Subscribe to our newsletters
Sign Up

The Hacker News — Cyber Security, Hacking, Technology News

Tuesday, November 14, 2017 Mohit Kumar

firefox-quantum
It is time to give Firefox another chance.

The Mozilla Foundation today announced the release of its much awaited Firefox 57, aka Quantum web browser for Windows, Mac, and Linux, which claims to defeat Google's Chrome.

It is fast. Really fast. Firefox 57 is based on an entirely revamped design and overhauled core that includes a brand new next-generation CSS engine written in Mozilla’s Rust programming language, called Stylo.

Firefox 57 "Quantum" is the first web browser to utilize the power of multicore processors and offers 2x times faster browsing experience while consuming 30 percent less memory than Google Chrome.

Besides fast performance, Firefox Quantum, which Mozilla calls "by far the biggest update since Firefox 1.0 in 2004," also brings massive performance improvements with tab prioritization, and significant visual changes with a completely redesigned user interface (UI), called Photon.
firefox-processes-v-Chrome
This new version also adds in support for AMD VP9 hardware video decoding during playback in an attempt to reduce power consumption, and thus preventing your systems from running out of battery.

Firefox 57 also includes built-in screenshot functionality, improved tracker blocking and support for WebVR to enable websites to take full advantage of VR headsets.

Firefox has plans to speed things even further by leveraging modern GPUs in the near future.

Firefox Quantum for the desktop version is available for download now on Firefox's official website, and all existing Firefox users should be able to upgrade to the new version automatically.

However, the Android version of Firefox 57 is rolling out on Google Play in coming days, and its iOS version should eventually arrive on Apple's official App Store.

Tuesday, November 29, 2016 Swati Khandelwal

Firefox Zero-Day Exploit to Unmask Tor Users Released Online
Hackers are actively exploiting a zero-day vulnerability in Firefox to unmask Tor Browser users, similar to what the FBI exploited during an investigation of a child pornography site.

Tor (The Onion Router) is an anonymity software that not only provides a safe heaven to human rights activists, journalists, government officials, but also is a place where drugs, assassins for hire, child pornography, and other illegal activities has allegedly been traded.

A Javascript zero-day exploit currently being actively exploited in the wild is designed to remotely execute malicious code on the Windows operating system via memory corruption flaw in Firefox web browser.

The exploit code was publicly published by an admin of the SIGAINT privacy-oriented public email service on the Tor-Talk mailing list.

The mailing list message reveals that the zero-day exploit affecting Firefox is currently being exploited against Tor Browser users by unknown attackers to leak the potentially identifying information of Tor users, officials of the anonymity service confirmed Tuesday.

Tor Browser Bundle is a repackaged version of Mozilla Firefox web browser that runs connections through the Tor anonymizing network configured to hide its user's public IP address.
"[The exploit code] consists of one HTML and one CSS file, both pasted below and also de-obscured," the author says. "The exact functionality is unknown, but it is getting access to VirtualAlloc in kernel32.dll and goes from there."
That means, when exploit opened by a Firefox or Tor Browser with Javascript enabled on a Windows computer, it leverage a memory corruption vulnerability in the background to make direct calls to kernel32.dll, which allows malicious code to be executed on computers running Windows.

Researchers also found that the exploit submits users' machine details to 5.39.27.226 (a remote server hosted on the OVH-hosted virtual machine in France) on port 80, which is no longer responding at the time of writing.

Although security researchers are still analyzing the Tor exploit code, a disassembly of it shows the latest zero-day flaw is very similar to a separate Tor Browser exploit that emerged in 2013.

The 2013 exploit was the work of the United States FBI, which was targeting Tor users who accessed child pornography.

Although Mozilla is scrambling to patch the critical vulnerability, it is still unknown who is behind the current Javascript exploit.
"So it sounds like the immediate next step is that Mozilla finishes their patch for it then…a quick Tor Browser update and somewhere in there people will look at the bug and see whether they think it really does apply to Tor Browser," Tor Project lead Roger Dingledine said.
The critical vulnerability is believed to affect multiple Windows versions of the open source Firefox web browser as far back as Firefox version 41, and up to Firefox version 50.

Sunday, September 18, 2016 Mohit Kumar

firefox-tor
A critical vulnerability resides in the fully-patched version of the Mozilla's Firefox browser that could allow well-resourced attackers to launch man-in-the-middle (MITM) impersonation attacks and also affects the Tor anonymity network.

