Firefox Exploit Emerges

An exploit that takes advantage of a recently-patched bug in Mozilla Corp.'s Firefox browser went public Tuesday, causing security vendors to urge users to update immediately.

Code was posted to the Metasploit Project site, which rolls out exploit modules for its Framework tool on a regular basis, that could let hackers corrupt Firefox's memory, then run their own programs to hijack or damage the computer. Metasploit published modules that work against the Linux and Mac editions of Firefox 1.5.

The bug, which was one of 8 fixed in the Firefox 1.5.0.1 security update last week, was labeled "Critical" by Mozilla.

Symantec on Wednesday confirmed that the exploit works on Linux systems, and even though Windows code has not yet been made public, users should expect it soon. "Since the issue was developed for the Metasploit Framework, we assume that trivial modification would allow for the targeting of Windows," read an alert to customers of Symantec's DeepSight Threat Management System.

A caveat, said Symantec, is that the exploit consumes about 1 gigabyte of memory. That "possibly reduces the likelihood of successful exploitation on some systems."Mozilla critic Avi Raff accused the browser maker of downplaying the vulnerability. In a blog entry, Raff wrote "This again shows that Mozilla are not learning from past mistakes and are still downplaying vulnerabilities. My guess is that they are waiting for an exploit in the wild before they are going to rate any exploitable memory corruption vulnerability as 'Critical'."

Mozilla bumped up its rating Tuesday from "Moderate" to "Critical."

Mozilla also acknowledged that the vulnerability was introduced in the work leading up to Firefox 1.5, which means that earlier editions of the open-source browser are not at risk.

Firefox 1.5.0.1 can be downloaded from here; Firefox 1.5 should have already received update notifications and/or had the update automatically installed for them.