NIST Site Search
Search NIST.GOV
Custom Search
[Official NIST.GOV TIME]
Product Research

Advertise on this site
Firefox JavaScript Reentrant Vulnerability
Two Hackers at the ToorCon hacker conference demonstrated a flaw in Firefox that could lead to arbitrary code execution. The problem is with how Firefox implements JavaScript. Easy mitigation step, see below. (Updates: Proof of Concept code posted... The two hackers may have overstated the problem.) No Longer Supported
If you just want the skinny on the Firefox vulnerability click here. We're starting off with a little background on Javascript. See important Updates below.

We've said it many times before, the Internet is not a safe place, diligence is key. Though we feel that Firefox is more secure than Internet Explorer this is large part due to the lack of ActiveX support. But there are many other avenues to attack the web browser other than ActiveX. One of those is Javascript. Javascript is a interpreted programming language that works on the client side of the connection (as opposed to the server side). When your web browser loads a web page and sees Javascript on the page it interprets the code and does what its told to do. This sounds inherently dangerous since you have no control over what may be hidden in the HTML of some web page. But Javascript was written from the ground up to run within the confines of the web browser and as such its powers are limited. Most often used for simple tasks such as mouse rollovers (eg; changing a graphic when you highlight a button, or changing a text color when you float the cursor over the text) or validating form input. It is also often used in flyout style menus. It is usually harmless.

But the bad guys have figured out ways to use it maliciously. One such use is in Cross-Site Scripting (XSS) where Javascript is fed through some site's form entry (etc) that will echo it back to the user. When this is done it appears that whatever the Javascript did in the browser actually came from the website. So when you think you are entering your pin number on the banks site you may actually be entering it on the phishing / hackers site (there are other malicious uses for XSS as well). XSS vulnerable sites are everywhere. This author went hunting for them and found 2 major media sites that are vulnerable in less than 20 minutes.

Because Javascript must be interpreted by the browser to do things any oversight on the part of the browser programmers could be disastrous. A simple example would be Javascript used to load an image, if that routine could instead be used to load a local file with parameters a hacker could use this to run commands to download and start any malicious content they wanted. This would, in affect, make Javascript as dangerous as ActiveX (ActiveX can do almost anything if you let it. Its very powerful, it can also be very dangerous if used or configured incorrectly). These type problems with Javascript are rare but have come up from time to time.

Latest Firefox JavaScript Reentrant Vulnerability: (see updates below)

Two self-professed hackers, Mischa Spiegelmock and Andrew Wbeelsoi, gave a slide show at the ToorCon hacker conference showing Firefox being exploited to run arbitrary code. According to Spiegelmock the Firefox Javascript implementation is a "complete mess," and "is impossible to patch." Of course this this comes from a couple of hackers who's presentation was described on ToorCon as "New ways of getting your load onto your quivering victim's stack Reaching into the hearts and minds (also the genitals) of users" and comments in the slide presentation like "Hahahahahahaha stick that in your pipes and smoke it Firefox fanboys!". According to people who saw the presentation it appeared to show enough to figure out how to recreate the exploit. So far the vulnerability has not been confirmed and it is possible this is all a ruse or greatly exaggerated. But the folks at Mozilla seem to have seen enough to be taking this serious.

Of course this could also be the real deal. If that is the case Firefox has a very potent vulnerability just waiting to be exploited. Javascript can often be loaded in to bulletin board posts and blogs so random surfing would not be safe. Of course it can also be used in targeted attacks via eMail links, or loaded on to compromised web servers. It will be imperative that this get fixed quickly. If you are using a pre-1.5 version of Firefox and don't want to upgrade you should install the NoScript Extension (see below) immediately. Firefox 1.5x will be updated to fix this problem, previous versions will not.

The vulnerability as presented could lead to running arbitrary executable code within the security context of the user. In other words make Firefox install whatever the bad guys want installed assuming your login has the rights to install software.

