** HEAD'S UP ** FireFox Java Vulnerability

Greeting's

A new vulnerability has been discovered in Mozilla FireFox V 1.x which can be used remotely to gain access to potentianlly sensitive information.

Original Advisory : https://bugzilla.mozilla.org/show_bug.cgi?id=288688

Other reference advisory : http://secunia.com/advisories/14820/

A proof of concept is found here : http://secunia.com/mozilla_products_...exposure_test/

Above link can be used to test if your system is vulnerable to the exploit. Each time you click on the link 10 Kb of memory will read from your system. BUT NOTE I TRIED IT MORE THEN 6 TIMES AND MY BROWSER CRASHED.

Currently no patch is released but this vulnerability can be fixed by DISABLING JAVA SUPPORT.


Other Reference : http://cubic.xfo.org.ru/index.cgi?read=53004

This exploit is classified as : "Moderately critical".

Blast - That's got me!

Thanx for the heads up

Steve

Interesting. Anyone got IE that could try it? It was effective against Mozilla but I'm curious if this is more a JRE issue than a browser issue.

Greeting's

I tried the test with IE (fully updated) but it only show's "xxxxxxxxx......." and almost endless xxxx..

Anyway I just want to know for all those useres who tried the proof of concept code did you your firefox crash and if yes after how many tries ? Mine crashes after reading 60 Kb of memory.

I got up to 41 on my Firefox 1.0.1. My mozilla crashed the 1st time after 6 and then went endless on the 2nd try. Both of these are on Linux (RH9)

I dont know if I've even installed any java plugins for FF but I'll still disable it when I get home.

I tip my hat to you sir. (or madame)

Greeting's

I am not sure what is the latest version of firefox on linux but on windows it is 1.0.2. And MsMittens same here i got up 30 in the second try.

Byte: it's the same on Linux, I've just been lazy about updating my abuse machine (it's a machine I use in wargames classroom). ;)

Quote:

---

Originally posted here by ByTeWrangler
Currently no patch is released but this vulnerability can be fixed by DISABLING JAVA SUPPORT.

---

NO. The bug is in the JavaScript engine. Disabling Java has absolutely no effect (with regards to this bug). You should disable JavaScript support. Java and JavaScript are NOT the same thing...

Quote:

---

Source - http://secunia.com/advisories/14820/
The vulnerability is caused due to an error in the JavaScript engine, as a "lambda" replace exposes arbitrary amounts of heap memory after the end of a JavaScript string.

---

Good call!

Thanks for the info.

Yo!

Greeting's

This vulnerabality also affects **Netscape** more can be found here :

http://secunia.com/advisories/14804/

I would also like to thank SirDice for correcting my post.

Mozilla v1.7.3 with JavaScript turned ON runs POC...with it OFF it doesn't.

Quote:

---

Successful exploitation may disclose sensitive information in memory.

---

Like maybe...say....passwords?! eek

SELF-TESTING

Quote:

---

Like maybe...say....passwords?! eek

---

Just about time to post this, ric-o.

For you guys who want to test the script! (Take extreme precautions!).

I am curious for the source of the testing page facilitated for this vulnerability. I checked it (not being scriptkiddie or something), just plain curiousity, I extracted the most important part of the script just to find out what is really happening.

First, try the attached html (crash_JS_FF.html in zip file [crash_JS_FF.zip] --extract it first) and try it on a testing BoX (remember, testing BoX).

Here are the observations:

- Using Firefox, I run the HTML.
- Clicking the “Test Now - Left Click On This Link” each time reveals somewhat random data extracted from the memory. This is exciting to explore. I’ve come across this “LOAD_DOCUMENT_URI LOAD_RETARGETED_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI LOAD_TARGETED - - userPass username password hostPort asciiSpec asciiHost”. Not yet scary huh!

Note that it crashes on my TEST BOX after clicking 3 times or more (never crashed lower than 3 clicks)… Randomly observe how many clicks you can possibly do before it crashes. I am still observing when would sensitive info like user and password could show up. Still not came across that severity. But one thing for sure, with the random exposure of memory content, too many sensitive information about your BoX and activities could be revealed. Whew. For those who want to try this (in a TEST BoX), please have your feedback on it. And just an added observation, check the task manager how it reacts every time you click. The Memory usage for some program changes in my BoX. *(XP Pro) ?

*
Need to add that in IE (latest), nothing happens except for showing the XXXXXXXXXXX... Not crashing. LoLz
*

Just to share some curiosity and observation. Remember, TAKE NECESSARY PRECAUTIONS BEFORE DOING THIS, BE SURE YOU KNOW WHAT TO DO!

Cheers!

Yo! ;)

Has been fixed in the next release. You can get nightly builds from here:

http://weblogs.mozillazine.org/asa/