New Firefox flaw endangers user security

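Keywords: Firefox, flaw, vulnerability
Security researchers warn that a security vulnerability exists in all versions of the Firefox browser. By exploiting it, an attacker can silently execute arbitrary code on a victim's computer. No patch is available at present.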

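In an interview via instant messaging late Thursday, security researcher Tom Ferris said that Firefox has a flaw in the way it handles overly long web link addresses that contain dashes, and that this flaw gives rise to the security problem.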

He posted a security advisory, together with proof-of-concept information, to the Full Disclosure security mailing list and to his own Security Protocols website.

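Ferris said this is a buffer overflow flaw that "allows an attacker to run arbitrary code remotely on a victim's computer." He said an attacker could embed malicious code in a website, and once a user visits the page in question, the computer could be compromised. Ferris's proof-of-concept code currently only crashes Firefox, but he said that with slight adjustments to the code it can execute code remotely.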

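Buffer overflows are a commonly used way of exploiting security problems. An overflow occurs when a program allows data to be written to memory beyond a pre-allocated buffer. A malicious program can deliberately write large amounts of data beyond the designated buffer, and the computer often cannot stop such a program from running.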

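Ferris reported the issue to the Mozilla Foundation last Sunday, and he (had also) said he was willing to resolve it through Mozilla's bug-reporting system. But security researchers and software makers often fail to get along peacefully, and this time was no exception. After friction with Mozilla staff, Ferris decided in a fit of anger to disclose the vulnerability publicly.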

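Mozilla, which coordinates the development and release of Firefox, did not immediately comment on the product flaw. However, a person familiar with the matter said Mozilla acknowledged that Ferris had indeed reported product flaws through its bug system several times, including the issue found this time.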

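Since Firefox debuted last November, the number of people using this open-source browser has risen steadily. Firefox's selling point is its claim to be more secure than Microsoft's IE browser, while IE, because of its many security incidents, has seen its market share decline for the first time in recent years.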

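However, Firefox itself has also run into quite a few security problems. Security holes have been patched many times since the product's official release, and security experts point out that a so-called secure browser simply does not exist.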

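The disclosure of this vulnerability comes just after Mozilla released the Firefox 1.5 beta. According to the Firefox schedule, the next upgrade will not be released until before the end of the year, at which point the product's security will be improved.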

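Ferris has previously found a number of problems in Microsoft products as well. One of them involves IE; Microsoft is still investigating it and has not yet fixed it.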

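Earlier this month, Microsoft credited Ferris with discovering a security vulnerability in RDP (Remote Desktop Protocol) in Windows. The vulnerability allows an attacker to remotely restart Windows systems.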

Original text:

September 9, 2005
Joris Evers, Staff Writer, CNET News.com

A new, unpatched flaw that affects all versions of Firefox could let attackers surreptitiously run malicious code on users’ PCs, a security researcher has warned.

The problem lies in the way Firefox handles Web links that are overly long and contain dashes, security researcher Tom Ferris said in an interview via instant messaging late Thursday.

He posted an advisory and a proof of concept to the Full Disclosure security mailing list and to his Security Protocols Web site.

The security vulnerability is a buffer overflow flaw that “allows for an attacker to remotely execute arbitrary code” on a vulnerable PC, Ferris said. An attacker could host a Web site containing the malicious code to exploit the flaw, he said. Though his proof of concept only crashes Firefox, Ferris claims he has been able to tweak it to run code.

Buffer overflows are a commonly exploited security problem. They occur when a program allows data to be written beyond the allocated end of a buffer in memory. A computer can be made to execute potentially malicious code by feeding in extra data that is designed to flood the buffer.

Ferris reported the bug to the Mozilla Foundation on Sunday, intending to go through the organization’s bug-reporting process, he said. However, in an example of the uneasy alliance between security researchers and software makers, he decided to publicly disclose the flaw after a run-in with Mozilla staff, he said.

Mozilla, which coordinates development of Firefox and distributes the software, could not immediately comment on the flaw disclosure. However, a source close to the organization confirmed that Ferris had filed several bug reports, including this specific one.

Since the debut of Firefox 1.0 in November, usage of the open-source browser has grown. Security has been a main selling point for Firefox over Microsoft’s Internet Explorer, which has begun to see its market share dip slightly–for the first time in years.

However, Firefox has had its own security woes. Several serious holes in the browser have been plugged since its official release, and experts have said that safe Web browsers don’t exist.

The public bug disclosure comes just as Mozilla released the first beta of Firefox 1.5. The final release of the next Firefox update, which includes security enhancements, is due by year’s end, according to the Firefox road map.

Ferris has found bugs in Microsoft software before, including a yet-unpatched flaw in Internet Explorer that Microsoft still has under investigation.

Earlier this month Microsoft credited Ferris with reporting a bug in a Windows feature called Remote Desktop Protocol that could allow an attacker to remotely restart Windows systems.
