Mozilla developers rush to ship out a patch

Mar 27, 2009 09:53 GMT

The release of proof-of-concept exploit code for an unresolved critical bug that allows for remote arbitrary code execution on the latest stable version of Mozilla Firefox has put developers on alert. A fix will be included in the 3.0.8 version of the browser, which is scheduled for release in a few days.

The vulnerability is described on SecurityFocus as a "Boundary Condition Error" and allows an attacker to execute potentially malicious code by calling a malformed XML file from a Web page. Parsing a specially crafted "root" XML tag in an XSL file results in a memory-corruption error.

These drive-by types of attacks have become the weapon of choice for many of today's malware distributors. Cross-site scripting (XSS) weaknesses are used to inject rogue exploit-serving IFrames into legitimate pages. These exploits target vulnerabilities in popular software such as Adobe Reader, Flash Player, or the browsers themselves.
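A site operator's first line of defense against the injection described above is noticing it. The following script is an added example, not code from the article or from Mozilla: it parses a page's HTML and flags iframes that are both hidden (zero or one-pixel size, or hidden via inline style) and pointed at a host other than the site's own, which is the typical footprint of an injected exploit-serving frame. The sample page and the hostnames in it are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles commonly used to keep an injected frame out of sight.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k: (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height attributes of 0 or 1 (px or bare number)."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


def find_suspicious_iframes(html, site_host):
    """Return src values of iframes that are hidden AND load from a foreign host.

    A relative src resolves to the site itself, so it is never flagged;
    a visible third-party frame (e.g. an ad slot) is not flagged either.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host
        external = host.lower() != site_host.lower()
        hidden = (_is_tiny(attrs.get("width"))
                  or _is_tiny(attrs.get("height"))
                  or bool(HIDDEN_STYLE.search(attrs.get("style", ""))))
        if external and hidden:
            findings.append(src)
    return findings


# Constructed sample: a legitimate page with two injected frames at the end.
SAMPLE_PAGE = """
<html><body>
<h1>Company news</h1>
<iframe src="/widgets/stock-ticker.html" width="300" height="80"></iframe>
<iframe src="http://example.net/ads.html" width="468" height="60"></iframe>
<iframe src="http://example.org/x.html" width="0" height="0"></iframe>
<iframe src="http://example.org/y.php" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src in find_suspicious_iframes(SAMPLE_PAGE, "www.example.com"):
        print("suspicious hidden external iframe:", src)
```

Run over a crawl of your own pages, the function gives a cheap periodic check for the kind of injection the article describes; it reports the frame's source so the offending line can be located and the XSS or compromised account behind it investigated. It deliberately ignores visible third-party frames, since those are usually intentional, and a JavaScript-driven injection that builds the iframe at runtime would need the rendered DOM rather than the raw HTML.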

This particular vulnerability affects multiple versions of Firefox on all operating systems, and a failed exploitation attempt results in a denial-of-service condition (a crash). Guido Landi is credited with publishing the PoC exploit code on March 25, 2009; however, the bug itself appears to be much older.

A user identified only as "andre" reported the same flaw on Ubuntu's Launchpad on July 31, 2008. It was subsequently picked up and reported to Mozilla by Michael Rooney on October 15, 2008, and a patch for it was even written by a developer named "Martin," but for some reason it was never deployed. "This bug seems to have fallen through the cracks, not sure what bugzilla incantation is the right one to get it noticed again, so asking for review of changed patch," Martin wrote on February 14, 2009.

"The past few months have been extremely hectic at Mozilla as we've tried to push Firefox 3.5 out the door and there has been a conscious effort to focus on bugs that directly block the release (i.e. blocking1.9.1+). Unfortunately, nobody noticed the severity of your bug and in the heat of the moment when the 0-day vulnerability hit the waves, that same nobody (of which I'm a part, not ducking responsibility) looked for a duplicate bug that might already contain a patch," Blake Kaplan wrote to Martin after a new bug report and patch had been created.

The fix for the issue will finally be shipped out to users as part of Firefox 3.0.8, which is described on Mozilla Wiki as "a high-priority firedrill security update to Firefox 3.0.x." According to the Wiki article, Firefox 3.0.8 will be released between March 30 and April 1.

The execution of arbitrary code can be prevented until 3.0.8 is out by using the NoScript Firefox extension, which blocks JavaScript code on Web pages by default. "[...] Reliable exploitation requires scripting to 'spray the heap,' i.e. to inject the malicious payload at the right places of your memory for execution," Giorgio Maone, the creator of NoScript, explains. However, disabling JavaScript will not prevent Firefox from crashing.