Fx 3.6.2 Release Candidate fixes critical vulnerability


Post by Alan Baxter »

http://blog.mozilla.com/security/2010/0 ... y-sa38608/
Mozilla was contacted by Evgeny Legerov, the security researcher who discovered the bug referenced in the Secunia report, with sufficient details to reproduce and analyze the issue. The vulnerability was determined to be critical and could result in remote code execution by an attacker. The vulnerability has been patched by developers and we are currently undergoing quality assurance testing for the fix. Firefox 3.6.2 is scheduled to be released March 30th and will contain the fix for this issue. As always, we encourage users to apply this update as soon as it is available to ensure a safe browsing experience. Alternatively, users can download the current Beta build of Firefox 3.6.2, which contains the fix from here: https://ftp.mozilla.org/pub/mozilla.org ... es/build3/

Post by Giorgio Maone »

In the meanwhile (having seen the private details), I can confirm NoScript (in its default configuration, and even better in "apply these restrictions to trusted sites" mode) has been protecting its users against this vulnerability.

Post by Alan Baxter »

Thank you for the confirmation. After backing up my profile and Fx 3.6 installation, I went ahead and updated to Fx 3.6.2. I also updated my Fx 3.6 beta installation. It is an official RC that's been pushed to the beta testers.

Post by al_9x »

Giorgio Maone wrote: In the meanwhile (having seen the private details)
Giorgio, do you know why the details are so private that Mozilla doesn't even provide workarounds to the users? In this case there were two, gfx.downloadable_fonts.enabled, and the NoScript @font-face setting.

Post by therube »

Security related bugs are almost always private - until the exploit has been publicly disclosed.
Gives them additional time to review, fix, & put a release out.

Once disclosed publicly (including methods of attack), it no longer makes sense to keep the bug private.

In the same way, even though this affected 3.6, there may be similar (though different) exploits that affect older versions, & so they still may not want to fully disclose until they've closed those avenues too.

Post by Giorgio Maone »

al_9x wrote: do you know why the details are so private that Mozilla doesn't even provide workarounds to the users?
In this very case, the first work-around you suggested would have probably given away too many details about the nature of the vulnerability, and script kiddies would have started to aggressively fuzz the font parser to find it (not that I believe they're not doing this right now). I agree that saying "using NoScript mitigates the risk" would have been innocuous from this point of view: it's what I did in my blog, and Daniel Veditz commented about it on the official blog entry as well.

Please notice, though, that as soon as Mozilla had enough details to fix this issue, since the fix was quite simple, the most effective of work-arounds has been promptly made available, i.e. Fx 3.6.2RC3.

Therefore, IMHO, suggesting to disable web fonts altogether was not worth the risk explained above and, since this is not exactly the most visible of the settings, people would have probably forgotten to enable them back later.

Talking about NoScript itself, rather than to suggest a work-around for the bug at hand, was more meant to reassure its users about the protection they had enjoyed while the vulnerability was unknown (like for most other unknown vulnerabilities which are still present).

Post by al_9x »

Giorgio Maone wrote: the first work-around you suggested would have probably given away too many details about the nature of the vulnerability
Hiding vulnerability details only makes sense when the disclosure is truly private by a true (proven, trusted) white hat. In this case potential "bad guys" had access to it for a month; in fact, it seemed for a while that Mozilla might never have been given the details. Under such circumstances, hiding the workarounds only prevents users from protecting themselves.