Mitigation:
  • If you run Firefox you should immediately install the NoScript Extension. This script will prompt you when a page tries to run Javascript and give you the option to let it run. You can tell it to run just for this browser session or you can whitelist the site so that it always runs Javascript from that site. Some sites are very dependent on Javascript and won't show you anything without it. Some sites display nicely without it. We recommend whitelisting sites you visit often. Unless you do you'll never know what content you're missing out on. Some of the content might load using standard HTML, other content might load using JavaScript. For instance this site uses Javascript in several of the sidebar boxes.
  • You could use Internet Explorer since it is not vulnerable to this particular bug. But it currently has several unpatched vulnerabilities of its own. Since it still commands about 75-80% of the browser market hackers often target its vulnerabilities harder than those in Firefox (besides their is a "stick it to the man" mentality in attacking MS).


References:


Updates:
  • If you can't trust a couple of hackers who can you trust!! Quotes from Mozilla's interview with one of the two hackers that gave the presentation: "The main purpose of our talk was to be humorous." "I personally have not gotten it to result in code execution, nor do I know of anyone who has." The PoC can lead to a browser crash. They also admitted to not having "30 undisclosed Firefox vulnerabilities".
  • Proof of Concept code has been posted on the web. Now its only a matter of time before this vulnerability is exploited in the wild.


Vulnerable - Windows, Mac, Linux. Apparently all versions of Firefox.

Share or Bookmark this Article Using:
No Longer Supported



Google
WebNIST.org
NIST.govSecurityFocus.com





Posted by NIST.org on Monday 02 October 2006 - 04:13:29 | |printer friendly
Translate to: French German Italian Spanish Portuguese GTM_LAN_DUTCH Russian Chinese Arabic Korean English
Google Ads




Headlines

»CVE-2013-4312
The Linux kernel before 4.4.1 allows local users to bypass file-descriptor limits and cause a denial ...
»CVE-2014-9757
The Ignite Realtime Smack XMPP API, as used in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0, allows remote configured XMPP servers to execute arbitrary Java code via serialized data in an XMPP message.
»CVE-2015-2012
The MQXR service in WMQ Telemetry in IBM WebSphere MQ 7.1 before 7.1.0.7, 7.5 through 7.5.0.5, and 8 ...
»CVE-2015-3251
Apache CloudStack before 4.5.2 might allow remote authenticated administrators to obtain sensitive p ...
»CVE-2015-3252
Apache CloudStack before 4.5.2 does not properly preserve VNC passwords when migrating KVM virtual m ...
»CVE-2015-6398
Cisco Nexus 9000 Application Centric Infrastructure (ACI) Mode switches with software before 11.0(1c ...
»CVE-2015-7513
arch/x86/kvm/x86.c in the Linux kernel before 4.4 does not reset the PIT counter values during state ...
»CVE-2015-7550
The keyctl_read_key function in security/keys/keyctl.c in the Linux kernel before 4.3.4 does not pro ...
»CVE-2015-7566
The clie_5_attach function in drivers/usb/serial/visor.c in the Linux kernel through 4.4.1 allows ph ...
»CVE-2015-7675
The "Send as attachment" feature in Ipswitch MOVEit DMZ before 8.2 and MOVEit Mobile before 1.2.2 al ...
»CVE-2015-7677
The MOVEitISAPI service in Ipswitch MOVEit DMZ before 8.2 provides different error messages dependin ...
»CVE-2015-7678
Multiple cross-site request forgery (CSRF) vulnerabilities in Ipswitch MOVEit Mobile 1.2.0.962 and e ...
»CVE-2015-7679
Cross-site scripting (XSS) vulnerability in Ipswitch MOVEit Mobile before 1.2.2 allows remote attack ...
»CVE-2015-7680
Ipswitch MOVEit DMZ before 8.2 provides different error messages for authentication attempts dependi ...
»CVE-2015-7914
Sauter EY-WS505F0x0 moduWeb Vision before 1.6.0 allows remote attackers to bypass authentication by ...


