Channel Daily News

Mozilla fixes Firefox’s DLL load hijacking bug

Mozilla on Tuesday patched 15 vulnerabilities in Firefox, 11 of them labeled critical.

One of yesterday’s patches addressed a problem found in scores of Windows applications, making Firefox one of the first browsers to be patched against the DLL load hijacking bug that went public three weeks ago.

Nearly three-quarters of the vulnerabilities in Firefox 3.6 were rated “critical,” Mozilla’s highest threat ranking, representing bugs that hackers may be able to use to compromise a system running Firefox, then plant other malware on the machine. Of the remaining flaws, two were pegged as “high” and one each was judged “moderate” and “low.”

Four of the vulnerabilities were reported to Mozilla by HP TippingPoint’s Zero Day Initiative (ZDI), the largest commercial bug bounty program, while another was handed to Mozilla’s developers by David Huang and Collin Jackson, of Carnegie Mellon University’s Silicon Valley-based CyLab.

The Huang/Jackson flaw could be used by attackers to bypass a site’s cross-site scripting (CSS) defenses to inject and execute malicious JavaScript into the Web site.

Jackson and Huang were two of the three Carnegie Mellon researchers who recently published a paper on CSS cross-origin theft, a topic that made news last week when a Google security engineer demonstrated how a Twitter account could be appropriated by hackers by targeting Microsoft’s Internet Explorer.

But the most notable fix of the 15 was the one that patched Firefox’s DLL load hijacking bug.

Last month, HD Moore, chief security officer at Rapid7, announced that several dozen Windows programs were flawed because they call code libraries — dubbed “dynamic-link libraries,” or “DLLs” — using only a filename instead of a full pathname, giving hackers a way to commandeer a PC by tricking the application into loading a malicious file with the same name as the required DLL.

Other researchers later estimated that more than 200 different programs could be exploited, including Firefox and other browsers from Google, Opera and Apple.

Apple patched Safari’s DLL load hijacking vulnerability on Tuesday around the same time that Mozilla released Firefox 3.6.9.

According to Mozilla, only Firefox running on Windows XP was vulnerable to DLL load hijacking attacks prior to Tuesday. “Firefox users on … Vista [and later] were not vulnerable to this attack because dwmapi.dll legitimately exists in Vista and later versions and is successfully loaded by Firefox before attempting to load the planted DLL,” the advisory read.

Mozilla credited security researcher Haifei Li of Fortinet with reporting the bug; separately, Li said he submitted the Firefox vulnerability, and those in six other vendors’ products, on July 10.

Also included in the security update was support for the X-Frames-Options, a new HTTP response header that sites can use to stymie “clickjacking” attacks.

Firefox is the last major browser to add X-Frames-Options support.

Users can update to Firefox 3.6.9 by downloading the new edition or by selecting “Check for Updates” from the Help menu in the browser. Firefox 3.5 users can obtain the patched version 3.5.12 by calling up the integrated update tool.