So Firefox 3.5 is available and it has quickly
become a hot download item, with almost 24 million
downloads worldwide so far. The browser itself is
touted as faster, safer and just better —
but that's no reason not to be cautious.
One
of our Vulnerability Analysts turned up
this video
the other day. The video title says "Firefox
Exploit" but so far in our analysis, it looks like
the exploits aren't really targeting Firefox.
The
attack itself is rather comprehensive —
there are at least 3 exploits being tried and
their execution is a little involved. The exploits
target vulnerable Adobe Flash players
(CVE-2007-0071) and Microsoft ActiveX Controls
(CVE-2008-0015). The last exploit has been making
the rounds in the wild recently.
Still,
the vector being used is the tried and true route
of a vulnerable web application. So it's basically
the same old hole in a brand new dress. Updating
the browser — good. Not updating web apps at
the same time — not so good. Just as a
precaution, don't forget to update all your
plugins, apps and so on when you update your
browser!
Having said that, our Exploit
team is currently digging deeper into certain
features of the exploits. We'll add updates if and
when any more interesting features turn up.
—————
Updated to add: The exploits in the malicious website are
targeting the following vulnerabilities:
Three
of the vulnerabilities are related to ActiveX
Controls. CVE-2009-1136 is the subject of the
latest Microsoft Security Advisory (973472) and is
also the subject of one of our later posts (see
above). Visiting the malicious site with Internet
Explorer 6 and 7 caused the browsers to crash and
the payload to run.
It looks like the
only vulnerability that has more impact on Firefox
3.5 is CVE-2007-0071, which affects Flash players.
Visiting the website with the latest Flash player,
or without it installed, may not trigger the
drive-by download.
Still, that doesn't
mean the user is 100% protected if they do visit
the website. The site's contents appears to have
changed since that video came out, so it is
possible the exploits (and targeted
vulnerabilities) have changed as well.
So
whatever browser or web app version is installed,
just don't visit a known malicious website.
—————
Updated again to add: An actual exploit targeting the Firefox 3.5
browser itself – rather than an outdated web
app or plugin – has since been
reported.