Zero day exploit hits Firefox 3.6

[noaccount]

No patch available for the time being, read news here
http://www.downloadsquad.com/2010/02/20/first-zero-day-exploit-hits-firefox-3-6/

Secunia rates it highly critical

The vulnerability is caused due to an unspecified error and can be exploited to execute arbitrary code.
The vulnerability is reported in version 3.6. Other versions may also be affected.

http://secunia.com/advisories/38608/

Assessment: Not secure for browsing, minimum 1 critical attack vector exists when using this browser

eek tado posted this one before me...
http://forum.raymond.cc/spyware-viruses/18259-zero-day-vulnerability-in-firefox.html

[Gabethebabe]

In majorgeeks they are stating that IE8 is now safer than FF.

I suppose this is not the case if you have NoScript addon.

[Kees]

Sorry for the FF fanboys.

[shan]

unlike MS which only release security updates every month if i remeber Mozilla gives it out quikly!! and they havent made any offical statments right ??

[noaccount]

In majorgeeks they are stating that IE8 is now safer than FF.

I suppose this is not the case if you have NoScript addon.

Secunia says the same their assesment is made without ANY addons.

@shan
yes u are right but this is more than bloggers chat...

[evilfantasy]

Looks like whoever reported this isn't exactly backing up their claims.

Secunia Advisory SA38608

Mozilla is aware of the claim of a zero-day in Firefox as posted here: http://secunia.com/advisories/38608/. We cannot confirm the report as we have received no details regarding the reported vulnerability, such as a proof-of-concept or steps to reproduce. We’ve attempted to contact the researcher who discovered the issue but have not received a response.

[noaccount]

[message stands] im wondering

secunia, did you test it yourself?

[evilfantasy]

In majorgeeks they are stating that IE8 is now safer than FF.

Yep. As described here. How to Protect yourself from malware!

We are doing malware removal on just as many or more infected computers where Firefox is the main browser so it's time to stop saying FF is more secure then IE.

7) Install a backup browser just incase you run into problems with Internet Explorer

Some malware can affect your browser's ability to connect to the internet. Since Internet Explorer is the built-in default browser for Windows, most people still have and use it. Thus it is the most likely candidate for being attacked by malware. At the current time ( Jan 2010 ), Internet Explorer is actually more secure than FireFox, Chrome, Opera and Safari. And IE8 does a better job at blocking malware too. In the past, people used to say "use Firefox, it's safer", this is not the case anymore since Firefox's popularity grew and it is frequent cause of malware problems now. In addition, recent reports show Firefox to have a greater number of security holes than IE.

But remember. In the end safety starts with you. No browser can block stupidity.

evilfantasy - MajorGeeks Malware Fighter

[leofelix]

Hi thank you.
I'm not worried at all.
First because we will get a FF update soon as usual, secondly because no exploit is on the wild (except for the one claimed by people who discovered this vulnerability), third because I use "no script" by Giorgio Maone

[noaccount]

thx guys, i do as you do leofelix (not exactly same apps) but same layered defense, i like no script well.

have you seen the original advisory thread?
https://forum.immunityinc.com/board/thread/1161/vulndisco-9-0/
feedback stopped +- 1 month ago after a user question its validity

Hello,
I've bought VulnDisco 9.0 and tested the FireFox 0-day-exploit.
It did NOT (!!!) work with FireFox 3.6 and 3.5.8 at WindowsXP SP3 and at WindowsVista SP2.
[Honestly I think that exploit is just a hoax, an good advertisment trick - Secunia (http://secunia.com/advisories/38608/) believed it without testing it by themselves]

Still, it contains some other interesting exploits for other programs, but I have not tested them so far.

kind regards,
Mario

several other undisclosed 0day vulnerabilities (not only for FF) seem to be available here
http://zerodayinitiative.com/advisories/upcoming/