Date published: 2016-02-11T05:50:00Z
Details

»Cisco Releases Security Update
Original release date: February 10, 2016 | Last revised: February 11, 2016 Cisco has released ...
»Microsoft Releases February 2016 Security Bulletin
Original release date: February 09, 2016 Microsoft has released 13 updates to address vulnera ...
»Google Releases Security Update for Chrome
Original release date: February 09, 2016 Google has released Chrome version 48.0.2564.109 to ...
»Adobe Releases Security Updates
Original release date: February 09, 2016 Adobe has released security updates to address vulne ...
»Oracle Releases Security Updates for Java
Original release date: February 08, 2016 Oracle has released security updates to address a vu ...
»Comodo Chromodo Browsers Vulnerable to Cross-Domain Attacks
Original release date: February 04, 2016 Some Comodo Chromodo browser versions (45.8.12.392, ...
»WordPress Releases Security Update
Original release date: February 02, 2016 WordPress 4.4.1 and prior versions contain two secur ...
»FTC Announces Enhancements to IdentityTheft.gov
Original release date: January 29, 2016 The Federal Trade Commission (FTC) has upgraded its I ...
»OpenSSL Releases Security Advisory
Original release date: January 28, 2016 OpenSSL versions 1.0.2f and 1.0.1r have been released ...
»Cisco Releases Security Update
Original release date: January 27, 2016 Cisco has released a security update to address a vul ...


Date published: not known
Details

»Throwback Thursday: The Thin Blue Line
This Throwback Thursday, VB heads back to 1994 when UK Fraud Squad ...
»Welcome to virusbulletin.com
Almost 20 years after Virus Bulletin revealed its first site on the ...
»VB2015 video: TurlaSat: The Fault in our Stars
In a presentation at VB2015 in Prague, Kaspersky Lab researcher Kur ...
»Security vendors should embrace those hunting bugs in their products
When interviewed by the Risky Business podcast last week, VB Editor ...
»February
Anti-virus and security related news provided by independent anti-v ...
»More VB Conference papers and videos published
More VB2014 Conference papers and videos published - 11 papers and ...
»Throwback Thursday: Peter-II - Three Questions of The Sphinx
This Throwback Thursday, VB heads back to 1993, when an ordinary me ...
»VB2015 paper: Effectively testing APT defences
Simon Edwards discusses how to test the potentially untestable. ...
»VB2015 paper: The ethics and perils of APT research: an unexpected transition into intelligence brokerage
Juan Andrés Guerrero-Saade discusses the perils and ethical conundr ...


Date published: not known
Details
Main Menu
· Home
Current Security News
 
US-CERT Current Activity

» Cisco Releases Security Update
[10 Feb 2016 10:17am]

» Microsoft Releases February 2016 Security Bulletin
[09 Feb 2016 03:44pm]

» Google Releases Security Update for Chrome
[09 Feb 2016 03:18pm]

» Adobe Releases Security Updates
[09 Feb 2016 11:01am]

» Oracle Releases Security Updates for Java
[08 Feb 2016 02:20pm]

» Comodo Chromodo Browsers Vulnerable to Cross-Domain Attacks
[04 Feb 2016 05:53pm]

» WordPress Releases Security Update
[02 Feb 2016 02:46pm]

» FTC Announces Enhancements to IdentityTheft.gov
[29 Jan 2016 03:36pm]

» OpenSSL Releases Security Advisory
[28 Jan 2016 02:11pm]

» Cisco Releases Security Update
[27 Jan 2016 03:40pm]

***
US-CERT Alerts

» TA15-337A: Dorkbot
[03 Dec 2015 04:40pm]

» TA15-314A: Compromised Web Servers and Web Shells - Threat Awareness and Guidance
[10 Nov 2015 06:12pm]

