|
|
|
Flash! Firefox No Longer an Automatic Defense Against Browser Drive-Bys
By: Larry Seltzer
2008-11-18
Article Rating:  / 13
There are 10 user comments on this Network Security & Hardware story.
Flash! Firefox No Longer an Automatic Defense Against Browser Drive-Bys (
Page 1 of 2 ) Security exploits still target browser vulnerabilities, but attacks on browser plug-ins and vulnerable third-party controls such as Flash and Acrobat are becoming more common. That means Firefox users need to be as cautious as users of Internet Explorer.The playing field for drive-by exploits through Web browsers appears to be
evening these days, thanks to the rise of exploits through third-party
controls. The chances of Firefox users being exploited are a lot better than
they used to be. This is especially true on Windows Vista.
The latest
Microsoft Security Intelligence Report states, and I believe it based on
what I've seen on my own and through other vendors, that exploits through
third-party controls are the big thing now, saying, "more than 90 percent
of vulnerabilities disclosed in 1H08 affected applications, rather than
operating systems." Two more interesting and relevant quotes:
- For browser-based attacks on
Windows XP-based machines, Microsoft vulnerabilities accounted for 42
percent of the total. On Windows Vista-based machines, however, the
proportion of vulnerabilities attacked in Microsoft software was much
smaller, accounting for just 6 percent of the total.
- Microsoft software accounted
for 5 of the top 10 browser-based vulnerabilities attacked on computers
running Windows XP in 1H08, compared to zero of the top 10 on computers
running Windows Vista.
So Windows and Internet Explorer are a declining factor in
the exploitation of users through browsers on XP, and only a very small factor
on Vista.
What's filling in the non-Microsoft percentage? Third-party apps, with Adobe
Flash as the most important example. There are others, including Acrobat, but
Flash exploits, in the form of malicious SWF files, are very common now. Some
of them are as simple as redirects to a malicious site that tries to do other
things or just to sell you rogue software, but some are full-out buffer
overflows in Flash.
It's this latter type of exploit that is especially interesting. As a
general rule, a buffer overflow in the Flash ActiveX control for IE should work
as well in the Flash plug-in for Firefox. It's all Adobe code being compromised.
It needs to be said here that the most important thing you can do to protect
yourself against these attacks is to be aggressive about applying patches for
important third-party controls, like Flash and Acrobat. Adobe has gotten much
better about bringing out updates and the latest generations of these products
also employ mitigations like DEP and ASLR to fight exploitation even if a
vulnerability is invoked. As with most other products, the people getting
exploited are those running old versions.
I asked a few experts for guidance on this and didn't get as specific an
answer as I had wanted. Do such exploits work as well in Firefox? Are Firefox
users being exploited through these attacks? I also asked Adobe, which didn't
respond.
The experts I talked to agreed that, as a general matter, an exploit for a
browser plug-in is as likely to work in one browser as another. In some cases
they would work "out of the box." In other cases there may need to be
some modifications for each environment.
Researcher Thor Larholm points out that
for the case where memory corruption occurs in an image rendering, you may need
to calculate heap offsets and partition the memory correctly before triggering
the exploit, but it's the same type of work for any browser; in the case of
Flash you can do it all in ActionScript. Does anyone do this work, or do they
just calculate the IE offsets and hard-code them into the exploit? No answers
from anyone; it could be done easily, we just don't know if it is being done.
