.org/security/announce/2010/mfsa...
http://www.mozilla.org/security/announce/2010/mfsa...
http://www.mozilla.org/security/announce/2010/mfsa...
http://www.mozilla.org/security/announce/2010/mfsa...
http://www.mozilla.org/security/announce/2010/mfsa...
Zero Day Initiative Advisory
http://www.zerodayinitiative.com/advisories/ZDI-10...
Vendor Home Page
http://www.mozilla.org
SecurityFocus BID's
http://www.securityfocus.com/bid/38285
http://www.securityfocus.com/bid/38286
http://www.securityfocus.com/bid/38287
http://www.securityfocus.com/bid/38288
http://www.securityfocus.com/bid/38289

************************************************** ***********

(2) HIGH: Mozilla Firefox Code Execution Vulnerability
Affected:
Mozilla Firefox 3.6

Description: Mozilla Firefox, an open source web-browser from the
Mozilla Application Suite, is the second most popular browser with a
24.43% usage share. It reportedly contains a flaw caused by unspecified
error and it can be exploited to execute arbitrary code. Technical
details for this vulnerability are not available publicly and there are
reportedly no public proof-of-concepts or exploits circulating in the
wild. There is reportedly a working commercial exploit from the
VulnDisco Pack.

Status: Vendor confirmed, updates available.

References:
Intevydis blog
http://intevydis.blogspot.com/2010/02/new-versions...
Wikipedia Article on Mozilla Firefox
http://en.wikipedia.org/wiki/Mozilla_Firefox
Product Home Page
http://www.mozilla.org/
SecurityFocus BID
http://www.securityfocus.com/bid/38298/

--
Dr Zen
Was this reply relevant?
+1
-0
bjm__ RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 10th Mar, 2010 07:12
Score: 64
Posts: 374
User Since: 9th Mar 2009
System Score: 100%
Location: US
Hi Dr Zen
Thanks for the informative, thorough helpful post...
@ my post in this thread >
bjm- Mozilla Firefox Unspecified Code Execution Vulnerability
4th Mar, 2010 17:24
[...]The Secunia researchers verify all exploits before issuing advisories.[...]
Emil R. Petersen
Secunia PSI Support
-------------------------------------------------- -----------------------------
@ Dr Zen wrote:
Status: Vendor confirmed, updates available.
~ Where are the updates? I check for updates several times a day. I just checked. No updates available from Mozilla for Firefox.

Regards
bjm-


Was this reply relevant?
+0
-0
0puns0r3s RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 10th Mar, 2010 08:47
Score: -5
Posts: 22
User Since: 27th Feb 2010
System Score: N/A
Location: IN
Last edited on 10th Mar, 2010 09:41
@ coopa, bjm- and Dr Zen thanks for the info! We have learnt a lot at this thread!

(unknown source)
@ coopa
coopa makes a valid point re > they would essentially be paying for exploit info. Open Source is supposed to allow the free flow of info.
Unfortunate that Mozilla is silent... I have search'd all over Mozilla for just a faint reference to Secunia. IDK Mozilla appears to have acknowledged the reported threat and has no other plans for now?.
Secunia has acknowledged the reported vulnerability and extends the reported vulnerability both credibility and severity.
Kudos to Opera for stepping up and reaching out to Secunia.
thanks to all for keeping this thread active...
No benefit to giving the hatter more press time....but, Secunia users (this user) need to better understand the process. How does a reported issue go from A to B and B with a Cat4. Is it all subjective ? How does any claimed threat get acknowledged and validated and reported and rated by Secunia.
Recall, Opera denied their threat at first and now Opera appears to be taking it seriously. Secunia has a big soapbox. When Secunia speaks ....it does carry weight. Why Mozilla is not hearing....unknown?
Regards to all @ Secunia,
bjm-



Regarding the Opera Vulnerability, this is what I've learned so far....It was "disclosed" by (Marcin Ressel/Vupen Security) (source: http://www.theregister.co.uk/2010/03/05/opera_vuln...). Keyword here being "disclosed":).....In the case of Firefox, the Vulndisco guys have not "disclosed" the supposed "vulnerability".

Therefore, I still fail to see how Secunia could give a "Category 4 Security Threat" to Firefox without a proper "Proof of Concept" demo!

As a further update, here is the response I received from the Firefox Security Team:

(unknown source)
Hi <my real name here!:)>,

I saw your comment on the blog post as well. I'm sorry, but there is simply no additional information that we have to share that isn't posted there. If and when we learn anything actionable, we will be sure to respond appropriately.

Regards,

Brandon Sterne
Mozilla Security Group


The old google cache page of the Intevydis blog post which I posted a few comments ago appears to be dead. Here is a new cache page by the Russian blackhatter. For those interested, check it out:
http://74.125.153.132/search?q=cache:LTKbp1zuTHwJ:...

