CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
February 19th, 2010

Attack Code For Mozilla’s Firefox Zero-day Vulnerability Released By Researcher

A Russian security researcher on Thursday said he has released attack code that exploits a critical vulnerability in the latest version of Mozilla’s Firefox browser.

The exploit – which allows attackers to remotely execute malicious code on end user PCs – triggers a heap corruption vulnerability in the popular open-source browser, said Evgeny Legerov, founder of Moscow-based Intevydis. He recently added it as a module to Vulndisco, an add-on to the Immunity Canvas automated exploitation system sold to security professionals.

“We’ve played a lot with it in our labs – it was very reliable,” Legerov wrote in an email to The Reg. “Works against the default install of Firefox 3.6. We’ve tested it on XP and Vista.”

The report comes as Mozilla pushed out a Firefox update that tackles three critical vulnerabilities in version 3.5.7. One of those bugs is also described as a heap corruption vulnerability, but Legerov said the flaw is different from the one his code exploits.

Mozilla issued a statement that read in part: “Mozilla takes all security vulnerabilities seriously, and have as yet been unable to confirm the claim of an exploit. We value the contributions of all security researchers and encourage them to work within our security process, responsibly disclosing vulnerabilities to ensure the highest level of security and best outcome for users.”

Legerov said his firm does not provide advanced notification to software makers under an arrangement often referred to as responsible disclosure.

If Legerov’s claim pans out, it would be one of the few times in recent memory that a zero-day vulnerability for Firefox has circulated in the wild. While the exploit is currently available only to those who pay a hefty licensing fee, wider circulation can’t be far behind.

Credit: The Register
