Alerts

0-Day Bug in Firefox 3.5 & 3.6 – Update Now!

A 0-day security flaw has been making its rounds for the past two days. While we usually warn users about this type of incidents, we decided to keep the information as private as possible, as the no vendor patch was available at the moment.

The flaw was detected on October 26th, when a number of compromised websites have started to plant malware on users’ computers after visiting a specially-crafted webpage. The exploit code was written in JavaScript and was uploaded on http://l-3com.[removed]-work.com/admissions/admin.php. Some high-profile websites, including the Nobel Prize webpage, were compromised by iFrame injections which led the users towards the exploit.

This specially-crafted JavaScript file includes distinct payloads for Firefox versions ranging from 3.6.8 to 3.6.11, which trigger a use-after-free error, which means that the code will try to use a portion of the memory after it has been freed.  This technique, although not revolutionary, has also been used in the IE8 Exploit in January, commonly known as Operation Aurora.

As the malicious page is visited, the JavaScript code checks both the operating system and the browser version and populates a specific area of the memory with two distinct payloads.

The former differs from one version of the browser to another and is aimed at triggering the exception in the browser, while the latter is identical for every version of the navigator and will execute the malicious file. If the user reaches the compromised page using a different browser or a Firefox version that is not vulnerable, the script will redirect the user to an about:blank page.

Successful exploitation will download a file called svchost.txt, an infected binary file that will be subsequently renamed as svchost.exe and executed on the victim computer. This specific piece of malware is detected as Backdoor.Belmoo.A, and allows a remote attacker to take control over the infected system.

BitDefender users have been protected since the emergence of the new exploit (detected as Exploit.CVE-2010-3765.A), which means that the antivirus blocks access to the malformed web page before it gets to execute any code.

Firefox has also issued an update from 3.6.11 to 3.6.12 which is no longer vulnerable to this type of exploit. In order to stay safe, you are advised to update your browser and your local antivirus solution.

Technical analysis of the exploit file available courtesy of BitDefender Malware Researcher Octav Minea.

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.