I'm posting his entire comments here since this page could also disappear from Google cache:

It seems that a lot of rabbits are speculating about Firefox module which has been released as a part of Vulndisco 9.0.

Honestly we see nothing special about this particular bug, as there are tremendous amount of bugs in every browser. If we were able to find 1 bug in Firefox, highly motivated organized hackers will find 10 bugs, 'security industry' is usually one step behind hackers...

We are not going to explain here why we are developing Vulndisco and how it can be used, but some points about ff module should be explained:

1. first of all, ff exploit is not 'being used in the wild'

2. some morons say that increase of ff crashes is probably 'the exploit being tested' ...no comments

3. fact that there is no 'credible source' who can confirm the existence of ff exploit means nothing

4. fake Vulndisco user 'Mario23' who posted a message to Immunity forum - yet another moron, probably from Mozilla security team

To sum up, as post to mozilla security blog suggests - 'keep browsing with Firefox with confidence'
Posted by Evgeny Legerov at Monday, March 01, 2010

If 1 + 1=2, then.......No proof of concept code, only one person/software module has reported this vulnerability, most of us are firefox users and we've seen nothing unusual, unnecessary FUD and publicity....Then there is nothing (much) to worry about:)....Of course, we do continue to be careful while browsing the web with any browser...That is understood.


Please correct me if I'm wrong.
Was this reply relevant?
+1
-0
Dr Zen RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 10th Mar, 2010 17:34
Score: 1
Posts: 8
User Since: 2nd Nov 2009
System Score: N/A
Location: US
Yeah, I too found out Mozilla has no true update, BUT I did see in one of those threads that disabling Java is a potential workaround for now.... can anyone assist in verifying that?

And you are most welcome. I too find this difficult to fathom. Just hope that one of the members here is not related to that black H A T or IS.

--
Dr Zen
Was this reply relevant?
+1
-0
bjm__ RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 10th Mar, 2010 18:07
Score: 64
Posts: 374
User Since: 9th Mar 2009
System Score: 100%
Location: US
Last edited on 10th Mar, 2010 18:50
Hello 0puns0r3 ~ coopa ~ Dr Zen ~ Anthony Wells,
We are at an impasse...? Yes/No?
1) The Secunia researchers verify all exploits before issuing advisories.
Emil R. Petersen
Secunia PSI Support
2) All known publicly reported vulnerabilities are Fixed in:
Firefox 3.6
Firefox 3.5.8
Firefox 3.0.18
Thunderbird 3.0.2
SeaMonkey 2.0.3
3) There is reportedly a working commercial exploit from the
VulnDisco Pack.
4) Secunia researchers verify all exploits before issuing advisories.
5) Technical details for this vulnerability are not available publicly and there are
reportedly no public proof-of-concepts or exploits circulating in the wild.
6) Secunia researchers verify all exploits before issuing advisories.
7) I still fail to see how Secunia could give a "Category 4 Security Threat" to Firefox without a proper "Proof of Concept" demo!
8) I would expect Secunia to comment further on this problem having put out an Advisory on a "muddy" situation , especially if they can confirm the exploit and Mozilla don't seem able .
--------------------------------------------------
re > I run my browsers in a sandbox ("Sandboxie")
Sandboxie has limitations....
Sandboxie cannot always protect from exploits that only require the browser to be actionable. There are exploits that appear as normal browser activity and only require the browser to be actionable. Sandboxie is more effective with exploits that require a app outside the sandbox'd browser to be actionable.
-------------------------------------------------- ---
Impasse & Quandary
bjm-

P.S. to Dr Zen re > Workaround - disabling Java ?
I read:
Disable JavaScript until a version containing these fixes can be installed.
Java and JavaScripts are not the same animal. JavaScripts do not require Java.
~~Until a version containing these fixes can be installed~~
see item 2) All known publicly reported vulnerabilities are Fixed.
I run FF (all ver) with Java and Flash disabled all the time & of course with NoScripts (for JavaScript). I find very limited use for Java & I enable Flash player as required. As I am also Sandbox'd...all enabled revert to disabled upon dumping the sand. I do not allow access to the entire profile.
Cheers
bjm-

Is it time to explore Google Chrome or Opera...?
Was this reply relevant?
+0
-0
Anthony Wells RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Expert Contributor 10th Mar, 2010 18:58
Score: 2454
Posts: 3,345
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 10th Mar, 2010 19:08
Hello bjm ,

The question certainly is for me three fold :-

1) if there is no PoC and it's not in the wild , then we don't know if any specific counter measure is directly useful , in this case ;


2) why/how have SEcunia come up with a CAT 4 ; is it a "catch all" super cautious thing ?? ;

3) Will it encourage other hackers to hold people to ransom (so to speak) ??

