Attack code published for Firefox flaw
Open-source project is criticized for underrating bugs
IDG News Service - A hacker Tuesday published code that exploits a vulnerability found in the latest version of Mozilla Corp.'s Firefox browser.
The code, which targets the Firefox 1.5 browser, was posted Tuesday on The Metasploit Project site by a hacker known as H D Moore. Metasploit is a widely used hacking tool.
Moore said that a hacker by the name of Georgi Guninski reported the flaw to the Mozilla Foundation on Dec. 6, and that he had simply implemented and posted the technique described by Guninski.
Mozilla published an advisory about the exploit last Wednesday as it released the Firefox 188.8.131.52 browser, which included a patch for the flaw. According to the advisory, the vulnerability, which had been rated as moderate, causes a corruption in the browser's memory that could be exploitable to run arbitrary code. Specifically, calling the "QueryInterface" method of the built-in Location and Navigator objects of the browser could allow a hacker to take over a Firefox 1.5 user's system by tricking the user into viewing a maliciously encoded Web page.
Hacker Aviv Raff on Tuesday criticized Mozilla in his blog for under-rating the flaw. He has blasted the open-source group in the past for downplaying the seriousness of vulnerabilities that have been found in its software.
"My guess is that they are waiting for an exploit in the wild before they are going to rate any exploitable memory corruption vulnerability as 'Critical,'" Raff wrote Tuesday.
Chris Beard, vice president of products at Mozilla, said Tuesday that the company was not aware of any known exploits to the flaw when it published the advisory, and so rated the vulnerability as moderate. However, the flaw will now be reclassified as "critical" since there is a possibility for remote code execution, he said.
The only version of the browser that is affected by the flaw is Firefox 1.5; older versions do not appear to be vulnerable, according to Mozilla. Moreover, most Firefox 1.5 users should now have automatically downloaded the software patch, thanks to the built-in automatic updates that Firefox now uses.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Mobile Applications Case Study: 8 Billion Transactions a Day The story documents how the online brokerage company tradeMONSTER created a custom mobile app and the success gleaned from this initiative. Also covered...
- Mobile Apps and Devices Slash Customer Cycle Time Consolidated Engineering Laboratories' field employees used to collect data on triplicate forms that were sometimes hard to read and difficult to manage. After...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources... All Malware and Vulnerabilities White Papers | Webcasts