Mozilla has released version 3.6.13 of its popular Firefox web browser.
This new version contains fixes for 11 security holes, nine of which have been given the worst rating of “critical” severity, as the vulnerabilities can be used to run malicious attack code and install software – the user has to do nothing to be hit in this way, just normal browsing is enough.
Fortunately Firefox contains an integrated update mechanism (Help / Check for Updates to kickstart the process) which can help ensure that most users are rapidly upgraded to the latest version.
However, don’t dawdle. Malicious hackers could try to exploit the vulnerabilities – described on Mozilla’s website – to infect your computer with malware.
Mozilla has issued a warning that a Firefox add-on available from the official Mozilla Add-Ons website was secretly sending users’ stolen passwords to a remote location.
“Mozilla Sniffer” was uploaded to the Firefox add-on site on June 6th, but was only determined at the start of this week to contain code that sent the contents of website login forms to a remote location.
In other words, if you installed this add-on (and according to Mozilla about 1800 people did) then every time you entered your password on a website you were potentially handing over your confidential login details to an unknown party.
And this isn’t the first time that Firefox add-ons have made the security headlines. For instance, earlier this year Mozilla revealed that the Master Filer add-on was infected by the LdPinch password-stealing Trojan.
Back then Mozilla said it would strengthen its vetting procedures, scanning all add-ons with additional anti-virus tools. Clearly that wasn’t enough in this latest breach, and there is a proposal to introduce a requirement that all add-ons be code-reviewed before they are published on the site. More details on this proposal are available in a document about the new review model.
Mozilla has now block-listed the “Mozilla Sniffer” add-on, meaning that users who are already running the code will be prompted to remove it.
If you’re one of the potential victims, however, I would go further than just removing the add-on. Make sure you change your passwords too.
Mozilla has responded to concern about a critical security vulnerability in Firefox 3.6, by releasing version 3.6.2 of its popular browser ahead of schedule.
Firefox 3.6.2 fixes a vulnerability first discovered by security researcher Evgeny Legerov last month, which could allow hackers to launch malicious code on users’ computers.
As I blogged yesterday, concern about the bug was so high that the likes of the German government had advised internet users to switch to an alternative browser until a fix from Mozilla was available (at the time that fix was not scheduled until March 30th).
However, concern about the severity of the security flaw encouraged Mozilla to accelerate its release timetable.
If you are a Firefox 3.6 user, go to the Help menu and choose “Check for Updates” to update your installation of Firefox to the latest version. You can also visit www.getfirefox.com if you wish to download the full version.
By Graham Cluley, Sophos
The German government has advised computer users not to run Firefox and run an alternative browser instead, because of a critical security flaw.
The advice, which comes from BürgerCERT, part of the German Federal Office for Security in Information Technology (known as the Bundesamt für Sicherheit in der Informationstechnik or BSI), recommends that computer users stop using Firefox until Mozilla releases a fix.
The reason why Germany is suggesting such seemingly drastic action is that there is a critical vulnerability in currently available versions of Firefox that could be exploited by hackers to launch malicious code on users’ computers.
For its part, Mozilla has acknowledged the security vulnerability, and advises that a patched version 3.6.2 of Firefox is scheduled to be available on March 30th.
Here is a rough translation (courtesy of Google Translate):
Because of a vulnerability privately disclosed to the Mozilla Foundation, Bürger-CERT recommends the use of an alternative browser until Mozilla has released Firefox version 3.6.2. The current release plan for Firefox 3.6.2 provides for delivery on Tuesday, 30 March 2010.
There is an as yet unspecified vulnerability in Mozilla Firefox version 3.6. A remote attacker has the opportunity, using rigged websites, to inject malicious code in the context of the logged-on user.
Security researcher Evgeny Legerov discovered the vulnerability last month, controversially making code which exploited it available to those who were prepared to pay. That’s not an approach which is likely to have won him many friends at Mozilla, who would much prefer that vulnerability researchers worked with them on responsible disclosure.
It must be an uncomfortable time for German web users too. After all, in January they were advised not to use Internet Explorer, and now they’re being told to keep a wide berth from Firefox until it’s fixed.
It’s certainly a lot easier for computer-savvy home users to leapfrog from browser to browser than companies.
Switching your web browser willy-nilly as each new unpatched security hole is revealed could cause more problems than it’s worth. For instance, imagine how much training some users will require to switch from one browser to another.
And it’s worth bearing in mind – what are you going to do when your replacement browser itself turns out to contain a vulnerability? Are you going to switch yet again?
My advice is to only switch from Firefox if you really know what you are doing with the browser you’re swapping to. If you stick with Firefox, apply the security update as soon as it’s available.
If you can’t wait – Mozilla says it has produced a release candidate build of Firefox 3.6.2 which already contains the fix (obviously it hasn’t been through their complete quality assurance process yet). You can download it from their website at https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.6.2-candidates/build3/
By Graham Cluley, Sophos
Mozilla has issued a warning that two add-ons available from AMO (addons.mozilla.org, the Mozilla Add-ons website) were infected by malicious code capable of infecting Windows computers.
According to a security notice on AMO’s blog, the Master Filer add-on was infected by the LdPinch password-stealing Trojan, and Sothink Web Video Downloader version 4.0 was infected by a version of the Bifrose backdoor Trojan horse.
Judging by the statement on the Mozilla Add-ons blog, a fair few people could have found that their Windows computers were infected:
Master Filer was downloaded approximately 600 times between September 2009 and January 2010. Version 4.0 of Sothink Web Video Downloader was downloaded approximately 4,000 times between February 2008 and May 2008. Master Filer was removed from AMO on January 25, 2010 and Version 4.0 of Sothink Web Video Downloader was removed from AMO on February 2, 2010.
Versions of Sothink Web Video Downloader greater than 4.0 are said not to be infected. Furthermore, both Trojans were specifically written for Windows, meaning they could not infect Mac OS X and Linux installations of Firefox.
This isn’t the first time malware has slipped through Mozilla’s security procedures. In May 2008, users who downloaded Firefox’s Vietnamese language pack were warned that it had contained a malicious script designed to display irritating advertising messages.
Mozilla says that in light of the security lapse it has strengthened its systems, scanning all add-ons with additional anti-virus tools.
Personally, I would recommend that all computer users remember not to rely on someone else doing the virus scanning for them, and ensure they have anti-malware protection running on their computer.
By Graham Cluley, Sophos
If you’re a user of the Firefox web browser then it’s time to update your software again, as Mozilla has issued an important update that fixes a number of critical flaws.
In total, 16 vulnerabilities are patched in Firefox 3.5.4 – with 11 given the highest rating of “critical”. What does that mean? Well, according to Mozilla’s own website a “critical” vulnerability is one which “can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.”
In other words, critical vulnerabilities can be used to invisibly install and run malicious code on your computer – such as a Trojan horse or worm.
As we revealed in the Sophos Threat Report [PDF] published earlier this year, SophosLabs sees in excess of 23,000 new malicious webpages every day – infected with the intention of compromising your computer. So it’s really important that alongside running up-to-date anti-virus software, you ensure your web browser – whether it be Firefox, Internet Explorer, Safari, Opera, or something else – is protected with the latest patches.
The update is now available from the Mozilla website, but hopefully most existing users will be pestered into updating by Firefox’s auto-update facility.
Firefox’s security is becoming ever more important as it creeps up on Microsoft Internet Explorer’s pole position as number one browser for the web. It is estimated that there are now over 330 million users of Firefox – more than the population of the United States!
By Graham Cluley, Sophos
IOActive security researcher Dan Kaminsky and independent security researcher Moxie Marlinspike separately announced the compromise of SSL-protected communication at the Black Hat conference, according to reports.
The flaw is described in more detail here, but as Mozilla said in an advisory, it basically meant that attackers could have obtained certificates that could intercept and alter encrypted information between client and server, such as bank account transactions.
The Microsoft Vulnerability Research Team also helped with coordinating a multiple-vendor response to the problem.
The other three vulnerabilities were also critical. This meant that attackers could have taken advantage by running code and installing software on a user’s computer even if they were just browsing normally.
By Asavin Wattanajantra at www.itpro.co.uk
Senior Threat Researcher Joseph Reyes spotted several malicious script files that exploited Mozilla Firefox and Microsoft Internet Explorer vulnerabilities:
- JS_DIREKTSHO.B exploits a vulnerability in Microsoft Video Streaming ActiveX control to download other possibly malicious files.
- JS_FOXFIR.A accesses a website to download JS_SHELLCODE.BV. In turn JS_SHELLCODE.BV exploits a vulnerability in Firefox 3.5 to download WORM_KILLAV.AKN.
- JS_SHELLCODE.BU exploits a vulnerability in Microsoft OWC to download JS_SHELLCODE.BV.
Initial analysis done by Threat Analyst Jessa De La Torre shows that the scripts above may be unknowingly downloaded through either Firefox or Internet Explorer.
According to Mozilla, a Firefox user reported suffering from a crash that developers determined could result in an exploitable memory corruption problem. In certain cases after a return from a native function, the just-in-time (JIT) compiler could get into a corrupt state. This could then be exploited by an attacker to run arbitrary code. However, this vulnerability does not affect earlier versions of Firefox, which do not support the JIT feature.
Firefox 3.5 users can avoid this vulnerability by disabling the JIT compiler as described in the Mozilla Security Blog. This workaround is, however, unnecessary for Firefox 3.5.1 users.
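For an administrator who has rolled the JIT workaround out to several Firefox 3.5 profiles, the useful check is whether each profile actually carries the override. The script below is an added example written for this page; it is not from any of the quoted posts or from Mozilla. It assumes the about:config preference Mozilla’s blog post told users to set, javascript.options.jit.content = false (the preference name is not quoted on this page), and parses the real user_pref("name", value); syntax that Firefox writes to a profile’s prefs.js. The two sample profiles are constructed inline so the script runs offline.

```python
"""Audit a Firefox 3.5 profile's prefs.js for the JIT-disabling workaround.

Added example, not from the original posts or from Mozilla. Assumption: the
workaround described in the Mozilla Security Blog is the about:config
preference javascript.options.jit.content set to false; that name is not
quoted on the page above. The user_pref("name", value); syntax is the real
format Firefox writes to prefs.js / user.js in a profile directory.
"""
import re
from typing import Dict, Union

PrefValue = Union[bool, int, str]

# Matches one user_pref("name", value); line. The value is either a quoted
# string (with backslash escapes), the literals true/false, or an integer.
_PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*'
    r'("(?:[^"\\]|\\.)*"|true|false|-?\d+)\s*\)\s*;'
)

# Assumed preference name (see module docstring).
JIT_PREF = "javascript.options.jit.content"


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse prefs.js / user.js content into a dict of preference values.

    Comment lines and anything that does not match the user_pref() shape are
    skipped, which matches how Firefox tolerates unreadable lines.
    """
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if raw == "true":
            value: PrefValue = True
        elif raw == "false":
            value = False
        elif raw.startswith('"'):
            # Strip the quotes and undo the two escapes prefs.js uses.
            value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            value = int(raw)
        prefs[name] = value
    return prefs


def jit_workaround_applied(prefs: Dict[str, PrefValue]) -> bool:
    """True only when the content JIT is explicitly switched off.

    Firefox 3.5 defaults this preference to true, so an absent entry means
    the JIT is still enabled and the workaround is NOT in place.
    """
    return prefs.get(JIT_PREF) is False


# Constructed sample: a profile where the workaround was applied.
SAMPLE_PATCHED = """# Mozilla User Preferences
/* Do not edit this file. */
user_pref("browser.startup.homepage", "https://example.invalid/");
user_pref("javascript.options.jit.content", false);
user_pref("network.cookie.cookieBehavior", 0);
"""

# Constructed sample: a profile that never touched the preference.
SAMPLE_UNPATCHED = """# Mozilla User Preferences
user_pref("browser.startup.homepage", "https://example.invalid/");
"""

if __name__ == "__main__":
    for label, text in (("patched", SAMPLE_PATCHED), ("unpatched", SAMPLE_UNPATCHED)):
        applied = jit_workaround_applied(parse_prefs(text))
        print(f"{label}: JIT workaround applied = {applied}")
```

To audit a real machine, read each profile’s prefs.js (and user.js, which overrides it) into parse_prefs and report the profiles where jit_workaround_applied returns False; the check treats a missing preference as “still enabled” because that is the shipped default, and it becomes moot once the profile is upgraded to 3.5.1, where the fix is in the browser itself.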
On the other hand, the vulnerability in Microsoft Video ActiveX Control allows remote code execution if a user views a specially crafted web page with Internet Explorer, executing the ActiveX control. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Microsoft is aware of attacks attempting to exploit these vulnerabilities and advises its customers to prevent the OWC ActiveX controls from running in Internet Explorer, either manually or via the automated solution, as described in Microsoft Knowledge Base Article 973472.
Trend Micro advises users to refer to the following pages to download updates/patches for the vulnerabilities the aforementioned script files exploit:
- Firefox: Mozilla Foundation Security Advisory 2009-41
- OWC: Microsoft Security Advisory (973472)
- DirectShow: Microsoft Security Bulletin MS09-032
Trend Micro advises users to download the latest scan engine to protect themselves against the above-mentioned exploits.
Source: Trend Micro, by Jovi Umawing