Regarding "Sandboxie" , for sure nothing is 100% secure (that's why we are here:(( :) . I use it to great effect (for me , that is) as a part of my security set up to look to get "good" safety with ease of access to the surf .

Sandboxie clearly state that they update pretty regularly to cover known vulnerabilities , but at my level of use I am not clear what you mean by "actionable" apps in and out of the box and the problem therein .

If you have time , perhaps you could add some extra detail .

Take care
Anthony

PS: I am running Google Chrome (4.0.x stable) and it sits well alongside Firefox . It has it's own sandbox system and the latest versions also run happily in Sandboxie .

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+3
-0
bjm__ RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 10th Mar, 2010 21:39
Score: 64
Posts: 374
User Since: 9th Mar 2009
System Score: 100%
Location: US
Hello Anthony,
quote from http://www.sandboxie.com/index.php?HelpTopics
It should be noted, however, that Sandboxie does not typically stop sandboxed programs from reading your sensitive data.

It is very difficult to reliably detect a key-logger. For a lengthy explanation, see Detecting Key Loggers
http://www.sandboxie.com/index.php?DetectingKeyLog...

http://www.wilderssecurity.com/showthread.php?t=24...

~ knowledgeable sandboxie users know how to tighten up the default sandboxie settings ~ some @ Secunia Forum may have been introduced to sandboxie via this thread....I did not want my posts to infer sandboxie is perfect. I always browse sandbox'd. But, if I happen on a rouge site...sandboxie will not protect me from myself. Posting this on a trusted site. There is a free exchange of data sandbox'd. If I were posting this on a rouge site. There would also be a free exchange of data.
-------------------------------------------------- -------------------
Thanks for the comments about Google Chrome ~ every time I think I'll try Chrome. I read about concerns over Google tracking and privacy.
http://www.srware.net/en/software_srware_iron.php
-------------------------------------------------- ---------------------
just between us (no one else will read this)....do you feel Secunia has accurately reported FF 3.6 vulnerability..

Regards
bjm-
Was this reply relevant?
+2
-0
Anthony Wells RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Expert Contributor 10th Mar, 2010 22:15
Score: 2454
Posts: 3,345
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi bjm ,

Thank you for the clarification on sandboxes which I understand and at least I feel comfortable I am not missing anything .

You rightly emphasise the "read" possibility and all that entails and that using the FAQ and excellent Forum will help new users to tighten the bolts to make their paranoia squeak . I really am only looking in my case to stop exploits installing or downloading whilst my back is turned :((

As far as Google tracking is concerned , I feel that once you are surfing with any kind of speed or freedom you are anybody's and everybody's and your data is up for grabs to any bidder ; I don't get the impression Google are any better or worse . If you want to worry , think of what the Govt. or your Insurance Co knows about you and how "secure" that data is (not) .

I clean out Ff and Chrome most days with CCleaner after choosing (along with Browser settings) which site data I may want to keep for particular access or arrangement . At the end of the day there is not much left .

As to the handling of the Ff problem , just between you and me , then nobody comes out looking good . We are so used to trusting Secunia (as you have pointed out) and , in general , rightly so : but lets's face it , if you or I can make a mistake then so can anyone ; an unknown ranking rather than CAT 4 would be more understandable to me :)

Take care
Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+2
-0
0puns0r3s RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 11th Mar, 2010 10:19
Score: -5
Posts: 22
User Since: 27th Feb 2010
System Score: N/A
Location: IN
Last edited on 11th Mar, 2010 10:27
@ all: Yes, we are at an impasse:)...Before we continue, I am not a hacker:) though I do pick up his posts from google or google cache.....I too hope that you guys are not hackers:).....Our final option: Start an online petition and send it Michelle Baker, the CEO of Mozilla.

@ bjm-Sandboxie is a good tool, but if you practice "safe browsing", there is no need for (more) paranoia:)......

1. Use noscript and disable javascript etc...and allow those for sites which you trust.

2. If you don't visit sites which are breeding grounds for malware (examples: warez sites, keygen, crack sites etc....etc...), half of your online problems vanish:)

3. If you don't click on random popups or ads which say "your computer is infected. Click here to fix or perform a free scan", then another part of your problems vanish:)

My only primary concern: Online banking! For anything that requires you to use your online banking account, I think that for that alone, an alternative browser should be used (more paranoia!:)...However, I did use Firefox to pay my online phone bills and my banking account is intact:) (touchwood!)

Secunia: I still have a lot of respect for you guys and I'm also a user of your PSI tool, but if you do know about the "exploit", please clarify. Otherwise, there is seriously no point having a "CAT 4 rating". How different is your organization from that of the hackers?

If you do have the info, but are willing to share it with only customers who can "pay up", please mention it in the advisory. On the other hand, if you do not have the info, please say so.