» TA15-286A: Dridex P2P Malware
[13 Oct 2015 05:23am]

» TA15-240A: Controlling Outbound DNS Access
[28 Aug 2015 11:31am]

» TA15-213A: Recent Email Phishing Campaigns – Mitigation and Response Recommendations
[01 Aug 2015 04:01pm]

» TA15-195A: Adobe Flash and Microsoft Windows Vulnerabilities
[14 Jul 2015 05:13pm]

» TA15-120A: Securing End-to-End Communications
[29 Apr 2015 10:00pm]

» TA15-119A: Top 30 Targeted High Risk Vulnerabilities
[28 Apr 2015 10:00pm]

» TA15-105A: Simda Botnet
[15 Apr 2015 06:51am]

» TA15-103A: DNS Zone Transfer AXFR Requests May Leak Domain Information
[13 Apr 2015 01:36pm]

***
Computerworld Security

» ENCRYPT Act co-sponsor learned tech ropes at Microsoft
[11 Feb 2016 03:29pm]

» Data destruction 101: There's more to it than wiping your drive [Infographic]
[11 Feb 2016 10:00am]

» Critical flaw exposes Cisco security appliances to remote hacking
[11 Feb 2016 08:19am]

» House bill would prevent patchwork of state laws banning smartphone encryption
[11 Feb 2016 04:45am]

» Encryption boost from U.S. House bill: Stop States’ smartphone stupidity
[11 Feb 2016 04:37am]

» Android root malware is widespread in third-party app stores
[10 Feb 2016 04:07pm]

» SAP slaps a patch on leaky factory software
[10 Feb 2016 09:06am]

» Microsoft fixes 36 flaws in IE, Edge, Office, Windows, .NET Framework
[10 Feb 2016 08:34am]

» Government may tap into your IoT gadgets and use your smart devices to spy on you
[10 Feb 2016 08:20am]

» Poseidon hacker group behind long-running extortion scheme
[10 Feb 2016 06:04am]

» Setting up a Windows 10 picture PIN
[10 Feb 2016 06:00am]

» U.S. regulator: A Google computer could qualify as car driver
[10 Feb 2016 05:51am]

» Google will stop accepting new Flash ads on June 30
[10 Feb 2016 05:18am]

» Identity thieves obtain 100,000 electronic filing PINs from IRS system
[10 Feb 2016 05:13am]

» IDG Contributor Network: Microsoft delivers major updates to Internet Explorer and Adobe Flash Player
[10 Feb 2016 04:54am]

***
Microsoft Security Advisories

» 3137909 - Vulnerabilities in ASP.NET Templates Could Allow Tampering - Version: 1.1
[10 Feb 2016 12:00am]

» 2871997 - Update to Improve Credentials Protection and Management - Version: 5.0
[09 Feb 2016 12:00am]

» 3123479 - Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program - Version: 1.0
[12 Jan 2016 12:00am]

» 3109853 - Update to Improve TLS Session Resumption Interoperability - Version: 1.0
[12 Jan 2016 12:00am]

» 3118753 - Updates for ActiveX Kill Bits 3118753 - Version: 1.0
[12 Jan 2016 12:00am]

» 2755801 - Update for Vulnerabilities in Adobe Flash Player in Internet Explorer and Microsoft Edge - Version: 53.0
[05 Jan 2016 12:00am]

» 3057154 - Update to Harden Use of DES Encryption - Version: 1.1
[08 Dec 2015 12:00am]

» 3123040 - Inadvertently Disclosed Digital Certificate Could Allow Spoofing - Version: 1.0
[08 Dec 2015 12:00am]

» 3119884 - Inadvertently Disclosed Digital Certificates Could Allow Spoofing - Version: 1.0
[30 Nov 2015 12:00am]

» 3108638 - Update for Windows Hyper-V to Address CPU Weakness - Version: 1.0
[10 Nov 2015 12:00am]