 |
|
|
�������x}r8s;�iW1ŋKmiXTF((�ئH�IVO�� 7]hɗn9劲I�H�D"H|Ggg�D]ݴ1p͙M5��5|zg`HRsg>�-34
@oRQP
Ġ�x�wO7](� _h�
�oGx6S)};6�L(�|H�Bɤ:QħF�r ˺Y4�hm�Ea�jj�T+WQ�/[��,\hӏF}/sj_.;gW��B(֝[p
n+Va(.:^O._�ac#H� �oD��QR�"jt8M�Q�A�1qj�� �RMWJqߨP~y)ڡVR\FZV@`%�pbQUe�>Ϧe}}uI}|vti"|#9Ġj�PEb�+��2hZtܜ<_rt.O7=rڽ&'/v�I; �i
Og�f�*�=>扷k0��`k�`c��R^ٗG$�NWm2 1)H|S: Y��u'PZ,/�fRrZ~@X*��R*Y4C��! ,mdʱ�(�r�N��dޜ�>4C+D_0ND9�cf�I����2�3}� M���H�Uņ]`)exNS{4//_P�PAK/g
�5't*転(if1;A=f&�/�r.i"}��`o8y�"V뛹Ȇ4l=�j�G殖euJ�֖d]�;3E֏{ZVp�3n[�һ^tZ0, �
4SOC>56㤾F#<2h:m8�5�"�
47P}HOqI�$7X�(}Zc�_g6�/}�Ta�>֔�^탊�I$�>R7�ZЉ\?暠c
V�CB뎂:��{�ښB�"(QފС4�мa���q�j =�*v3`�=g��h{`����tև
*��SsfPB�<@x;?�+1
��D4|JIIL}NB4�"BQF�� �T� * g�#X"K@#'Gs [A�;�B/V+�\y"�*M'8ݱ;P+J�d&3,ЂW-KKJAfsf(4{~4�cbB$|#'&�Xr`Y
�\+|�)l
�6ri:<�Ҵ5=�Y�K9��ܺ<�,$-X� ɉ�*1C
IKw,O�f�wq=7߄w
w0aFiŬ9c�Ey�5>�du fN-���˘
\
�g?f0-���qڛX5V<ۢf|a* ,q[r�ׁ�fX8ȣ�=p
؇��&=A);m9��PMME�c7�˅L<�kV*H(AY3�b-y�3D�2筷
�V挧M21r@uOSj1�H1gPdz?;V@q=1S�WR�tZ�B+8E/4-{e]Z2+(V6/KƠR�/
B]+�Ҟ�
�rT%{��N-J�ƗjZ"��J:P6V�"X�Eɧ%&te2L�E:���pZ#�@Q�jrIj��h#��VhVK^Me+ �T��2�4
0o�p�"7`bBV1
OaNc�z6rAz{fl.>q��(*�l|R��7q��'�JiX�$l
M=t��&<�$��2.|N\��,/0s�gеSҝa|ia;m/�eKKXQ>Om��V ҇�D�D-0ڠ�,�E�=_OM�b^ z0iTW+JIU�Ө�cmLĽf��2��M۠R#|Ġ:lF֝9\QZ6-B.,g��
\�jpj
Z��Lp�sAqA0,]y�.|�T>�w�V�V0\�n�~��Qa˘;P}qAףm*IH�rIQ)�Mf"�9oLq3
�hȐ0ҁq�/S"58�z�x��@*�&�ODBZCNJ� �-�-UEN=)o
-��gq�0Z��K&� G�qӞ�rVyCfZa0K�y2kR^K?