The Tor Project patched the issue in the browser's HTTPS certificate pinning system on Friday with the release of its Tor Browser version 6.0.5, while Mozilla still has to patch the critical flaw in Firefox.

Attackers can deliver Fake Tor and Firefox Add-on Updates


The vulnerability could allow a man-in-the-middle attacker who is able to obtain a forged certificate for addons.mozilla.org to impersonate Mozilla servers and as a result, deliver a malicious update for NoScript, HTTPS Everywhere or other Firefox extensions installed on a targeted computer.
"This could lead to arbitrary code execution [vulnerability]," Tor officials warned in an advisory. "Moreover, other built-in certificate pinnings are affected as well."
Although it would be challenging to obtain a fraudulent certificate for addons.mozilla.org from any one of several hundred Firefox-trusted certificate authorities (CAs), it is within reach of powerful nation states attackers.

The vulnerability was initially discovered Tuesday by a security expert that goes by the name of @movrcx, who described the attacks against Tor, estimating attackers would need US$100,000 to launch the multi-platform attacks.

Actual Issue resides in Firefox's Certificate Pinning Procedure


However, according to a report posted Thursday by independent security researcher Ryan Duff, this issue also affects Firefox stable versions, although a nightly build version rolled out on September 4 is not susceptible.

Duff said the actual problem resides in Firefox's custom method for handling "Certificate Pinning," which is different from the IETF-approved HPKP (HTTP Public Key Pinning) standard.

Certificate Pinning is an HTTPS feature that makes sure the user's browser accepts only a specific certificate key for a particular domain or subdomain and rejects all others, preventing the user from being a victim of an attack made by spoofing the SSL certs.

While not very popular, HPKP standard is often used on websites that handle sensitive information.
"Firefox uses its own static key pinning method for its own Mozilla certifications instead of using HPKP," says Duff. "The enforcement of the static method appears to be much weaker than the HPKP method and is flawed to the point that it is bypassable in this attack scenario."
Mozilla is scheduled to release Firefox 49 on September 20, so the team has enough time to deliver a fix. The Tor Project took just one day to address the flaw after the bug's disclosure went online.

Users of Tor Browser should update to version 6.0.5, while Firefox users should disable automatic add-on updates, a default feature in the browser, or should consider using a different browser until Mozilla releases the update.

Thursday, September 17, 2015 Swati Khandelwal

bugzilla-zero-day-hacking
A Critical vulnerability discovered in Mozilla's popular Bugzilla bug-tracking software, used by hundreds of thousands of prominent software organizations, could potentially expose details of their non-public security vulnerabilities to the Hackers.

So it’s time for developers and organizations that use Bugzilla open source bug tracking system to upgrade to the latest patched versions – namely 5.0.1, 4.4.10, or 4.2.15.

Bugzilla is a vulnerability database used by Mozilla as well as many open-source projects and private organizations. Besides patched flaws, these databases also contain sensitive information related to unpatched vulnerabilities reported to organizations.

Unfortunately, the researchers at security firm PerimeterX have discovered a vulnerability (CVE-2015-4499) in Bugzilla's email-based permissions process that allowed them to gain high-level permissions on Bugzilla.

As a result, it is potentially possible for an attacker to easily access unpatched bugs in your database, which could then be exploited to attack affected pieces of software on people's computers before security patches are released.

So, anyone who uses Bugzilla and its email-based permissions is affected, including popular free software projects such as Apache Project, LibreOffice and Red Hat.

Incredibly Easy to Exploit


According to the researchers, the vulnerability is "incredibly easy to exploit." To exploit the vulnerability, all an attacker need is to register for a regular account via email and trick the system into believing that the attacker is part of a privileged domain.

This causes the system into believing that the attacker is part of a privileged domain and grant domain-specific permissions.
"The implications of this vulnerability are severe," PerimeterX's security researcher Netanel Rubin wrote in a blog post. "It could allow an attacker to access undisclosed security vulnerabilities in hundreds of products… Imagine the hundreds or thousands of zero-days and other security vulnerabilities that could potentially be exposed." 
Rubin said the flaw was tested on Mozilla's Bugzilla.mozilla.org and found that all Perl-based Bugzilla versions, including 2.0 to 4.2.14, 4.3.1 to 4.4.9, 4.5.1 to 5.0, were vulnerable at the time of the report.

It's not clear whether the Bugzilla vulnerability has been used by malicious hackers to gain access to more unpatched vulnerabilities.

