March 30, 2009
Summary:
- This vulnerability affects: Firefox 3.0.7 (and previous versions) for Windows, Linux, and Macintosh
- How an attacker exploits it: Multiple vectors of attack, including enticing one of your users to visit a malicious web page
- Impact: Various results; in the worst case, an attacker executes code on your user’s computer, gaining complete control of it
- What to do: Upgrade to Firefox 3.0.8
Exposure:
Late Friday, the Mozilla Foundation released Firefox 3.0.8, fixing two zero day security vulnerabilities in their popular web browser. We summarize the vulnerabilities below:
- XSL transformation vulnerability (2009-012). Firefox suffers from a flaw that Mozilla describes as an XSL transformation vulnerability. Firefox doesn’t properly parse a particular Extensible Stylesheet Language (XSL) element, which could lead to a memory corruption. By enticing you to a malicious web site containing a specially crafted XSL element, a remote attacker could exploit this memory corruption to either crash Firefox, or potentially execute code on your computer with your privileges. If you have local administrative, or root privileges, the attacker could leverage this flaw to gain complete control of your machine. This is the same zero day flaw we described in a Wire post last week. Mozilla Impact rating: Critical
- XUL tree element code execution vulnerability (2009-013). Firefox suffers from a code execution flaw involving the way it handles a particular XML User Interface Language (XUL) method. By enticing one of your users to a malicious web site, a remote attacker could exploit this flaw to execute code on that user’s computer with that user’s privileges. If your users have local administrative, or root privileges, the attacker could leverage this flaw to gain complete control of their machines. This is one of the Pwn2Own browser vulnerabilities we described in a Wire post a few weeks ago.
Visit Mozilla’s Known Vulnerabilities page for a complete list of the vulnerabilities that this update fixes. Since this update fixes zero day vulnerabilities, we consider it a high priority. A researcher has already released exploit code for one of these flaws. The other was very publicly exposed at a popular security conference. We expect malicious attackers to quickly begin leveraging at least one of these flaws so you should patch as quickly as you can.
Solution Path:
Mozilla has updated Firefox 3, correcting these security vulnerabilities. If you use Firefox in your network, we recommend that you download and deploy version 3.0.8 as soon as possible. We recommend that 1.5.x and 2.x users migrate to 3.0.8 now.
Note: The latest versions of Firefox 3.0 automatically inform you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify that you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that “Firefox” is checked under “Automatically check for updates.” In this menu, you can configure Firefox to always download and install any update, or if you prefer, only to inform the user that an update exists.
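As an added illustration (not part of the original post or of Mozilla's code), the Python check below flags a Firefox version older than 3.0.8 and reports whether the update settings described above have been switched off. It reads a profile's prefs.js file (a constructed sample is embedded) and assumes the preference names app.update.enabled and app.update.auto, the about:config keys behind the "Automatically check for updates" and "automatically download and install" options.

```python
import re

# Firefox release that fixes MFSA 2009-12 and 2009-13 (from the advisory above)
FIXED_VERSION = (3, 0, 8)

# prefs.js stores only user overrides, one per line: user_pref("name", value);
_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample prefs.js: update checks have been turned off on this profile
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("app.update.enabled", false);
user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1238000000);
user_pref("browser.startup.homepage", "http://example.com/");
"""


def parse_version(text):
    """Turn '3.0.7' or '2.0.0.20' into a comparable tuple of ints; suffixes like 'b1' are ignored."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_vulnerable(version):
    """True when the reported Firefox version predates the fixed release."""
    return parse_version(version) < FIXED_VERSION


def parse_prefs(text):
    """Parse user_pref lines into a dict of typed values (bool, int or str)."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw.strip('"')
        else:
            prefs[name] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs


def audit(version, prefs_text):
    """Return a list of findings for one install; an empty list means nothing to fix."""
    prefs = parse_prefs(prefs_text)
    findings = []
    if is_vulnerable(version):
        findings.append(f"Firefox {version} is older than 3.0.8: upgrade")
    # Both prefs default to true, so only an explicit false override is a problem
    if prefs.get("app.update.enabled", True) is False:
        findings.append("automatic update checks are disabled (app.update.enabled=false)")
    if prefs.get("app.update.auto", True) is False:
        findings.append("updates are not installed automatically (app.update.auto=false)")
    return findings
```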
For All Users:
Many of these attacks arrive as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.
Status:
The Mozilla Foundation has released Firefox 3.0.8, fixing these security issues.
References: