In-Depth

Attacks Target Firefox 3.0 Web Browser

Firefox 3.0 release highlights the perils of information technology celebrity

• By Stephen Swoyer
• 06/24/2008

Just hours after Firefox 3.0 -- with its much-hyped security enhancements -- went live, a trio of researchers claimed to have found flaws in the next-gen browser. Some of the disclosure activity may have been driven by celebrity-seeking: after all, the Mozilla Foundation made much of its attempt to set a (nonexistent) Guinness World Record for the most software downloads in a 24-hour period. Firefox 3.0 was a hot topic -- it even merited a mention on the satirical Colbert Report -- which made it a no-brainer target for celebrity-seeking crackers.

On the security front, Firefox 3.0 boasts improved malware protection capabilities, implementation of a safe message-passing scheme (with postMessage), and a new memory allocator (jemalloc), which replaces the default libc implementation. It also uses a new password manager facility.

Less than 24 hours after its official release, 3Com's TippoingPoint security subsidiary turned up what might be the most compelling -- and credible -- of the new Firefox 3.0 (and Firefox 2.0.x) flaws: an undisclosed vulnerability that could allow an attacker to execute arbitrary code on a compromised system. TippingPoint says it reported the vulnerability to Mozilla and won't divulge any details -- nor potential exploits -- until after Mozilla has investigated the matter.

"[A]bout five hours after the official release of Firefox 3.0 on June 17, our Zero Day Initiative program received a critical vulnerability affecting Firefox 3.0 as well as prior versions of Firefox 2.0.x. We verified the vulnerability in our lab, acquired it from the researcher, then promptly reported the vulnerability to the Mozilla security team shortly after," says a posting on TippingPoint's Digital Vaccine (DV) Labs blog.

"Not unlike most browser-based vulnerabilities that we see these days, user interaction is required such as clicking on a link in email or visiting a malicious Web page." The TippingPoint crew seemed confident that Mozilla would satisfactorily resolve the issue. "Working with Mozilla on past security issues, we've found them to have a good track record and expect a reasonable turnaround on this issue as well," the posting said.

Indeed, according to a 2006 Symantec study, not only did the Firefox browser fall prey to fewer reported vulnerabilities than its chief rival, Internet Explorer, but the Mozilla Foundation also tended to patch Firefox flaws more rapidly.

As of early June, says security researcher Secunia, Firefox 2.0 had only two unpatched vulnerabilities -- while Internet Explorer 7 had 10.

Also last week, a couple of other enthusiasts published information about potential Firefox 3.0 vulnerabilities. On the Full Disclosure mailing list (and on similar lists), a researcher by the name of "hexapode" claimed to have discovered a Firefox 3.0 release "overflow" vulnerability. This person declined to provide any additional information, cryptically indicating that details (or perhaps actual exploit code?) would be "coming soon."

Elsewhere on Full Disclosure, another cracker claimed that under certain conditions, Firefox 3 could launch applications without user interaction or without otherwise alerting a user.