A Russian researcher has released attack code to exploit a critical vulnerability found in Mozilla's latest version of the Firefox web browser. It triggers a heap corruption vulnerability in the open-source browser that can allow attacks to execute malicious code remotely. He added it as a module to Vulndisco, which is an add-on for the Immunity Canvas automated exploitation system sold to security professionals.
"We've played a lot with it in our labs - it was very reliable," Evgeny Legerov, founder of Moscow-based Intevydis, told The Register. "Works against the default install of Firefox 3.6. We've tested it on XP and Vista." Mozilla issued Firefox 3.5.7 (for those who haven't upgraded to Firefox 3.6 yet) during the week to address security concerns, one of which was described as a heap corruption vulnerability.
Legerov said that the bug fixed by Firefox 3.5.7 is not the same one that he is exploiting in the lab however. While currently only being available to security researchers that pay a fee, details of the attack could spread with time.
"Mozilla takes all security vulnerabilities seriously, and have as yet been unable to confirm the claim of an exploit. We value the contributions of all security researchers and encourage them to work within our security process, responsibly disclosing vulnerabilities to ensure the highest level of security and best outcome for users," Mozilla said in a statement.
Legerov said that the bug fixed by Firefox 3.5.7 is not the same one that he is exploiting in the lab however. While currently only being available to security researchers that pay a fee, details of the attack could spread with time.
"Mozilla takes all security vulnerabilities seriously, and have as yet been unable to confirm the claim of an exploit. We value the contributions of all security researchers and encourage them to work within our security process, responsibly disclosing vulnerabilities to ensure the highest level of security and best outcome for users," Mozilla said in a statement.