» 3097966 - Inadvertently Disclosed Digital Certificates Could Allow Spoofing - Version: 2.0
[13 Oct 2015 01:00am]

» 2960358 - Update for Disabling RC4 in .NET TLS - Version: 2.0
[13 Oct 2015 01:00am]

» 3042058 - Update to Default Cipher Suite Priority Order - Version: 1.1
[13 Oct 2015 01:00am]

» 3083992 - Update to Improve AppLocker Publisher Rule Enforcement - Version: 1.0
[08 Sep 2015 01:00am]

» 3074162 - Vulnerability in Microsoft Malicious Software Removal Tool Could Allow Elevation of Privilege - Version: 1.0
[14 Jul 2015 01:00am]

***
WIRED » Security

» Encryption Is Worldwide: Yet Another Reason Why a US Ban Makes No Sense
[11 Feb 2016 10:23am]

» New Bill Aims to Stop State-Level Decryption Before It Starts
[10 Feb 2016 01:27pm]

» Obama’s Cybersecurity Plan is Meant to Secure His Legacy
[10 Feb 2016 05:00am]

» How to Hack the Power Grid Through Home Air Conditioners
[09 Feb 2016 08:40am]

» Donate Your Old USB Drives to Fight North Korean Brainwashing
[09 Feb 2016 07:00am]

» Obama’s New Cybersecurity Plan Sticks to the Most Basic Basics
[09 Feb 2016 03:01am]

» Hack Brief: Hacker Leaks the Info of Thousands of FBI and DHS Employees
[08 Feb 2016 01:33pm]

» It’s Been 20 Years Since This Man Declared Cyberspace Independence
[08 Feb 2016 07:58am]

» Take a Trip to a Time When Viruses Still Called You Names
[08 Feb 2016 05:00am]

» Security News This Week: The White House Bans Its Own Security Researcher
[06 Feb 2016 05:00am]

***
Network World Security

» Hackers of two Ukrainian utilities probably hit mining and railroad targets, too
[11 Feb 2016 04:32pm]

» NextNine's security platform helps to reduce industrial cyber risks
[11 Feb 2016 01:23pm]

» With new startup, Check Point Software co-founder bets on perimeter-less security
[11 Feb 2016 09:43am]

» Schneier: terrorists will switch to more secure alternatives to avoid encryption backdoors
[11 Feb 2016 07:29am]

» REVIEW: Cyphort makes advanced threat protection easier than ever
[25 Jan 2016 04:00am]

» Two network video cameras raise the bar for home security
[19 Jan 2016 12:20pm]

» FidSafe: A cloud service for important documents (and the price is right)
[15 Jan 2016 06:23pm]

» Best open source email security products
[11 Jan 2016 04:00am]

» REVIEW: MailScanner and ScrolloutF1 are standouts in open source email security
[11 Jan 2016 04:00am]

» Piper nv: An ambitious home monitoring and automation system
[09 Jan 2016 04:09pm]

» Sentri wants to guard your home but isn't very good at it yet
[20 Dec 2015 04:11pm]

» Dog and Bone LockSmart: The padlock rethought
[19 Dec 2015 12:53pm]

» Review: Best password managers for the enterprise
[07 Dec 2015 04:00am]

» Schneier: terrorists will switch to more secure alternatives to avoid encryption backdoors
[11 Feb 2016 07:29am]

» Indegy finds out when industrial controls go bad (think Stuxnet)
[11 Feb 2016 07:02am]

***


More IT Security
News Feeds
More Sponsors

Advertise on this site
RSS Feeds
Our news can be syndicated by using these rss feeds.
rss1.0
rss2.0
rdf
Symantec News

NIST.org is in no way connected to the U.S. government site NIST.gov

This site is © John Herron, CISSP. All Rights Reserved.

Please visit daily to stay up to date on all your IT Security compliance issues.

http://www.nist.org -
Hosted by BlueHost. We've never had a better hosting company.
{THEMEDISCLAIMER}