Another firefox vulnerability!

[iago]

__Summary

Using plugins like Flash and the -moz-opacity filter it is possible to display the about:config site in a hidden frame or a new window.

By making the user double-click at a specific screen position (e.g. using a DHTML game) you can silently toggle the status of boolean config parameters.

As long as the number of about:config parameters is unchanged (unlikely a casual user will change them) you can move the parameter you want to the specified screen position by using CSS.

You can also load about:config using the real player plugin and merged url events. See the real producer documentation for details and merge a command like "u 0:0:0:0.0 0:0:0:30.0 &&targetframe&&about:config"

__Proof-of-Concept

http://www.mikx.de/fireflashing/

__Status

The bug is marked as fixed in bugzilla. Get a nightly build, compile on your own or wait for Firefox 1.0.1.

2005-02-01 Vendor informed (bugzilla.mozilla.org #280664)
2005-02-01 Vendor confirmed bug
2005-02-04 Vendor fixed bug
2005-02-07 Public disclosure

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0232 to this issue.

__Affected Software

Tested with Firefox 1.0 and Mozilla 1.7.5

__Contact Informations

Michael Krax <mikx@mikx.de>
http://www.mikx.de/?p=10

mikx

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Again, fixed in 3 days

[Mythix]

<3 their dev team.

[Newby]

Read an article in Wired about Firefox.

"It took Microsoft six weeks to patch a vulnerability to a trojan; it took Mozilla 72 hours to identify, fix, and put out a patch for the same bug."

Something along those lines.

[MyndFyre]

Perhaps it might have something to do with a broad user base.......

Nah.......

[iago]

Internet Explorer has like 93% user base, so unless lower user base is better....

[MyndFyre]

Internet Explorer has like 93% user base, so unless lower user base is better....

Ok....  So, let's say FireFox has a 5% user base.  It then takes 3 days to fix a patch.
3 days x 18 = 54 days.  54 days / 7 days/wk = 7.71 weeks.

Assuming the breadth of market share that Microsoft has to cover grows proportionately to its user base, MS is actually beating FireFox, and that's assuming IE has 90% market share to FireFox's 5%.

In other words, MS has to make sure that IE works on a much broader range of systems than FF does.

[Quik]

I was editing about:config the other day to edit speed.

And Myndy, I bet the amount of IE users who update their system and actually get the vulnerability updates is less then the amount of Mozilla users (who update their system, since all Firefox users know how to correctly use a computer. You can't say that for all IE users, however )

[MyndFyre]

I was editing about:config the other day to edit speed.

And Myndy, I bet the amount of IE users who update their system and actually get the vulnerability updates is less then the amount of Mozilla users (who update their system, since all Firefox users know how to correctly use a computer. You can't say that for all IE users, however )

As a percentage, probably.  As an absolute number, I doubt it; generally, more than 5% of the population running IE know how to operate the computer.  At least a significant number are entirely business-oriented, and the users don't need to worry about updating it themselves, as their IT departments will do it for them.

[iago]

Internet Explorer has like 93% user base, so unless lower user base is better....

That makes no sense.  But let's go the other way:

Ok....  So, let's say FireFox has a 5% user base.  It then takes 3 days to fix a patch.
3 days x 18 = 54 days.  54 days / 7 days/wk = 7.71 weeks.

Assuming the breadth of market share that Microsoft has to cover grows proportionately to its user base, MS is actually beating FireFox, and that's assuming IE has 90% market share to FireFox's 5%.

In other words, MS has to make sure that IE works on a much broader range of systems than FF does.

That makes no sense.  Let's try a different calculation. 

Firefox has a 5% user base.  Approximately 1% of users get exploited per day, for 5 days.  5% of 5% is small.
IE has a 95% user base.  Approximately 1% of users get exploited per day, for 54 days.  That's a hell of a lot of exploits.

It seems to me that the higher user base you have, the faster you should be getting patches out.

[MyndFyre]

Internet Explorer has like 93% user base, so unless lower user base is better....

That makes no sense.  But let's go the other way:

Ok....  So, let's say FireFox has a 5% user base.  It then takes 3 days to fix a patch.
3 days x 18 = 54 days.  54 days / 7 days/wk = 7.71 weeks.

Assuming the breadth of market share that Microsoft has to cover grows proportionately to its user base, MS is actually beating FireFox, and that's assuming IE has 90% market share to FireFox's 5%.

In other words, MS has to make sure that IE works on a much broader range of systems than FF does.

That makes no sense.  Let's try a different calculation.  

Firefox has a 5% user base.  Approximately 1% of users get exploited per day, for 5 days.  5% of 5% is small.
IE has a 95% user base.  Approximately 1% of users get exploited per day, for 54 days.  That's a hell of a lot of exploits.

It seems to me that the higher user base you have, the faster you should be getting patches out.

You're missing my point.  What I'm saying is that because IE has a potentially much more broad range of systems on which it must run, with varied configurations, it must go through more significant QA checks.

I understand what you're saying, that they need to get patches out because a lot of the population is vulnerable.  My point is, because they're targetting more users, they need to put the product through significantly more thorough quality assurance.

[iago]

My point is that user base shouldn't affect patch time.  If you can agree with both my and your points, then they should be trying to get the patch out faster and slower, which doesn't make sense.  I don't see any way out of that contradiction, except to say that patch time shouldn't be affected by user base.