Make it clear and do not hide behind fancy jargon. This smacks of irresponsibility and goes against the spirit of Open source software and the free web.


I really don't know whether this is reliable, but the thread at the Immunity forum seems to have been updated:

If it is true, then it seems that the bug occurs if Firefox tries to load a "malformed" PNG File. Quoting the response here:


(unknown source)
Finally, after long borring email contact (and after credit card transfer), I've got the download/license.

I've tried it but it did not work good here. Just FireFox crashes, but the sample code (starting of %system_dir%\calc.exe as far as I understood) did not work... (WinXP SP3, FireFox 3.6) Probably just my tests were incorrect - I dont know, I've tried to contact support-team, but no answere. :(

Just some small infos: The bug occures when firefox tries to (specially? - did not test something else but the one example code) load a malformed PNG file; I do not know PNG format very well, so no further infos here.

Still, you can contact me about the code/PNGs. I'll just answere honest proposals (dont waste my time in any other case - transmutator42 at gmail dot com).

TransMutator

--- Last Edited by TransMutator at 2010-02-08 14:58:14 ---


Forum link here:

https://forum.immunityinc.com/board/thread/1161/vu...
Was this reply relevant?
+2
-0
bjm__ RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 11th Mar, 2010 19:17
Score: 64
Posts: 374
User Since: 9th Mar 2009
System Score: 100%
Location: US
Last edited on 11th Mar, 2010 19:27
To Secunia Official
Please explain how Secunia assigns a Cat4 rating. What protocol is used.
I would better understand / trust the rating if I knew whence it came. How it is derived. What checks and balances are at play to ensure accurate vulnerability reporting & rating.
Please explain if Secunia has tested , verified , validated and/or reproduced the Mozilla Firefox Unspecified Code Execution Vulnerability.
--------------------------------------------------
Please clarify the new Relevancy Score system. What prompts > This reply has been minimized due to a negative Relevancy Score. How many thumbs down prompts a post minimization. Is Relevancy Scoring exclusively user based. May Secunia thumb up/down a post. May Secunia minimize a post for cause. So, if I just don't like a user for any reason... all I have to do to...is vote negative.
Very democratic ~ one negative; and any opinion, any contribution, any post is minimized.

Respectfully submitted
bjm-
Was this reply relevant?
+4
-4
0puns0r3s RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 12th Mar, 2010 08:32
Score: -5
Posts: 22
User Since: 27th Feb 2010
System Score: N/A
Location: IN
Last edited on 12th Mar, 2010 08:35
@ Secunia: Some of us in this thread have been quite frank with our questions. We came here expecting some sort of reply from you guys. Sadly, we still have not got them.

We could not care much about the negative ratings we get! Heck, none of us trolled...we did our best and we still have not received any kind of answer.

@ all: It's been a pleasure interacting with you guys in this thread. Until we meet again elsewhere:). If there is some kind of update regarding this issue, do not hesitate to share it here. Bye for now.

Just a small piece of news for those interested. Firefox will have an update to the next version "3.6.2". Yes, there will be no 3.6.1. Probably by March 30th or so...So guess that will take a bit of worry from our minds. More details here:

https://wiki.mozilla.org/Releases/Firefox_3.6.2
Was this reply relevant?
+8
-6
Secunia Research RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Secunia Official 12th Mar, 2010 13:18
Score: 5
Posts: 7
User Since: 16th Feb 2010
System Score: N/A
Location: Copenhagen, DK
For your information, we do read every single posting on the "Secunia Vulnerabilities Forum". When we see relevant information we will, to the extend possible, confirm this and, if applicable, update the relevant advisory.

This means that if we don't update an advisory, usually within one business day, then the advisory is considered accurate as is - or the posting didn't contain sufficient evidence to prove, reproduce, or verify the claim.

For more information about the "Secunia Vulnerabilities Forum" see:
http://secunia.com/community/forum/thread/show/374...

This page contains some details on the terminology used and ratings:
http://secunia.com/advisories/terminology/

bjm__

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.

coopa

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.

Pink_Freud

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.

0puns0r3s

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.

bjm__

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.

Pink_Freud

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.

Ziff

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.

0puns0r3s

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.

Jesant13

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.

bjm__

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.
bjm__ RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 15th Mar, 2010 16:07
Score: 64
Posts: 374
User Since: 9th Mar 2009
System Score: 100%
Location: US
on 12th Mar, 2010 13:18, Secunia Research wrote:
For your information, we do read every single posting on the "Secunia Vulnerabilities Forum". When we see relevant information we will, to the extend possible, confirm this and, if applicable, update the relevant advisory.

This means that if we don't update an advisory, usually within one business day, then the advisory is considered accurate as is - or the posting didn't contain sufficient evidence to prove, reproduce, or verify the claim.