Friday, August 07, 2015 Swati Khandelwal

mozilla-firefox-update
Earlier this week, Mozilla Security researcher Cody Crews discovered a malicious advertisement on a Russian news site that steals local files from a system and upload them to a Ukrainian server without the user ever knowing.

The malicious advertisement was exploiting a serious vulnerability in Firefox's PDF Viewer and the JavaScript context in order to inject a script capable of searching sensitive files on user's local file systems.

Mozilla versions of Firefox that do not contain the PDF Viewer, such as Firefox for Android, are not affected by the "Same origin violation and local file stealing via PDF reader" vulnerability.

The exploit does not execute any arbitrary code but injects a JavaScript payload into the local file context, allowing the script to search for and upload potentially user’s sensitive local files.

All an attacker need to do is load the page with this exploit and sit back and relax. The exploit will silently steal files in the background.

According to Mozilla lead security researcher Daniel Veditz, the exploit specifically searches for:
  • FTP configuration files, subversion, s3browser, Filezilla, libpurple and other account information on Windows systems.
  • Global configuration files and user directories on Linux systems.
Any files encountered by the exploit are uploaded to a server in Ukraine.
"The exploit leaves no trace it has been run on the local machine," Veditz wrote in a blog post. "If you use Firefox on Windows or Linux it would be prudent to change any passwords and keys found in the above-mentioned files if you use the associated programs."
Mac users are currently safe from this exploit, but researcher warned that another payload could potentially exploit the same vulnerability to target Mac systems.

All versions of Firefox are affected, but the good news is that Mozilla has fixed the issue in its software. So, users are recommended to update browsers to Firefox 39.0.3 to protect against the exploit. Enterprise users can patch to 38.1.1.

Sunday, August 03, 2014 Swati Khandelwal

Thousands of Mozilla Developers Emails and Password Exposed Accidentally
Mozilla on Friday notified users of its Mozilla Developer Network (MDN) that the company has accidentally exposed the e-mail addresses and cryptographically protected passwords of thousands of Mozilla developers.

The email addresses of over 76,000 members of its Developer Network, along with 4000 “salted” passwords were disclosed through a database glitch that may have been exploited by hackers, Mozilla officials warned Friday.

The database glitch caused due to a data "sanitization" process failure, that was lasted for a month beginning on June 23, which inadvertently published the records of members of the MDN and left on a publicly accessible server for around a month until one of the outfit’s web developers discovered their presence on a server accessible to the general public around a couple of weeks back, according to a blog post.
"As soon as we learned of it, the database dump file was removed from the server immediately, and the process that generates the dump was disabled to prevent further disclosure," Stormy Peters, director of developer relations, and Joe Stevensen, operations security manager, wrote.
"While we have not been able to detect malicious activity on that server, we cannot be sure there wasn't any such access."
There is no such indications that the exposed data was accessed by any hacker or cyber mind, but Mozilla officials investigating the disclosure can't ignore the possibility.

Mozilla said that the login information couldn't be used by an attacker to access Mozilla Developer Network accounts, but they may be able to access other user accounts secured with the same cracked password.

Also Read: Best Password Manager — For Windows, Linux, Mac, Android, iOS and Enterprise

Mozilla apologised for the inconvenience caused to its users and said it is working on both short-and long-term fixes. The company said that affected users have been notified of the breach and those users whose password hashes were disclosed are warned to change their similar passwords used on other services.

In addition to notifying users and recommending short term fixes, we’re also taking a look at the processes and principles that are in place that may be made better to reduce the likelihood of something like this happening again. If you have questions, please reach out to security@mozilla.org,” the duo said.

Monday, March 03, 2014 Sudhir K Bansal

Mozilla to Block all Plugins by Default in upcoming release, except Whitelist Plugins
The Mozilla Firefox web browser is used by roughly 30% of all Internet users and the company is seriously concerned about the Security of its users for many years.

To Improve the Stability, Security and performance of Firefox web browser, Mozilla announced back in 2013 that it planned to enable ‘Click to Play’ feature in upcoming Firefox versions, which will block most vulnerable plugins like Java by default.

Plugins are a significant source of poor performance, crashes and security vulnerabilities”, Mozilla said.