aYj8Q�g7�#RFOX��5�w4�ڗ'8�Eo}�2�-sWe@o(��@gf-%WAg�שUXT8ᄑe��x�͘/�� 儩�̸T*i3B#�М�w�%
'�L-`Z>5{�Nۉ�{1w0v��\3���wkq�9\ EYۇ>Y}l@)�tdx8)ѡ,H���r]TՑnR
U�����4T#� ��>�vo��(f�f{B[�
`{I-~*O9-b����:smh�h<
QB|�|4F8b*�05�.�*zIeWs�AcoYr��Lj��B&:GdHC��+PaNT:YGw=܁c2P?[I(TZg7cUś]6U�{zn&R)j'�,Wzh�RW667/=/d��"9y�m2D8ZA1JM;E9Ȳ5(_c��1FnyuitRMeclE@<窦UR=mA�3�YSYdpó�f�DiϺZߺ}�
lO>=J��52>h=�Эt;Gq;XqLRB�7�:PU (�ō�πjNdž�2u}
��
�m_ۯ
`FOW�}Hlw\O�+no'WaO��n�W=R@�JR� Hǖ1�]�]2�Yјzֱ4�>�ʀkhG�2cdY�r�HU�u{\ e�w�2|��]��>�?/$RQr+Ձ�ƀ,OxV֪"m=,N
=X�Z=4H~��
z�t�I1p
Nu4 H}ʧR�DuQTܴ�JZV7
v\vOJ�9
^M
lZKqXKᴄkp��9
-4j=uR/̖rK%4e%3E/�.9@X<�y}�b��{lrK[\w\8̔=%8h5\-QDt@�j:��U)�U :.izIR0Ӂ:tGl~<ڊtĽ%h2)dnS==.[^Hp��&|͙���gJ�P5�]�Uj;_ 1�4!0\?=bH�P? ]�^*~
t:C�d�`| !A`#d1~m48�L6M�s�{�kd�ҝa�+vH[!�Rr_'kN,WZXKS!�m۪1�>#ɢj�k:MwV���
Bb-.�3w1ߐPVC� (ʡ�-`����`�VɈN5>�cϻ�4��VB�0B�įE,e$K�e=2�M|;i�w[(�6[�F_�ѫ�ٿ�y½�~YVST
�t6~O�K0fAb^+F+=ǭՓN:_H|�I�NN�*=os_,DCsF�(n2�x �A\d~i_��eԉ)%R�\
'���6l->;8��cd�Q�(S.�p�$-Zbe^nKlx0e�RȔ&=J8�z>RB&Դ5˓4-i^�Eqj�i�e�ʒ��~i'j' ۡX#�֛�].7G8
(O
kzsq�^^ҹuX<:Rp@D2��Cs:&�AB|Hy��mϣ�#:*VZZFZv*'?v�%hb&��yAH0�H�v倜�b}~"U߯Ilw;up=q"?h9#7:ŎNj��vʌW!�C`(
�v�,�مF�f5�W�3llyRеls2f�ucB�A095ѧ�| �3����AU ��J5
&��Om�0zc��l3ȢÈϥ̷rt`�?K.}:Ik�09jJH@2CwOH4b5zU@uWfOF��95C/�rBE}l(-h�Gt?v�Jw¶"CSq���:Q+`*
14�XH�!H�nm
X"2gNIJa'>��d�,F}�
x32T?.�!ziВ116onR;=Ӈ�4z%(�>Acq�U~(dR�n
.o]Z�tGq�B�1nV�x/I&)ϓE�L
@O�K4�{Y[B�QKwv�{Y!0�N
ئw=13�~�_�O}�rm�G��X�
?�*�4lo
azW`[ʅ=RH3�#@�*y�h�\]]s71&pRx666�y��) hTRwV`8�{ia3��⫆�~�@z'�FiOX��W+O2��QFD5=�9d` 50�Qtǔ]�(A-O,h .(RW�\'��x�6x�r3�v@M�X'R�aHz櫀}�p6~0Y&G_D2��ZfC-W*O�Ƴln�R5B{K�c W>3�ڷ7���ᄜЩn��'�zE3ut7$aXLvEUJ�ÂDG5�?1�f8�M�%