For more information about the "Secunia Vulnerabilities Forum" see:
http://secunia.com/community/forum/thread/show/374...

This page contains some details on the terminology used and ratings:
http://secunia.com/advisories/terminology/


Thank you for uhhhh...clearing this up! (insert sarcasm emoticon here)

Will there be a statement or announcement of any significant relevancy and/or clarity regarding this issue forthcoming by Secunia and/or Mozilla any time in this millennium ??

Secunia is a terrific program, and I surely cannot complain about it's cost (nil)--but this situation seems ridiculous to me. Can we PLEASE get some relevant information (a workaround, perhaps?) sometime SOON????

Respectfully,
Joe D aka Pink_Freud
Was this reply relevant?
+2
-1

Pink_Freud

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.
bjm__ RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 15th Mar, 2010 19:39
Score: 64
Posts: 374
User Since: 9th Mar 2009
System Score: 100%
Location: US
@ Secunia
This means that if we don't update an advisory, usually within one business day, then the advisory is considered accurate as is - or the posting didn't contain sufficient evidence to prove, reproduce, or verify the claim.
The above Secunia explanation is meaningless, useless double speak;
If we (Secunia) don't update an advisory ....
then the advisory accuracy is "as is" ...or,
the advisory accuracy is "not as is".
Clear as mud!
Oh! and also contradicts Secunia's mission statement.

Regards to all PSI users in this thread!
Respectfully submitted,
bjm-
Was this reply relevant?
+3
-2
bjm__ RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 15th Mar, 2010 19:55
Score: 64
Posts: 374
User Since: 9th Mar 2009
System Score: 100%
Location: US
Last edited on 15th Mar, 2010 20:09
(unknown source)
For your information, we do read every single posting on the "Secunia Vulnerabilities Forum". When we see relevant information we will, to the extend possible, confirm this and, if applicable, update the relevant advisory.


When we see relevant information....relevant information from who/what?
Secunia inhouse specialists verify all reported vulnerabilities before the advisory release....that what Secunia mission statement asserts.

Secunia will only update the relevant advisory if / when Secunia see's relevant information.

Secunia typo~ "to the extend possible" .... I imagine, Secunia meant "to the extent possible"

@Pink Freud
Will there be a statement or announcement of any significant relevancy and/or clarity regarding this issue forthcoming by Secunia and/or Mozilla any time in this millennium ??
IMO ~ NO
Secunia will only update the relevant advisory if / when Secunia see's relevant information.
IMO ~ Since Secunia posted the advisory absent relevant information...why would Secunia consider looking for relevant information now?
Respectfully submitted
This reply will be minimized due to a negative Relevancy Score. I corrected Secunia spelling ~ minimised ~ ;-)
Was this reply relevant?
+2
-3

geewhiz

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.
bjm__ RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 16th Mar, 2010 20:58
Score: 64
Posts: 374
User Since: 9th Mar 2009
System Score: 100%
Location: US
@ Forum
Secunia has posted their policy regarding the Forum.
http://secunia.com/community/forum/thread/show/374...
-------------------------------
To any user expecting a response from Secunia... I sadly offer:
You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.
The forum is considered the community's. You will, therefore, not necessarily see any responses nor comments from Secunia Official's.
This means that if a forum post disputes a Secunia Advisory and the advisory is not updated, usually within 1 business day, then the advisory is considered accurate as is - or the posting didn't contain sufficient evidence to prove, reproduce, or verify the claim.
-----------------------------------
So, unless a user is able to post a dispute to a Secunia Advisory that contains sufficient evidence to prove, reproduce, or verify the users disputed claim. You will not see any responses nor comments from Secunia Official's.
Once Secunia issues an Advisory. The Advisory stands....until and unless a user / anyone can prove to Secunia and satisfy Secunia that the Secunia issued Advisory is not accurate as is.

Respectfully submitted
"This post will be minimized relevant or not"


Was this reply relevant?
+7
-2
0puns0r3s RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 17th Mar, 2010 09:08
Score: -5
Posts: 22
User Since: 27th Feb 2010
System Score: N/A
Location: IN
Last edited on 17th Mar, 2010 09:21
This has set quite a bad precedent from Secunia since:

1. Mozilla did not consider this as a "vulnerability" since the hacker refused to disclose it. He claimed that anyone could "buy" the vulnerability from him.

2. Secunia have a good reputation with the Security Community. So why would they continue flagging this if they're not sure at all?

3. They report this "vulnerability" as "Mozilla Firefox Unspecified Code Execution Vulnerability". Basically, they're actually admitting that they have no idea about the "code execution" since they've used the word "unspecified"

4. However, they should have made it much more clearer in the advisory.

5. They should have contacted both Mozilla and the hacker and then come to a decision whether this vulnerability does exist or not!