The Feature 'Click to play' blocks the execution of all plugins automatically, though this feature was annoying to the users, so to prevent all plugins from default blocking, Mozilla announced to maintain a whitelist of approved plugins.
"By allowing users to decide which sites need to use plugins, Firefox will help protect them and keep their browser running smoothly." ~Benjamin Smedberg, Engineering Manager.
Plugin authors can apply for inclusion in a whitelist. The developer has to submit their plugins using a template to Bugzilla and the application submitted till 31st March, 2014 will be reviewed by the Mozilla.

The Firefox web browser will only start blocking by default, no sooner than Firefox 30. If accepted, the plugin will be whitelisted for next 4 Firefox releases i.e. 30 weeks (6 weeks in beta version and 24 weeks in the general release channel), with the possibility to apply for a further extension later.

'Adobe Flash' is included in the whitelist by Mozilla, 'security and plugin teams work closely with Adobe to make sure that Firefox users are protected from instability or security issues in the Flash plugin', the company said; However, 'Java' plugin is excluded from the whitelist because of its continues security problems and slow performance.

Most widely used web browser Google Chrome is also working in this direction and last January it has blocked all NPAPI plugins except Silverlight, Unity, Google Earth, and Facebook Video.

Monday, October 29, 2012 Mohit Kumar

16.0.2 Firefox is now available for anyone who wants to try before anyone else. Mozilla address one serious vulnerability. According to the information security of Mozilla, they has fixed a number of issues related to the Location object in order to enhance overall security. The Location object is supported by all major browsers and contains information about the URL being requested.

Security researcher Mariusz Mlynski reported that the true value of window.location could be shadowed by user content through the use of the valueOf method, which can be combined with some plugins to perform a cross-site scripting (XSS) attack on users.

Another issue centers on the CheckURL function, which if exploited could be used during an XSS attack or to execute malicious code.

On Oct. 9, Mozilla released Firefox 16, but quickly pulled it back after a serious vulnerability was discovered. It was quickly addressed, but not before exploit code was made available.

Generally Firefox offers 16 power optimizations, minor visual changes and enhanced HTML5 support. As of now, version 16.0.2 is being reported as stable. Downloads are available online.

Friday, October 12, 2012 Mohit Kumar

Last week, Mozilla announced it will prompt Firefox users on Windows with old versions of Adobe Reader, Adobe Flash, and Microsoft Silverlight, but refused to detail how the system will work. Finally today Firefox 17 is now in beta and with it is a very cool feature, click-to-play plugins.

When a user lands on a site that requires the use of a plugin, say Adobe Flash, if the version running in the user's browser is on the list of known vulnerable applications, Mozilla will disable it and show the user a message saying that she needs to update the plugin.

"By combining the safety of the blocklist with the flexibility of click-to-play, we now have an even more effective method of dealing with vulnerable or out-of-date plugins." Mozilla wrote on blog. Mozilla is still working on implementing the controls, which would allow you to block all plugins by default and then pick where you want them to run.

As already mentioned, this feature will be enabled by default in Firefox 17. There is, however, an about:config preference “plugins.click_to_play” that can be set to true to enable click-to-play for all plugins, not just out-of-date ones. Mozilla says it is still developing this part.

The main motivation behind this plugin is to prevent users’ systems against drive-by attacks that target vulnerable plugins.

Subscribe to our Daily News-letter via email - Be First to know about Security and Hackers.

Thursday, October 11, 2012 Mohit Kumar

The latest version of Mozilla's Firefox browser has been taken offline after a security vulnerability was discovered. Mozilla's Firefox 16 web browser got its regular six-weekly update yesterday but the organisation decided to pull the browser hours after the release. The outfit claimed it became aware of a security vulnerability in Firefox 16 and that updates are expected to ship at some point today.

According to the Mozilla Security Blog, Firefox 16 features a security vulnerability that allows “a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters.

"As a precaution, users can downgrade to version 15.0.1" - Firefox 16 offers several new features, most of which are aimed at developers. One such feature is the Developer Command Line, which provides keyboard control over the Developer Tools. Other features include CSS3 Animations, Image Values, IndexedDB, Transitions, and Transforms.

Firefox 16 for Android was also affected by this vulnerability, but a patched version of the browser is already out.

Update : Proof-of-Concept code that exploits a privacy information leak introduced in the latest version of Firefox is available online here.

Subscribe to our Daily Newsletter via email - Be First to know about Security and Hackers. or Join our Huge Hackers Community on Facebook, Google+ and Twitter.

Newsletter Subscription

Subscribe to our newsletter and get all latest hacking news, free eBooks delivered to your inbox.

Join Over 450,000 Subscribers!