NEWS FROM THE LAB - Monday, July 13, 2009

Updated Browser, Old-school Attack
Posted by Alia @ 07:41 GMT

So Firefox 3.5 is available and it has quickly become a hot download item, with almost 24 million downloads worldwide so far. The browser itself is touted as faster, safer and just better — but that's no reason not to be cautious.

One of our Vulnerability Analysts turned up this video the other day. The video title says "Firefox Exploit" but so far in our analysis, it looks like the exploits aren't really targeting Firefox.

The attack itself is rather comprehensive — there are at least 3 exploits being tried and their execution is a little involved. The exploits target vulnerable Adobe Flash players (CVE-2007-0071) and Microsoft ActiveX Controls (CVE-2008-0015). The last exploit has been making the rounds in the wild recently.

Still, the vector being used is the tried and true route of a vulnerable web application. So it's basically the same old hole in a brand new dress. Updating the browser — good. Not updating web apps at the same time — not so good. Just as a precaution, don't forget to update all your plugins, apps and so on when you update your browser!

Having said that, our Exploit team is currently digging deeper into certain features of the exploits. We'll add updates if and when any more interesting features turn up.


Updated to add: The exploits in the malicious website are targeting the following vulnerabilities:

  •  CVE-2009-1136
  •  CVE-2008-0015
  •  CVE-2008-2463
  •  CVE-2007-0071

Three of the vulnerabilities are related to ActiveX Controls. CVE-2009-1136 is the subject of the latest Microsoft Security Advisory (973472) and is also the subject of one of our later posts (see above). Visiting the malicious site with Internet Explorer 6 and 7 caused the browsers to crash and the payload to run.

It looks like the only vulnerability that has more impact on Firefox 3.5 is CVE-2007-0071, which affects Flash players. Visiting the website with the latest Flash player, or without it installed, may not trigger the drive-by download.

Still, that doesn't mean the user is 100% protected if they do visit the website. The site's content appears to have changed since that video came out, so it is possible the exploits (and targeted vulnerabilities) have changed as well.

So whatever browser or web app version is installed, just don't visit a known malicious website.


Updated again to add: An actual exploit targeting the Firefox 3.5 browser itself – rather than an outdated web app or plugin – has since been reported.