Comments on: CanSecWest 2009 Pwn2Own Exploit and XSL Transform Vulnerability http://blog.mozilla.com/security/2009/03/26/cansecwest-2009-pwn2own-exploit-and-xsl-transform-vulnerability/ Thu, 19 Nov 2009 15:36:11 -0800 http://wordpress.org/?v=2.8.6 hourly 1 By: PC.Tech http://blog.mozilla.com/security/2009/03/26/cansecwest-2009-pwn2own-exploit-and-xsl-transform-vulnerability/comment-page-1/#comment-105433 PC.Tech Fri, 10 Apr 2009 19:05:02 +0000 http://blog.mozilla.com/security/?p=87#comment-105433 This is the usual scenario, although I'm sure there are others: - http://en.wikipedia.org/wiki/Rogue_software "...Most of the time, they will display a message such as "WARNING! Your computer is infected with Spyware/Adware/Viruses! Buy [software name] to remove it!", a variant of which will say "Click OK to scan your system" instead of asking the user to outright buy the software. Another variant on this method involves telling the user their "Computer/Internet Connection/OS is not optimized and to Click Here to scan now". Usually, when the dialog box's OK button is clicked, this will (re)direct the user to a malicious website, which will install the program. Sometimes, even clicking the upper right hand X button to close the dialog box will produce the same effect. (Pressing Alt+F4 or using Task Manager with Ctrl-Alt-Delete can circumvent that trick)..." "Using Task Manager" for some variants is the only way to get out of this situation, by terminating the BROWSER session entirely. Any other course of action may lead to a redirect and install of the malware, since the code for the redirect is already in the browser's cache. 'Problem is that the user has to recognize exactly what's happening, and invoke Task Manager to quit the browser session - if they don't, they're hosed. This isn't just a Firefox problem. . This is the usual scenario, although I’m sure there are others:

- http://en.wikipedia.org/wiki/Rogue_software
“…Most of the time, they will display a message such as “WARNING! Your computer is infected with Spyware/Adware/Viruses! Buy [software name] to remove it!”, a variant of which will say “Click OK to scan your system” instead of asking the user to outright buy the software. Another variant on this method involves telling the user their “Computer/Internet Connection/OS is not optimized and to Click Here to scan now”. Usually, when the dialog box’s OK button is clicked, this will (re)direct the user to a malicious website, which will install the program. Sometimes, even clicking the upper right hand X button to close the dialog box will produce the same effect. (Pressing Alt+F4 or using Task Manager with Ctrl-Alt-Delete can circumvent that trick)…”

“Using Task Manager” for some variants is the only way to get out of this situation, by terminating the BROWSER session entirely. Any other course of action may lead to a redirect and install of the malware, since the code for the redirect is already in the browser’s cache. ‘Problem is that the user has to recognize exactly what’s happening, and invoke Task Manager to quit the browser session – if they don’t, they’re hosed. This isn’t just a Firefox problem.

.

]]> By: Lori Coffman http://blog.mozilla.com/security/2009/03/26/cansecwest-2009-pwn2own-exploit-and-xsl-transform-vulnerability/comment-page-1/#comment-105290 Lori Coffman Sat, 04 Apr 2009 02:05:46 +0000 http://blog.mozilla.com/security/?p=87#comment-105290 I have had 27 count them 27viruses since i started using firefox and not one in 5 years of using IE and anytime i try to research a patch or fix or anything for this problem at firefox i find wordy useless articles that basically say yeah we can't do anything about that but only after offering every suggestion most of them ridiculous and the interesting thing is that the ads popups what ever you want to call them that are giving me the viruses, trojans , malware, spyware AND worms are all the ones that i have filters set for in the useless friggin' ad blocker plus i have all the firefox updatesz and patches and fixes and blah blah blah i have had to close thre windows in the 2 minutes since i started typing this and found 7 mal spy troj virwomrs in 2 frigging minutes!!!! and anytime i do your alsop useless reports i get nadda except more viruses i have 5 virus programs on my pc now and after cleaning the hundreds of objects off that mozilla and ad blocker let through within five minutes of signing through firefox 3.0.8 i haver at least25 more so bye firefox i will be telling everyone i know how much you suck and care nothing about your users,,and hey i would stop myself but there's just nothing i can do about that............ lcoffbaby@hotmail <em>[Lucas]: Lori, I have two suggestions. a) there are lots of fake virus scanning sites, that claim to find viruses to trick users into downloading... a virus posing as a virus scanner. If you get "scanned" by a website, its a scam b) most people get viruses from downloading random programs off the web that are infected. In the 15+ years of using various browsers (mostly Mozilla & Firefox) I've never gotten a virus.</em> I have had 27 count them 27viruses since i started using firefox and not one in 5 years of using IE and anytime i try to research a patch or fix or anything for this problem at firefox i find wordy useless articles that basically say yeah we can’t do anything about that but only after offering every suggestion most of them ridiculous and the interesting thing is that the ads popups what ever you want to call them that are giving me the viruses, trojans , malware, spyware AND worms are all the ones that i have filters set for in the useless friggin’ ad blocker plus i have all the firefox updatesz and patches and fixes and blah blah blah i have had to close thre windows in the 2 minutes since i started typing this and found 7 mal spy troj virwomrs in 2 frigging minutes!!!! and anytime i do your alsop useless reports i get nadda except more viruses i have 5 virus programs on my pc now and after cleaning the hundreds of objects off that mozilla and ad blocker let through within five minutes of signing through firefox 3.0.8 i haver at least25 more