6. Or they could have tested out this vulnerability if possible.

7. So who gains because of this so-called unproved vulnerability?:

a. Rival browsers like Internet Explorer, Opera, Safari, Chrome etc...There is already a lot of FUD like memory hogging, startup, etc..etc..spread about Firefox. This will only add more FUD:(. I did not expect Secunia to do this.

b. More FUD will (continue) to be spread over the internet. People will immediately point out to Firefox 3.6 and say "Mozilla never offered a patch for it. They failed" etc..etc..
(never mind the fact that nobody is sure of this vulnerability! No one would even bother to read this thread)

Like they say in the internets....Epic Fail:)
Was this reply relevant?
+5
-2

monsignor

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.
millstone RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 18th Mar, 2010 22:18
Score: 0
Posts: 1
User Since: 18th Mar 2010
System Score: N/A
Location: NL
Last edited on 18th Mar, 2010 22:18
A lot of damage has already been done with this advisory, I imagine. Does Firefox have a damage control team? Something like SAS and Opera put in recently? That worked!

However, in security, silence is golden. This is not the same as security by obscurity.

We should assume that Evgeny Legerov is a Secunia insider. Then he himself could have done the verification.

Probably there is no Firefox vulnerability. That does not mean that there is not a problem now. Everybody has a problem if Secunia says there is. I think correcting a mistaken advisory is not easy, politicaly, if it means admitting an organisational flaw. An escape could be a new Firefox release. Because when there is no attention to an old advisory anymore, then changing it would hurt Secunia less.

Mozilla please bring out a dummy patch for this dummy vulnerability. Should not be too difficult. Weave it in with another fix.

Now is a very inconvenient moment for a problematic Firefox vulnerability (very convenient though for the competition).

Minimization imminent?
Was this reply relevant?
+5
-5
azbob RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 19th Mar, 2010 05:39
Score: 13
Posts: 2
User Since: 23rd Feb 2010
System Score: N/A
Location: US
Last edited on 19th Mar, 2010 05:39
the latest from the Mozilla Security Blog:

Update on Secunia Advisory SA38608

03.18.10 - 08:20pm

Mozilla was contacted by Evgeny Legerov, the security researcher who discovered the bug referenced in the Secunia report, with sufficient details to reproduce and analyze the issue. The vulnerability was determined to be critical and could result in remote code execution by an attacker. The vulnerability has been patched by developers and we are currently undergoing quality assurance testing for the fix. Firefox 3.6.2 is scheduled to be released March 30th and will contain the fix for this issue. As always, we encourage users to apply this update as soon as it is available to ensure a safe browsing experience. Alternatively, users can download the current Beta build of Firefox 3.6.2, which contains the fix from here: https://ftp.mozilla.org/pub/mozilla.org/firefox/ni...
Was this reply relevant?
+9
-0
0puns0r3s RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 19th Mar, 2010 08:43
Score: -5
Posts: 22
User Since: 27th Feb 2010
System Score: N/A
Location: IN
Last edited on 19th Mar, 2010 08:43
1. Black Hatter announces a "vulnerability" in the hopes that someone buys his software. He also threatens not to release the vulnerability.
2. All news sites and security sites publicize the story without any confirmation.
3. Mozilla refuses to "pay up".
4. The vulnerability does not seem to affect a lot of people and Mozilla goes ahead and announces that they will release 3.6.2 anyways.
5. Hacker realizes that he is being foolish and releases the code:)

Questions which will remain unanswered:

1. Why did the hacker take a sudden "u" turn and release the vulnerability?
2. Did Secunia have any knowledge of the exploit?
3. Was the whole thing supposed to be a publicity stunt for the hacker's "Vulndisco" software package?

I guess Mozilla will release the code exploit after the update. I'm also assuming that the exploit will work only with user interaction, i.e. clicking on an untrusted link or something like that?
Was this reply relevant?
+3
-2
Jesant13 RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 19th Mar, 2010 15:49
Score: -3
Posts: 40
User Since: 10th Sep 2009
System Score: 100%
Location: US
Last edited on 19th Mar, 2010 15:49
I'm glad Mozilla has patched the vulnerability and that they plan on releasing the update on March 30th. Great job guys. :)
Was this reply relevant?
+1
-1
bjm__ RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 19th Mar, 2010 16:52
Score: 64
Posts: 374
User Since: 9th Mar 2009
System Score: 100%
Location: US
Last edited on 19th Mar, 2010 17:01
Then I guess this will vindicate Secunia...as having issued an accurate insecure vulnerability from day one.
Question is...if hatter only just released info to Mozilla....How did Secunia get the info weeks ago. I remain confused. OK, now Mozilla will patch because vendor has reproduced threat only because hatter gave it up. So, does Secunia verify, validate, test, reproduce all reported threats prior to issuing an insecure or does Secunia just report them.
What prompted this turn of events....
Funny how all the actors ~ Secunia ~ Firefox ~ the hatter .... are all vindicated now?
Maybe some times all the pieces just fall into place....or maybe some times the pieces have help?
Guess, I'll have continue to blindly trust Secunia (as I did prior to this issue).
Why did it take FF so long to acknowledge?
Why did the hatter resist till now and now is willing to cooperate?
How did Secunia know the threat was valid all along?
Why has no one else previously reported duplicating the vulnerability?
Why has no one reported having an issue with this threat?
This Secunia Cat4....How did Secunia know...Why was Secunia so certain they were reporting an accurate insecure?
Crystal Ball
http://blog.mozilla.com/security/

