Feeds

Attack code for Firefox zero-day goes wild, says researcher

Black hats, take note

5 things you didn’t know about cloud backup

A Russian security researcher on Thursday said he has released attack code that exploits a critical vulnerability in the latest version of Mozilla's Firefox browser.

The exploit - which allows attackers to remotely execute malicious code on end user PCs - triggers a heap corruption vulnerability in the popular open-source browser, said Evgeny Legerov, founder of Moscow-based Intevydis. He recently added it as a module to Vulndisco, an add-on to the Immunity Canvas automated exploitation system sold to security professionals.

"We've played a lot with it in our labs - it was very reliable," Legerov wrote in an email to The Reg. "Works against the default install of Firefox 3.6. We've tested it on XP and Vista."

The report comes as Mozilla pushed out a Firefox update that tackles three critical vulnerabilities in version 3.5.7. One of those bugs is also described as a heap corruption vulnerability, but Legerov said the flaw is different from the one his code exploits.

Mozilla issued a statement that read in part: "Mozilla takes all security vulnerabilities seriously, and have as yet been unable to confirm the claim of an exploit. We value the contributions of all security researchers and encourage them to work within our security process, responsibly disclosing vulnerabilities to ensure the highest level of security and best outcome for users."

Legerov said his firm does not provide advanced notification to software makers under an arrangement often referred to as responsible disclosure.

If Legerov's claim pans out, it would be one of the few times in recent memory that a zero-day vulnerability for Firefox has circulated in the wild. While the exploit is currently available only to those who pay a hefty licensing fee, wider circulation can't be far behind. This story will be updated as more is learned.

More about the bug is here and here. ®

This story was updated to correct an inaccuracy about the availability of Immunity Canvas.

Next gen security for virtualised datacentres

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.