��|iN]^ 6��-]�ke�]6�;)�s�*,X'r]+pIٛ4@�͂�9pw_�`zFè
@(�N2^�# E �c �Q�
L*F�lu
l�e��{/eS_�e�ܫ:�&�&
�+6KD9J���B3+a>V�hj16ՏvZ�ۑ%�]r��n㊕wRSەZY𘢩LLty�g6Ry䪒?mA,
�*u\��n�JZ'�5'ǴR�>9iɱ�*һ<ӋpX膲���
,fF&�=O��1��.�Y��,ޢ猓�ʸ�\M�]U+7�g�Զ�c�xpmѤwx��?��ʞ@m:�=�ېx]ձ.םF]2{6w9%%Ռ��(6�eD+wi*ME"S� �
u��ԟXy��u.L��'TB��2x ϥ
q��H~<ރ) b`%WBX%�@-��;9TCj�3"[��iJ.)E�{�,5_�M�\wa@RUIOˡaiXU$��.fA�tߑZCw�Jݞ�eJZQs�D��Bx#��bm��q�aˮ7�ߔJ/GV�hMj;c\�˟lXr"ʈY���`m��.�#� ZIE��S."��(�L�==�Ž("�=�+ͧݞ0ʦY~)LY�wv=\9sC��A! ��7fTEZkIS�H5^/(L�d" c{H�[DT�N4=�&p�y(j>�Vٔj+/E0QJ⌃T8c�FɅ� [ 'LԔz?esh$�@hC�&�Eђ7Bsܯ) - |#VJf�04�gN]?*�FJVi=�S p��g�8_"7-!_�i��5Q T[ޔjk/s�wl0�f+�Ϧd9g
�(k|�YK�\"�9ܷy&n֨h>ܖԤX���[�O+ٽٽٽٽ_މlzyMW\T0jua>xAT��z`Jr^'WVw㣽�Al;̧Ra̽;�K-1�";Y8���/s H�"!��a�I��Id:M1Еԓ1|F
i�v_qxrh�cz�I� ��y6��e;'Ɉrqojeǚy�b%G�z(V䎤�>f@ї�J�BW:<ꉥވr>#�6�ʫ*+T ޔ# \3XS'm]�#~aϗ�;m8�7$x�pUbv u@91F���
�|"�H*kUmF}R�逨KDDPx"6ވx],F�|Q5_�چT�_\lݟԠ�M�D6LG>ԏc
MpH���g��?𞀈��uu7�vo�q��J�@�Ma'z�㊂-T.,^�bymyT�D cܶLm/u�mb\k�h̳Lg���/\MӘO"�M�,¢ofl~sGk]7AW+@Ю3g\4wM}3Ơe
xo
�2���ql%hsZ^njI�$H[&`'�H�k��6�bMs-�ؒ�'/X>Sb7���l��DYI%*6e�N3lnO3ep ϟ�]²�ĎJy0Ge %QY.xF]ݠі�v)磙ejl�Au�b)��}B�`37y(
��m;�j\�Uv& \�ħ�68wVy*_= ;v��
HO�6կyz"럦yr[B�*%dB@Fg�Wz��"b!`m7�2;-�l߽� ٩q,fFR�A۴Vx�7��=`�W0;:n�OW5y0,_�{VԽK�祲pZ,[^/Y �.`D�6 d%hh֢��F (�ՒF(�Ǧp%��cqX2�?<"*X*���Z$Ⴣ%�=݇^&]ݽ]0$|JMs-�IM*��˒ۥHڅG>W-Q
O ,l{1��pO�f;m-G\�bd��@.h�Đ]�9=�f,T7iɽ�4n;*��frp�ӏ"xucO{
es���WIYU2+wO�i�α��?=�[N1t<.!ŭt�[���"y�gg
�*�nN2 u̢zjSt/f
�f0��
:i&Mݡr�SW�G~�"߿߉6!?XSC �߉.?~I8OX�dR(� !
