Going Commercial with Firefox Vulnerabilities

Security vendor Secunia released an advisory two days ago. Nothing unusual. The advisory is titled “Mozilla Firefox Unspecified Code Execution Vulnerability”. Unspecified? Why that? Secunia is usually well informed.

“The vulnerability is caused due to an unspecified error and can be exploited to execute arbitrary code. The vulnerability is reported in version 3.6. Other versions may also be affected”, the Advisory says.

The advisory links to a forum post, which is about an update for the exploitation framework VulnDisco 9.0. Update means “new exploit” – not patch ;-) It reports two 0-day exploits: one for Firefox 3.6 and one for Lotus Notes, each on XP and Vista machines. You can buy this unknown and undisclosed exploit on the website. It is the first time I have heard about such “open minded” business. The commercialization of hacking is going on…

7 comments on “Going Commercial with Firefox Vulnerabilities”

  1. Sebastian Klipper

    Secunia CSO Thomas Kristensen now told me the following:

    “This particular report is a bit special because of the lack of information available. Normally, we do not write about vulnerabilities unless certain details are available and / or we can test it. (…) and previous vulnerabilities reported by this company / person have proved to be reliable.”

    That’s why the advisory uses the term “reportedly”.

  2. Dr Zen

    Well? what is the current analysis. Lots of people are talking about this issue on Secunia forum… Waiting here. Give us some latest info. This IN PART is making Secunia appear to be “lacking”. I and others depend on Secunia and FF… Update up please.

  3. Concerned User

    Hello Sebastian-Long time Firefox user here:)…Thanks for your post!

    So far only one person (Evgeny Legerov, The VulnDisc guy AKA Black Hatter) has claimed that the “bug/vulnerability” exists. Given the fact that Firefox’s code is Open Source, it is hard to believe that only one person has found a “vulnerability”.

    Many of us have asked for information in the Secunia thread. However, there has been no proper response as of now. Therefore, I’m asking these questions here. (Please note I am not a Security Professional:). Just a web user):

    1. Why would Security Professionals like Secunia give unnecessary weight to the claims of a black hatter/hacker?

    2. The guy obviously wants people to buy his “vulndisc” package:)

    3. Given the fact the Firefox is “Open-Source”, one finds it very hard to believe that only one person has been able to find the vulnerability.

    4. Why can’t companies like Secunia or Individuals simply buy the software package and check out the vulnerability (I am aware of the fact that this is what the black hatter wants!).

    Thanks for your time! and please correct the spelling of “privacy”. It now reads as “pricacy statement” in the disclaimer “By posting…..”

  4. Sebastian Klipper

    Thanks for your comment!

    Why would Security Professionals like Secunia give unnecessary weight to the claims of a black hatter/hacker?

    What, if not? Secunia customers want to be informed I think.

    Given the fact the Firefox is “Open-Source”, one finds it very hard to believe that only one person has been able to find the vulnerability.

    I think, that is not unusual at all. The ZDI-Advisories for example are “unspecified” in some way, too. It’s hard work to find “good” vulnerabilities. I had a nice talk about this issue with one of the ZDI-researchers. I will ask him, what makes the difference between Open Source on the one hand and proprietary Software on the other.

    Why can’t companies like Secunia or Individuals simply buy the software package and check out the vulnerability (I am aware of the fact that this is what the black hatter wants!).

    I have no clue ;-)

  5. Concerned User

    Hello Sebastian: Many thanks for your comments. Would like to clarify a few more things. Please bear with me:):

    1. Does Secunia rate a vulnerability only if definite “proof” (i.e. exploit code, details, proof of concept etc.) is released? So far the only person who claims that there is a Firefox vulnerability is the black hatter, Evgeny Legerov. No one else has come forward with the existence of such a vulnerability.

    2. So, how could Secunia give a CAT 4 rating based only on his words without the lack of definite proof? I mean, did they test whether this vulnerability exists?

    3. So….lack of exploit code, only one person/organization claims that this vulnerability exists, no user has come forward with claims that this vulnerability has affected them….So, why is this still rated “CAT 4″ and isn’t it a bit misleading?

    Thanks again!

  6. precelek

    Awesome content. Bookmarked for future reference
