Going Commercial with Firefox Vulnerabilities

Security vendor Secunia released an advisory two days ago. Nothing unusual. The advisory is titled “Mozilla Firefox Unspecified Code Execution Vulnerability”. Unspecified? Why that? Secunia is usually well informed.

“The vulnerability is caused due to an unspecified error and can be exploited to execute arbitrary code. The vulnerability is reported in version 3.6. Other versions may also be affected”, the advisory says.

The advisory links to a forum post about an update for the exploitation framework VulnDisco 9.0. Update here means “new exploit”, not patch ;-) The post reports two 0-day exploits: one for Firefox 3.6 and one for Lotus Notes, each on XP and Vista machines. You can buy this unknown and undisclosed exploit on the website. It is the first time I have heard of such an “open minded” business. The commercialization of hacking is going on…

7 Comments on “Going Commercial with Firefox Vulnerabilities”

  1. Sebastian Klipper says:

    Secunia CSO Thomas Kristensen now told me the following:

    “This particular report is a bit special because of the lack of information available. Normally, we do not write about vulnerabilities unless certain details are available and / or we can test it. (…) and previous vulnerabilities reported by this company / person has proved to be reliable.

    That’s why the advisory uses the term “reportedly”.

  2. Dr Zen says:

    Well? What is the current analysis? Lots of people are talking about this issue on the Secunia forum… Waiting here. Give us some latest info. This IN PART is making Secunia appear to be “lacking”. I and others depend on Secunia and FF… Update up please.

  3. Concerned User says:

    Hello Sebastian, long-time Firefox user here :)… Thanks for your post!

    So far only one person (Evgeny Legerov, The VulnDisc guy AKA Black Hatter) has claimed that the “bug/vulnerability” exists. Given the fact that Firefox’s code is Open Source, it is hard to believe that only one person has found a “vulnerability”.

    Many of us have asked for information in the Secunia thread. However, there has been no proper response as of now. Therefore, I’m asking these questions here. (Please note I am not a Security Professional :), just a web user):

    1. Why would Security Professionals like Secunia give unnecessary weight to the claims of a black hatter/hacker?

    2. The guy obviously wants people to buy his “vulndisc” package:)

    3. Given the fact the Firefox is “Open-Source”, one finds it very hard to believe that only one person has been able to find the vulnerability.

    4. Why can’t companies like Secunia or Individuals simply buy the software package and check out the vulnerability (I am aware of the fact that this is what the black hatter wants!).

    Thanks for your time! and please correct the spelling of “privacy”. It now reads as “pricacy statement” in the disclaimer “By posting…..”

  4. Sebastian Klipper says:

    Thanks for your comment!

    Why would Security Professionals like Secunia give unnecessary weight to the claims of a black hatter/hacker?

    What, if not? Secunia customers want to be informed I think.

    Given the fact the Firefox is “Open-Source”, one finds it very hard to believe that only one person has been able to find the vulnerability.

    I think that is not unusual at all. The ZDI advisories, for example, are “unspecified” in some way, too. It’s hard work to find “good” vulnerabilities. I had a nice talk about this issue with one of the ZDI researchers. I will ask him what makes the difference between Open Source on the one hand and proprietary software on the other.

    Why can’t companies like Secunia or Individuals simply buy the software package and check out the vulnerability (I am aware of the fact that this is what the black hatter wants!).

    I have no clue ;-)

  5. Concerned User says:

    Hello Sebastian: Many thanks for your comments. Would like to clarify a few more things. Please bear with me:):

    1. Does Secunia rate a vulnerability only if definite “proof” (i.e. exploit code, details, Proof of Concept etc.) is released? So far the only person who claims that there is a Firefox vulnerability is the black hatter, Evgeny Legerov. No one else has come forward with the existence of such a vulnerability.

    2. So, how could Secunia give a CAT 4 rating based only on his words, without definite proof? I mean, did they test whether this vulnerability exists?

    3. So… lack of exploit code, only one person/organization claims that this vulnerability exists, no user has come forward with claims that this vulnerability has affected them… So, why is this still rated “CAT 4” and isn’t it a bit misleading?

    Thanks again!

  6. Sebastian Klipper says:

    Mozilla Update on Secunia Advisory SA38608
    Secunia made the right choice…

  7. precelek says:

    Awesome content. Bookmarked for future reference.