Was this reply relevant?
+6
-0
Secunia Research RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Secunia Official 19th Mar, 2010 17:49
Score: 5
Posts: 7
User Since: 16th Feb 2010
System Score: N/A
Location: Copenhagen, DK
Our Chief Security Specialist has issued a blog about this at:
http://secunia.com/blog/90/

We will be adding details about the vulnerability to our advisory once Mozilla has issued version 3.6.2. An in-depth Binary Analysis has been issued to our BA customers.
Pink_Freud RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 19th Mar, 2010 23:09
Score: -11
Posts: 8
User Since: 9th Oct 2009
System Score: 100%
Location: N/A
Last edited on 19th Mar, 2010 23:15
(unknown source)
Then I guess this will vindicate Secunia...as having issued an accurate insecure vulnerability from day one.
Question is...if hatter only just released info to Mozilla....How did Secunia get the info weeks ago. I remain confused. OK, now Mozilla will patch because vendor has reproduced threat only because hatter gave it up. So, does Secunia verify, validate, test, reproduce all reported threats prior to issuing an insecure or does Secunia just report them.
What prompted this turn of events....
Funny how all the actors ~ Secunia ~ Firefox ~ the hatter .... are all vindicated now?
Maybe some times all the pieces just fall into place....or maybe some times the pieces have help?
Guess, I'll have continue to blindly trust Secunia (as I did prior to this issue).
Why did it take FF so long to acknowledge?
Why did the hatter resist till now and now is willing to cooperate?
How did Secunia know the threat was valid all along?
Why has no one else previously reported duplicating the vulnerability?
Why has no one reported having an issue with this threat?
This Secunia Cat4....How did Secunia know...Why was Secunia so certain they were reporting an accurate insecure?
Crystal Ball
http://blog.mozilla.com/security/[/quote]

I can't wait for the movie...

Starring Matt Damon as Mozilla Corp CEO John Lilly, John Malkovich as Evgeny "KGB" Legerov, Edward Norton and Michael Rispoli...
http://www.imdb.com/title/tt0128442/quotes
---------------------------------------------

Mozilla confirms critical Firefox bug
Slates patch for March 30; flaw can't be used in upcoming Pwn2Own hack contest
By Gregg Keizer
March 19, 2010 04:05 PM ET
http://www.computerworld.com/s/article/9173698/Moz...


Computerworld - Mozilla yesterday confirmed a critical vulnerability in the newest version of Firefox, and said it would plug the hole by the end of the month.

Although the patch won't be added to Firefox before next week's Pwn2Own browser hacking challenge, researchers won't be allowed to use the flaw, according to the contest's organizer.

"The vulnerability was determined to be critical and could result in remote code execution by an attacker," Mozilla acknowledged in a post to its security blog late Thursday. "The vulnerability has been patched by developers and we are currently undergoing quality assurance testing for the fix."

As John Lennon once sang: Strange Days, Indeed. Most peculiar Mama.

ETA: Thank you to those Secunia users who have posted on this "conundrum" --most notably bjm.

This posting will now be minimized due to......you know the rest.

Respectfully,
Pink_Freud AKA Joe D.
Was this reply relevant?
+2
-0
bjm__ RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 20th Mar, 2010 00:32
Score: 64
Posts: 374
User Since: 9th Mar 2009
System Score: 100%
Location: US
Last edited on 20th Mar, 2010 00:35
@ Pink_Freud AKA Joe D.

If my wife is watching, I'll be coming straight home after the meeting... and all this lawyer stuff has got me thinkin', maybe later tonight, if you present me with your briefs, I'll recommend a merger.

Cheers
bjm-
This posting will now be minimized due to......you know the rest.
Was this reply relevant?
+2
-3
coopa RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 22nd Mar, 2010 15:31
Score: 2
Posts: 7
User Since: 9th Mar 2010
System Score: N/A
Location: US
Last edited on 22nd Mar, 2010 16:40
EDIT: Let's be fair, folks. If Secunia had been more open about why the bug had been accepted and Mr. Legerov's track record, we would have had little reason to doubt them.

