Firefox Security Threat – Google is vulnerable

by Karthik on November 12, 2007 · 25 comments

Firefox

A Malicious exploit has been discovered in Firefox that would allow a Hacker to use a Malicious JAR file to get access to your Google Account and all your confidential information.

Firefox is falling into some serious trouble over the past few months, with more and more security exploits being discovered and being exploited. The latest threat involves the usage of a malicious JAR file. The flaw is still in the wild and the problem persists with the websites of Major Internet companies that includes Google. Beford.org has found a way to use the JAR exploit to get details of Google Accounts using a Malicious JAR file specially crafted to take advantage of the exploit.

Well I’m going to refrain myself from writing about the Exploit. I have tested this exploit on my own spare Google Account, and I can confirm that this works. Its better be to safe because I’m not sure when exactly is Google and Mozilla planning to patch up the security holes. I suggest you download the NoScript addon for Firefox. Right now NoScript seems to be the only solution. If you are wondering what NoScript is, then here is what its developer has to say about it :

It allows JavaScript, Java and other executable content to run only from trusted domains of your choice, e.g. your home-banking web site, and guards the “trust boundaries” against cross-site scripting attacks (XSS). Such a preemptive approach prevents exploitation of security vulnerabilities (known and even unknown!) with no loss of functionality…

The other way to stay safe would be to visit sites that you trust and not download anything that looks suspicious. Given the vastness of the Internet, however careful you are, this can be still a threat. Keep yourself signed out of all Accounts until this is patched. But do remember to stay safe.

This exploit was known to Mozilla for quite sometime and hasn’t still patched it. Given that this vulnerability affects both Google and Firefox lets see who gets this patched first.

Via GNUCitizen and Bedford

See more from: Web

{ 23 comments… read them below or add one }

Thilak November 12, 2007 at 10:38 pm

The problem is not with Firefox. IE has bugs, but most of them are still not discovered. In the open source community, bugs will be discovered as soon as it releases

Reply

Z@ck November 13, 2007 at 11:52 pm

Is this about IE of firefox @Thilak??

Use a seperate forum to yarp abt IE. Atleast when M/soft gets a bug alert if patches

If the Moz folks knew abt this and they didnt patch..thats a bad thingie to be doing to the fans out there..

Reply

RMD November 14, 2007 at 4:21 am

Thilak – what do you mean the problem is not with Firefox? Of course it is.

As far as IE having bugs… of course it does, all reasonably complex software has bugs.

But IE 7 on Vista (with Protected Mode) is probably the safest way to browse the web. There has not been a SINGLE exploit that can target a user using IE 7/Protected Mode.

Reply

Julio Biason November 14, 2007 at 4:24 am

I was thinking: to know what to do with a JAR file, Firefox needs the Java plugin; without it, Firefox would show you the options to select an application to open it or save it to disk.

So… isn’t it a Java security flaw instead?

Reply

donnie November 14, 2007 at 4:32 am

thilak, did i read the same article as you? how is the problem not with firefox? what does this have to do with ie? from what i read, it seems there is indeed a problem with firefox and mentions nothing about ie.

Reply

shortshire November 14, 2007 at 4:46 am

There will always be bugs for open source products, but with the bugs come a giant community of people to willing to fix it. The firefox community has a massive amount of developers creating new apps for it all the time. IE has more bugs than any browser, phishing sites exploit these flaws because IE is the default browser in Windows.

Reply

Karthik Kastury November 14, 2007 at 5:00 am

Yes indeed the problem is with Firefox. Regarding the security of IE, there is nothing much to say, we all know how secure it is don’t we!

The problem with Firefox is that is Open Source. It’s both a boon as well as a bane for Mozilla. By being OpenSource its got a huge population of developers who are ready to fix anything that pops up, but at the same time not the safest code is produced during development.

I hope Mozilla fixes this bug as soon as possible, because this is quite serious.

Reply

Steven November 14, 2007 at 5:28 am

“It’s not a bug; it’s a feature.”

Anyways, everything has bugs. It seems people have hopped on the latest bandwagon of hating anything Microsoft puts out. The original reason for hating Microsoft is its corruption and business ethics, not the security flaws.

That’s not the topic here, though. Mozilla Firefox, as well ripped off as it is by Microsoft, has become a popular web browser, which means it’s going to be a target for crackers. Windows is a target, not because it’s easy, but because the majority of people use Windows. It would be just as easy to build viruses and exploits for Linux (trust me, it is), but not as many people use it.

Since Firefox has become a popular browser, and thus a target, in my opinion, they should remove the open source platform and only let legitimate people make bug fixes. Of course, that will cut down the amount of updates and what-not, but it will also make it take a little bit more time to find exploits.

Don’t get me wrong, I support open source all the way, but it is a security risk, and a security risk from hell with that. Besides, from what I read, it’s generally the user downloading something they’re not supposed to, are activating a control for an unknown or untrustworthy source, so in actuality, it’s their fault.

Consider these the ramblings of an incoherent game designer, though.

Reply

Z@CK THINKS HE KNOWS November 14, 2007 at 5:41 am

Zack, you obviously know nothing about Microsoft’s legacy of completely ignoring security exploits.