|��5̅�e*P�'4�$�Gė{+~G��bD͵g#�O�_xNM#�nD/n
�7.H��Mu,vaD�%'�ȡ-WWG`*/N|S�g�_D�ǹp`�<�0m+`^ϩA#AɌ�҂�B<2w�ĨWnH�'�H�W�s]f+��#,�^u81akzzD��-��x�I��V(��x���ȋL,�!9��n��4?8?G�:��MEfIDwUET1��Ք}u5b; @�,4tAj-bYAMc�2Ʒ^X!tOpkBxGn<�tlNz� ԣ:BMyXwM�WU"���~8*\� VL}^ULx"y��?��3=�w�z^E�L[W�]ݕUS]<_q�=o7ݝ�Cgnu��C[wnWcnH Ћ�?0�E[x-EI��H�A&hR?d_f���~��R!kgI>@4�`}*PiZ$)e3|TϡVR*jZ?V�/ _הV/ =
Wc5���_`Hz=ױ8ۮ#=Tr^6s=�\*AEO�F>[S0q�|-�>(BAdR~�9")�b>;���-^a̷𥳐vgl|C+���H &I�пxE{{n �~݈kk::;�5
HuWIkmJ%��3\mD�Ν�Z_ar}sΩ}?sct%'{+,��iq�o�.0,&n����蜜X�ܱ\~��
Qq�b6b~m�>9l�gŚ8*g[�jGh-;�2פ5k��<9�!Q�@�O@L-A�H ,�7�LC�P�<Ǖϸ�R>hueaj+�Z�Akj��;ҁpK+qܖ.tf1l�B-�A&}^�z�C��&�J^j$'jp�
>=}6�ژY���iF4�Y
&�7d&4���q-q4�0;$%nX�[+$ʼO��o-�>?-bWld�b$@��X�g�_�پiFzhuew=�d#�k�`}(Cۑ?5M}Nأ�a�k;^��ρO��d��0W)玑3tX$l9e1q��!�̆\nX|J7�q7�5t$rE!�i
�oF˞0�sC~�C:�
�nZvD��҂F$��<"m�~�g^q79mOR-i`Ik0'l��x
�D�u��F$%hDg�Þ�1e;my^�_Ǝ^�t/>?Gt;WXjX�
�{�3sȧX,?ыJ�B Q�@t�R*
4Q:&.�H�� o$�H)�iPhP؞�S?pm2�ꥦ\I0^�^6Д��40
uA@"\2�Gza~2?y
:�R�Ϯ�L��zy�:tQS=1Ux{�C�`�g�scw��R[7�;eID^~|LR�]�$�BqнӜp6>@߰|c?뽉e�2'���}x��И1�_[5�}T꺂_�J�weX
Zԉvn���oU�̪g2�q�ÅJV ��{�AFA
dhz߃B��"HJ�P��k;���Wrڽ&-rznu^y��Ցt.�H�ӿ//9tߛ�or�ɡ\'I9�ru�S)�JyC/*ȋ5ৼtXB]Cz<*C/nvs
ث�VMY[,Oмz'JJܓs+Z`~H逷\]�d}+c|SfE�+t12<=s�e!c�AZK[,�F$q�=��ޛh.�v�)�f7w�pK|���`
�}f�.nm;yx=�]�;\�;Yo�[췡\ţu.d+6���Wq5Z�� #Eà�s
p?��
c�U?f�6>|e_C�zHu>j}jl('[
=a#^*��B8D�Cwo0��p=s��ŁS�
�wMm�[xc6Dx��cXAVW��/��~*^�6�:i��(G<8)�܁2>��>@͝eNu+j6d)?7``��fuf�?�.eP!�ؒ:VOD-#E
1'mgR&L;�,N�>n
3yF�
DG�9Psc7ˡ�B�~�22��VH'Ճ7r{鈘Hτ[T�Y�aS%�/u5f 5tP@2nv1�*\G;�!�(S UIry{�dg�X)43G,�o|�#�tuy9n"��k.ix\\oTùLHd z"kёǀ0�h0��~DO[Q��}d��(2m-�Eǝ.t�};�{��/}d-+2dХ�v�\%k$}�HdRͤ_�,�9"%
mPm��J/h����K`{
,��ARh6�LN�>�Ncc� a�vwj9wNe.,s0ŴBShJ ,�(O'knGL�k,�iЄ.�^p멎P�hU|�A�>1Y���[z��71G[�02cxz7Y=W'��KY'Ӷ}d&GX�oeL�Ze']ZD.hr��E"O
�ر~ m��j��#f��Y1[�Rj8g��n~ӧ�f>{����]9,L�?lB�c9ad�r[�"0V_o��>A�k�De�U�$xtC�GiEL`$;�]+qN*td&vP?g82a�#ٌ
M\K,B�.�7Wv!{�ZyƓc�|_元>�OxNž=�Sf s)SL_1�]̑?qG\h�Eq�Xqө8Y%?_K�c�~;s<^E�w$_oꎾ�Z�;~v��?;LJ:ˌRXi*.IoڝOg�u��nԣϟ/O(4IS!cae߄;6�6BJslt�6�1�͝�Tj�)��
|
Network Security & Hardware 
