Tuesday, July 14, 2009

First Zero Day Exploit for Firefox 3.5

Via h-online.com -

The exploit portal Milw0rm has published an exploit for Firefox 3.5. The exploit demonstrates a security vulnerability by starting the Windows calculator. In testing by heise Security, the exploit crashed Firefox under Vista, but security service providers Secunia and VUPEN confirmed that attackers using prepared websites can infect PCs. The cause of the problem is a buffer overflow when processing specially prepared Font tags.

The Mozilla Foundation has been informed about the problem, but so far has not responded to queries by heise Security. An update does not currently exist. So far there are no reports of sites on the internet being first to use the hole for active infections and exploitation of Windows PCs. Since the published exploit uses PC heap spraying under JavaScript, disabling JavaScript should act as a stop gap. When the exploit was tested with Windows 7 RC1, after a short time, the browser displayed a dialogue offering to abort the script.

See also:

No comments:

Post a Comment