He may be complaining in the wrong forum about it but if you’re going to call him out on it at least be RIGHT. XD

Reply

MrX_TLO November 14, 2007 at 6:08 am

Java is crap. It’s not portable and it’s not secure. It’s slow and eats all our RAM.

Reply

Steve November 14, 2007 at 6:09 am

“”"This exploit was known to Mozilla for quite sometime and hasn���t still patched it. Given that this vulnerability affects both Google and Firefox lets see who gets this patched first.”"”"

It may be fixed very soon as https://bugzilla.mozilla.org/show_bug.cgi?id=403331#c18 is patched on the mozilla1.8 branch (<behind Firefox 2.0.0.*) as Bug 369814 depended on 403331.

Reply

UncleBoogie November 14, 2007 at 6:09 am

Surely having Java turned off would work as protection as well? (Since I’ve yet to find one decent use for Java, and fortunately my bank doesn’t use it.)

Reply

Jesse McNelis November 14, 2007 at 7:10 am

The problem sounds like it’s a problem with how firefox handles plugins.
i.e the Java plugin.
I imagine it might be difficult to fix if it requires breaking support for all the existing plugins.

Reply

Spht November 14, 2007 at 7:57 am

But by default, NoScript allows scripts to be executed from Google …

Reply

bruckwine November 14, 2007 at 8:31 am

damn… *goes off to install NoScript*

Reply

BillIsGay November 14, 2007 at 9:35 am

Just don’t download anything God Damit!!!!! and make sure don’t let firefox unzip anything that you have downloaded. Plus uninstall those addons and use firefox like any other web browser.

Reply

Myztry November 14, 2007 at 2:04 pm

Nothing compares to that spit dribbling certifiably insane Microsoft idea of allowing ActiveX code to run based on a yes/no/install response.
Since the hijacking of the Browser market, developers have been required to implement stupid ill-conceived functionality in the name of compatibility.
Microsoft has been a leader in the same manner as George Bush. There’s just no distinguishing them from the enemy.

Reply

Francesco Vaj November 14, 2007 at 2:25 pm

there is definite trend right now toward relaxing browser and dom security restrictions

it’s called web 2.0

soon hacker will be able to change one little image or embed on one little website and this will lead to thousands of client users with widgets on their desktop or phone that subscribe to feeds of feeds of feeds of widgets of scrapes of feeds of mirrors of a repost of that image on a social networking site post in a completely unrelated news article where the top commenter of the story uses the altered image/link as his avatar having the entire content of their gmail yahoo live ebay warcraft and digg accounts forwarded to a single hacker email address.

can you understand hacking in 2007? we can: http://xssworm.com

Reply

Kevitivity November 14, 2007 at 4:36 pm

Karthik Kastury said “The problem with Firefox is that is Open Source. It���s both a boon as well as a bane for Mozilla. By being OpenSource its got a huge population of developers who are ready to fix anything that pops up, but at the same time not the safest code is produced during development.”

So Open Source software is less secure? I starting to seriously question this blog as this is a statement of pure stupidity.

Reply

Dave Nofmeister November 15, 2007 at 12:54 am

First, I wanted to say THANKS for the heads up on Firefox!

Also, I don’t see what the big debate is. All programs will have security holes at some point. All Firefox has to do is to work on having the best browser out there!

Reply

Steve November 16, 2007 at 2:13 am

“”"”Steve

������”This exploit was known to Mozilla for quite sometime and hasn���t still patched it. Given that this vulnerability affects both Google and Firefox lets see who gets this patched first.���”���”

It may be fixed very soon as https://bugzilla.mozilla.org/show_bug.cgi?id=403331#c18 is patched on the mozilla1.8 branch (<behind Firefox 2.0.0.*) as Bug 369814 depended on 403331.”"”"

Bug 369814 is now marked fixed so Firefox 2.0.0.10 will have the fix.

Reply

DeusExVerra November 30, 2007 at 10:47 am

Fixed in Firefox 2.0.0.10:
“MFSA 2007-37 jar: URI scheme XSS hazard”
(among other things)

No longer an issue apparently. This sounds more like a fault of Java/User ignorance or carelessness than it does Mozilla if you ask me. I don’t see why Java is still in active development. From the perspective of a web developer and a net surfer, its a waste. Eats ram, slow as hell, doesn’t perform any real task that can’t be accomplished without it (and it can usually be accomplished FASTER without Java). And then there’s all the JRE’s and crap that take up disk space.

Such a waste. NoScript, Adblock, and the All-in-One Sidebar are definitely the best FFox Extensions out there. (Ffox Extension Backup and IeTab also deserve mention). NoScript is a bit of pain to set up at first, but after you’ve established a decent “whitelist” It’s painless :)

Reply

florist shop in singapore October 1, 2012 at 3:12 pm

Terrific paintings! That is the type of information that should be shared across the web. Shame on the search engines for no longer positioning this submit upper! Come on over and visit my site . Thank you =)

Reply

Leave a Comment

{ 2 trackbacks }

Previous post:

Next post: