Sean Michael Kerner Blog
Firefox 3.5 at risk from 0-Day JavaScript and DNS flaws?

From the 'shiny, new and broken' files:
US-CERT is warning today about a new un-patched 0-day Firefox 3.5 vulnerability. According to US-CERT, the vulnerability is due to an error in the way JavaScript code is processed.

There is proof of concept code for the exploit publicly available now and as such, in my opinion, this represents an immediate threat to Firefox 3.5 users. To the best of my knowledge this is the first 'critical' flaw publicly reported for the Firefox 3.5 release which came out two ago.

The code that I saw was written by security researcher Simon Berry-Byrne and is officially titled "Firefox 3.5 Heap Spray Vulnerability." Berry-Byrne in his proof of concept code thanks security researcher H D Moore, "...for the insight and Metasploit for the payload." Metasploit is an open source security testing framework which can enable an attack to become 'weaponized' for testing and research purposes.

There is a second potential vulnerability that is making the rounds in the security research community involving a DNS leakage in Firefox 3.5. Security researcher hevnsnt has reported a DNS leak, such that no matter how a user redirects their DNS (proxy etc.) the Firefox 3.5 browser still leaks out the local DNS data. I contacted Mozilla on the DNS issue yesterday and so far have not yet had any response back from them.

The DNS leak issue is a bit different than the JavaScript issue, in that it's what I would classify as an 'information disclosure' flaw. The JavaScript issue in contrast could lead to a denial of service or arbitrary code execution.

Mozilla developers had already planned to issue a Firefox 3.5.1 update for the middle of July, so we might not have to wait long at all. Either way, let's hope Mozilla gets both these issues patched quickly.