Don’t panic.

Bürger-CERT (“Germany’s official cyber-security response team”) is warning users against using Firefox until version 3.6.2 (scheduled for March 30th) is out, on the assumption that Secunia SA38608 must be treated as a 0-day threat, but:

  1. There’s no evidence of this vulnerability being exploited in the wild, even though paying customers of the VulnDisco security product have had access to a working exploit since February 1st.
  2. A patched Firefox release candidate is already available, so if you’re really scared or impatient you can get it here.
  3. As almost always happens, NoScript* has been protecting its users since day 0, keeping its promise to prevent exploitation of security vulnerabilities (known and not yet known!).

* in its default configuration, and even better in its full content blocking mode.

Update 2010-03-23

Meanwhile, Mozilla went to the trouble of bringing Firefox 3.6.2 forward by a whole week for the greater good, so if you haven’t seen the “Available update” message yet, just use Help|Check for updates now.

Now that the vulnerability details are no longer embargoed, I can add that exploitation required the browser to load a specially crafted web font: the attacker’s page only has to reference the font from a stylesheet, and the browser fetches and parses it without any user interaction. The relevant NoScript feature protecting against this is NoScript Options|Embeddings|Forbid @font-face, which is checked by default, so the font is never downloaded from untrusted sites in the first place.
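The post explains that a web page can feed an arbitrary font file to the browser’s font parser, and the comments below note that those parsers predate the “fonts as a remote attack vector” mindset. As an added illustration (not code from this post, from NoScript or from Mozilla), the following Python script shows the kind of format-level check a defensive font loader should run before handing bytes to a legacy parser: it validates the table directory of an sfnt container (the TrueType/OpenType layout used by web fonts) in unbounded integer arithmetic, beside a model of the 32-bit bounds check a trusting parser typically has. The sample font is constructed in the script and is not a usable font; `build_font`, `check_font_directory`, `naive_accepts` and `font_is_safe` are hypothetical names chosen for the example, and the crafted record only models a generic offset/length wrap, not the specific Firefox bug.

```python
import struct

# sfnt container layout (TrueType/OpenType): a 12-byte offset table, then
# numTables 16-byte table records, then the tables themselves. Big-endian.
OFFSET_TABLE = struct.Struct(">IHHHH")  # sfntVersion, numTables, searchRange, entrySelector, rangeShift
TABLE_RECORD = struct.Struct(">4sIII")  # tag, checkSum, offset, length
SFNT_VERSIONS = {0x00010000, 0x4F54544F, 0x74727565}  # TrueType 1.0, 'OTTO' (CFF), 'true' (Apple)


class FontRejected(ValueError):
    """Raised when the table directory would send a trusting parser out of bounds."""


def check_font_directory(data: bytes) -> dict:
    """Return {tag: (offset, length)} if every table lies inside `data`, else raise FontRejected.

    All arithmetic is done in unbounded Python ints, so a record whose
    offset + length wraps past 2**32 cannot slip past the file-size comparison."""
    size = len(data)
    if size < OFFSET_TABLE.size:
        raise FontRejected("shorter than the sfnt offset table")
    version, num_tables, _, _, _ = OFFSET_TABLE.unpack_from(data, 0)
    if version not in SFNT_VERSIONS:
        raise FontRejected("unknown sfnt version 0x%08x" % version)
    dir_end = OFFSET_TABLE.size + num_tables * TABLE_RECORD.size
    if num_tables == 0 or dir_end > size:
        raise FontRejected("%d table records do not fit in %d bytes" % (num_tables, size))
    tables = {}
    for i in range(num_tables):
        tag, _checksum, offset, length = TABLE_RECORD.unpack_from(
            data, OFFSET_TABLE.size + i * TABLE_RECORD.size)
        name = tag.decode("latin-1")
        if name in tables:
            raise FontRejected("duplicate table %r" % name)
        # a table must start after the directory and end inside the file
        if offset < dir_end or offset + length > size:
            raise FontRejected("table %r: offset %d + length %d leaves the %d-byte file"
                               % (name, offset, length, size))
        tables[name] = (offset, length)
    return tables


def font_is_safe(data: bytes) -> bool:
    """Boolean wrapper around check_font_directory for callers that only need accept/reject."""
    try:
        check_font_directory(data)
        return True
    except FontRejected:
        return False


def naive_accepts(data: bytes) -> bool:
    """Model of a legacy parser's bounds check: uint32 math, so offset + length can wrap."""
    size = len(data)
    _, num_tables, _, _, _ = OFFSET_TABLE.unpack_from(data, 0)
    for i in range(num_tables):
        _, _, offset, length = TABLE_RECORD.unpack_from(data, OFFSET_TABLE.size + i * TABLE_RECORD.size)
        if (offset + length) & 0xFFFFFFFF > size:  # wraps exactly like a uint32 'end' variable
            return False
    return True


def build_font(tables, tamper=None) -> bytes:
    """Assemble a minimal sfnt container from {tag: payload} (constructed test data, not a usable font).

    `tamper`, if given, is applied to each (tag, offset, length) record before it is
    written, which is how the crafted variant below is produced."""
    num = len(tables)
    cursor = OFFSET_TABLE.size + num * TABLE_RECORD.size
    records, body = [], b""
    for tag, payload in tables.items():
        records.append((tag, cursor, len(payload)))
        padded = payload + b"\0" * (-len(payload) % 4)  # tables are long-aligned
        body += padded
        cursor += len(padded)
    if tamper:
        records = [tamper(r) for r in records]
    out = OFFSET_TABLE.pack(0x00010000, num, 0, 0, 0)  # search fields left 0: unused by the checks
    for tag, offset, length in records:
        out += TABLE_RECORD.pack(tag.encode("latin-1"), 0, offset, length)
    return out + body


# constructed sample: two tables whose contents are irrelevant to the directory checks
SAMPLE_TABLES = {"head": b"\0" * 54, "glyf": b"\x01" * 10}


def wrap_glyf_length(record):
    """Crafted record: a length chosen so that offset + length wraps to a small uint32."""
    tag, offset, length = record
    return (tag, offset, 0xFFFFFFF0) if tag == "glyf" else record


def demo() -> dict:
    benign = build_font(SAMPLE_TABLES)
    crafted = build_font(SAMPLE_TABLES, tamper=wrap_glyf_length)
    return {
        "benign_strict": font_is_safe(benign),    # True
        "benign_naive": naive_accepts(benign),    # True
        "crafted_naive": naive_accepts(crafted),  # True: the wrap hides the overflow
        "crafted_strict": font_is_safe(crafted),  # False: rejected before any table is read
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The point of the pair is the last two lines of `demo()`: the same crafted record passes a check written in 32-bit arithmetic and fails one that compares against the real file size, which is the difference between a parser that trusts its input and one that was written knowing any web page can feed it.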

8 Responses to “Firefox 3.6’s “0-Day” and You”

  1. #1 Social networkers scared of scam as identity theft hits Russian sites | SocialDaily.info says:

    […] hackademix.net » Firefox 3.6’s "0-Day" and You […]

  2. #2 Faust says:

    So I assume from #3 that this exploit involves Java? Haven’t yet seen that confirmed.

  3. #3 Giorgio says:

    @Faust:
    No, it is not Java-related, but don’t forget that the “embeddings” blocked by NoScript are not limited to Java :)

    Anyway, having analyzed the bug in question before making that statement, I can confirm that my statement about NoScript protection is correct.

    Edit 2010-03-23
    Now that details are not embargoed anymore, I can tell you that exploitation required the browser to download a specially crafted web font. The relevant (default) NoScript setting against this is NoScript Options|Embeddings|Forbid @font-face.

  4. #4 How do I manually rid my computer of malware and spyware that hijacks my internet browser? | Malware Bouncer | Malware Bites says:

    […] hackademix.net » Firefox 3.6’s “0-Day” and You […]

  5. #5 BC says:

    What was the original reasoning for blocking embedded fonts?

  6. #6 Giorgio says:

    @BC:
    Exactly this kind of scenario.
    Current font parsers are rather old, and have been implemented without the “fonts as a possible remote attack vector” mindset.
    Now that any web page can feed them, fonts are much more dangerous than simple images (which still, from time to time, suffer from codec bugs) and at least as dangerous as generic plugin content.

  7. #7 Twitter Trackbacks for hackademix.net » Firefox 3.6's "0-Day" and You [hackademix.net] on Topsy.com says:

    […] hackademix.net » Firefox 3.6’s "0-Day" and You hackademix.net/2010/03/22/firefox-36s-0-day-and-you […]

  8. #8 hackademix.net » Why NoScript Blocks Web Fonts says:

    […] Firefox 3.6’s “0-Day” and You 24 03 2010 […]
