Seems like Pwn2Own is getting a reputation for uncovering some pretty nasty browser based vulnerabilities, once again this year Firefox, Safari and IE8 were all broken wide open. The latest development is Mozilla has beaten both Microsoft and Apple to the punch and released Firefox 3.6.3 patching the vulnerability.

Again it was a critical vulnerability and the creator netted himself $10,000 from the contest for the exploit. Pretty fast patching from Firefox though with an 8 day turnaround, and the vulnerability is only on Firefox 3.6.x not 3.5.x in its current state.

Mozilla late yesterday patched a critical Firefox vulnerability used by a German researcher to win $10,000 for hacking the open-source browser at last week’s Pwn2Own contest.

In a repeat of 2009, Mozilla was the first browser maker to patch a bug exploited at Pwn2Own. In fact, the company improved on its performance by fixing the newest flaw only eight days after Nils, a researcher who works for U.K.-based MWR InfoSecurity, hacked Firefox. Last year, Mozilla took 10 days to come up with its Pwn2Own fix. Nils also successfully exploited Firefox at 2009′s contest.

This time, Nils used a memory corruption flaw to hack the browser, Mozilla said in the security advisory that accompanied the update to Firefox 3.6.3. It rated the bug as “critical,” the highest threat ranking in its four-step scoring system.

Nils exploited Firefox 3.6.2 — Mozilla had patched the browser just two days before the contest kicked off — on 64-bit Windows 7 , also bypassing the operating system’s DEP (data execution prevention) and ASLR (address space layout randomization) defenses. For his work, Nils was awarded $10,000 by 3Com TippingPoint, Pwn2Own’s sponsor.

Gotta give him some props though, exploiting the latest version of Firefox and bypassing both DEP and ASLR. Nice work Nils! It just goes to shows, if the motivation is there (which it is for many blackhats) then an entry vector can be found.

Especially with the rapid pace of software development in the web era, there’s no way everything can be kept secure with all the additional features and functions that are constantly being added.

Other researchers hacked Apple’s Safari and Microsoft’s Internet Explorer 8 (IE8) to also win $10,000 each.

According to Mozilla, Nils’ exploit only works against Firefox 3.6, the newest edition, but the company said it planned to also patch Firefox 3.5 “just in case there is an alternate way of triggering the bug.” Mozilla did not specify a timeline for the Firefox 3.5 update. Firefox 3.5 was just patched last Monday to bring it to version 3.5.9.

Mozilla restricted access to additional information on the vulnerability by locking down Bugzilla, its change- and bug-tracking database, allowing only authorized users to view information on the flaw. That move is typical of Mozilla when it has patched some, but not all, of its browsers.

Neither Apple or Microsoft has announced plans to patch their Pwn2Own vulnerabilities. Microsoft has acknowledged receiving details of the IE8 vulnerabilities that Dutch researcher Peter Vreugdenhil used to hack the browser, but earlier this week said a patch was not ready.

Microsoft as usual have stated it is still ‘under investigation’ having just patched 10 vulnerabilities in IE8 last week, they now have another to add to the list. I’m not holding my breath for an out-of-band patch however.

Mozilla also made the move to lock the public out of the vulnerability details on Bugzilla to prevent it from getting into the wild.

No news from Apple yet on the Safari bug, wonder when they’ll come out with a fix for it? Or acknowledge it even? Or perhaps they’ve already fixed it and pushed out the patch..who knows?

Source: Network World

I’m sure you’ve heard about the Microsoft IE7 Exploit that allows Remote Code Execution on XP & Vista, it turns out it’s actually much worse than first expected.

The exploit also affects IE5.01, IE6 and IE8 on all OS versions! That’s a pretty worrying turn of events for MS especially as they are seemingly leaving it unpatched.

You can find a clarification of the various workarounds for the IE flaw on Technet here.

Researchers are warning that the unpatched security vulnerability in Microsoft’s Internet Explorer affects more versions of the browser than previously thought, and that steps users must take to prevent exploitation are harder than first published.

According to an updated advisory from Redmond, the bug that’s been actively exploited since Tuesday bites versions 5.01, 6, and 8 of the browser, which is by far the most widely used on the web. A previous warning from Microsoft only said that IE 7 was susceptible to the attacks. IE is susceptible when running on all supported versions of the Windows operating systems, Microsoft also says.

What’s more, while there is some protection from Vista’s User Account Control, the measure doesn’t altogether prevent the attack, according to this post on the Spyware Sucks blog. Microsoft and others have suggested that those who must use IE in the next few weeks set the security level to high for the internet security zone or disable active scripting. These are sensible measures, but they don’t guarantee you won’t be pwned, according to this post from the Secunia blog.

Once again Firefox users for the win, this is a flaw in the whole family of Internet Explorer and must effect a shocking amount of users. I guess setting your Security Zone to high and disabling Active Scripting helps but then it also disables a lot of features on a lot of sites.

So you are losing out on the user experience of the web just to be more secure, mostly because Microsoft doesn’t want to release an ad-hoc patch.

Well Google Chrome final version is out now too, so there’s another option for people.

Secunia goes on to revise what it says is the cause of the vulnerability. Contrary to earlier reports that pinned the blame on the way IE handles certain types of data that use the extensible markup language, or XML, format, the true cause is faulty data binding, meaning exploit code need not use XML.

Microsoft has yet to say whether it plans to issue a fix ahead of next month’s scheduled release. For the moment, the volume of in-the-wild attacks remains relatively modest and limited mostly to sites based in China. But because attackers are injecting exploits into legitimate sites that have been compromised, we continue to recommend that users steer clear of IE until the hole has been closed.

Plenty of other researchers have weighed in with additional details about the flaw. Links from SANS, Sophos and Hackademix.

I think an imminent danger is if people start using iframe vulnerabilies and XSS to inject this exploit into some more prominent sites – that could cause a huge spread of infections!

Anyway just let people using IE know that this is another reason they shouldn’t be using it! Show them how to download and install Firefox and please teach them to use Tabs!

Source: The Register