Giving my post a negative relevancy score - for acknowledging that they were right and expressing my belief that Secunia could have avoided ill will by clarifying the advisory sooner - seems like a sheerly vindictive move.

-------------------------------------------------- -------------------------------

Well, well, well. Secnuia gets the last laugh.

However, I think Secunia could take a couple lessons from this.
-Authors should get a page that shows any and all exploits they are credited with and how those exploits were assigned (e.x. were they verified via PoC? Acknowledgment from vendor? Based on trustworthiness of past exploits?)

-Secunia should publicly acknowledge the context on which an exploit was accepted on the exploit page itself.

This would have done a lot to make Secunia's vulnerability assessment/acceptance process a lot more transparent and would have fostered trust in both Secunia and Mr. Legerov.

In addition, the lack of public comment/acknowledgment did little to boost Secunia's credibility. Just explain what you did in the blog post you made today would have gone a long way in keeping peace.
Was this reply relevant?
+1
-1

bjm__

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.
pc.tech1 RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 22nd Mar, 2010 20:13
Score: 7
Posts: 19
User Since: 13th Feb 2010
System Score: N/A
Location: US
Last edited on 22nd Mar, 2010 20:13

- https://wiki.mozilla.org/WeeklyUpdates/2010-03-22#...
WeeklyUpdates/2010-03-22 - "QA and release teams are quickly checking the risk of 1.9.2 patches, to see if we can get 3.6.2 out early this week."
.

--
This machine has no brain.
Use your own.
.
Was this reply relevant?
+3
-0
pc.tech1 RE: Mozilla Firefox Unspecified Code Execution Vulnerability
Member 23rd Mar, 2010 06:25
Score: 7
Posts: 19
User Since: 13th Feb 2010
System Score: N/A
Location: US
Last edited on 23rd Mar, 2010 06:25
Firefox v3.6.2 released
---
From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download:
- http://www.mozilla.com/firefox/all.html

What’s New in Firefox 3.6.2
- http://www.mozilla.com/en-US/firefox/3.6.2/release...
Firefox 3.6.2 fixes the following issues found in previous versions of Firefox 3.6:
* Fixed a critical security issue that could potentially allow remote code execution (see bug 552216).
* Fixed several additional security issues.
* Fixed several stability issues.
Please see the complete list of changes* in this version..."
* https://bugzilla.mozilla.org/buglist.cgi?quicksear...
111 bugs found.

!

--
This machine has no brain.
Use your own.
.
Was this reply relevant?
+3
-0

sigV_26

RE: Mozilla Firefox Unspecified Code Execution Vulnerability
[+]
This reply has been minimised due to a negative Relevancy Score.
ky331 RE: Mozilla Firefox Multiple Vulnerabilities
Member 1st Apr, 2010 16:26
Score: -1
Posts: 10
User Since: 4th Apr 2008
System Score: N/A
Location: US
Last edited on 1st Apr, 2010 16:26
I just implemented the 31 March additional suggestion, to

set the "security.ssl.require_safe_negotiation" preference to "true"

and upon doing so, I can no longer access any secure (https://) sites.
Was this reply relevant?
+1
-0

ky331

RE: Mozilla Firefox Multiple Vulnerabilities
[+]
This reply has been minimised due to a negative Relevancy Score.
luolimao RE: Mozilla Firefox Multiple Vulnerabilities
Member 1st Apr, 2010 21:58
Score: 2
Posts: 9
User Since: 26th Sep 2009
System Score: 100%
Location: N/A
Last edited on 1st Apr, 2010 21:58
1. forcing SSL authentication has a) seemingly nothing to do with the vulnerabilities and b) breaks SSL websites for a significant number of people
2. the problem here is not firefox: ALL code has an unending number of vulnerabilities, and stating them openly only means that the Mozilla community is patching more vulnerabilities faster; it's not a blight, it's (sort of) a compliment.
3. Updating firefox to 3.6.2 is certainly a good idea, because of all the vulnerabilities (including others not mentioned here)
so why is everyone so mad?
Was this reply relevant?
+2
-0

-

You must be logged in to post a comment.



 Products Solutions Customers Partner Resources Company
 
 Corporate
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Consumer
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
 Industry
Compliance
Technology
Integration
 Customers
Testimonials
 MSSP
Technology Partners
References
 Reports
Webinars
Events
 About us
Careers
Memberships
Newsroom


Secunia is a member of FIRST Secunia is a member of EDUcause Secunia is a member of The Open Group Secunia is a member of FS-ISAC
 
Secunia © 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability - Disclaimer
follow Secunia on Facebook follow Secunia on Twitter follow Secunia on LinkedIn follow Secunia on YouTube follow Secunia Xing follow Secunias RSS feed follow Secunia on Google+