so bye firefox i will be telling everyone i know how much you suck and care nothing about your users,,and hey i would stop myself but there’s just nothing i can do about that…………

lcoffbaby@hotmail

[Lucas]: Lori, I have two suggestions. a) there are lots of fake virus scanning sites, that claim to find viruses to trick users into downloading… a virus posing as a virus scanner. If you get “scanned” by a website, its a scam b) most people get viruses from downloading random programs off the web that are infected. In the 15+ years of using various browsers (mostly Mozilla & Firefox) I’ve never gotten a virus.

]]> By: Michael Tero http://blog.mozilla.com/security/2009/03/26/cansecwest-2009-pwn2own-exploit-and-xsl-transform-vulnerability/comment-page-1/#comment-105160 Michael Tero Mon, 30 Mar 2009 01:15:59 +0000 http://blog.mozilla.com/security/?p=87#comment-105160 This last week I've been noticing a change in the way Google search is reacting. When I make my usual searches on Google and click on the links I've click on many times before, am being redirected or hijacked to some other site, usually advertising or spam like. I click the back arrow, click again on the same link and it usually takes me to the correct site, but it some times takes a couple more tries. First though was to check my extensions and I noticed a Java Quick Starter which I disabled, I'll see if that works. Any suggestion let me know. And by the way I have the latest Firefox update 3.0.8 This last week I’ve been noticing a change in the way Google search is reacting. When I make my usual searches on Google and click on the links I’ve click on many times before, am being redirected or hijacked to some other site, usually advertising or spam like.
I click the back arrow, click again on the same link and it usually takes me to the correct site, but it some times takes a couple more tries.

First though was to check my extensions and I noticed a Java Quick Starter which I disabled, I’ll see if that works.

Any suggestion let me know.
And by the way I have the latest Firefox update 3.0.8

]]> By: Eddie Johnson http://blog.mozilla.com/security/2009/03/26/cansecwest-2009-pwn2own-exploit-and-xsl-transform-vulnerability/comment-page-1/#comment-105157 Eddie Johnson Sat, 28 Mar 2009 01:05:56 +0000 http://blog.mozilla.com/security/?p=87#comment-105157 I too am looking for better corporate deployment of NoScript. Back in a prior version I'd done some hacking around with installing the extensions globally but because I switch versions often as I roam from machine to machine with a roaming profile I found a bunch of crazy conflicts with global settings versus user profile stuff, it seemed like Firefox would drop your user settings when they coincided with the globals (for that particular version), then when I roamed to another machine with slightly different globals I didn't have the user settings needed. I gave up without a resolution and just backed away from global customization. So that's my long way of saying, "yes, please give us better control of global settings." I too am looking for better corporate deployment of NoScript. Back in a prior version I’d done some hacking around with installing the extensions globally but because I switch versions often as I roam from machine to machine with a roaming profile I found a bunch of crazy conflicts with global settings versus user profile stuff, it seemed like Firefox would drop your user settings when they coincided with the globals (for that particular version), then when I roamed to another machine with slightly different globals I didn’t have the user settings needed. I gave up without a resolution and just backed away from global customization.

So that’s my long way of saying, “yes, please give us better control of global settings.”

]]> By: Giorgio Maone http://blog.mozilla.com/security/2009/03/26/cansecwest-2009-pwn2own-exploit-and-xsl-transform-vulnerability/comment-page-1/#comment-105156 Giorgio Maone Fri, 27 Mar 2009 21:19:18 +0000 http://blog.mozilla.com/security/?p=87#comment-105156 @Kurt: NoScript did protect against exploitation of this vulnerability (even though could not prevent the crash itself from happening): http://hackademix.net/2009/03/26/lock-down-firefox-for-the-weekend/ Now (since 1.9.1.5, http://noscript.net/getit#devel ), it protects also against any XSLT issue triggered by malicious sites, because it regards XSLT as active content and blocks it if comes from untrusted sources: http://hackademix.net/2009/03/27/firefox-light-speed-update-and-noscript-xslt-protection/ @Kurt:

NoScript did protect against exploitation of this vulnerability (even though could not prevent the crash itself from happening): http://hackademix.net/2009/03/26/lock-down-firefox-for-the-weekend/

Now (since 1.9.1.5, http://noscript.net/getit#devel ), it protects also against any XSLT issue triggered by malicious sites, because it regards XSLT as active content and blocks it if comes from untrusted sources:
http://hackademix.net/2009/03/27/firefox-light-speed-update-and-noscript-xslt-protection/

]]> By: Daniel Veditz http://blog.mozilla.com/security/2009/03/26/cansecwest-2009-pwn2own-exploit-and-xsl-transform-vulnerability/comment-page-1/#comment-105154 Daniel Veditz Fri, 27 Mar 2009 19:44:08 +0000 http://blog.mozilla.com/security/?p=87#comment-105154 The earlier XSL crash was reported as a stability problem. Since it looked like a non-exploitable null dereference on the surface it was not treated as an urgent issue. It was a stability problem in an edge case in a little-used feature and the developers were busy with release-blocking bugs (remember we were supposed to have finished "3.1" by now). Likewise when this was reported by Guido he's had to defend it against people who think it's a non-exploitable null deref. I have personally gotten mail from respected security researchers doubting our judgment on whether this is exploitable, and they may be right -- we haven't demonstrated that it's exploitable. But with the complex paths available to an attacker we can't prove that all of them result in a null being left on the stack in the right place. Incidentally, the patch languishing in bug 460090 matched our initial fix from bug 485217, which stopped the published crashes but did not in fact fix the vulnerability if you looked a little closer. Our shipping release contains a different patch from bug 485286 which fixes the vulnerability properly, not just the PoC crash. The earlier XSL crash was reported as a stability problem. Since it looked like a non-exploitable null dereference on the surface it was not treated as an urgent issue. It was a stability problem in an edge case in a little-used feature and the developers were busy with release-blocking bugs (remember we were supposed to have finished “3.1″ by now).

Likewise when this was reported by Guido he’s had to defend it against people who think it’s a non-exploitable null deref. I have personally gotten mail from respected security researchers doubting our judgment on whether this is exploitable, and they may be right — we haven’t demonstrated that it’s exploitable. But with the complex paths available to an attacker we can’t prove that all of them result in a null being left on the stack in the right place.

Incidentally, the patch languishing in bug 460090 matched our initial fix from bug 485217, which stopped the published crashes but did not in fact fix the vulnerability if you looked a little closer. Our shipping release contains a different patch from bug 485286 which fixes the vulnerability properly, not just the PoC crash.

]]> By: RyanVM http://blog.mozilla.com/security/2009/03/26/cansecwest-2009-pwn2own-exploit-and-xsl-transform-vulnerability/comment-page-1/#comment-105153 RyanVM Fri, 27 Mar 2009 18:15:23 +0000 http://blog.mozilla.com/security/?p=87#comment-105153 Hugo, it was certainly reported at some point prior. It even had a patch that sat around without getting checked in. https://bugzilla.mozilla.org/show_bug.cgi?id=460090 I hope some serious thought goes into figuring out what went wrong, as it's certainly an embarrassing situation. Hugo, it was certainly reported at some point prior. It even had a patch that sat around without getting checked in.
https://bugzilla.mozilla.org/show_bug.cgi?id=460090

I hope some serious thought goes into figuring out what went wrong, as it’s certainly an embarrassing situation.

]]> By: Hugo http://blog.mozilla.com/security/2009/03/26/cansecwest-2009-pwn2own-exploit-and-xsl-transform-vulnerability/comment-page-1/#comment-105151 Hugo Fri, 27 Mar 2009 16:46:50 +0000 http://blog.mozilla.com/security/?p=87#comment-105151 Is it true, that XSL PoC was provided to FireFox team 6month ago as Guido said in noscript blog? If so, why didn't you fix that mutch earlyer? Is it true, that XSL PoC was provided to FireFox team 6month ago as Guido said in noscript blog?
If so, why didn’t you fix that mutch earlyer?

]]> By: Phil http://blog.mozilla.com/security/2009/03/26/cansecwest-2009-pwn2own-exploit-and-xsl-transform-vulnerability/comment-page-1/#comment-105150 Phil Fri, 27 Mar 2009 15:03:07 +0000 http://blog.mozilla.com/security/?p=87#comment-105150 For the latest info on FirefoxADM, seen the developer's blog: http://ick2.wordpress.com/ For the latest info on FirefoxADM, seen the developer’s blog:

http://ick2.wordpress.com/

]]> By: Nikolai http://blog.mozilla.com/security/2009/03/26/cansecwest-2009-pwn2own-exploit-and-xsl-transform-vulnerability/comment-page-1/#comment-105149 Nikolai Fri, 27 Mar 2009 14:47:32 +0000 http://blog.mozilla.com/security/?p=87#comment-105149 Where to download firefoxADM: http://sourceforge.net/project/showfiles.php?group_id=129699 Installation manual for FirefoxADM: http://homepages.ed.ac.uk/mcs/FirefoxADM/ADM_Deploy.pdf Where to download firefoxADM:
http://sourceforge.net/project/showfiles.php?group_id=129699

Installation manual for FirefoxADM:
http://homepages.ed.ac.uk/mcs/FirefoxADM/ADM_Deploy.pdf

]]>