Comments on: Nobel Peace Prize Site Serves Firefox 0day

By: Joshua

Joshua — Fri, 29 Oct 2010 19:15:04 +0000

I’d have to see some proof before I agreed it was the most vulnerable. But the fact that it is open source has MANY advantages over closed source proprietary code. For one, they shipped a patch in LESS THAN 3 DAYS!!! Find me closed source software that will patch a major vulnerability that quick…yeah, you won’t. Second, since it is open source many add-on’s can be created to help mitigate future vulnerabilities or other dangerous actions encounterd while using your browser. Again, won’t see that with IE. The reason why you see FireFox pop up is due to popularity. People don’t want to use IE anymore, Chrome is still too new and Safari and Opera just don’t have the user base (yet) to worry about. The other reason you don’t hear of IE much anymore, is because they are now using Java/Adobe as infection methods instead and/or the tards are still using unsupported IE 6. If you ever want to see how out out of date peoples computers are, check out some of the malware removal forums like http://forums.techguy.org/54-virus-other-malware-removal/ or Bleeping Computer on Brian’s blog roll. Open source son, open source. I’d rather have the whole world on my side than rely on a few hundred/thousand coders at individual companies all competing against each other. Open source = passion, the rest is a paycheck.

By: Martin Dombrowski

Martin Dombrowski — Fri, 29 Oct 2010 08:47:50 +0000

First Handlers for other Applications like the German Social Networks under following link:

http://stacksmashing.net/2010/10/27/firesheep-handler-for-schuelervz-studivz-and-meinvz/

By: diocyde

diocyde — Fri, 29 Oct 2010 00:28:25 +0000

Just so you know, the Firefox 0-day and the Flash 0-day are both launched by the same chinese cyber operators that have burned approximately 10-15 0-days in the past 2 years targeting the Western world will all manner of targeted attacks. It is about time A message be sent that this actively will not go unanswered and their will be consequences. The domains and malware on both attacks are the same that have been launched against highly targeted interests a number of times in the past. If you would like to challenge my assumptions, go for it, at the end of the day you just might leave with your jaw on the floor.

I repeat, these two attacks are linked. The only thing thats interesting is the fact that they needed to burn so many in such a limited time span. Of course there is a China angle, They are hella pissed over the Nobel award to a dissenter. They wage aggressive cyber operations against dissenters in their country and outside of their country.

From an opsec and sloppieness perspective they are just dam horrible, they should be ashamed of their tradecraft. Silly Dragon. 0-days are for ninjas.

-Diocyde diocyde.wordpress.com

By: Jonathon

Jonathon — Wed, 27 Oct 2010 21:31:37 +0000

I should have been clear that I’m not including Firefox’s NoScript, which I consider the ultimate tool for browsing security. However, in my experience as an admin most of your average users just don’t want/don’t know how to mess with NoScript. They often just end up allowing scripts globally or just “allow all this site” for every site they want to view correctly (My wife does this, and I come in after her and revoke all the permissions she allows).

I maintain that without NoScript, I believe Firefox is now the most vulnerable browser. Open Source is great, but when the closed source megacorps (Microsoft/Google) get serious, Open Source doesn’t stand a chance.

By: Greg

Greg — Wed, 27 Oct 2010 18:30:49 +0000

The Chinese hypothesis is interesting.

I’m no expert on the great Firewall, but I believe it can be bypassed by VPNs and perhaps in other ways. That’s a concession the China makes to foreign businesses that need confidentiality.

Sophisticated Chinese can bypass the Firewall in similar ways, but most Chinese won’t have access. So, this might make sense for the PRC, but that doesn’t rule out other sources.

By: Joshua

Joshua — Wed, 27 Oct 2010 15:31:41 +0000

@Jonathan–ALL software has vulnerablities. Their isn’t a software program that can’t be exploited if given enough time, attention and oppurtunity. It just so happens that Firefox is extremely popular, so in lies the incentive.

By: LonerVamp

LonerVamp — Wed, 27 Oct 2010 15:22:39 +0000

@Brian: Thanks for posting the update. I hadn’t really heard much discussion yet on the Firefox 0day, which I find more interesting than yet another trojan payload. (Albeit, an interesting one that kicks back a shell.)

@target demographics: The sorts of people who visit the Nobel site are probably of a certain crust in society, or at least in general. If you can open shells to those people, chances are you’re going to gain a foothold into some interesting places that work on very interesting things… I doubt they much care about John Doe farmer in Nebraska checking out the prize-winners from his home connection.

Theorizing about XP is worthwhile, but it may be the exploit-writer was only successful against XP and not newer versions. This wouldn’t be uncommon when attacking memory space.

By: LonerVamp

LonerVamp — Wed, 27 Oct 2010 15:15:06 +0000

What makes you claim that Firefox is the most vulnerable?

What makes you think Chrome or IE are better?

Are you including addons/functionality like NoScript that improves the security?

By: Jonathon

Jonathon — Wed, 27 Oct 2010 13:26:08 +0000

I loved Firefox, but I’m afraid it’s heyday is over. We need to accept that right now Firefox is the most vulnerable of the top three. If it wasn’t, the hackers surely would have been more effective exploiting an IE vulnerability.

By: Christopher Kunz

Christopher Kunz — Wed, 27 Oct 2010 07:18:21 +0000

I, too, wonder about the target demographic. It seems that the exploit “naturally” limits it to XP-family OSes, which still seems to be a large chunk, especially in piracy-heavy regions.

However, one more thing hints at an targetted attack IMHO: It would seem that this is not your average botnet herder increasing the size of their flock – seeing that all the exploit binary purportedly does is open a connect-back shell. This would be very unusual for a botnet payload, wouldn’t it?