FF allowing downloads from infected Websites
13 posts • Page 1 of 1
August 26th, 2005, 7:40 am
I'm using Firefox 1.0.6 on a fully patched XP box with the "Allow Websites to install software" box unchecked. Two days ago a file "asdf.exe" was deposited at root (c:\asdf.exe) and immediately tried to access the Internet. Presumably asdf.exe was trying to install something malevolent. Research on the Web indicates this file has been delivered from a number of Web sites, most likely by an infected ad server. I know this came in through Firefox as I had nothing else running at the time. A variant of the cross scripting vulnerability?
-dave
August 26th, 2005, 8:33 am
Are you sure Firefox automatically downloaded and executed this file and it didn't piggyback on another executable you downloaded? Do you have a website where we can test this vulnerability?
I'm moving to Theory, everything works there.
Most issues are solved by going through the Standard Diagnostic
August 26th, 2005, 8:41 am
That would be my first guess also and the file has been known to be distributed through e-mail - the exploit that is.
Security Bulletin
August 26th, 2005, 8:51 am
Checked my download logs for Firefox; nothing listed (confirming my memory that I wasn't downloading anything). Also, wasn't running email or Instant Messenger at the time. Let me reiterate: I didn't click on an ad, and didn't try to download a file from this Website.
I know that Onion users have been noticing the download, but it's intermittent, which suggests that it's coming from a rotating ad server; some ads deliver a payload and some do not. http://www.theonion.com
August 26th, 2005, 9:52 am
Also, see this thread
http://www.dslreports.com/forum/remark, ... ~mode=flat
The thread concludes that this exploit *only* affects Firefox, but is unsure whether it will only be successful on older versions. I can confirm that the exploit works in 1.0.6 as well.
-dave
August 26th, 2005, 9:56 am
So how come you think it was downloaded through Firefox?
This is a known exploit that there are several different exploits out there for. Just asking.
August 30th, 2005, 6:04 am
I think this could be an issue with prefetch in Mozilla/Firefox. Prefetch is turned on by default in Mozilla/Firefox. Basically, anything marked with a prefetched tag is brought down, and anybody can mark anything with a prefetch tag. To turn prefetching off, go to the address bar and type "about:config" and then scroll down to "network.prefetch-next". Double click on it to change the setting to False.
August 30th, 2005, 6:07 am
For this and other reasons, prefetch is a bad feature.... it also leads to more traffic. But today's connections are so fast that this feature isn't needed anymore. It should be removed.
Greets, Andreas
My german energy-saving page - let's stop wasting of energy!
August 30th, 2005, 3:31 pm
Well, if you can find a means for Firefox to do so, there is a substantial reward for finding such security flaws. Of course, you will have to convince someone. In my opinion, finding a file on your computer and asserting that it came from Firefox is not convincing, but if you can provide the evidence, the bounty is yours.
Your link on dslreports is down.
September 1st, 2005, 2:03 am
What version of Java are you using? (You can check with http://www.ssec.wisc.edu/~tomw/version.html or about:plugins.)
Why do you think this security hole involves prefetch? Prefetch is just about getting things into the cache, not interpreting or executing them.
The Burning Edge (http://www.squarefree.com/burningedge/), Bookmarklets (http://www.squarefree.com/bookmarklets/), My personal blog (http://www.squarefree.com/)
September 1st, 2005, 2:50 am
Prefetch downloads things to the cache. Nothing wrong with that since nothing is executed.
September 1st, 2005, 3:07 am
Unable to reproduce on Firefox 1.0.6 with a dozen reloads and Java/Flash/JavaScript enabled. I agree with AnotherGuest, if you can provide some tangible evidence, do so and claim your $500.
September 1st, 2005, 6:56 am
The ad that the file came from is no longer on the site.
Gruntled was using an outdated, vulnerable version of Java. Java, not Fx, was apparently the problem. Thanks for reporting that, Gruntled. It is a good reminder to update Java or disable it.